Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
Hi
I have just installed freeradius 3.0.9
Didnot modify any files
the only files i touched were
1. users to include my record
2. clients.conf to include my client
started radius server
and tried to authenticate the user
i get the following messages
I checked on the forum and saw various threads dealing with default config deleted etc
I have just installed this radius server and not deleted or over written any config ,
just added a few lines in the 2 files above
i have also given a cat of the sites-enabled/default
Any help would be highly appreciated
Mon Jul 20 07:19:13 2015 : Debug: radiusd: #### Opening IP addresses and Ports ####
Mon Jul 20 07:19:14 2015 : Debug: Listening on auth address 50.50.1.1 port 1900
Mon Jul 20 07:19:14 2015 : Debug: Listening on acct address 50.50.1.1 port 1901
Mon Jul 20 07:19:14 2015 : Debug: Opening new proxy socket 'proxy address 50.50.1.1 port 0'
Mon Jul 20 07:19:14 2015 : Debug: Listening on proxy address 50.50.1.1 port 45887
Mon Jul 20 07:19:14 2015 : Info: Ready to process requests
Mon Jul 20 07:20:57 2015 : Debug: (0) Received Access-Request Id 237 from 50.50.1.2:1812 to 50.50.1.1:1900 length 119
Mon Jul 20 07:20:57 2015 : Debug: (0) User-Name = "00:19:95:20:00:02"
Mon Jul 20 07:20:57 2015 : Debug: (0) User-Password = "xxxx"
Mon Jul 20 07:20:57 2015 : Debug: (0) NAS-Identifier = "S"
Mon Jul 20 07:20:57 2015 : Debug: (0) NAS-Port = 16842817
Mon Jul 20 07:20:57 2015 : Debug: (0) NAS-Port-Type = Async
Mon Jul 20 07:20:57 2015 : Debug: (0) session-state: No State attribute
Mon Jul 20 07:20:57 2015 : Debug: (0) Empty authorize section. Using default return values.
Mon Jul 20 07:20:57 2015 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Mon Jul 20 07:20:57 2015 : Debug: (0) Failed to authenticate the user
Mon Jul 20 07:20:57 2015 : Debug: (0) Using Post-Auth-Type Reject
Mon Jul 20 07:20:57 2015 : Debug: (0) Post-Auth-Type sub-section not found. Ignoring.
Mon Jul 20 07:20:57 2015 : Debug: (0) Delaying response for 1.000000 seconds
Mon Jul 20 07:20:57 2015 : Debug: Waking up in 0.3 seconds.
Mon Jul 20 07:20:57 2015 : Debug: Waking up in 0.6 seconds.
Mon Jul 20 07:20:58 2015 : Debug: (0) <delay>: Sending delayed response
Mon Jul 20 07:20:58 2015 : Debug: (0) <delay>: Sent Access-Reject Id 237 from 50.50.1.1:1900 to 50.50.1.2:1812 length 20
Mon Jul 20 07:20:58 2015 : Debug: Waking up in 3.9 seconds.
Mon Jul 20 07:21:02 2015 : Debug: (0) <delay>: Cleaning up request packet ID 237 with timestamp +104
Mon Jul 20 07:21:02 2015 : Info: Ready to process requests
[linux raddb]# cd /usr/local/etc/raddb/
[linux sites-enabled]# pwd
/usr/local/etc/raddb/sites-enabled
[linux sites-enabled]# ls -ltr
total 0
lrwxrwxrwx 1 root root 26 Jul 20 06:25 default -> ../sites-available/default
lrwxrwxrwx 1 root root 31 Jul 20 06:25 inner-tunnel -> ../sites-available/inner-tunnel
[linux sites-enabled]#
[linux sites-enabled]# cat default
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: e16363f12d3b8ba38a4c056dd09ffa9c2d5e7de1 $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################
server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
# Out of several options the first one will be used.
#
# Allowed values are:
# IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
# IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
# hostname (radius.example.com,
# A record for ipv4addr,
# AAAA record for ipv6addr,
# A or AAAA record for ipaddr)
# wildcard (*)
#
# ipv4addr = *
# ipv6addr = *
ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
#
# Connection limiting for sockets with "proto = tcp".
#
# This section is ignored for other kinds of sockets.
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
limit {
# The number of packets received can be rate limited via the
# "max_pps" configuration item. When it is set, the server
# tracks the total number of packets received in the previous
# second. If the count is greater than "max_pps", then the
# new packet is silently discarded. This helps the server
# deal with overload situations.
#
# The packets/s counter is tracked in a sliding window. This
# means that the pps calculation is done for the second
# before the current packet was received. NOT for the current
# wall-clock second, and NOT for the previous wall-clock second.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more than
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure that
# the server will never get overloaded
#
# max_pps = 0
# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}
# IPv6 versions of the above - read their full config to understand options
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
# interface = eth0
# clients = per_socket_clients
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
limit {
# max_pps = 0
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess
# If you intend to use CUI and you require that the Operator-Name
# be set for CUI generation and you want to generate CUI also
# for your local clients then uncomment the operator-name
# below and set the operator-name for your clients in clients.conf
# operator-name
#
# If you want to generate CUI for some clients that do not
# send proper CUI requests, then uncomment the
# cui below and set "add_cui = yes" for these clients in clients.conf
# cui
#
# If you want to have a log of authentication requests,
# un-comment the following line.
# auth_log
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest
#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
# wimax
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" if it is not yet ready to
# authenticate the user. The configuration below checks for
# that code, and stops processing the "authorize" section if
# so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
eap {
ok = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix
#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in mods-available/sql
-sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'smbpasswd' module.
# smbpasswd
#
# The ldap module reads passwords from the LDAP database.
-ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
expiration
logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from attr_filter
# }
# }
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
# into a single 64bit counter Acct-[Input|Output]-Octets64.
#
# acct_counters64
#
# Session start times are *implied* in RADIUS.
# The NAS never sends a "start time". Instead, it sends
# a start packet, *possibly* with an Acct-Delay-Time.
# The server is supposed to conclude that the start time
# was "Acct-Delay-Time" seconds in the past.
#
# The code below creates an explicit start time, which can
# then be used in other modules. It will be *mostly* correct.
# Any errors are due to the 1-second resolution of RADIUS,
# and the possibility that the time on the NAS may be off.
#
# The start time is: NOW - delay - session_length
#
# update request {
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
# Update accounting packet by adding the CUI attribute
# recorded from the corresponding Access-Accept
# use it only if your NAS boxes do not support CUI themselves
# cui
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
# radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in mods-available/sql
-sql
#
# If you receive stop packets with zero session length,
# they will NOT be logged in the database. The SQL module
# will print a message (only in debugging mode), and will
# return "noop".
#
# You can ignore these packets by uncommenting the following
# three lines. Otherwise, the server will not respond to the
# accounting request, and the NAS will retransmit.
#
# if (noop) {
# ok
# }
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
# For Exec-Program and Exec-Program-Wait
exec
# Filter attributes from the accounting response.
attr_filter.accounting_response
#
# See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp
#
# See "Simultaneous Use Checking Queries" in mods-available/sql
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
#
# If you need to have a State attribute, you can
# add it here. e.g. for later CoA-Request with
# State, and Service-Type = Authorize-Only.
#
# if (!&reply:State) {
# update reply {
# State := "0x%{randstr:16h}"
# }
# }
#
# For EAP-TTLS and PEAP, add the cached attributes to the reply.
# The "session-state" attributes are automatically cached when
# an Access-Challenge is sent, and automatically retrieved
# when an Access-Request is received.
#
# The session-state attributes are automatically deleted after
# an Access-Reject or Access-Accept is sent.
#
update {
&reply: += &session-state:
}
# Get an address from the IP Pool.
# main_pool
# Create the CUI value and add the attribute to Access-Accept.
# Uncomment the line below if *returning* the CUI.
# cui
#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in mods-available/sql
-sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
# ldap
# For Exec-Program and Exec-Program-Wait
exec
#
# Calculate the various WiMAX keys. In order for this to work,
# you will need to define the WiMAX NAI, usually via
#
# update request {
# WiMAX-MN-NAI = "%{User-Name}"
# }
#
# If you want various keys to be calculated, you will need to
# update the reply with "template" values. The module will see
# this, and replace the template values with the correct ones
# taken from the cryptographic calculations. e.g.
#
# update reply {
# WiMAX-FA-RK-Key = 0x00
# WiMAX-MSK = "%{EAP-MSK}"
# }
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
# wimax
# If there is a client certificate (EAP-TLS, sometimes PEAP
# and TTLS), then some attributes are filled out after the
# certificate verification has been performed. These fields
# MAY be available during the authentication, or they may be
# available only in the "post-auth" section.
#
# The first set of attributes contains information about the
# issuing certificate which is being used. The second
# contains information about the client certificate (if
# available).
#
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
# Insert class attribute (with unique value) into response,
# aids matching auth and acct records, and protects against duplicate
# Acct-Session-Id. Note: Only works if the NAS has implemented
# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
# insert_acct_class
# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
# if (&reply:EAP-Session-Id) {
# update reply {
# EAP-Key-Name := &reply:EAP-Session-Id
# }
# }
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
# The "session-state" attributes are not available here.
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Before proxing the request add an Operator-Name attribute identifying
# if the operator-name is found for this client.
# No need to uncomment this if you have already enabled this in
# the authorize section.
# operator-name
# The client requests the CUI by sending a CUI attribute
# containing one zero byte.
# Uncomment the line below if *requesting* the CUI.
# cui
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail-Accounting {
# detail
# }
}
}
5
7
I am compiling FreeRADIUS version 3.1.x from source and I get the following error:
[]# cd freeradius-server-3.1.x[]# ./configure --with-openssl-lib-dir=/usr/local/ssl/lib --with-openssl-include-dir=/usr/local/ssl/include[]# make
[ .... SNIP ....]
CC src/lib/version.c
/usr/bin/ld: /usr/local/ssl/lib/libcrypto.a(md4_dgst.o): relocation R_X86_64_PC32 against undefined symbol `memset@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
make: *** [build/lib/local/libfreeradius-radius.la] Error 1
So I recompile openssl:
[]# cd openssl-1.0.2d
[]# ./config -fPIC[]# make[]# make install
Trying make again, different module but same suggestion?
[]# cd freeradius-server-3.1.x[]# make
[ .... SNIP ....]
CC src/modules/rlm_wimax/rlm_wimax.c
/usr/bin/ld: /usr/local/ssl/lib/libcrypto.a(rsaz_exp.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/ssl/lib/libcrypto.a: could not read symbols: Bad value
collect2: error: ld returned 1 exit status
make: *** [build/lib/local/rlm_wimax.la] Error 1
3
3
Hi,
Here is a trace of crash
Starting program: /usr/local/sbin/radiusd -fxx
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffebbf8700 (LWP 116866)]
[New Thread 0x7fffeb3f7700 (LWP 116867)]
[New Thread 0x7fffeabf6700 (LWP 116868)]
[New Thread 0x7fffea3f5700 (LWP 116869)]
[New Thread 0x7fffe9bf4700 (LWP 116870)]
[New Thread 0x7fffe93f3700 (LWP 116871)]
[New Thread 0x7fffe8bf2700 (LWP 116872)]
[New Thread 0x7fffe83f1700 (LWP 116873)]
[New Thread 0x7fffe7bf0700 (LWP 116874)]
[New Thread 0x7fffe73ef700 (LWP 116875)]
[New Thread 0x7fffe6bee700 (LWP 116876)]
[New Thread 0x7fffe63ed700 (LWP 116877)]
[New Thread 0x7fffe5bec700 (LWP 116878)]
[New Thread 0x7fffe53eb700 (LWP 116879)]
[New Thread 0x7fffe4bea700 (LWP 116880)]
[New Thread 0x7fffe43e9700 (LWP 116881)]
[New Thread 0x7fffe3be8700 (LWP 116882)]
[New Thread 0x7fffe33e7700 (LWP 116883)]
[New Thread 0x7fffe2be6700 (LWP 116884)]
[New Thread 0x7fffe23e5700 (LWP 116885)]
[New Thread 0x7fffe1be4700 (LWP 116886)]
[New Thread 0x7fffe13e3700 (LWP 116887)]
[New Thread 0x7fffe0be2700 (LWP 116888)]
[New Thread 0x7fffe03e1700 (LWP 116889)]
[New Thread 0x7fffdfbe0700 (LWP 116890)]
[New Thread 0x7fffdf3df700 (LWP 116891)]
[New Thread 0x7fffdebde700 (LWP 116892)]
[New Thread 0x7fffde3dd700 (LWP 116893)]
[New Thread 0x7fffddbdc700 (LWP 116894)]
[New Thread 0x7fffdd3db700 (LWP 116895)]
[New Thread 0x7fffdcbda700 (LWP 116896)]
[New Thread 0x7fffdc3d9700 (LWP 116897)]
[New Thread 0x7fffdbbd8700 (LWP 116898)]
[New Thread 0x7fffdb3d7700 (LWP 116899)]
[New Thread 0x7fffdabd6700 (LWP 116900)]
[New Thread 0x7fffda3d5700 (LWP 116901)]
[New Thread 0x7fffd9bd4700 (LWP 116902)]
[New Thread 0x7fffd93d3700 (LWP 116903)]
[New Thread 0x7fffd8bd2700 (LWP 116904)]
[New Thread 0x7fffd83d1700 (LWP 116905)]
[New Thread 0x7fffd7bd0700 (LWP 116906)]
[New Thread 0x7fffd73cf700 (LWP 116907)]
[New Thread 0x7fffd6bce700 (LWP 116908)]
[New Thread 0x7fffd63cd700 (LWP 116909)]
[New Thread 0x7fffd5bcc700 (LWP 116910)]
[New Thread 0x7fffd53cb700 (LWP 116911)]
[New Thread 0x7fffd4bca700 (LWP 116912)]
[New Thread 0x7fffd43c9700 (LWP 116913)]
[New Thread 0x7fffd3bc8700 (LWP 116914)]
[New Thread 0x7fffd33c7700 (LWP 116915)]
[New Thread 0x7fffd2bc6700 (LWP 118007)]
[New Thread 0x7fffd23c5700 (LWP 118008)]
[New Thread 0x7fffd1bc4700 (LWP 118009)]
[New Thread 0x7fffd13c3700 (LWP 118010)]
Thread 34 "radiusd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdbbd8700 (LWP 116898)]
0x0000000000442c62 in insert_into_proxy_hash (request=0x7fff500039d0)
at src/main/process.c:2303
2303 request->home_server->currently_outstanding++;
Id Target Id Frame
32 Thread 0x7fffdcbda700 (LWP 116896) "radiusd" 0x00007ffff6c74827 in
futex_abstimed_wait_cancelable (private=0, abstime=0x0, expected=0,
futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
33 Thread 0x7fffdc3d9700 (LWP 116897) "radiusd" 0x00007ffff6c74827 in
futex_abstimed_wait_cancelable (private=0, abstime=0x0, expected=0,
futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
* 34 Thread 0x7fffdbbd8700 (LWP 116898) "radiusd" 0x0000000000442c62 in
insert_into_proxy_hash (request=0x7fff500039d0) at src/main/process.c:2303
35 Thread 0x7fffdb3d7700 (LWP 116899) "radiusd" 0x00007ffff6c74827 in
futex_abstimed_wait_cancelable (private=0, abstime=0x0, expected=0,
futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
36 Thread 0x7fffdabd6700 (LWP 116900) "radiusd" 0x00007ffff6c74827 in
futex_abstimed_wait_cancelable (private=0, abstime=0x0, expected=0,
futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
Thread 38 (Thread 0x7fffd9bd4700 (LWP 116902)):
#0 0x00007ffff6c74827 in futex_abstimed_wait_cancelable (private=0,
abstime=0x0, expected=0, futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
__ret = -512
oldtype = 0
err = <optimized out>
#1 do_futex_wait (sem=sem@entry=0x6873e8 <thread_pool+168>, abstime=0x0)
at sem_waitcommon.c:111
No locals.
#2 0x00007ffff6c748d4 in __new_sem_wait_slow (sem=0x6873e8
<thread_pool+168>,
abstime=0x0) at sem_waitcommon.c:181
_buffer = {__routine = 0x7ffff6c747e0 <__sem_wait_cleanup>,
__arg = 0x6873e8 <thread_pool+168>, __canceltype = 0, __prev =
0x0}
err = <optimized out>
d = 227633266688
#3 0x00007ffff6c7497a in __new_sem_wait (sem=<optimized out>) at
sem_wait.c:29
No locals.
#4 0x000000000043c8ae in request_handler_thread (arg=0xb68680)
at src/main/threads.c:755
self = 0xb68680
#5 0x00007ffff6c6c6ba in start_thread (arg=0x7fffd9bd4700)
at pthread_create.c:333
__res = <optimized out>
pd = 0x7fffd9bd4700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736846448384,
-8854724666266409425, 0, 140737488346975, 140736846449088,
0,
8854641668176815663, 8854744653752641071},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0x00007ffff676a41d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
Thread 37 (Thread 0x7fffda3d5700 (LWP 116901)):
#0 0x00007ffff6c74827 in futex_abstimed_wait_cancelable (private=0,
abstime=0x0, expected=0, futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
__ret = -512
oldtype = 0
err = <optimized out>
#1 do_futex_wait (sem=sem@entry=0x6873e8 <thread_pool+168>, abstime=0x0)
at sem_waitcommon.c:111
No locals.
#2 0x00007ffff6c748d4 in __new_sem_wait_slow (sem=0x6873e8
<thread_pool+168>,
abstime=0x0) at sem_waitcommon.c:181
_buffer = {__routine = 0x7ffff6c747e0 <__sem_wait_cleanup>,
__arg = 0x6873e8 <thread_pool+168>, __canceltype = 0, __prev =
0x0}
err = <optimized out>
d = 214748364800
#3 0x00007ffff6c7497a in __new_sem_wait (sem=<optimized out>) at
sem_wait.c:29
No locals.
#4 0x000000000043c8ae in request_handler_thread (arg=0xb67ea0)
at src/main/threads.c:755
self = 0xb67ea0
#5 0x00007ffff6c6c6ba in start_thread (arg=0x7fffda3d5700)
at pthread_create.c:333
__res = <optimized out>
pd = 0x7fffda3d5700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736854841088,
-8854724666266409425, 0, 140737488346975, 140736854841792,
0,
8854647161976858159, 8854744653752641071},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0x00007ffff676a41d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
Thread 36 (Thread 0x7fffdabd6700 (LWP 116900)):
#0 0x00007ffff6c74827 in futex_abstimed_wait_cancelable (private=0,
abstime=0x0, expected=0, futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
__ret = -512
oldtype = 0
err = <optimized out>
#1 do_futex_wait (sem=sem@entry=0x6873e8 <thread_pool+168>, abstime=0x0)
at sem_waitcommon.c:111
No locals.
#2 0x00007ffff6c748d4 in __new_sem_wait_slow (sem=0x6873e8
<thread_pool+168>,
abstime=0x0) at sem_waitcommon.c:181
_buffer = {__routine = 0x7ffff6c747e0 <__sem_wait_cleanup>,
__arg = 0x6873e8 <thread_pool+168>, __canceltype = 0, __prev =
0x0}
err = <optimized out>
d = 227633266688
#3 0x00007ffff6c7497a in __new_sem_wait (sem=<optimized out>) at
sem_wait.c:29
No locals.
#4 0x000000000043c8ae in request_handler_thread (arg=0xb67770)
at src/main/threads.c:755
self = 0xb67770
#5 0x00007ffff6c6c6ba in start_thread (arg=0x7fffdabd6700)
at pthread_create.c:333
__res = <optimized out>
pd = 0x7fffdabd6700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736863233792,
-8854724666266409425, 0, 140737488346975, 140736863234496,
0,
8854648262025356847, 8854744653752641071},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0x00007ffff676a41d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
Thread 35 (Thread 0x7fffdb3d7700 (LWP 116899)):
#0 0x00007ffff6c74827 in futex_abstimed_wait_cancelable (private=0,
abstime=0x0, expected=0, futex_word=0x6873e8 <thread_pool+168>)
at ../sysdeps/unix/sysv/linux/futex-internal.h:205
__ret = -512
oldtype = 0
err = <optimized out>
#1 do_futex_wait (sem=sem@entry=0x6873e8 <thread_pool+168>, abstime=0x0)
at sem_waitcommon.c:111
No locals.
#2 0x00007ffff6c748d4 in __new_sem_wait_slow (sem=0x6873e8
<thread_pool+168>,
abstime=0x0) at sem_waitcommon.c:181
_buffer = {__routine = 0x7ffff6c747e0 <__sem_wait_cleanup>,
__arg = 0x6873e8 <thread_pool+168>, __canceltype = 0, __prev =
0x0}
err = <optimized out>
d = 219043332096
#3 0x00007ffff6c7497a in __new_sem_wait (sem=<optimized out>) at
sem_wait.c:29
No locals.
#4 0x000000000043c8ae in request_handler_thread (arg=0xb671b0)
at src/main/threads.c:755
self = 0xb671b0
#5 0x00007ffff6c6c6ba in start_thread (arg=0x7fffdb3d7700)
at pthread_create.c:333
__res = <optimized out>
pd = 0x7fffdb3d7700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736871626496,
-8854724666266409425, 0, 140737488346975, 140736871627200,
0,
8854644964027344431, 8854744653752641071},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0x00007ffff676a41d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
Thread 34 (Thread 0x7fffdbbd8700 (LWP 116898)):
#0 0x0000000000442c62 in insert_into_proxy_hash (request=0x7fff500039d0)
at src/main/process.c:2303
buf = '\000' <repeats 48 times>,
"x|\275\333\230\000\000\000\000\234\240F\367&\270\037\220|\275\333\377\177\000\000\212\214B\000\000\000\000\000\320\071\000P\377\177\000\000\000\000\000\000\005\000\000\000\000\000\000\000\a",
'\000' <repeats 11 times>, "`^\256", '\000' <repeats 12 times>
tries = 0
success = true
proxy_listener = 0xb8a510
#1 0x0000000000448396 in request_coa_originate (request=0xb98270)
at src/main/process.c:4266
rcode = 7
pre_proxy_type = 0
vp = 0x0
coa = 0x7fff500039d0
ipaddr = {af = 2, ipaddr = {ip4addr = {s_addr = 1275110922},
ip6addr = {__in6_u = {
__u6_addr8 = "\n\246\000L", '\000' <repeats 11 times>,
__u6_addr16 = {42506, 19456, 0, 0, 0, 0, 0, 0}, __u6_addr32
= {
1275110922, 0, 0, 0}}}}, prefix = 32 ' ', scope = 0}
buffer =
"\000\207\275\333\377\177\000\000\000\234\240F\367&\270\037\240}\275\333\377\177\000\000\355l\226\367\377\177\000\000\260}\275\333\377\177\000\000pE\000P\377\177\000\000\340}\275\333\243\000\000\000\320\t\230\367\377\177\000\000\031\000\000\000S\000\000\000\270\321\203\000\000\000\000\000\220\236\271\000\000\000\000\000
z\202\000\000\000\000\000\004\000\000\000\000\000\000\000pE\000P\377\177\000\000\000\000\000\000\000\000\000\000\020~\275\333\377\177\000\000\340}\275\333\377\177\000\000.4\225\367\377\177\000\000\340}\275\333\377\177\000\000\315\061\225\367\200\177\000\000\000\000\000\000\070\004\000\000\020~\275\333\377\177\000\000\b~\275\333\377\177\000\000\000\000\000\000\000\000\000\000@
~\275\333\377\177\000\000"...
#2 0x0000000000440ad3 in request_finish (request=0xb98270, action=1)
at src/main/process.c:1376
vp = 0x0
#3 0x000000000044128f in request_running (request=0xb98270, action=1)
at src/main/process.c:1604
__FUNCTION__ = "request_running"
#4 0x000000000043ca0b in request_handler_thread (arg=0xb66d60)
at src/main/threads.c:826
self = 0xb66d60
#5 0x00007ffff6c6c6ba in start_thread (arg=0x7fffdbbd8700)
at pthread_create.c:333
__res = <optimized out>
pd = 0x7fffdbbd8700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736880019200,
-8854724666266409425, 0, 140737488346975, 140736880019904,
0,
8854646064075843119, 8854744653752641071},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#6 0x00007ffff676a41d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
Regards,
Mail: 8zero2.in(a)gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
3
6
19 Nov '18
Greetings all. Let me first say I'm a huge newbie on this whole subject
and have not used freeradius with any more than the default configs and
some user lines along the line of "bob Cleartext-Password := password",
but I've been working on putting together a docker cluster/whatever
using freeradius, postgresql, and a small django project using
django-freeradius to manage users and such. I've tried, to the best of
my ability, to configure freeradius to use rest with their api endpoints
to authenticate users, but I can't get anything other than radtest to
work.
If you clone https://bitbucket.org/hanetzer/radius.git and
docker-compose up --build, you should get a close approximation of my
current setup. You will also need a .env file in the repo's root, which
has a format like this:
DATABASE_URL=db://postgres:changeme@db/postgres #not yet configurable
DJANGO_DEBUG=false # whether DEBUG=True or not in django
DJANGO_FREERADIUS_API_TOKEN=longasstokenhere # django-freeradius thing
DJANGO_MANAGEPY_COLLECTSTATIC=off #django thing, not yet right so you may get glitchy assets on the admin site
DJANGO_MANAGEPY_MAKEMIGRATIONS=on
DJANGO_MANAGEPY_MIGRATE=on # apply changes to the postgresql db to set up schemas
DJANGO_SETTINGS_MODULE=radius.settings # needed for now
POSTGRES_DB=postgres # not yet configurable
POSTGRES_PASSWORD=changeme # not yet configurable
POSTGRES_USER=postgres # not yet configurable
SECRET_KEY=somesecretkey # django specific
FREERADIUS_SECRET=testing123 # havent' got all the spots yet so best to stick to this value
The setup is supposed to make a json post to api/v1/... which contains,
among other things, { "user":"%{User-Name}", "password":"%{User-Password}" }.
But, %{User-Password} always evaluates to "", an empty string. A manual curl to
the api endpoints works, however.
You'll need to enter the docker container running the webserver like
this 'docker exec -it radius_freeradius_xxxxxx sh' and source /venv/bin/activate,
at which point you run ./manage.py createsuperuser. Follow the prompts
and the admin/root user will be created. You can add a testing normal
user with ./manage.py batch_add_users --name test --file some.csv, where
some.csv contains the following:
username,cleartext$password,username(a)somehost.com,FirstName,LastName
the password must either be encrypted using the django scheme or
prefaced with the cleartext$ token.
You can access the admin interface and login with the superuser
credentials created above with the url http://localhost:8000/admin
If anyone could provide any help/suggestions on this matter I'd greately
appreciate it.
Marty
3
5
Hi,
I'm currently in the process of integration FreeRADIUS with 802.1x
(EAP-TTLS/PAP) and FreeIPA (LDAP). If I don't perform group membership
checking credential verification is working just fine. But when I try to
validate membership of a user to an LDAP group it's failing during the
check of the "groupOf" attribute. The user I am testing (
*"uid=rolo,cn=users,cn=accounts,dc=example,dc=org"*) is member to many
groups (*"cn=XXXX,cn=groups,cn=accounts,dc=example,dc=org"*) in FreeIPA,
and also has admin rights to the server so has many entries in the
style *"cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* (for example).
As FreeRADIUS goes down the list of groups to resolve the DN to a group
name for comparison it seems to hit a wall with the second entry in the
list. I thinking it could be because of the space in the first CN portion.
It then returns the message *"ERROR: Group DN "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to
an object"*.
(0) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(0) post-auth {
(0) if (LDAP-Group == "aaa-admins") {
(0) Searching for user in group "aaa-admins"
rlm_ldap (ldap): Reserved connection (2)
(0) Using user DN from request
"uid=rolo,cn=users,cn=accounts,dc=example,dc=org"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in
"uid=rolo,cn=users,cn=accounts,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Processing memberOf value
"cn=admins,cn=groups,cn=accounts,dc=example,dc=org" as a DN
(0) Resolving group DN
"cn=admins,cn=groups,cn=accounts,dc=example,dc=org" to group name
(0) Performing unfiltered search in
"cn=admins,cn=groups,cn=accounts,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Group DN "cn=admins,cn=groups,cn=accounts,dc=example,dc=org"
resolves to name "admins"
(0) Processing memberOf value "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org" as a DN
(0) Resolving group DN "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org" to group name
(0) Performing unfiltered search in "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Search returned no results
(0) ERROR: Group DN "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to
an object
rlm_ldap (ldap): Released connection (2)
Using a standard 'ldapsearch' on the command line I *am* able to retrieve
the *"cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* object
successfully, so I'm not sure why it said it does not resolve to an object.
I tried taking a look at src/modules/rlm_ldap/groups.c and
src/modules/rlm_ldap/ldap.c but, not being a C programmer, I got lost
fairly quickly.
Is it the space that's causing the error (that's all I can see)?
Thanks,
-Martin
1
1
Hello,
I have on sqlcounter :
sqlcounter counterChilliSpotMaxTotalOctetsAll {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = ChilliSpot-Max-Total-Octets
check_name = CS-Total-Octets
counter-type = data
reply_name =
ChilliSpot-Max-Total-Octets
key = User-Name
reset = never
query = "SELECT
IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE
UserName='%%{${key}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime >
'%%b'"
}
When I start : Freeradius -X
I have this error :
/etc/freeradius/3.0/mods-enabled/sqlcounter[357]: Counter attribute
ChilliSpot-Max-Total-Octets MUST be integer64
/etc/freeradius/3.0/mods-enabled/sqlcounter[357]: Instantiation failed for
module "counterChilliSpotMaxTotalOctetsAll"
How can I solve this ?
JMLZ
---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus
3
4
17 Nov '18
Hi, i'm trying to work with freeradius (ver 3.0.17 on ubuntu server 16.04)
and a mssql db as backend, using odbc drivers.
I've installed odbc driver from:
https://docs.microsoft.com/it-it/sql/connect/odbc/linux-mac/installing-the-…
my odbc.ini:
"
[test]
Driver = ODBC Driver 17 for SQL Server
Database = radius
Server = 10.196.200.74
"
connection test:
"
root@radius:~# isql -v test sa ************
+---------------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| quit |
| |
+---------------------------------------+
SQL>
"
then i setup the database schema on mssql and i setup the freeradius
config's files:
my /etc/freeradius/mods-enabled/sql:
"
sql {
driver = "rlm_sql_iodbc"
dialect = "mssql"
server = "test"
login = "sa"
password = "*********"
radius_db = "radius"
acct_table1 = "radacct"
..........
"
but if i try to start freeradius in debug mode, the attempt to connect to
database fail and freeradius do not start
"
root@radius:~# freeradius -X
FreeRADIUS Version 3.0.17
...
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql {
driver = "rlm_sql_iodbc"
server = "test"
port = 1433
login = "sa"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
........
rlm_sql (sql): Driver rlm_sql_iodbc (module rlm_sql_iodbc) loaded
and linked
........
# Instantiating module "sql" from file
/etc/freeradius/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending
slots used
rlm_sql_iodbc: SQLConnectfailed
"
Could you please help how to fix the problem?
Thanks in advance.
Gioele
3
3
Hello everyone, I promise I red the docs and examples, but either they
refer to older versions of FreeRADIUS or don't match my scenario. Maybe
there are assumptions that I am not aware of.
I have a Juniper network where we assign devices to vlans based on their
MAC. The MACS are stored in an LDAP with the MAC as username and password.
The group membership is what distinguishes the vlan needed.
I managed to configure the ldap and enable the ldap module. FreeRADIUS
starts fine with it. I also added all the switches as clients.
I need help figuring out:
1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?
2. Where do I match the group in ldap with the vlan number that needs to be
sent to the client (switch)? For example, for group Staff value is 10 (vlan
10).
Thank you in advance for your help!
Victor
2
1
Is there a way to add a custom auth script just for PAP?
If have the following
authorize {
filter_username
preprocess
mschap
eap {
ok = return
}
-ldap
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
mschap
eap
}
I tried the following solution but it handles all auth methods
https://stackoverflow.com/a/13870838/935122 <https://stackoverflow.com/a/13870838/935122>
2
7
Hi,
I try to use LDAP server for the testing, I facing issue
here is the configuration I am trying to use
l
*dap { # Note that this needs to match the name(s) in the LDAP
server # certificate, if you're using ldaps. See OpenLDAP
documentation # for the behavioral semantics of specifying more
than one host. # # Depending on the libldap in use, server
may be an LDAP URI. # In the case of OpenLDAP this allows
additional the following # additional schemes: # - ldaps://
(LDAP over SSL) # - ldapi:// (LDAP over Unix socket) # -
ldapc:// (Connectionless LDAP) server = 'ldap://127.0.0.1
<http://127.0.0.1>'# server = 'ldap://ldap.slc10yyj.us.oracle.com
<http://ldap.slc10yyj.us.oracle.com>'# server =
'ldap.rrdns.example.org <http://ldap.rrdns.example.org>'# server =
'ldap.rrdns.example.org <http://ldap.rrdns.example.org>' # Port to
connect on, defaults to 389, will be ignored for LDAP URIs. port =
1389 # Administrator account for searching and possibly
modifying. # If using SASL + KRB5 these should be commented
out. identity = 'cn=Directory Manager' password =
welcome1 # Unless overridden in another section, the dn from which
all # searches will start from. base_dn =
'dc=example,dc=com'*
}
I given the server adress with hotsname and with ldap.prefix also
like
* server = 'ldap://ldap.slc10yyj.us.oracle.com
<http://ldap.slc10yyj.us.oracle.com>'*
* server = 'ldap.slc10yyj.us.oracle.com
<http://ldap.slc10yyj.us.oracle.com>'*
* server = 'slc10yyj.us.oracle.com <http://slc10yyj.us.oracle.com>'*
But I getting below error
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap[8]: Parsing
LDAP URL "ldap://127.0.0.1" failed
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap[8]:
Instantiation failed for module "ldap"
Full debug log is here:
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = idcs
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_exec
# Loading module "echo" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/replicate
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_expr
# Loading module "expr" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïô\u0153ùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔ\u0152ÙÛÜ\u0178"
}
# Loaded module rlm_files
# Loading module "files" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/files
files {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/authorize"
acctusersfile =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_eap
# Loading module "eap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loading module "ntlm_auth" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
linelog {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_idcs
# Loading module "idcs" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/idcs
idcs {
idcs_server_url = "
https://idcs-e5ed1fc566f04a8ea9e1da46c6dcee26.identity.preprod.oraclecloud.…
"
wallet_location = "/scratch/shivap/"
scopes = "urn:opc:idm:__myscopes__"
connect_timeout = 70.000000
}
# Loaded module rlm_unix
# Loading module "unix" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/freeradius-server-3.0.17/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_pap
# Loading module "pap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/expiration
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/digest
# Loaded module rlm_unpack
# Loading module "unpack" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/unpack
# Loaded module rlm_ldap
# Loading module "ldap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap
ldap {
server = "ldap://127.0.0.1"
port = 1389
identity = "cn=Directory Manager"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=example,dc=com"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_date
# Loading module "date" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/radutmp
radutmp {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_chap
# Loading module "chap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/chap
# Loaded module rlm_realm
# Loading module "IPASS" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/utf8
# Loading module "sradutmp" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename =
"/usr/local/freeradius-server-3.0.17/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "exec" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/huntgroups"
hints =
"/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
instantiate {
}
# Instantiating module "logintime" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/logintime
# Instantiating module "etc_passwd" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "files" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/files
reading pairlist file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/authorize
reading pairlist file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/accounting
reading pairlist file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "eap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/freeradius-server-3.0.17/etc/raddb/certs"
pem_file_type = yes
private_key_file =
"/usr/local/freeradius-server-3.0.17/etc/raddb/certs/server.pem"
certificate_file =
"/usr/local/freeradius-server-3.0.17/etc/raddb/certs/server.pem"
ca_file =
"/usr/local/freeradius-server-3.0.17/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/freeradius-server-3.0.17/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "linelog" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/linelog
# Instantiating module "idcs" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/idcs
----------------------Entered mod_instantiate-------------------------
-------------------- idcs_server_url[
https://idcs-e5ed1fc566f04a8ea9e1da46c6dcee26.identity.preprod.oraclecloud.…
]-------------------------
----------------------End mod_instantiate-------------------------
# Instantiating module "detail" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/detail.log
# Instantiating module "pap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/expiration
# Instantiating module "cache_eap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "ldap" from file
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap
rlm_ldap: Falling back to build time libldap version info. Query for
LDAP_OPT_API_INFO returned: 89
rlm_ldap: libldap vendor: OpenLDAP, version: 2.4.40
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
k val = 89
value = ldap://127.0.0.1
res = 89
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap[8]: Parsing
LDAP URL "ldap://127.0.0.1" failed
/usr/local/freeradius-server-3.0.17/etc/raddb/mods-enabled/ldap[8]:
Instantiation failed for module "ldap"
Regards,
Shivaprasad
2
1