Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
I am trying to configure FreeRADIUS to add the "Force10-avpair" VSA to
some replies. The VSA is (mostly) documented here:
https://www.dell.com/support/manuals/us/en/04/force10-s4048-on/s4048-on-9.1…
Am I correct that the dictionary should look something like this:
VENDOR Force10 6027
BEGIN-VENDOR Force10
ATTRIBUTE Force10-AVPair 1 string
END-VENDOR Force10
(I'm having to guess at the OID of the attribute, as Dell/Force 10 don't
seem to have every documented it anywhere.)
Would this just go into /etc/raddb/dictionary?
Thanks!
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
2
2
I have disabled iptables:
[3:26 PM, 4/18/2019] Abed Abd Elhai: iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And also the firewalld
service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
I don’t have access to the vcenter, is there anything that I can check within the server?
When the server receives a accounting message I see it in tcpdump and also in radsniff but not in the radiusd -X terminal.
However when I run a test with radtest or radwho I do see the message in the radiusd terminal.
BR
Liran
can you show the networking that you have done for making the vm network
reachable to outside network ?
On Thu, Apr 18, 2019 at 5:23 PM Matthew Newton <mcn at freeradius.org <http://lists.freeradius.org/mailman/listinfo/freeradius-users>> wrote:
> On Thu, 2019-04-18 at 14:47 +0300, liran kessel wrote:
> > I am thinking it might be something to do with the fact that this is
> > a VM and maybe packets aren’t forwarded from the Kernel to the socket
> > that the Freeradius has opened.
>
> VMs work in the same way as "real" machines.
>
> > However I wanted to ask if radsniff listens like tcpdump or to the
> > actual socket?
>
> Like tcpdump
>
> > If it is listening to the socket than I guess I have a problem in the
> > server configuration rather than the Kernel.
>
> iptables?
>
> --
> Matthew
>
>
> -
> List info/subscribe/unsubscribe? See
2
3
Hi,
Is there a way to stop writing 'Info:' events to the log file and to
keep Warning, Auth and Error events ?
Something like a severity log level to adjust ?
We have a lot of non relevant logs added by rlm_ldap and eap modules.
Example with a wrong user password :
Wed Apr 24 11:54:01 2019 : Info: (31) eap_peap: This means you need to
read the PREVIOUS messages in the debug output
Wed Apr 24 11:54:01 2019 : Info: (31) eap_peap: to find out the reason
why the user was rejected
Wed Apr 24 11:54:01 2019 : Info: (31) eap_peap: Look for "reject" or
"fail". Those earlier messages will tell you
Wed Apr 24 11:54:01 2019 : Info: (31) eap_peap: what went wrong, and
how to fix the problem
We use freeradius 3.0.16.
Regards,
Arnaud Lauriou
2
1
24 Apr '19
Supposing you mean to update in DHCP-Request section, I added the line in request section.,
update control {
&Pool-Name := "VSAT"
&Pool-Action := Update
}
Now I see below error in request section,
Discover:
(0) redis_ippool - Allocating lease from pool "VSAT", to "00:a0:bc:00:00:03", expires in 120s
(0) redis_ippool - &reply:DHCP-Your-IP-Address := 75.104.40.111
(0) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
Request:
(1) redis_ippool - Updating 75.104.40.111 in pool "VSAT", device "00:a0:bc:00:00:03", expires in 3600s
(1) redis_ippool - ERROR: Requested IP address "75.104.40.111" is not a member of the specified pool
Debug output:
# /usr/local/sbin/radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2018 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/usr/local/share/freeradius/dictionary"
Debug : Including dictionary file "/usr/local/etc/raddb/dictionary"
Debug : including configuration file /usr/local/etc/raddb/radiusd.conf
Debug : including configuration file /usr/local/etc/raddb/clients.conf
Debug : Including files in directory "/usr/local/etc/raddb/mods-enabled/"
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/always
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/chap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/client
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/digest
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/dhcpv4
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/echo
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/escape
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/exec
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expiration
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expr
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/files
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/linelog
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/logintime
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/mschap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/pap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/passwd
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radius
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/stats
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unix
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unpack
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/utf8
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/redis_ippool
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/redis
Debug : Including files in directory "/usr/local/etc/raddb/policy.d/"
Debug : including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
Debug : including configuration file /usr/local/etc/raddb/policy.d/accounting
Debug : including configuration file /usr/local/etc/raddb/policy.d/canonicalization
Debug : including configuration file /usr/local/etc/raddb/policy.d/control
Debug : including configuration file /usr/local/etc/raddb/policy.d/cui
Debug : including configuration file /usr/local/etc/raddb/policy.d/debug
Debug : including configuration file /usr/local/etc/raddb/policy.d/dhcp
Debug : including configuration file /usr/local/etc/raddb/policy.d/eap
Debug : including configuration file /usr/local/etc/raddb/policy.d/operator-name
Debug : including configuration file /usr/local/etc/raddb/policy.d/time
Debug : including configuration file /usr/local/etc/raddb/policy.d/vendor
Debug : including configuration file /usr/local/etc/raddb/policy.d/filter
Debug : Including files in directory "/usr/local/etc/raddb/sites-enabled/"
Debug : including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
Debug : Loading dictionary proto_dhcpv4
Info : Loaded module "proto_dhcpv4"
Debug : Parsing security rules to bootstrap UID / GID / chroot / etc.
Debug : main {
Debug : security {
Debug : allow_core_dumps = no
Debug : allow_vulnerable_openssl = "no"
Debug : }
Debug : name = radiusd
Debug : name = "radiusd"
Debug : prefix = "/usr/local"
Debug : local_state_dir = "/usr/local/var"
Debug : run_dir = "/usr/local/var/run/radiusd"
Debug : }
Debug : Parsing main configuration.
Debug : main {
Debug : server dhcp {
Debug : namespace = "dhcpv4"
Debug : listen {
Debug : type = DHCP-Discover
Info : Loaded module "proto_dhcpv4_base"
Debug : type = DHCP-Request
Debug : type = DHCP-Inform
Debug : type = DHCP-Release
Debug : type = DHCP-Decline
Debug : transport = udp
Debug : Loading dictionary proto_dhcpv4_udp
Info : Loaded module "proto_dhcpv4_udp"
Debug : udp {
Debug : ipaddr = 10.43.16.207
Debug : src_ipaddr = 10.43.16.207
Debug : port = 67
Debug : broadcast = no
Debug : networks {
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 0
Debug : }
Debug : limit {
Debug : idle_timeout = 30.000000
Debug : nak_lifetime = 30.000000
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : priority {
Debug : DHCP-Discover = normal
Debug : DHCP-Request = normal
Debug : DHCP-Decline = normal
Debug : DHCP-Release = normal
Debug : DHCP-Inform = normal
Debug : DHCP-Lease-Query = low
Debug : DHCP-Bulk-Lease-Query = low
Debug : }
Debug : }
Debug : }
Debug : }
Debug : security {
Debug : }
Debug : sbin_dir = "/usr/local/sbin"
Debug : logdir = "/usr/local/var/log/radius"
Debug : libdir = "/usr/local/lib"
Debug : radacctdir = "/usr/local/var/log/radius/radacct"
Debug : reverse_lookups = no
Debug : reverse_lookups = no
Debug : hostname_lookups = yes
Debug : hostname_lookups = yes
Debug : max_request_time = 30
Debug : max_request_time = 30
Debug : pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
Debug : debug_level = 0
Debug : log {
Debug : colourise = yes
Debug : }
Debug : resources {
Debug : }
Debug : thread pool {
Debug : num_networks = 1
Debug : num_networks = 1
Debug : num_workers = 4
Debug : num_workers = 4
Debug : }
Debug : }
Switching to configured log settings
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.0.0.0 {
ipaddr = 10.0.0.0/8
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
#### Bootstrapping listeners ####
#### Bootstrapping modules ####
modules {
Loaded module "rlm_always"
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
Loading dictionary rlm_attr_filter
Loaded module "rlm_attr_filter"
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
Loading dictionary rlm_cache
Loaded module "rlm_cache"
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Loading dictionary rlm_chap
Loaded module "rlm_chap"
Loaded module "rlm_client"
Loading dictionary rlm_detail
Loaded module "rlm_detail"
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Loading dictionary rlm_digest
Loaded module "rlm_digest"
Loaded module "rlm_dhcpv4"
Loaded module "rlm_exec"
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Loaded module "rlm_escape"
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Loading dictionary rlm_expiration
Loaded module "rlm_expiration"
Loaded module "rlm_expr"
Loading dictionary rlm_files
Loaded module "rlm_files"
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
Loaded module "rlm_linelog"
linelog {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
port = 514
timeout = 2.000000
}
udp {
port = 514
timeout = 2.000000
}
}
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
Loading dictionary rlm_logintime
Loaded module "rlm_logintime"
logintime {
minimum_timeout = 60
}
Loaded module "rlm_mschap"
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
Loading dictionary rlm_pap
Loaded module "rlm_pap"
pap {
normalise = yes
}
Loading dictionary rlm_passwd
Loaded module "rlm_passwd"
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loading dictionary rlm_radius
Loaded module "rlm_radius"
radius {
transport = udp
Loading dictionary rlm_radius_udp
Loaded module "rlm_radius_udp"
udp {
ipaddr = 127.0.0.1
port = 1812
secret = "testing123"
max_packet_size = 4096
}
type = Access-Request
type = Accounting-Request
status_checks {
type = Status-Server
}
max_connections = 32
max_attributes = 255
connection {
connect_timeout = 5.000000
reconnect_delay = 5.000000
idle_timeout = 5.000000
zombie_period = 10.000000
}
Access-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 2
maximum_retransmission_duration = 30
}
Accounting-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
Status-Server {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
}
Loading dictionary rlm_radutmp
Loaded module "rlm_radutmp"
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
Loading dictionary rlm_stats
Loaded module "rlm_stats"
stats {
}
Loading dictionary rlm_unix
Loaded module "rlm_unix"
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
Loading dictionary rlm_unpack
Loaded module "rlm_unpack"
Loaded module "rlm_utf8"
libfreeradius-redis: libhiredis version: 0.12.1
Loading dictionary rlm_redis_ippool
Loaded module "rlm_redis_ippool"
redis_ippool {
copy_on_update = yes
redis {
server = "devstack08-db-eval1-0001-001.oovb0g.0001.usw2.cache.amazonaws.com"
port = 6379
database = 0
max_nodes = 20
max_alt = 3
max_redirects = 2
}
}
libfreeradius-redis: libhiredis version: 0.12.1
Loaded module "rlm_redis"
redis {
server = "devstack08-db-eval1-0001-001.oovb0g.0001.usw2.cache.amazonaws.com"
port = 6379
database = 0
max_nodes = 20
max_alt = 3
max_redirects = 2
}
instantiate {
}
} # modules
#### Instantiating listeners ####
Compiling policies in server dhcp { ... }
compiling - recv DHCP-Discover {...}
compiling - recv DHCP-Request {...}
compiling - recv DHCP-Decline {...}
compiling - recv DHCP-Inform {...}
compiling - recv DHCP-Release {...}
compiling - recv DHCP-Lease-Query {...}
#### Instantiating modules ####
Instantiating module "attr_filter.access_challenge"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.access_reject"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
Instantiating module "attr_filter.accounting_response"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "attr_filter.post-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "auth_log"
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
Instantiating module "cache_eap"
Loaded module "rlm_cache_rbtree"
Instantiating module "detail"
Instantiating module "etc_passwd"
Instantiating module "expiration"
Instantiating module "fail"
Instantiating module "files"
Reading file /usr/local/etc/raddb/mods-config/files/authorize
Reading file /usr/local/etc/raddb/mods-config/files/accounting
Reading file /usr/local/etc/raddb/mods-config/files/pre-proxy
Instantiating module "handled"
Instantiating module "invalid"
Instantiating module "linelog"
Instantiating module "log_accounting"
Instantiating module "logintime"
Instantiating module "mschap"
mschap: using internal authentication
Instantiating module "noop"
Instantiating module "notfound"
Instantiating module "ok"
Instantiating module "post_proxy_log"
Instantiating module "pre_proxy_log"
Instantiating module "radius"
Instantiating module "redis"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Reserved connection (3)
rlm_redis (redis) [1] - Released connection (3)
rlm_redis (redis): Cluster map consists of 1 key ranges
rlm_redis (redis): 0 - keys 0-16383
rlm_redis (redis): master: 10.43.17.86:6379
rlm_redis (redis): slave0: 10.43.16.148:6379
rlm_redis (redis): slave1: 10.43.16.109:6379
rlm_redis (redis) [2] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [2] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [2] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [3] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [3] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [3] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
Instantiating module "redis_ippool"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 0
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - 0 of 0 connections in use. You may need to increase "spare"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Reserved connection (0)
rlm_redis (redis) [1] - Released connection (0)
rlm_redis (redis) [1] - Need 3 more connections to reach min connections (4)
rlm_redis (redis) [1] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
Instantiating module "reject"
Instantiating module "reply_log"
Instantiating module "stats"
Instantiating module "updated"
Instantiating module "userlock"
[1] radius - Connection initialising
[1] radius - Connection initialised
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on dhcpv4 address proto_dhcpv4_udp server 10.43.16.207 port 67 bound to virtual server dhcp
Waking up in 4.9 seconds.
radius - Connection open - proto udp local 0.0.0.0 port 54317 remote 127.0.0.1 port 1812
radius - Allocated Status-Server ID 0 for status checks on connection proto udp local 0.0.0.0 port 54317 remote 127.0.0.1 port 1812
radius - Setting idle timeout to +5.000000 for connection proto udp local 0.0.0.0 port 54317 remote 127.0.0.1 port 1812
[1] radius - Connection established
Waking up in 4.9 seconds.
Waking up in 4.9 seconds.
radius - Idle timeout for connection proto udp local 0.0.0.0 port 54317 remote 127.0.0.1 port 1812
[1] radius - Closing connection (25)
radius - Connection closed - proto udp local 0.0.0.0 port 54317 remote 127.0.0.1 port 1812
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Discover XID 00000000 length 310 proto_dhcpv4_udp server 10.43.16.207 port 67
Network received packet size 310
Resetting worker 30 cleanup timer to +0s
(0) running request
(0) Received DHCP-Discover XID 00000000 from 10.43.18.94:67 to 10.43.16.207:67 via eth0
(0) &DHCP-Opcode = Client-Message
(0) &DHCP-Hardware-Type = Ethernet
(0) &DHCP-Hardware-Address-Length = 6
(0) &DHCP-Hop-Count = 1
(0) &DHCP-Transaction-Id = 0
(0) &DHCP-Number-of-Seconds = 0
(0) &DHCP-Flags = 0
(0) &DHCP-Client-IP-Address = 10.43.18.94
(0) &DHCP-Your-IP-Address = 0.0.0.0
(0) &DHCP-Server-IP-Address = 0.0.0.0
(0) &DHCP-Gateway-IP-Address = 10.43.18.94
(0) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:03
(0) &DHCP-Message-Type = DHCP-Discover
(0) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(0) &DHCP-Client-Identifier = 0x0100a1bc000001
(0) &DHCP-Subscriber-Id = "00a0bc000001@ut3>ut3.viasat.com"
(0) &DHCP-Relay-Remote-Id = 0x00a0bc000001
(0) &DHCP-Relay-Circuit-Id = 0x000000222066
(0) Running 'recv DHCP-Discover' from file /usr/local/etc/raddb/sites-enabled/dhcp
(0) recv DHCP-Discover {
(0) update reply {
(0) DHCP-Message-Type = DHCP-Offer
(0) } # update reply (noop)
(0) update reply {
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) } # update reply (noop)
(0) update control {
(0) &Pool-Name := "VSAT"
(0) } # update control (noop)
(0) redis_ippool - Allocating lease from pool "VSAT", to "00:a0:bc:00:00:03", expires in 120s
(0) redis_ippool - Reserved connection (1)
(0) redis_ippool - [1] >>> Sending command(s) to 10.43.17.86:6379
(0) redis_ippool - [1] <<< Returned: success
(0) redis_ippool - Released connection (1)
(0) redis_ippool - Need 2 more connections to reach min connections (4)
(0) redis_ippool - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
(0) redis_ippool - &reply:DHCP-Your-IP-Address := 75.104.40.111
(0) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
(0) redis_ippool - IP address lease allocated
(0) redis_ippool (updated)
(0) ok (ok)
(0) } # recv DHCP-Discover (updated)
(0) Sent DHCP-Offer XID 00000000 from 10.43.16.207:67 to 10.43.18.94:67 via eth0
(0) &DHCP-Message-Type = DHCP-Offer
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) &DHCP-IP-Address-Lease-Time := 120
(0) done request
(0) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Request XID 00000000 length 316 proto_dhcpv4_udp server 10.43.16.207 port 67
Network received packet size 316
Resetting worker 30 cleanup timer to +0s
(1) running request
(1) Received DHCP-Request XID 00000000 from 10.43.18.94:67 to 10.43.16.207:67 via eth0
(1) &DHCP-Opcode = Client-Message
(1) &DHCP-Hardware-Type = Ethernet
(1) &DHCP-Hardware-Address-Length = 6
(1) &DHCP-Hop-Count = 1
(1) &DHCP-Transaction-Id = 0
(1) &DHCP-Number-of-Seconds = 0
(1) &DHCP-Flags = 0
(1) &DHCP-Client-IP-Address = 10.43.18.94
(1) &DHCP-Your-IP-Address = 0.0.0.0
(1) &DHCP-Server-IP-Address = 0.0.0.0
(1) &DHCP-Gateway-IP-Address = 10.43.18.94
(1) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:03
(1) &DHCP-Requested-IP-Address = 75.104.40.111
(1) &DHCP-Message-Type = DHCP-Request
(1) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(1) &DHCP-Client-Identifier = 0x0100a1bc000001
(1) &DHCP-Subscriber-Id = "00a0bc000001@ut3>ut3.viasat.com"
(1) &DHCP-Relay-Remote-Id = 0x00a0bc000001
(1) &DHCP-Relay-Circuit-Id = 0x000000222066
(1) Running 'recv DHCP-Request' from file /usr/local/etc/raddb/sites-enabled/dhcp
(1) recv DHCP-Request {
(1) update reply {
(1) &DHCP-Message-Type = DHCP-Ack
(1) } # update reply (noop)
(1) update reply {
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) } # update reply (noop)
(1) update control {
(1) &Pool-Name := "VSAT"
(1) &Pool-Action := Update
(1) } # update control (noop)
(1) redis_ippool - EXPAND %{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}
(1) redis_ippool - --> 75.104.40.111
(1) redis_ippool - Updating 75.104.40.111 in pool "VSAT", device "00:a0:bc:00:00:03", expires in 3600s
(1) redis_ippool - Reserved connection (2)
(1) redis_ippool - [1] >>> Sending command(s) to 10.43.17.86:6379
(1) redis_ippool - [1] <<< Returned: success
(1) redis_ippool - Released connection (2)
(1) redis_ippool - ERROR: Requested IP address "75.104.40.111" is not a member of the specified pool
(1) redis_ippool (notfound)
(1) ok (ok)
(1) } # recv DHCP-Request (ok)
(1) ERROR: DHCP-Ack packet does not have YIADDR. The client will not receive an IP address.
(1) Sent DHCP-Ack XID 00000000 from 10.43.16.207:67 to 10.43.18.94:67 via eth0
(1) &DHCP-Message-Type = DHCP-Ack
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) done request
(1) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
Regards,
Nagamani Chinnapaiyan
1
0
Hello, is there any way to add redis cluster module of freeradius 4 to freeradius 3 ThanksBassemEnvoyé depuis mon smartphone Samsung Galaxy.
5
9
How I can construct octet value for VSA if some octet in it has to be `0x00`?
For example I can set value for VSA using expression like this
```
VSA-Name := '\001somevalue'
```
or
```
VSA-Name := 0x01736f6d6576616c7565
```
But when I tried to use this expression
```
VSA-Name := '\001\000somevalue'
```
All data after \000 are truncated
--
Vladimir
2
1
23 Apr '19
Hi,
I have redis_ippool module with below configurations,
offer_time = 120
lease_time = 3600
During offer 120 seconds is assigned. During ack the same 120 seconds is returned instead of assigning 3600 seconds.
Debug output:
# /usr/local/sbin/radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2018 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/usr/local/share/freeradius/dictionary"
Debug : Including dictionary file "/usr/local/etc/raddb/dictionary"
Debug : including configuration file /usr/local/etc/raddb/radiusd.conf
Debug : including configuration file /usr/local/etc/raddb/clients.conf
Debug : Including files in directory "/usr/local/etc/raddb/mods-enabled/"
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/always
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/chap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/client
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/digest
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/dhcpv4
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/echo
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/escape
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/exec
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expiration
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expr
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/files
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/linelog
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/logintime
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/mschap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/pap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/passwd
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radius
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/stats
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unix
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unpack
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/utf8
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/redis_ippool
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/redis
Debug : Including files in directory "/usr/local/etc/raddb/policy.d/"
Debug : including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
Debug : including configuration file /usr/local/etc/raddb/policy.d/accounting
Debug : including configuration file /usr/local/etc/raddb/policy.d/canonicalization
Debug : including configuration file /usr/local/etc/raddb/policy.d/control
Debug : including configuration file /usr/local/etc/raddb/policy.d/cui
Debug : including configuration file /usr/local/etc/raddb/policy.d/debug
Debug : including configuration file /usr/local/etc/raddb/policy.d/dhcp
Debug : including configuration file /usr/local/etc/raddb/policy.d/eap
Debug : including configuration file /usr/local/etc/raddb/policy.d/operator-name
Debug : including configuration file /usr/local/etc/raddb/policy.d/time
Debug : including configuration file /usr/local/etc/raddb/policy.d/vendor
Debug : including configuration file /usr/local/etc/raddb/policy.d/filter
Debug : Including files in directory "/usr/local/etc/raddb/sites-enabled/"
Debug : including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
Debug : Loading dictionary proto_dhcpv4
Info : Loaded module "proto_dhcpv4"
Debug : Parsing security rules to bootstrap UID / GID / chroot / etc.
Debug : main {
Debug : security {
Debug : allow_core_dumps = no
Debug : allow_vulnerable_openssl = "no"
Debug : }
Debug : name = radiusd
Debug : name = "radiusd"
Debug : prefix = "/usr/local"
Debug : local_state_dir = "/usr/local/var"
Debug : run_dir = "/usr/local/var/run/radiusd"
Debug : }
Debug : Parsing main configuration.
Debug : main {
Debug : server dhcp {
Debug : namespace = "dhcpv4"
Debug : listen {
Debug : type = DHCP-Discover
Info : Loaded module "proto_dhcpv4_base"
Debug : type = DHCP-Request
Debug : type = DHCP-Inform
Debug : type = DHCP-Release
Debug : type = DHCP-Decline
Debug : transport = udp
Debug : Loading dictionary proto_dhcpv4_udp
Info : Loaded module "proto_dhcpv4_udp"
Debug : udp {
Debug : ipaddr = 10.43.16.207
Debug : src_ipaddr = 10.43.16.207
Debug : port = 67
Debug : broadcast = no
Debug : networks {
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 0
Debug : }
Debug : limit {
Debug : idle_timeout = 30.000000
Debug : nak_lifetime = 30.000000
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : priority {
Debug : DHCP-Discover = normal
Debug : DHCP-Request = normal
Debug : DHCP-Decline = normal
Debug : DHCP-Release = normal
Debug : DHCP-Inform = normal
Debug : DHCP-Lease-Query = low
Debug : DHCP-Bulk-Lease-Query = low
Debug : }
Debug : }
Debug : }
Debug : }
Debug : security {
Debug : }
Debug : sbin_dir = "/usr/local/sbin"
Debug : logdir = "/usr/local/var/log/radius"
Debug : libdir = "/usr/local/lib"
Debug : radacctdir = "/usr/local/var/log/radius/radacct"
Debug : reverse_lookups = no
Debug : reverse_lookups = no
Debug : hostname_lookups = yes
Debug : hostname_lookups = yes
Debug : max_request_time = 30
Debug : max_request_time = 30
Debug : pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
Debug : debug_level = 0
Debug : log {
Debug : colourise = yes
Debug : }
Debug : resources {
Debug : }
Debug : thread pool {
Debug : num_networks = 1
Debug : num_networks = 1
Debug : num_workers = 4
Debug : num_workers = 4
Debug : }
Debug : }
Switching to configured log settings
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.0.0.0 {
ipaddr = 10.0.0.0/8
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
#### Bootstrapping listeners ####
#### Bootstrapping modules ####
modules {
Loaded module "rlm_always"
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
Loading dictionary rlm_attr_filter
Loaded module "rlm_attr_filter"
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
Loading dictionary rlm_cache
Loaded module "rlm_cache"
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Loading dictionary rlm_chap
Loaded module "rlm_chap"
Loaded module "rlm_client"
Loading dictionary rlm_detail
Loaded module "rlm_detail"
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Loading dictionary rlm_digest
Loaded module "rlm_digest"
Loaded module "rlm_dhcpv4"
Loaded module "rlm_exec"
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Loaded module "rlm_escape"
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Loading dictionary rlm_expiration
Loaded module "rlm_expiration"
Loaded module "rlm_expr"
Loading dictionary rlm_files
Loaded module "rlm_files"
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
Loaded module "rlm_linelog"
linelog {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
port = 514
timeout = 2.000000
}
udp {
port = 514
timeout = 2.000000
}
}
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
Loading dictionary rlm_logintime
Loaded module "rlm_logintime"
logintime {
minimum_timeout = 60
}
Loaded module "rlm_mschap"
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
Loading dictionary rlm_pap
Loaded module "rlm_pap"
pap {
normalise = yes
}
Loading dictionary rlm_passwd
Loaded module "rlm_passwd"
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loading dictionary rlm_radius
Loaded module "rlm_radius"
radius {
transport = udp
Loading dictionary rlm_radius_udp
Loaded module "rlm_radius_udp"
udp {
ipaddr = 127.0.0.1
port = 1812
secret = "testing123"
max_packet_size = 4096
}
type = Access-Request
type = Accounting-Request
status_checks {
type = Status-Server
}
max_connections = 32
max_attributes = 255
connection {
connect_timeout = 5.000000
reconnect_delay = 5.000000
idle_timeout = 5.000000
zombie_period = 10.000000
}
Access-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 2
maximum_retransmission_duration = 30
}
Accounting-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
Status-Server {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
}
Loading dictionary rlm_radutmp
Loaded module "rlm_radutmp"
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
Loading dictionary rlm_stats
Loaded module "rlm_stats"
stats {
}
Loading dictionary rlm_unix
Loaded module "rlm_unix"
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
Loading dictionary rlm_unpack
Loaded module "rlm_unpack"
Loaded module "rlm_utf8"
libfreeradius-redis: libhiredis version: 0.12.1
Loading dictionary rlm_redis_ippool
Loaded module "rlm_redis_ippool"
redis_ippool {
copy_on_update = yes
redis {
server = "devstack08-db-eval1-0001-001.oovb0g.0001.usw2.cache.amazonaws.com"
port = 6379
database = 0
max_nodes = 20
max_alt = 3
max_redirects = 2
}
}
libfreeradius-redis: libhiredis version: 0.12.1
Loaded module "rlm_redis"
redis {
server = "devstack08-db-eval1-0001-001.oovb0g.0001.usw2.cache.amazonaws.com"
port = 6379
database = 0
max_nodes = 20
max_alt = 3
max_redirects = 2
}
instantiate {
}
} # modules
#### Instantiating listeners ####
Compiling policies in server dhcp { ... }
compiling - recv DHCP-Discover {...}
compiling - recv DHCP-Request {...}
compiling - recv DHCP-Decline {...}
compiling - recv DHCP-Inform {...}
compiling - recv DHCP-Release {...}
compiling - recv DHCP-Lease-Query {...}
#### Instantiating modules ####
Instantiating module "attr_filter.access_challenge"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.access_reject"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
Instantiating module "attr_filter.accounting_response"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "attr_filter.post-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "auth_log"
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
Instantiating module "cache_eap"
Loaded module "rlm_cache_rbtree"
Instantiating module "detail"
Instantiating module "etc_passwd"
Instantiating module "expiration"
Instantiating module "fail"
Instantiating module "files"
Reading file /usr/local/etc/raddb/mods-config/files/authorize
Reading file /usr/local/etc/raddb/mods-config/files/accounting
Reading file /usr/local/etc/raddb/mods-config/files/pre-proxy
Instantiating module "handled"
Instantiating module "invalid"
Instantiating module "linelog"
Instantiating module "log_accounting"
Instantiating module "logintime"
Instantiating module "mschap"
mschap: using internal authentication
Instantiating module "noop"
Instantiating module "notfound"
Instantiating module "ok"
Instantiating module "post_proxy_log"
Instantiating module "pre_proxy_log"
Instantiating module "radius"
Instantiating module "redis"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Reserved connection (3)
rlm_redis (redis) [1] - Released connection (3)
rlm_redis (redis): Cluster map consists of 1 key ranges
rlm_redis (redis): 0 - keys 0-16383
rlm_redis (redis): master: 10.43.17.86:6379
rlm_redis (redis): slave0: 10.43.16.148:6379
rlm_redis (redis): slave1: 10.43.16.109:6379
rlm_redis (redis) [2] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [2] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [2] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [2] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [2]: Connecting node to 10.43.16.148:6379
rlm_redis (redis) [3] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [3] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [3] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
rlm_redis (redis) [3] - Opening additional connection (3), 1 of 1 pending slots used
rlm_redis (redis) [3]: Connecting node to 10.43.16.109:6379
Instantiating module "redis_ippool"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 0
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - 0 of 0 connections in use. You may need to increase "spare"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
rlm_redis (redis) [1] - Reserved connection (0)
rlm_redis (redis) [1] - Released connection (0)
rlm_redis (redis) [1] - Need 3 more connections to reach min connections (4)
rlm_redis (redis) [1] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
Instantiating module "reject"
Instantiating module "reply_log"
Instantiating module "stats"
Instantiating module "updated"
Instantiating module "userlock"
[1] radius - Connection initialising
[1] radius - Connection initialised
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on dhcpv4 address proto_dhcpv4_udp server 10.43.16.207 port 67 bound to virtual server dhcp
Waking up in 4.9 seconds.
radius - Connection open - proto udp local 0.0.0.0 port 45078 remote 127.0.0.1 port 1812
radius - Allocated Status-Server ID 0 for status checks on connection proto udp local 0.0.0.0 port 45078 remote 127.0.0.1 port 1812
radius - Setting idle timeout to +5.000000 for connection proto udp local 0.0.0.0 port 45078 remote 127.0.0.1 port 1812
[1] radius - Connection established
Waking up in 4.9 seconds.
Waking up in 4.9 seconds.
radius - Idle timeout for connection proto udp local 0.0.0.0 port 45078 remote 127.0.0.1 port 1812
[1] radius - Closing connection (25)
radius - Connection closed - proto udp local 0.0.0.0 port 45078 remote 127.0.0.1 port 1812
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Discover XID 00000000 length 310 proto_dhcpv4_udp server 10.43.16.207 port 67
Network received packet size 310
Resetting worker 30 cleanup timer to +0s
(0) running request
(0) Received DHCP-Discover XID 00000000 from 10.43.18.94:67 to 10.43.16.207:67 via eth0
(0) &DHCP-Opcode = Client-Message
(0) &DHCP-Hardware-Type = Ethernet
(0) &DHCP-Hardware-Address-Length = 6
(0) &DHCP-Hop-Count = 1
(0) &DHCP-Transaction-Id = 0
(0) &DHCP-Number-of-Seconds = 0
(0) &DHCP-Flags = 0
(0) &DHCP-Client-IP-Address = 10.43.18.94
(0) &DHCP-Your-IP-Address = 0.0.0.0
(0) &DHCP-Server-IP-Address = 0.0.0.0
(0) &DHCP-Gateway-IP-Address = 10.43.18.94
(0) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:02
(0) &DHCP-Message-Type = DHCP-Discover
(0) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(0) &DHCP-Client-Identifier = 0x0100a1bc000001
(0) &DHCP-Subscriber-Id = "00a0bc000001(a)aut.res.viasat.com"
(0) &DHCP-Relay-Remote-Id = 0x00a0bc000002
(0) &DHCP-Relay-Circuit-Id = 0x000000222066
(0) Running 'recv DHCP-Discover' from file /usr/local/etc/raddb/sites-enabled/dhcp
(0) recv DHCP-Discover {
(0) update reply {
(0) DHCP-Message-Type = DHCP-Offer
(0) } # update reply (noop)
(0) update reply {
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) } # update reply (noop)
(0) update control {
(0) &Pool-Name := "VSAT-UT"
(0) } # update control (noop)
(0) redis_ippool - Allocating lease from pool "VSAT-UT", to "00:a0:bc:00:00:02", expires in 120s
(0) redis_ippool - Reserved connection (1)
(0) redis_ippool - [1] >>> Sending command(s) to 10.43.17.86:6379
(0) redis_ippool - [1] <<< Returned: success
(0) redis_ippool - Released connection (1)
(0) redis_ippool - Need 2 more connections to reach min connections (4)
(0) redis_ippool - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) [1]: Connecting node to 10.43.17.86:6379
(0) redis_ippool - &reply:DHCP-Your-IP-Address := 10.88.64.104
(0) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
(0) redis_ippool - IP address lease allocated
(0) redis_ippool (updated)
(0) ok (ok)
(0) } # recv DHCP-Discover (updated)
(0) Sent DHCP-Offer XID 00000000 from 10.43.16.207:67 to 10.43.18.94:67 via eth0
(0) &DHCP-Message-Type = DHCP-Offer
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) &DHCP-IP-Address-Lease-Time := 120
(0) done request
(0) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Request XID 00000000 length 316 proto_dhcpv4_udp server 10.43.16.207 port 67
Network received packet size 316
Resetting worker 30 cleanup timer to +0s
(1) running request
(1) Received DHCP-Request XID 00000000 from 10.43.18.94:67 to 10.43.16.207:67 via eth0
(1) &DHCP-Opcode = Client-Message
(1) &DHCP-Hardware-Type = Ethernet
(1) &DHCP-Hardware-Address-Length = 6
(1) &DHCP-Hop-Count = 1
(1) &DHCP-Transaction-Id = 0
(1) &DHCP-Number-of-Seconds = 0
(1) &DHCP-Flags = 0
(1) &DHCP-Client-IP-Address = 10.43.18.94
(1) &DHCP-Your-IP-Address = 0.0.0.0
(1) &DHCP-Server-IP-Address = 0.0.0.0
(1) &DHCP-Gateway-IP-Address = 10.43.18.94
(1) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:02
(1) &DHCP-Requested-IP-Address = 10.88.64.104
(1) &DHCP-Message-Type = DHCP-Request
(1) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(1) &DHCP-Client-Identifier = 0x0100a1bc000001
(1) &DHCP-Subscriber-Id = "00a0bc000001(a)aut.res.viasat.com"
(1) &DHCP-Relay-Remote-Id = 0x00a0bc000002
(1) &DHCP-Relay-Circuit-Id = 0x000000222066
(1) Running 'recv DHCP-Request' from file /usr/local/etc/raddb/sites-enabled/dhcp
(1) recv DHCP-Request {
(1) update reply {
(1) &DHCP-Message-Type = DHCP-Ack
(1) } # update reply (noop)
(1) update reply {
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) } # update reply (noop)
(1) update control {
(1) &Pool-Name := "VSAT-UT"
(1) } # update control (noop)
(1) redis_ippool - Allocating lease from pool "VSAT-UT", to "00:a0:bc:00:00:02", expires in 120s
(1) redis_ippool - Reserved connection (2)
(1) redis_ippool - [1] >>> Sending command(s) to 10.43.17.86:6379
(1) redis_ippool - [1] <<< Returned: success
(1) redis_ippool - Released connection (2)
(1) redis_ippool - &reply:DHCP-Your-IP-Address := 10.88.64.104
(1) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
(1) redis_ippool - IP address lease allocated
(1) redis_ippool (updated)
(1) ok (ok)
(1) } # recv DHCP-Request (updated)
(1) Sent DHCP-Ack XID 00000000 from 10.43.16.207:67 to 10.43.18.94:67 via eth0
(1) &DHCP-Message-Type = DHCP-Ack
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) &DHCP-IP-Address-Lease-Time := 120
(1) done request
(1) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
Regards,
Nagamani Chinnapaiyan
2
2
I have a problem authenticating users on my freeradius server. It appears
as if the `User-Password` attribute is empty. I receive the following error
when authenticating:
rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain
a User-Password attribute!
I'm not sure if the problem is with my AP. radtest work as expected.
[root@ip-172-31-54-190 raddb]# radiusd -X
FreeRADIUS Version 3.0.18
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/rest
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/rfc7542
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 0.0.0.0/0 {
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 0.0.0.0/0.
Please fix your configuration
Support for old-style clients will be removed in a future release
client ::/0 {
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client ::/0. Please
fix your configuration
Support for old-style clients will be removed in a future release
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Auth-Type = rest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_rest
# Loading module "rest" from file /etc/raddb/mods-enabled/rest
rest {
connect_uri = "https://bla-spire-29862.herokuapp.com/"
connect_timeout = 4.000000
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
instantiate {
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "rest" from file /etc/raddb/mods-enabled/rest
authorize {
uri = "https://bla-spire-29862.herokuapp.com/auth/authorize"
method = "post"
body = "json"
data = "{ "username": "%{User-Name}", "password": "%{User-Password}" }"
force_to = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = "https://bla-spire-29862.herokuapp.com/auth/login"
method = "post"
body = "json"
data = "{ "username": "%{User-Name}", "password": "%{User-Password}" }"
force_to = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = "https://bla-spire-29862.herokuapp.com/accounting/%{User-Name}"
method = "post"
body = "post"
data = "{"username": %{User-Name}, "apIpAddress": "%{NAS-IP-Address}",
"apPort": "{%NAS-Port}", "callingStationId": "%{Calling-Station-Id}",
"framedIpAddress": "%{Framed-IP-Address}", "calledStationId":
"%{Called-Station-Id}", "apIdentifier": "%{NAS-Identifier}",
acctStatusType: %{Acct-Status-Type}, acctSessionId: %{Acct-Session-Id},
eventTimestamp: %{Event-Timestamp}, wISPr-Location-ID:
%{WISPr-Location-ID}, WISPr-Location-Name: %{WISPr-Location-Name},
"sessionId": "%{Acct-Unique-Session-Id}"}"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest: libcurl version changed since the server was built
rlm_rest: linked: 7.61.1 built: 7.29.0
rlm_rest: libcurl version: libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.7
libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.31.1
rlm_rest (rest): Initialising connection pool
pool {
start = 5
min = 0
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:339
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 38315
Listening on proxy address :: port 59975
Ready to process requests
(0) Received Access-Request Id 1 from 172.254.122.110:39189 to
172.31.54.190:1812 length 237
(0) User-Name = "sean(a)kettlespace.com"
(0) NAS-IP-Address = 10.1.3.100
(0) NAS-Identifier = "f09fc2cba179"
(0) Called-Station-Id = "02-9F-C2-CC-A1-79:SeanRadiusTest"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "6C-E8-5C-66-76-FD"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "4AF926FF85930522"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02010019017365616e406b6574746c6573706163652e636f6d
(0) Message-Authenticator = 0xa108f672205ef0c265511ecd509b4082
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "kettlespace.com" for User-Name = "
sean(a)kettlespace.com"
(0) suffix: No such realm "kettlespace.com"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 25
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0xd875364fd87732b7
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 1 from 172.31.54.190:1812 to
172.254.122.110:39189 length 0
(0) EAP-Message = 0x010200160410e67831d8e743b730a6074fa71e6caed4
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xd875364fd87732b7119778626ac41c2c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 2 from 172.254.122.110:39189 to
172.31.54.190:1812 length 238
(1) User-Name = "sean(a)kettlespace.com"
(1) NAS-IP-Address = 10.1.3.100
(1) NAS-Identifier = "f09fc2cba179"
(1) Called-Station-Id = "02-9F-C2-CC-A1-79:SeanRadiusTest"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "6C-E8-5C-66-76-FD"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "4AF926FF85930522"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x020200080319152b
(1) State = 0xd875364fd87732b7119778626ac41c2c
(1) Message-Authenticator = 0x4e18580f32a8f48298fa2412fb1cc65e
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "kettlespace.com" for User-Name = "
sean(a)kettlespace.com"
(1) suffix: No such realm "kettlespace.com"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry DEFAULT at line 46
(1) [files] = ok
rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 64
seconds
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 64
seconds
rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for 63
seconds
rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for 63
seconds
rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for 63
seconds
rlm_rest (rest): 0 of 0 connections in use. You may need to increase
"spare"
rlm_rest (rest): Opening additional connection (5), 1 of 32 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
rlm_rest (rest): Reserved connection (5)
(1) rest: Expanding URI components
(1) rest: EXPAND https://bla-spire-29862.herokuapp.com
(1) rest: --> https://bla-spire-29862.herokuapp.com
(1) rest: EXPAND /auth/authorize
(1) rest: --> /auth/authorize
(1) rest: Sending HTTP POST to "
https://bla-spire-29862.herokuapp.com/auth/authorize"
(1) rest: EXPAND { "username": "%{User-Name}", "password":
"%{User-Password}" }
(1) rest: --> { "username": "sean(a)kettlespace.com", "password": "" }
(1) rest: Processing response header
(1) rest: Status : 200 (OK)
(1) rest: Skipping attribute processing, no valid body data received
rlm_rest (rest): Released connection (5)
Need 9 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (6), 1 of 31 pending slots
used
rlm_rest (rest): Connecting to "https://bla-spire-29862.herokuapp.com/"
(1) [rest] = ok
(1) if (ok) {
(1) if (ok) -> TRUE
(1) if (ok) {
(1) update control {
(1) Auth-Type := rest
(1) } # update control = noop
(1) } # if (ok) = noop
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = rest
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type rest {
(1) rest: ERROR: You set 'Auth-Type = REST' for a request that does not
contain a User-Password attribute!
(1) [rest] = invalid
(1) } # Auth-Type rest = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> sean(a)kettlespace.com
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap: Expiring EAP session with state 0xd875364fd87732b7
(1) eap: Finished EAP session with state 0xd875364fd87732b7
(1) eap: Previous EAP request found for state 0xd875364fd87732b7, released
from the list
(1) eap: Request was previously rejected, inserting EAP-Failure
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) [eap] = updated
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
(0) Cleaning up request packet ID 1 with timestamp +62
(1) (1) Discarding duplicate request from client 0.0.0.0/0 port 39189 - ID:
2 due to delayed response
Waking up in 0.9 seconds.
(2) Received Access-Request Id 3 from 172.254.122.110:39189 to
172.31.54.190:1812 length 237
(2) User-Name = "sean(a)kettlespace.com"
(2) NAS-IP-Address = 10.1.3.100
(2) NAS-Identifier = "f09fc2cba179"
(2) Called-Station-Id = "02-9F-C2-CC-A1-79:SeanRadiusTest"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "6C-E8-5C-66-76-FD"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "4AF926FF85930522"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message = 0x02160019017365616e406b6574746c6573706163652e636f6d
(2) Message-Authenticator = 0x0a560958e2ccdb52cf3f09ed3680add3
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "kettlespace.com" for User-Name = "
sean(a)kettlespace.com"
(2) suffix: No such realm "kettlespace.com"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 22 length 25
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_md5 to process data
(2) eap_md5: Issuing MD5 Challenge
(2) eap: Sending EAP Request (code 1) ID 23 length 22
(2) eap: EAP session adding &reply:State = 0x715c6fc2714b6bab
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 3 from 172.31.54.190:1812 to
172.254.122.110:39189 length 0
(2) EAP-Message = 0x011700160410237e8eb9de9a23f603d18c150e64006e
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x715c6fc2714b6bab969d003cc2468653
(2) Finished request
2
1
My understanding is that, when a Linux server delegates authentication
chores (via PAM) to a RADIUS server, the information having to do with the
groups that the authenticated user belongs to is retrieved either locally -
from the relevant entry in /etc/passwd - or from a remote server via NSS -
for example, from an LDAP server.
Is there anything preventing one from getting the group information from
the RADIUS server itself? The RADIUS server could be configured so that,
when a user has been successfully authenticated by said server, this server
would send back the authentication OK RADIUS message together with one or
more attributes containing the groups information.
The reason I am asking this is because I have interacted with some devices
in the past that were able to get these data from a RADIUS server alone.
However, I don't know if this was achieved with the concourse of a
mechanism similar to what I described, or something totally different.
2
1
22 Apr '19
Our GGSN is configured to send Radius accounting in multicast to multiple servers and ignore accounting response (unacknowledge mode).
In this case, GGSN (which sends several thousand requests per second) reuses emitter UDP port and Radius ID pairs rather quickly.
On the FreeRadius side, we then encounter multiples cases of "Received conflicting packet" in the logs.
Would it not be possible for FreeRadius to process all Accounting, in this particular case where the GGSN is configured in unacknowledge mode?
3
3