Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2025
- 27 participants
- 32 discussions
As we're working to finalize v4 (real soon now!) one question which came up is MongDB.
The Mongo team is currently looking into creating a fully async API for Mongo. We would need to use this in v4 in order to increase scalability. If we don't have such an API, then the Mongo drivers would be significantly slower than other databases.
Their forum as a poll available at: https://feedback.mongodb.com/forums/924286-drivers/suggestions/47080057-asy…
If you're interested in using Mongo with FreeRADIUS please vote on that page for their async API.
Alan DeKok.
5
7
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hi everyone,
I've been banging my head against the wall and thought I'd ask the wiser
ones.
I installed FreeRadius version 3.0.21 with ldap and krb modules and
installed IPA server version 4.12.2. I would now like to use IPA as a
backend server and authenticate my remote users using radius.
I would like to ask if this is possible and if there are any
instructions on how to do it.
Thanks for your help.
--
Regards,
Ville
4
6
All,
How do I disable the following proxy settings:
Listening on proxy address * port 50106
Listening on proxy address :: port 49193
Thanks
Tim
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
2
2
Hello,
I am trying to set up accounting to log commands entered into a switch.
What log file will FreeRADIUS log the accounting commands too?
Here is my config:
Cisco 3550-EMI
username tmb privilege 15 secret 5 <Removed>
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated local
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default stop-only group radius
aaa session-id common
ip radius source-interface Vlan60
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
radius-server key 7 <Removed>
FreeRADIUS Config:
### Configure listening IP Socket
sudo vim /usr/lib/systemd/system/freeradius.service
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS -i 10.0.0.1 -p
1812-1813
# Define Listening socket
sudo vim /etc/freeradius/3.0/radiusd.conf
listen {
ipv4addr = 10.0.0.1,
port = 1812,
type = auth
}
listen {
ipv4addr = 10.0.0.1,
port = 1813,
type = acct
}
### Free RADIUS Configuration
sudo vim /etc/freeradius/3.0/clients.conf
client 10.0.0.0/8 {
ipv4addr = 10.0.0.0/8
secret = FreeRadiusSecret#1
nastype = cisco
shortname = Butter.net
}
### FreeRADIUS User Config
sudo vim /etc/freeradius/3.0/users
tmb Cleartext-Password := "620978"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"
# FreeRADIUS group config
DEFAULT Group == "cisco-rw"
Service-Type = NAS-Prompt-User,
Cisco-AVPair == 'shell:priv-lvl=15',
User-Name = tmb
I see that both sockets have been bound:
netstat -l -n | grep 181
udp 0 0 10.0.0.1:1812 0.0.0.0:*
udp 0 0 10.0.0.1:1813 0.0.0.0:*
I have AAA and RADIUS debugging enabled but it is not showing me anything.
Core-3550-EMI-1#show debugging
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 22:34:52.993 Eastern Sun Apr 27 2025
General OS:
AAA Accounting debugging is on
Radius protocol debugging is on
Radius packet protocol (accounting) debugging is on
show log:
000621: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EXEC(00000006): Pick method
list 'default'
000622: Apr 27 22:34:09.147 Eastern: AAA/ACCT/SETMLIST(00000006): Handle 0,
mlist 0250E700, Name default
000623: Apr 27 22:34:09.147 Eastern: Getting session id for EXEC(00000006)
: db=23DA658
000624: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EXEC(00000006): add, count 2
000625: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EVENT/(00000006): EXEC UP
000626: Apr 27 22:34:09.151 Eastern: AAA/ACCT/EXEC(00000006): Queueing
record is START
000627: Apr 27 22:34:09.151 Eastern: AAA/ACCT(00000006): Accounting
method=radius (RADIUS)
000663: Apr 27 22:34:28.107 Eastern: AAA/ACCT/EXEC(00000006): START
protocol reply FAIL
000664: Apr 27 22:34:28.107 Eastern: AAA/ACCT(00000006): Accounting
method=NOT_SET
000631: Apr 27 22:34:09.151 Eastern: RADIUS/ENCODE: Best Local IP-Address
10.1.1.1 for Radius-Server 10.0.0.1
000632: Apr 27 22:34:09.151 Eastern: RADIUS(00000006): Send
Accounting-Request to 10.0.0.1:1813 id 1646/11, len 90
000633: Apr 27 22:34:09.151 Eastern: RADIUS: authenticator 3A F3 6C 4B 06
17 9B 41 - 77 74 DB 8A 2E 94 2D 6C
000634: Apr 27 22:34:09.151 Eastern: RADIUS: Acct-Session-Id [44] 10
"00000006"
000635: Apr 27 22:34:09.151 Eastern: RADIUS: User-Name [1] 5
"tmb"
000636: Apr 27 22:34:09.151 Eastern: RADIUS: Acct-Authentic [45] 6
RADIUS [1]
000637: Apr 27 22:34:09.155 Eastern: RADIUS: Acct-Status-Type [40] 6
Start [1]
000638: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port [5] 6
0
000639: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port-Id [87] 6
"tty0"
000640: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port-Type [61] 6
Async [0]
000641: Apr 27 22:34:09.155 Eastern: RADIUS: Calling-Station-Id [31] 7
"async"
000642: Apr 27 22:34:09.155 Eastern: RADIUS: Service-Type [6] 6
NAS Prompt [7]
000643: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-IP-Address [4] 6
10.1.1.1
000644: Apr 27 22:34:09.155 Eastern: RADIUS: Acct-Delay-Time [41] 6
0
000645: Apr 27 22:34:09.155 Eastern: RADIUS(00000006): Started 5 sec timeout
000646: Apr 27 22:34:13.771 Eastern: RADIUS(00000006): Request timed out
000647: Apr 27 22:34:13.771 Eastern: RADIUS: acct-delay-time for 800043CC
(at 80004420) now 4
000648: Apr 27 22:34:13.771 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
for id 1646/11
000649: Apr 27 22:34:13.771 Eastern: RADIUS(00000006): Started 5 sec timeout
000650: Apr 27 22:34:18.795 Eastern: RADIUS(00000006): Request timed out
000651: Apr 27 22:34:18.795 Eastern: RADIUS: acct-delay-time for 800043CC
(at 80004420) now 9
000652: Apr 27 22:34:18.795 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
for id 1646/11
000653: Apr 27 22:34:18.795 Eastern: RADIUS(00000006): Started 5 sec timeout
000654: Apr 27 22:34:23.403 Eastern: RADIUS(00000006): Request timed out
000655: Apr 27 22:34:23.403 Eastern: RADIUS: acct-delay-time for 800043CC
(at 80004420) now 14
000656: Apr 27 22:34:23.403 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
for id 1646/11
000657: Apr 27 22:34:23.403 Eastern: RADIUS(00000006): Started 5 sec timeout
000658: Apr 27 22:34:28.107 Eastern: RADIUS(00000006): Request timed out
000659: Apr 27 22:34:28.107 Eastern: RADIUS: acct-delay-time for 800043CC
(at 80004420) now 18
000660: Apr 27 22:34:28.107 Eastern: RADIUS: No response from
(10.0.0.1:1812,1813)
for id 1646/11
000661: Apr 27 22:34:28.107 Eastern: RADIUS/DECODE: parse response no app
start; FAIL
000662: Apr 27 22:34:28.107 Eastern: RADIUS/DECODE: parse response; FAIL
000765: Apr 27 22:43:56.532 Eastern: RADIUS: acct-delay-time for 80002DEC
(at 80002E40) now 4
000766: Apr 27 22:43:56.532 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
for id 1646/13
000767: Apr 27 22:43:56.532 Eastern: RADIUS(00000007): Started 5 sec timeout
Any ideas are appreciated!
Thanks
Tim
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
2
10
28 Apr '25
Hi guys
Maybe any idea / recommendations on the „threading error“ while starting freeradius with the new TLS configuration?
Regards
Dominic
> Follow up on the radsec configuration: I configured /etc/freeradius/sites-available/tls but get the following error while starting freeradius in debug mode (see debug output below):
>
>
> /etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly
> /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
>
>
>
>
> I checked the global freeradius daemon configuration and threading shoudl be enabled: /etc/freeradius/radiusd.conf
>
>
> thread pool {
> # Number of servers to start initially --- should be a reasonable
> # ballpark figure.
> start_servers = 5
>
>
> # Limit on the total number of servers running.
> #
> # If this limit is ever reached, clients will be LOCKED OUT, so it
> # should NOT BE SET TOO LOW. It is intended mainly as a brake to
> # keep a runaway server from taking the system with it as it spirals
> # down...
> #
> # You may find that the server is regularly reaching the
> # 'max_servers' number of threads, and that increasing
> # 'max_servers' doesn't seem to make much difference.
> #
> # If this is the case, then the problem is MOST LIKELY that
> # your back-end databases are taking too long to respond, and
> # are preventing the server from responding in a timely manner.
> #
> # The solution is NOT do keep increasing the 'max_servers'
> # value, but instead to fix the underlying cause of the
> # problem: slow database, or 'hostname_lookups=yes'.
> #
> # For more information, see 'max_request_time', above.
> #
> max_servers = 32
>
>
> # Server-pool size regulation. Rather than making you guess
> # how many servers you need, FreeRADIUS dynamically adapts to
> # the load it sees, that is, it tries to maintain enough
> # servers to handle the current load, plus a few spare
> # servers to handle transient load spikes.
> #
> # It does this by periodically checking how many servers are
> # waiting for a request. If there are fewer than
> # min_spare_servers, it creates a new spare. If there are
> # more than max_spare_servers, some of the spares die off.
> # The default values are probably OK for most sites.
> #
> min_spare_servers = 3
> max_spare_servers = 10
>
>
> # When the server receives a packet, it places it onto an
> # internal queue, where the worker threads (configured above)
> # pick it up for processing. The maximum size of that queue
> # is given here.
> #
> # When the queue is full, any new packets will be silently
> # discarded.
> #
> # The most common cause of the queue being full is that the
> # server is dependent on a slow database, and it has received
> # a large "spike" of traffic. When that happens, there is
> # very little you can do other than make sure the server
> # receives less traffic, or make sure that the database can
> # handle the load.
> #
> # max_queue_size = 65536
>
>
> # Clean up old threads periodically. For no reason other than
> # it might be useful.
> #
> # '0' is a special value meaning 'infinity', or 'the servers never
> # exit'
> max_requests_per_server = 0
>
>
> # Automatically limit the number of accounting requests.
> # This configuration item tracks how many requests per second
> # the server can handle. It does this by tracking the
> # packets/s received by the server for processing, and
> # comparing that to the packets/s handled by the child
> # threads.
> #
>
>
> # If the received PPS is larger than the processed PPS, *and*
> # the queue is more than half full, then new accounting
> # requests are probabilistically discarded. This lowers the
> # number of packets that the server needs to process. Over
> # time, the server will "catch up" with the traffic.
> #
> # Throwing away accounting packets is usually safe and low
> # impact. The NAS will retransmit them in a few seconds, or
> # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
> # to see how accounting packets should be retransmitted. Using
> # any other method is likely to cause network meltdowns.
> #
> auto_limit_acct = no
> }
>
>
>
>
> root@id-radiustest1:~# freeradius -X
> FreeRADIUS Version 3.2.7
> Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/mods-enabled/
> including configuration file /etc/freeradius/mods-enabled/preprocess
> including configuration file /etc/freeradius/mods-enabled/utf8
> including configuration file /etc/freeradius/mods-enabled/expr
> including configuration file /etc/freeradius/mods-enabled/expiration
> including configuration file /etc/freeradius/mods-enabled/proxy_rate_limit
> including configuration file /etc/freeradius/mods-enabled/passwd
> including configuration file /etc/freeradius/mods-enabled/sradutmp
> including configuration file /etc/freeradius/mods-enabled/dynamic_clients
> including configuration file /etc/freeradius/mods-enabled/digest
> including configuration file /etc/freeradius/mods-enabled/chap
> including configuration file /etc/freeradius/mods-enabled/unix
> including configuration file /etc/freeradius/mods-enabled/always
> including configuration file /etc/freeradius/mods-enabled/linelog
> including configuration file /etc/freeradius/mods-enabled/soh
> including configuration file /etc/freeradius/mods-enabled/date
> including configuration file /etc/freeradius/mods-enabled/pap
> including configuration file /etc/freeradius/mods-enabled/totp
> including configuration file /etc/freeradius/mods-enabled/rest
> including configuration file /etc/freeradius/mods-enabled/files
> including configuration file /etc/freeradius/mods-enabled/echo
> including configuration file /etc/freeradius/mods-enabled/replicate
> including configuration file /etc/freeradius/mods-enabled/exec
> including configuration file /etc/freeradius/mods-enabled/eap
> including configuration file /etc/freeradius/mods-enabled/ntlm_auth
> including configuration file /etc/freeradius/mods-enabled/radutmp
> including configuration file /etc/freeradius/mods-enabled/attr_filter
> including configuration file /etc/freeradius/mods-enabled/mschap
> including configuration file /etc/freeradius/mods-enabled/logintime
> including configuration file /etc/freeradius/mods-enabled/realm
> including configuration file /etc/freeradius/mods-enabled/detail
> including configuration file /etc/freeradius/mods-enabled/unpack
> including configuration file /etc/freeradius/mods-enabled/detail.log
> including files in directory /etc/freeradius/policy.d/
> including configuration file /etc/freeradius/policy.d/operator-name
> including configuration file /etc/freeradius/policy.d/debug
> including configuration file /etc/freeradius/policy.d/filter
> including configuration file /etc/freeradius/policy.d/accounting
> including configuration file /etc/freeradius/policy.d/canonicalization
> including configuration file /etc/freeradius/policy.d/abfab-tr
> including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
> including configuration file /etc/freeradius/policy.d/rfc7542
> including configuration file /etc/freeradius/policy.d/cui
> including configuration file /etc/freeradius/policy.d/eap
> including configuration file /etc/freeradius/policy.d/dhcp
> including configuration file /etc/freeradius/policy.d/control
> including files in directory /etc/freeradius/sites-enabled/
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/tls
> including configuration file /etc/freeradius/sites-enabled/default
> including configuration file /etc/freeradius/sites-enabled/status
> including configuration file /etc/freeradius/sites-enabled/proxy-inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/control-socket
> main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> }
> main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> proxy_dedup_window = 1
> cleanup_delay = 5
> max_requests = 16384
> max_fds = 512
> postauth_client_lost = no
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = yes
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> require_message_authenticator = "auto"
> limit_proxy_state = "auto"
> }
> unlang {
> group_stop_return = no
> policy_stop_return = no
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server ftlr1.eduroam.ch-TLS {
> nonblock = no
> ipaddr = 130.59.31.24
> port = 2083
> type = "auth+acct"
> proto = "tcp"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> tls {
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key"
> certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem"
> ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem"
> fragment_size = 8192
> include_length = yes
> check_crl = no
> ca_path_reload_interval = 0
> ecdh_curve = "prime256v1"
> tls_min_version = "1.2"
> }
> home_server ftlr2.eduroam.ch-TLS {
> nonblock = no
> ipaddr = 130.59.31.25
> port = 2083
> type = "auth+acct"
> proto = "tcp"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> tls {
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key"
> certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem"
> ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem"
> fragment_size = 8192
> include_length = yes
> check_crl = no
> ca_path_reload_interval = 0
> ecdh_curve = "prime256v1"
> tls_min_version = "1.2"
> }
> home_server aai-nps-eduv2.campus.unibe.ch {
> nonblock = no
> ipaddr = 130.92.14.27
> port = 1812
> type = "auth+acct"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "none"
> ping_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> realm NULL {
> }
> realm LOCAL {
> }
> realm UNIBE.CH {
> nostrip
> }
> realm STUDENTS.UNIBE.CH {
> nostrip
> }
> realm FACULTY.UNIBE.CH {
> nostrip
> }
> realm EXT.UNIBE.CH {
> nostrip
> }
> realm ~(.*\.UNIBE\.CH$) {
> virtual_server = reject
> }
> home_server_pool SWITCH-EDUROAM-TLS {
> type = fail-over
> home_server = ftlr1.eduroam.ch-TLS
> home_server = ftlr2.eduroam.ch-TLS
> }
> realm ~(.*PHBERN\.CH$) {
> auth_pool = SWITCH-EDUROAM-TLS
> nostrip
> }
> realm ~(.*\.GET\.EDUROAM\.ORG$) {
> auth_pool = SWITCH-EDUROAM-TLS
> nostrip
> }
> home_server_pool UNIBE-NPS-DEV {
> type = fail-over
> home_server = aai-nps-eduv2.campus.unibe.ch
> }
> realm REALM-NPS-DEV {
> pool = UNIBE-NPS-DEV
> }
> realm DEFAULT {
> auth_pool = SWITCH-EDUROAM-TLS
> nostrip
> }
> radiusd: #### Loading Clients ####
> client ftlr1.eduroam.ch-TLS {
> ipaddr = 130.59.31.24
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> virtual_server = "default"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Shared secret for client ftlr1.eduroam.ch-TLS is short, and likely can be broken by an attacker.
> client ftlr2.eduroam.ch-TLS {
> ipaddr = 130.59.31.25
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> virtual_server = "default"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Shared secret for client ftlr2.eduroam.ch-TLS is short, and likely can be broken by an attacker.
> client localhost {
> ipaddr = 127.0.0.1
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client cisco-wlc-9800-mgmt.wifi.unibe.ch {
> ipaddr = 130.92.42.20
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> virtual_server = "default"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch {
> ipaddr = 130.92.42.15
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> virtual_server = "default"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client uvisrz0215.insel.ch {
> ipaddr = 161.62.201.77
> netmask = 32
> require_message_authenticator = "no"
> secret = <<< secret >>>
> virtual_server = "default"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> Configuration version: d53a-826f-8cee-356b
> systemd watchdog is disabled
> # Creating Auth-Type = mschap
> # Creating Auth-Type = eap
> # Creating Autz-Type = Status-Server
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
> hints = "/etc/freeradius/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
> # Loaded module rlm_expr
> # Loading module "expr" from file /etc/freeradius/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
> # Loaded module rlm_proxy_rate_limit
> # Loading module "proxy_rate_limit" from file /etc/freeradius/mods-enabled/proxy_rate_limit
> proxy_rate_limit {
> max_entries = 2048
> idle_timeout = 10
> num_subtables = 256
> window = 1
> }
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_radutmp
> # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/freeradius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
> # Loaded module rlm_digest
> # Loading module "digest" from file /etc/freeradius/mods-enabled/digest
> # Loaded module rlm_chap
> # Loading module "chap" from file /etc/freeradius/mods-enabled/chap
> # Loaded module rlm_unix
> # Loading module "unix" from file /etc/freeradius/mods-enabled/unix
> unix {
> radwtmp = "/var/log/freeradius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/freeradius/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/freeradius/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/freeradius/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/freeradius/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/freeradius/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/freeradius/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/freeradius/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/freeradius/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/freeradius/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_linelog
> # Loading module "802.1x_auth_log" from file /etc/freeradius/mods-enabled/linelog
> linelog 802.1x_auth_log {
> filename = "/var/log/freeradius/802.1x_auth.log"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "%t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})"
> }
> # Loading module "MAC_auth_log" from file /etc/freeradius/mods-enabled/linelog
> linelog MAC_auth_log {
> filename = "/var/log/freeradius/mac_auth.log"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "%t : MAC Auth: (%I) %{reply:Packet-Type}: [%{%{Calling-Station-Id}:-NULL}] REST-Module-Reply=%{%{reply:REST-HTTP-Body}:-NULL}"
> }
> # Loading module "802.1x_acct_log" from file /etc/freeradius/mods-enabled/linelog
> linelog 802.1x_acct_log {
> filename = "/var/log/freeradius/802.1x_acct.log"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "%t : Acct: (%I) Accounting-%{%{Acct-Status-Type}:-Unknown}: [%{User-Name}] Acct-Session-Id=%{%{Acct-Session-Id}:-Unknown} Acct-Terminate-Cause=%{%{Acct-Terminate-Cause}:-Unknown} Acct-Session-Time=%{%{Acct-Session-Time}:-Unknown} seconds Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{NAS-Identifier}:-Unknown} Framed-IP-Address=%{%{Framed-IP-Address}:-Uknown} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})"
> }
> # Loaded module rlm_soh
> # Loading module "soh" from file /etc/freeradius/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_date
> # Loading module "date" from file /etc/freeradius/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date
> date wispr2date {
> format = "%Y-%m-%dT%H:%M:%S"
> utc = no
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /etc/freeradius/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_totp
> # Loading module "totp" from file /etc/freeradius/mods-enabled/totp
> totp {
> time_step = 30
> otp_length = 6
> lookback_steps = 1
> lookback_interval = 30
> lookforward_steps = 0
> }
> # Loaded module rlm_rest
> # Loading module "rest" from file /etc/freeradius/mods-enabled/rest
> rest {
> connect_uri = "https://infoblox.some.domain/"/ <https://infoblox.some.domain/"/>
> connect_timeout = 4.000000
> http_negotiation = "default"
> }
> # Loaded module rlm_files
> # Loading module "files" from file /etc/freeradius/mods-enabled/files
> files {
> filename = "/etc/freeradius/mods-config/files/authorize"
> acctusersfile = "/etc/freeradius/mods-config/files/accounting"
> preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_exec
> # Loading module "echo" from file /etc/freeradius/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
> # Loading module "exec" from file /etc/freeradius/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_eap
> # Loading module "eap" from file /etc/freeradius/mods-enabled/eap
> eap {
> default_eap_type = "PEAP"
> timer_expire = 60
> max_eap_type = 52
> ignore_unknown_eap_types = yes
> cisco_accounting_username_bug = no
> max_sessions = 8192
> dedup_key = ""
> }
> # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/freeradius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.coa {
> filename = "/etc/freeradius/mods-config/attr_filter/coa"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_logintime
> # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm
> realm bangpath {
> format = "prefix"
> delimiter = "!"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_detail
> # Loading module "detail" from file /etc/freeradius/mods-enabled/detail
> detail {
> filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
> # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
> detail auth_log {
> filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
> detail reply_log {
> filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
> detail pre_proxy_log {
> filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> instantiate {
> }
> # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
> reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
> reading pairlist file /etc/freeradius/mods-config/preprocess/hints
> # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
> # Instantiating module "proxy_rate_limit" from file /etc/freeradius/mods-enabled/proxy_rate_limit
> # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
> # Instantiating module "802.1x_auth_log" from file /etc/freeradius/mods-enabled/linelog
> # Instantiating module "MAC_auth_log" from file /etc/freeradius/mods-enabled/linelog
> # Instantiating module "802.1x_acct_log" from file /etc/freeradius/mods-enabled/linelog
> # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
> # Instantiating module "totp" from file /etc/freeradius/mods-enabled/totp
> # Instantiating module "rest" from file /etc/freeradius/mods-enabled/rest
> authorize {
> uri = "https://infoblox.some.domain/wapi/v2.11.3/record:host?network=%25 <https://infoblox.some.domain/wapi/v2.11.3/record:host?network=%25>{locMacAuth-IP-Subnet}&mac=%{tolower:%{request:locMacAuth-Calling-Station-Id}}"
> method = "get"
> body = "none"
> attr_num = no
> raw_value = no
> force_to = "plain"
> auth = "basic"
> username = "xyz"
> password = "xyz"
> require_auth = yes
> timeout = 4.000000
> chunk = 0
> tls {
> check_cert = yes
> check_cert_cn = yes
> }
> body_uri_encode = yes
> }
> rlm_rest: libcurl version: libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
> rlm_rest (rest): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> max_retries = 5
> spread = no
> }
> rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used
> rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/">
> rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used
> rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/">
> rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots used
> rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/">
> rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots used
> rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/">
> rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots used
> rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/">
> # Instantiating module "files" from file /etc/freeradius/mods-enabled/files
> reading pairlist file /etc/freeradius/mods-config/files/authorize
> reading pairlist file /etc/freeradius/mods-config/files/accounting
> reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
> # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "proxy-inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/aai.unibe.ch.key"
> certificate_file = "/etc/freeradius/certs/aai.unibe.ch.pem"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> ca_path_reload_interval = 0
> cipher_list = "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_256_GCM_SHA384"
> reject_unknown_intermediate_ca = no
> ecdh_curve = "prime256v1"
> tls_max_version = "1.3"
> tls_min_version = "1.2"
> cache {
> enable = no
> lifetime = 12
> name = "EAP module"
> max_entries = 0
> persist_dir = "/var/log/freeradius/tlscache"
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = no
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
> # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/coa
> # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
> # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
> # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
> # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm
> # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
> # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
> # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
> # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
> # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius/radiusd.conf
> } # server
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:336
> Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
> } # server inner-tunnel
> server default { # from file /etc/freeradius/sites-enabled/default
> # Loading authenticate {...}
> Compiling Auth-Type Accept for attr Auth-Type
> Compiling Auth-Type eap for attr Auth-Type
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading pre-proxy {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
> } # server default
> server status { # from file /etc/freeradius/sites-enabled/status
> # Loading authorize {...}
> Compiling Autz-Type Status-Server for attr Autz-Type
> } # server status
> server proxy-inner-tunnel { # from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
> # Loading authenticate {...}
> Compiling Auth-Type mschap for attr Auth-Type
> # Loading authorize {...}
> } # server proxy-inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth+acct"
> virtual_server = "default"
> ipaddr = *
> port = 2083
> proto = "tcp"
> tls {
> verify_depth = 0
> ca_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key"
> certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem"
> ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem"
> fragment_size = 8192
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> ca_path_reload_interval = 3600
> allow_expired_crl = no
> cipher_list = "DEFAULT"
> cipher_server_preference = no
> require_client_cert = yes
> reject_unknown_intermediate_ca = no
> ecdh_curve = "prime256v1"
> tls_max_version = "1.3"
> tls_min_version = "1.2"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = no
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> check_client_connections = no
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> clients = "radsec"
> }
> listen {
> type = "control"
> listen {
> socket = "/var/run/freeradius/control/freeradius.sock"
> uid = "freerad"
> gid = "freerad"
> mode = "rw"
> peercred = no
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> listen {
> type = "auth"
> ipaddr = *
> port = 1812
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 1813
> }
> listen {
> type = "status"
> ipaddr = 127.0.0.1
> port = 18121
> client admin {
> ipaddr = 127.0.0.1
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Shared secret for client admin is short, and likely can be broken by an attacker.
> }
> /etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly
> /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
>
>
> Additional debug output:
>
>
> root@id-radiustest1:~# radiusd -fxx -l stdout
> FreeRADIUS Version 3.2.5
> Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/local/share/freeradius/dictionary
> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
> including dictionary file /usr/local/share/freeradius/dictionary.vqp
> including dictionary file /usr/local/etc/raddb/dictionary
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/mods-enabled/
> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
> including configuration file /usr/local/etc/raddb/mods-enabled/expr
> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
> including configuration file /usr/local/etc/raddb/mods-enabled/digest
> including configuration file /usr/local/etc/raddb/mods-enabled/chap
> including configuration file /usr/local/etc/raddb/mods-enabled/unix
> including configuration file /usr/local/etc/raddb/mods-enabled/always
> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
> including configuration file /usr/local/etc/raddb/mods-enabled/soh
> including configuration file /usr/local/etc/raddb/mods-enabled/date
> including configuration file /usr/local/etc/raddb/mods-enabled/pap
> including configuration file /usr/local/etc/raddb/mods-enabled/totp
> including configuration file /usr/local/etc/raddb/mods-enabled/files
> including configuration file /usr/local/etc/raddb/mods-enabled/echo
> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
> including configuration file /usr/local/etc/raddb/mods-enabled/exec
> including configuration file /usr/local/etc/raddb/mods-enabled/eap
> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
> including configuration file /usr/local/etc/raddb/mods-enabled/realm
> including configuration file /usr/local/etc/raddb/mods-enabled/detail
> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
> including files in directory /usr/local/etc/raddb/policy.d/
> including configuration file /usr/local/etc/raddb/policy.d/operator-name
> including configuration file /usr/local/etc/raddb/policy.d/debug
> including configuration file /usr/local/etc/raddb/policy.d/filter
> including configuration file /usr/local/etc/raddb/policy.d/accounting
> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
> including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
> including configuration file /usr/local/etc/raddb/policy.d/rfc7542
> including configuration file /usr/local/etc/raddb/policy.d/cui
> including configuration file /usr/local/etc/raddb/policy.d/eap
> including configuration file /usr/local/etc/raddb/policy.d/dhcp
> including configuration file /usr/local/etc/raddb/policy.d/control
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> name = "freeradius"
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> logdir = "/usr/local/var/log/radius"
> run_dir = "/usr/local/var/run/freeradius"
> }
> main {
> name = "freeradius"
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> sbindir = "/usr/local/sbin"
> logdir = "/usr/local/var/log/radius"
> run_dir = "/usr/local/var/run/freeradius"
> libdir = "/usr/local/lib"
> radacctdir = "/usr/local/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> proxy_dedup_window = 1
> cleanup_delay = 5
> max_requests = 16384
> max_fds = 512
> postauth_client_lost = no
> pidfile = "/usr/local/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> allow_vulnerable_openssl = "no"
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> nonblock = no
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> # Creating Auth-Type = mschap
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
> # Creating Auth-Type = digest
> # Creating Autz-Type = New-TLS-Connection
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
> preprocess {
> huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
> # Loaded module rlm_expr
> # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_radutmp
> # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/usr/local/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_digest
> # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
> # Loaded module rlm_chap
> # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
> # Loaded module rlm_unix
> # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/usr/local/var/log/radius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_always
> # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
> linelog {
> filename = "/usr/local/var/log/radius/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/usr/local/var/log/radius/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_soh
> # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_date
> # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date
> date wispr2date {
> format = "%Y-%m-%dT%H:%M:%S"
> utc = no
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_totp
> # Loading module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
> totp {
> time_step = 30
> otp_length = 6
> lookback_steps = 1
> lookback_interval = 30
> lookforward_steps = 0
> }
> # Loaded module rlm_files
> # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
> files {
> filename = "/usr/local/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_exec
> # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
> # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_eap
> # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> max_eap_type = 52
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 16384
> dedup_key = ""
> }
> # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
> radutmp {
> filename = "/usr/local/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.coa {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_logintime
> # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
> realm bangpath {
> format = "prefix"
> delimiter = "!"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_detail
> # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
> detail {
> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
> # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> detail auth_log {
> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> detail reply_log {
> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> dates_as_integer = no
> escape_filenames = no
> log_packet_header = no
> }
> instantiate {
> }
> # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
> # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
> # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
> # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
> # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
> # Instantiating module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
> # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
> # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/usr/local/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/server.pem"
> certificate_file = "/usr/local/etc/raddb/certs/server.pem"
> ca_file = "/usr/local/etc/raddb/certs/ca.pem"
> private_key_password = <<< secret >>>
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> ca_path_reload_interval = 0
> cipher_list = "DEFAULT"
> cipher_server_preference = no
> reject_unknown_intermediate_ca = no
> ecdh_curve = ""
> tls_max_version = "1.2"
> tls_min_version = "1.2"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/" <http://127.0.0.1/ocsp/">
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
> # Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/coa
> # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
> # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
> # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
> # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/etc/raddb/radiusd.conf
> } # server
> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:366
> Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
> } # server inner-tunnel
> server default { # from file /usr/local/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
> # Loading authorize {...}
> Compiling Autz-Type New-TLS-Connection for attr Autz-Type
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
> Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
> Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
> } # server default
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> cleanup_delay = 5
> max_queue_size = 65536
> auto_limit_acct = no
> }
> Thread spawned new child 1. Total threads in pool: 1
> Thread spawned new child 2. Total threads in pool: 2
> Thread 1 waiting to be assigned a request
> Thread 2 waiting to be assigned a request
> Thread 3 waiting to be assigned a request
> Thread spawned new child 3. Total threads in pool: 3
> Thread spawned new child 4. Total threads in pool: 4
> Thread 4 waiting to be assigned a request
> Thread spawned new child 5. Total threads in pool: 5
> Thread 5 waiting to be assigned a request
> Thread pool initialized
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol
> /usr/local/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812
> _EXIT(1) CALLED src/main/process.c[6325]. Last error was: /usr/local/lib/proto_auth.so: cannot open shared object file: No such file or directory
>
>
>
>
>
>
>
>
> Am 17.04.25, 13:22 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch(a)lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> <mailto:unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org>> im Auftrag von aland(a)deployingradius.com <mailto:aland@deployingradius.com> <mailto:aland@deployingradius.com <mailto:aland@deployingradius.com>>>:
>
>
>
>
> On Apr 17, 2025, at 2:24 AM, <dominic.stalder(a)unibe.ch <mailto:dominic.stalder@unibe.ch> <mailto:dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>>> <dominic.stalder(a)unibe.ch <mailto:dominic.stalder@unibe.ch> <mailto:dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>>> wrote:
>>
>> Hi Alan
>>
>> Thanks for the fast and informative feedback. When I get your answer correct, I can just can put:
>>
>> 1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work
>>
>> 2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work
>>
>> So I can "consolidate" all clients and all home servers in one location respectively?
>
>
>
>
> Yes.
>
>
>
>
> The file names don't matter. All of the files are merged into one via $INCLUDE statements. So you can add clients to the bottom of a virtual server file if you want.
>
>
>
>
> What matters is the sections. If you put clients into a "name { ...} " section, then they won't be found. Each section has a pre-defined purpose, and a pre-defined content.
>
>
>
>
> Alan DeKok.
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html;>
>
>
>
>
>
>
>
>
>
2
10
Hi Experts:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs
module build in FreeRadius
I would like to use FreeRadius forward auth request to remote TACACS server
like Cicso ISE using the rlm_tacacs module
why I use FreeRadius tacacs module is currently all my authenticate request
will go to FreeRadius 1812 port and we have a new request that the local
server should send authenticate request to remote TACACS server, so I would
like to use rlm_tacacs module to do this work
I downloaded the zip package from github and build in local, the
src/modules/stable file only contain the rlm_tacacs module, build has no
problem and I replaced the radiusd and all dependent so files to server
side.
When I try to start the radiusd daemon with -X, I encounter one segV error,
and start option with -XC has no problem for configuration
The config file for modules like:
# cat modules/tacacs
#modules {
tacacs {
transport = tcp
type = Authentication-Start
type = Authentication-Continue
type = Authorization-Request
type = Accounting-Request
tcp {
ipaddr = 10.76.xx.xx
port = 49
secret = testkey123
}
pool {
start = 1
min = 1
max = 1
}
#}
}
and the virtual server config like below, not sure this config will forward
the auth request to tacacs module as above IP and port:
#
# Does nothing other than send packets. It doesn't listen on any input
sockets.
#
server default {
namespace = tacacs
listen {
type = Authentication-Start
type = Authentication-Continue
type = Authorization-Request
type = Accounting-Request
}
recv Authentication-Start {
tacacs
}
recv Authentication-Continue {
tacacs
}
recv Authorization-Request {
tacacs
}
recv Accounting-Request {
tacacs
}
}
below is the output for radiusd with -X option
Info : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named
COPYRIGHT
Info : Starting - reading configuration files ...
Debug : including configuration file
/etc/opt/LU3Pfreeradius-server/radiusd.conf
Debug : including configuration file
/etc/opt/LU3Pfreeradius-server/clients.conf
Debug : Including files in directory
"/etc/opt/LU3Pfreeradius-server/modules/"
Debug : including configuration file
/etc/opt/LU3Pfreeradius-server/modules/tacacs
Debug : including configuration file
/etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Debug : Loaded module process_tacacs
Debug : Parsing initial logging configuration.
Debug : main {
Debug : prefix = /opt/LU3P
Debug : log {
Debug : destination = files
Debug : syslog_facility = daemon
Debug : local_state_dir = "/opt/LU3P/var"
Debug : logdir = "/opt/LU3P/var/log"
Debug : file = /var/opt/log/freeradius-server/radius.log
Debug : suppress_secrets = no
Debug : }
Debug : }
Debug : Parsing security rules to bootstrap UID / GID / chroot / etc.
Debug : main {
Debug : log {
Debug : }
Debug : security {
Debug : allow_core_dumps = no
Debug : allow_vulnerable_openssl = "no"
Debug : }
Debug : name = radiusd
Debug : local_state_dir = "/opt/LU3P/var"
Debug : run_dir = /var/opt/run
Debug : }
Debug : Parsing main configuration
Debug : main {
Debug : server default {
Debug : namespace = tacacs
Debug : tacacs {
Debug : Authentication {
Debug : session {
Debug : timeout = 15
Debug : max = 4096
Debug : max_rounds = 4
Debug : }
Debug : }
Debug : }
Debug : Loaded module proto_tacacs
Debug : listen {
Debug : type = Authentication-Start
Debug : type = Authentication-Continue
Debug : type = Authorization-Request
Debug : type = Accounting-Request
Debug : limit {
Debug : idle_timeout = 30.0
Debug : max_connections = 1024
Debug : }
Debug : priority {
Debug : Authentication-Start = high
Debug : Authentication-Continue = high
Debug : Authorization-Request = normal
Debug : Accounting-Request = low
Debug : }
Debug : }
Debug : }
Debug : log {
Debug : }
Debug : security {
Debug : }
Debug : sbin_dir = "/opt/LU3P/sbin"
Debug : logdir = /var/opt/log/freeradius-server
Debug : radacctdir = /var/opt/log/freeradius-server/radacct
Debug : reverse_lookups = no
Debug : hostname_lookups = no
Debug : max_request_time = 30
Debug : pidfile = /var/opt/run/radiusd.pid
Debug : debug_level = 0
Debug : max_requests = 1024
Debug : resources {
Debug : }
Debug : thread pool {
Debug : num_networks = 1
Info : Dynamically determined thread.workers = 2
Debug : num_workers = 2
Debug : }
Debug : migrate {
Debug : }
Debug : }
Info : Switching to configured log settings
Debug : radiusd: #### Loading Clients ####
Debug : client 127.0.0.1 {
Debug : ipaddr = 127.0.0.1
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.64.0/20 {
Debug : ipaddr = 169.254.64.0/20
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.128.0/17 {
Debug : ipaddr = 169.254.128.0/17
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Info : Debugger not attached
Info : Configuration version: 1F5FA0A8-6BD9-4091-B482-B90249BB93BD
Info : systemd watchdog is disabled
Info : pre-suid-down capabilities: =ep
*Error : _tmpl_global_init: Autoloader attribute "Packet-Type" not found in
"RADIUS" dictionary*
Warn : trigger { ... } subsection not found, triggers will be disabled
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping process modules ####
Debug : Bootstrapping process_tacacs "default"
Debug : #### Bootstrapping protocol modules ####
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping static modules ####
Debug : modules {
Debug : static {
Debug : Loaded module rlm_tacacs
Debug : tacacs {
Debug : transport = tcp
Debug : Loaded module rlm_tacacs_tcp
Debug : tcp {
Debug : ipaddr = 10.76.xx.xx
Debug : port = 49
Debug : secret = testkey123
Debug : max_packet_size = 4096
Debug : max_send_coalesce = 1024
Debug : }
Debug : type = Authentication-Start
Debug : type = Authentication-Continue
Debug : type = Authorization-Request
Debug : type = Accounting-Request
Debug : max_attributes = 255
Debug : response_window = 20
Debug : zombie_period = 40
Debug : pool {
Debug : start = 1
Debug : min = 1
Debug : max = 1
Debug : connecting = 2
Debug : uses = 0
Debug : lifetime = 0
Debug : idle_timeout = 0
Debug : open_delay = 0.2
Debug : close_delay = 10.0
Debug : manage_interval = 0.2
Debug : max_backlog = 1000
Debug : connection {
Debug : connect_timeout = 3.0
Debug : reconnect_delay = 1
Debug : }
Debug : request {
Debug : per_connection_max = 2000
Debug : per_connection_target = 1000
Debug : free_delay = 10.0
Debug : }
Debug : }
Debug : retry {
Debug : initial_rtx_time = 2
Debug : max_rtx_time = 16
Debug : max_rtx_count = 5
Debug : max_rtx_duration = 30
Debug : }
Debug : }
Debug : } # static
Debug : #### Bootstrapping rlm modules ####
Debug : Including dictionary file
"/etc/opt/LU3Pfreeradius-server/dictionary"
Debug : #### Instantiating listeners ####
Debug : Compiling policies in server default { ... }
Debug : Compiling policies in - recv Authentication-Start {...}
Debug : Compiling policies in - recv Authentication-Continue {...}
Debug : Compiling policies in - recv Authorization-Request {...}
Debug : Compiling policies in - recv Accounting-Request {...}
Warn :* tacacs { ... } section is unused*
Debug : #### Instantiating process modules ####
Debug : Instantiating process_tacacs "default"
Debug : #### Instantiating protocol modules ####
Debug : Instantiating proto_tacacs "default.tacacs.generic"
Debug : #### Instantiating rlm modules ####
Debug : Instantiating rlm_tacacs "tacacs"
Warn : Ignoring "trunk.per_connection_max = 2000", forcing to
"trunk.per_connection_max = 255"
Warn : Ignoring "trunk.per_connection_target = 1000", forcing to
"trunk.per_connection_target = 127"
Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10"
Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 11 frames:
/opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9]
/opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465]
/lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10]
/opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf]
/lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5]
/opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e]
No panic action set
regards,
Bryan
3
24
Hello Team,
I am looking to set up a freeradius server on my ubuntu 22.04 and the
sample test certs for server and client for testing wired 802.1x
authentication. Can someone please help.
Regards
Simon
1
0
Hello All,
I have been trying to use only a specific tls1.3 cipher but it fails. I
want to use only SHA256. Below is the debug out.
root@WIFI_TLS1:~# vi /etc/freeradius3/mods-enabled/eap
root@WIFI_TLS1:~# radiusd -Xf
FreeRADIUS Version 3.2.5
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius3/dictionary
including dictionary file /etc/freeradius3/dictionary
including configuration file /etc/freeradius3/radiusd.conf
including configuration file /etc/freeradius3/clients.conf
including files in directory /etc/freeradius3/mods-enabled/
including configuration file /etc/freeradius3/mods-enabled/eap
including configuration file /etc/freeradius3/mods-enabled/pap
including configuration file /etc/freeradius3/mods-enabled/preprocess
including configuration file /etc/freeradius3/mods-enabled/chap
including configuration file /etc/freeradius3/mods-enabled/exec
including configuration file /etc/freeradius3/mods-enabled/expr
including configuration file /etc/freeradius3/mods-enabled/unix
including configuration file /etc/freeradius3/mods-enabled/radutmp
including configuration file /etc/freeradius3/mods-enabled/attr_filter
including configuration file /etc/freeradius3/mods-enabled/mschap
including configuration file /etc/freeradius3/mods-enabled/logintime
including configuration file /etc/freeradius3/mods-enabled/passwd
including configuration file /etc/freeradius3/mods-enabled/files
including configuration file /etc/freeradius3/mods-enabled/realm
including configuration file /etc/freeradius3/mods-enabled/sradutmp
including configuration file /etc/freeradius3/mods-enabled/always
including configuration file /etc/freeradius3/mods-enabled/detail
including configuration file /etc/freeradius3/mods-enabled/digest
including configuration file /etc/freeradius3/mods-enabled/expiration
including files in directory /etc/freeradius3/policy.d/
including configuration file /etc/freeradius3/policy.d/eap
including configuration file /etc/freeradius3/policy.d/accounting
including configuration file /etc/freeradius3/policy.d/filter
including files in directory /etc/freeradius3/sites-enabled/
including configuration file /etc/freeradius3/sites-enabled/default
including configuration file /etc/freeradius3/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius3"
radacctdir = "/var/db/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client abc81 {
ipaddr = 192.168.1.81
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abc83 {
ipaddr = 192.168.1.83
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcnet {
ipaddr = 192.168.1.0/24
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcBL020 {
ipaddr = 192.168.1.20
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcBL002 {
ipaddr = 192.168.1.92
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcBL016 {
ipaddr = 192.168.1.96
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcnet {
ipaddr = 172.27.70.0/24
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client abcnet {
ipaddr = 172.27.80.0/24
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipv4addr = *
require_message_authenticator = "no"
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client routertest {
ipaddr = 172.27.70.15
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = eap
# Creating Autz-Type = New-TLS-Connection
# Creating Auth-Type = mschap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius3/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius3/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius3/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius3/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius3/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius3/mods-enabled/chap
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius3/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius3/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius3/mods-enabled/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius3/mods-enabled/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius3/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius3/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius3/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius3/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius3/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius3/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius3/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius3/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius3/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius3/mods-enabled/files
files {
filename = "/etc/freeradius3/mods-config/files/authorize"
acctusersfile = "/etc/freeradius3/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius3/mods-config/files/pre-proxy"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius3/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius3/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius3/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius3/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius3/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loading module "sradutmp" from file
/etc/freeradius3/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius3/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius3/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius3/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius3/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius3/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius3/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius3/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius3/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius3/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius3/mods-enabled/detail
detail {
filename =
"/var/db/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius3/mods-enabled/digest
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius3/mods-enabled/expiration
instantiate {
}
# Instantiating module "eap" from file /etc/freeradius3/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius3/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius3/certs/hostapd.server.prv"
certificate_file = "/etc/freeradius3/certs/hostapd.server.pem"
ca_file = "/etc/freeradius3/certs/hostapd.ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "TLS_AES_128_GCM_SHA256"
cipher_server_preference = yes
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.3"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: (TLS) Failed setting cipher list: error:0A0000B9:SSL routines::no
cipher match
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/freeradius3/mods-enabled/eap[14]: Instantiation failed for module "eap"
Any idea why this fails?
2
5
RADsec (TLS) based communication from Cisco Wireless Controllers to FreeRadius
by Thorsten Fritsch 24 Apr '25
by Thorsten Fritsch 24 Apr '25
24 Apr '25
Dear colleagues,
we plan to implement RADsec for secure TLS-based communication between our Cisco 9800-80 Wireless Controller and
our FreeRadius 3.x server to enhance security both for management access to the wireless controllers and for our wifi clients using 802.1x based
SSIDs (including Identity PSK which does rely on the AAA servers as well).
Does anyone already have such a setup in place ? What has been your experience in implanting it ?
We'd be very interested in your feedback how it worked.
Thanks and best regards,
Thorsten
Thorsten Fritsch | Network Engineer
University of Basel | Direktion Infrastruktur & Betrieb | IT Services
Spitalstrasse 41 | 4056 Basel | Switzerland
Tel. +41 61 207 16 07 | Mobil +41 79 720 8150
Mail: Thorsten.fritsch(a)unibas.ch<mailto:Thorsten.fritsch@unibas.ch> | https://www.unibas.ch<https://www.unibas.ch/>
Work Days: Mo. through Friday except on Wednesdays
This e-mail and any attachments to it may contain confidential information, which is for the sole attention and use of
the intended recipient. If you are not the correct addressee or have received this email in error, please notify us
immediately and delete this email. Copying and forwarding this message without consent of the sender is not
permitted.
1
0