Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 11 participants
- 27047 discussions
12 Nov '18
I'm working with an embedded device that needs to authenticate to a
FreeRADIUS server using EAP-TLS or EAP-TTLS. I don't control the
FreeRADIUS server (this means I can't provide debug output, sorry), I
just need to authenticate to it from the device, with the server
configured to talk EAP-TLS/EAP-TTLS. The device runs custom software
that talks RADIUS, EAP, and TLS, but no matter what I try, I can't
find the right combination of messages to get the server to negotiate
one of the two TLS protocols.
I've tried the obvious option of sending a RADIUS Access-Request
containing an EAP-Message TLV with code EAP-Request, type EAP-TLS or
EAP-TTLS, but get no response from the server. It replies to other
random requests with the expected Access-Reject, so it's responding to
requests, just not the TLS ones. All the example message flows I can
find, e.g. in RFC 3579, have three parties involved, the client, a
NAS, and the RADIUS server, so the client ends up sending an
EAP-Response to the NAS rather than anything to the RADIUS server.
Does anyone know what I need to send from the client directly to the
FreeRADIUS server to trigger the EAP-TLS/TTLS process? I'm looking
for something like RADIUS code, EAP code, and EAP type, along with any
other RADIUS and EAP TLVs that may be required.
3
9
Hi all,
I want to use the linelog module to print logs in a machine readable format
for my ELK stack, I would like to print them in json.
I would like to have user controlled fields (like the username) sanitized,
from an old discussion[1] in this mailing list I find out that there is a
"jsonquote" xlat expansion available, so I tried to use it but with little
success since the module is unknown.
(0) linelog: ERROR: %T request [%{jsonquote:request:User-Name}] ....
> (0) linelog: ERROR: ^ Unknown module
>
After a quick search in the wiki[2] I found out that the jsonquote xlat is
provided by the rlm_rest module. So I tried to enable it adding in
`mods-enabled` a symlink to the configuration file, but then the freeradius
server fails to start since the module is not configured (for example it
tries to connect to localhost but i have no web services enabled on the VM).
Is "jsonquote" the right way to achieve this? If it is, how can I use it
without configuring properly (and pointing to a real web server) the rest
module?
Thank you,
Enrico Polesel
[1]
http://lists.freeradius.org/pipermail/freeradius-users/2017-January/086317.…
[2] https://wiki.freeradius.org/config/Xlat#provided-by-modules_rlm_rest
4
4
Hi,
I have problem with pap password normalization when radius fetches
password from ldap in base64 format.
Here is example where it works:
FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS
server project and contributors There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may
redistribute copies of FreeRADIUS under the terms of the GNU General
Public License For more information about these matters, see the file
named COPYRIGHT Starting - reading configuration files ... including
dictionary file /usr/share/freeradius/dictionary including dictionary
file /usr/share/freeradius/dictionary.dhcp including dictionary file
/usr/share/freeradius/dictionary.vqp including dictionary file
/etc/freeradius/3.0/dictionary including configuration file
/etc/freeradius/3.0/radiusd.conf including configuration file
/etc/freeradius/3.0/proxy.conf including configuration file
/etc/freeradius/3.0/clients.conf including files in directory
/etc/freeradius/3.0/mods-enabled/ including configuration file
/etc/freeradius/3.0/mods-enabled/detail including configuration file
/etc/freeradius/3.0/mods-enabled/exec including configuration file
/etc/freeradius/3.0/mods-enabled/detail.log including configuration
file /etc/freeradius/3.0/mods-enabled/ldap2 including configuration
file /etc/freeradius/3.0/mods-enabled/echo including configuration
file /etc/freeradius/3.0/mods-enabled/dynamic_clients including
configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file
/etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration
file /etc/freeradius/3.0/mods-enabled/preprocess including
configuration file /etc/freeradius/3.0/mods-enabled/utf8 including
configuration file /etc/freeradius/3.0/mods-enabled/unpack including
configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file
/etc/freeradius/3.0/mods-enabled/logintime including configuration
file /etc/freeradius/3.0/mods-enabled/ldap1 including configuration
file /etc/freeradius/3.0/mods-enabled/files including configuration
file /etc/freeradius/3.0/mods-enabled/mschap including configuration
file /etc/freeradius/3.0/mods-enabled/digest including configuration
file /etc/freeradius/3.0/mods-enabled/eap including configuration file
/etc/freeradius/3.0/mods-enabled/radutmp including configuration file
/etc/freeradius/3.0/mods-enabled/soh including configuration file
/etc/freeradius/3.0/mods-enabled/cache_eap including configuration
file /etc/freeradius/3.0/mods-enabled/expiration including
configuration file /etc/freeradius/3.0/mods-enabled/chap including
files in directory /etc/freeradius/3.0/policy.d/ including
configuration file /etc/freeradius/3.0/policy.d/group_authorization
including configuration file
/etc/freeradius/3.0/policy.d/canonicalization including configuration
file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including
configuration file /etc/freeradius/3.0/policy.d/filter including
configuration file /etc/freeradius/3.0/policy.d/control including
configuration file /etc/freeradius/3.0/policy.d/accounting including
configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file
/etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user
= "freerad" group = "freerad" allow_core_dumps = no } name =
"freeradius" prefix = "/usr" localstatedir = "/var" logdir =
"/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name =
"freeradius" prefix = "/usr" localstatedir = "/var" sbindir =
"/usr/sbin" logdir = "/var/log/freeradius" run_dir =
"/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir =
"/var/log/freeradius/radacct" hostname_lookups = no max_request_time =
30 cleanup_delay = 5 max_requests = 16384 pidfile =
"/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad"
debug_level = 0 proxy_requests = yes log { stripped_names = no auth =
no auth_badpass = no auth_goodpass = no colourise = yes msg_denied =
"You are already logged in - access denied" } resources { } security {
max_attributes = 200 reject_delay = 1.000000 status_server = yes } }
radiusd: #### Loading Realms and Home Servers #### proxy server {
retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120
wake_all_if_all_dead = no } home_server localhost { ipaddr =
123.456.789.1 port = 1812 type = "auth" secret = <<< secret >>>
response_window = 20.000000 response_timeouts = 1 max_outstanding =
65536 zombie_period = 40 status_check = "status-server" ping_interval
= 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3
revive_interval = 120 limit { max_connections = 16 max_requests = 0
lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd =
30 } } home_server_pool my_auth_failover { type = fail-over
home_server = localhost } realm example.com { auth_pool =
my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients ####
client localhost { ipaddr = 123.456.789.1
require_message_authenticator = no secret = <<< secret >>> limit {
max_connections = 16 lifetime = 0 idle_timeout = 30 } } client
123.456.789.227/32 { require_message_authenticator = no secret = <<<
secret >>> shortname = "123.456.789.227" limit { max_connections = 16
lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.227/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.96/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.96" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.96/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.21/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.21" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.21/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.248/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.248" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.248/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.180/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.180" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.180/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.16/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.16" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.16/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.54/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.54" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.54/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.83/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.83" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.83/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.65/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.65" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.65/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.131/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.131" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.131/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.162/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.162" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.162/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.147/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.147" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.147/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.220/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.220" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.220/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.171/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.171" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.171/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.150/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.150" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.150/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.116/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.116" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.116/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.6/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.6" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.6/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.116/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.116" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.116/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.117/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.117" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.117/32. Please fix your
configuration Support for old-style clients will be removed in a
future release Debugger not attached # Creating Auth-Type = mschap #
Creating Auth-Type = digest # Creating Auth-Type = eap # Creating
Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type =
MS-CHAP # Creating Auth-Type = LDAP radiusd: #### Instantiating
modules #### modules { # Loaded module rlm_detail # Loading module
"detail" from file /etc/freeradius/3.0/mods-enabled/detail detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loaded module rlm_exec # Loading module
"exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait =
no input_pairs = "request" shell_escape = yes timeout = 10 } # Loading
module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename
= "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loaded module rlm_ldap # Loading module
"ldap2" from file /etc/freeradius/3.0/mods-enabled/ldap2 ldap ldap2 {
server = "123.456.789.201" port = 636 identity =
"cn=admin,LDAP_SUFFIX" password = <<< secret >>> sasl { } user { scope
= "sub" access_positive = yes sasl { } } group { filter =
"(objectClass=groupOfNames)" scope = "sub" name_attribute = "cn"
membership_attribute = "memberOf" membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn
= "" } profile { } options { ldap_debug = 40 chase_referrals = yes
rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle =
60 probes = 3 interval = 3 } tls { ca_file =
"/etc/freeradius/3.0/certs/ca.pem" ca_path =
"/etc/freeradius/3.0/certs/" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" private_key_file =
"/etc/freeradius/3.0/certs/server.key" start_tls = no require_cert =
"allow" } } Creating attribute ldap2-LDAP-Group # Loading module
"echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo {
wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request"
output_pairs = "reply" shell_escape = yes } # Loaded module
rlm_dynamic_clients # Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module
rlm_attr_filter # Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.post-proxy { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key =
"%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy"
from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.pre-proxy { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key =
"%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject"
from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.access_reject { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key =
"%{User-Name}" relaxed = no } # Loading module
"attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.access_challenge { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key =
"%{User-Name}" relaxed = no } # Loading module
"attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.accounting_response { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key
= "%{User-Name}" relaxed = no } # Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes } # Loaded module rlm_preprocess # Loading module
"preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess { huntgroups =
"/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints =
"/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack =
no ascend_channels_per_line = 23 with_ntdomain_hack = no
with_specialix_jetstream_hack = no with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no } # Loaded module rlm_utf8 # Loading
module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded
module rlm_unpack # Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_realm #
Loading module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix"
delimiter = "/" ignore_default = no ignore_null = no } # Loading
module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm
suffix { format = "suffix" delimiter = "@" ignore_default = no
ignore_null = no } # Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format =
"suffix" delimiter = "%" ignore_default = no ignore_null = no } #
Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format =
"prefix" delimiter = "\\" ignore_default = no ignore_null = no } #
Loaded module rlm_pap # Loading module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap pap { normalise = no } # Loaded
module rlm_always # Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always always reject { rcode =
"reject" simulcount = 0 mpp = no } # Loading module "fail" from file
/etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail"
simulcount = 0 mpp = no } # Loading module "ok" from file
/etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok"
simulcount = 0 mpp = no } # Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always always handled { rcode =
"handled" simulcount = 0 mpp = no } # Loading module "invalid" from
file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode =
"invalid" simulcount = 0 mpp = no } # Loading module "userlock" from
file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode =
"userlock" simulcount = 0 mpp = no } # Loading module "notfound" from
file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode =
"notfound" simulcount = 0 mpp = no } # Loading module "noop" from file
/etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop"
simulcount = 0 mpp = no } # Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always always updated { rcode =
"updated" simulcount = 0 mpp = no } # Loaded module rlm_expr # Loading
module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module
rlm_linelog # Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog linelog { filename =
"/var/log/freeradius/linelog" escape_filenames = no syslog_severity =
"info" permissions = 384 format = "This is a log message for
%{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}"
} # Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting" escape_filenames =
no syslog_severity = "info" permissions = 384 format = "" reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module
rlm_unix # Loading module "unix" from file
/etc/freeradius/3.0/mods-enabled/unix unix { radwtmp =
"/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded
module rlm_passwd # Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename =
"/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":"
ignore_nislike = no ignore_empty = yes allow_multiple_keys = no
hash_size = 100 } # Loaded module rlm_radutmp # Loading module
"sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp
sradutmp { filename = "/var/log/freeradius/sradutmp" username =
"%{User-Name}" case_sensitive = yes check_with_nas = yes permissions =
420 caller_id = no } # Loaded module rlm_logintime # Loading module
"logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime { minimum_timeout = 60 } # Loading module "ldap1" from file
/etc/freeradius/3.0/mods-enabled/ldap1 ldap ldap1 { server =
"123.456.789.121" port = 636 identity = "cn=admin,LDAP_SUFFIX"
password = <<< secret >>> sasl { } user { scope = "sub"
access_positive = yes sasl { } } group { filter =
"(objectClass=groupOfNames)" scope = "sub" name_attribute = "cn"
membership_attribute = "memberOf" membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn
= "" } profile { } options { ldap_debug = 40 chase_referrals = yes
rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle =
60 probes = 3 interval = 3 } tls { ca_file =
"/etc/freeradius/3.0/certs/ca.pem" ca_path =
"/etc/freeradius/3.0/certs/" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" private_key_file =
"/etc/freeradius/3.0/certs/server.key" start_tls = no require_cert =
"allow" } } Creating attribute ldap1-LDAP-Group # Loaded module
rlm_files # Loading module "files" from file
/etc/freeradius/3.0/mods-enabled/files files { filename =
"/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile =
"/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile
= "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module
rlm_mschap # Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes
require_encryption = no require_strong = no with_ntdomain_hack = yes
passchange { } allow_retry = yes
winbind_retry_with_normalised_username = no } # Loaded module
rlm_digest # Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_eap #
Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap { default_eap_type = "peap" timer_expire = 60
ignore_unknown_eap_types = no cisco_accounting_username_bug = no
max_sessions = 16384 } # Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename =
"/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive
= yes check_with_nas = yes permissions = 384 caller_id = yes } #
Loaded module rlm_soh # Loading module "soh" from file
/etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded
module rlm_cache # Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver =
"rlm_cache_rbtree" key =
"%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15
max_entries = 0 epoch = 0 add_stats = no } # Loaded module
rlm_expiration # Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_chap #
Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
instantiate { } # Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail # Instantiating module
"auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output # Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module
"pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module
"ldap2" from file /etc/freeradius/3.0/mods-enabled/ldap2 rlm_ldap:
libldap vendor: OpenLDAP, version: 20445 rlm_ldap (ldap2): Couldn't
find configuration for accounting, will return NOOP for calls from
this section post-auth { reference = "." } rlm_ldap (ldap2):
Initialising connection pool pool { start = 5 min = 5 max = 10 spare =
3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60
retry_delay = 1 spread = no } rlm_ldap (ldap2): Opening additional
connection (0), 1 of 10 pending slots used rlm_ldap (ldap2):
Connecting to ldap://123.456.789.201:636 TLS: warning: cacertdir not
implemented for gnutls rlm_ldap (ldap2): Waiting for bind result...
rlm_ldap (ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (1), 1 of 9 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (2), 1 of 8 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (3), 1 of 7 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (4), 1 of 6 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful # Instantiating module
"attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating
module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating
module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11
Check item "FreeRADIUS-Response-Delay-USec" found in filter list for
realm "DEFAULT". # Instantiating module "attr_filter.access_challenge"
from file /etc/freeradius/3.0/mods-enabled/attr_filter reading
pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response #
Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file
/etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist
file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating
module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm #
Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm # Instantiating module
"realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm #
Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm # Instantiating module "pap"
from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module
"reject" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok"
from file /etc/freeradius/3.0/mods-enabled/always # Instantiating
module "handled" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module
"userlock" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop"
from file /etc/freeradius/3.0/mods-enabled/always # Instantiating
module "updated" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog # Instantiating module
"log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog #
Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3
keyfield 0(User-Name) listable: no # Instantiating module "logintime"
from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating
module "ldap1" from file /etc/freeradius/3.0/mods-enabled/ldap1
rlm_ldap (ldap1): Couldn't find configuration for accounting, will
return NOOP for calls from this section post-auth { reference = "." }
rlm_ldap (ldap1): Initialising connection pool pool { start = 5 min =
5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30
idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap1):
Opening additional connection (0), 1 of 10 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (1), 1 of 9 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (2), 1 of 8 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (3), 1 of 7 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (4), 1 of 6 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful # Instantiating
module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using
internal authentication # Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module
rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module
rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } #
Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config
tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes private_key_file =
"/etc/freeradius/3.0/certs/server.key" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" ca_file =
"/etc/freeradius/3.0/certs/ca.pem" dh_file =
"/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length =
yes auto_chain = yes check_crl = no check_all_crl = no cipher_list =
"DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1"
tls_max_version = "" tls_min_version = "1.0" cache { enable = no
lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp
{ enable = no override_cert_url = yes url =
"http://123.456.789.1/ocsp/" use_nonce = yes timeout = 0 softfail = no
} } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common"
default_eap_type = "md5" copy_request_to_tunnel = no
use_tunneled_reply = no virtual_server = "inner-tunnel" include_length
= yes require_client_cert = no } tls: Using cached TLS configuration
from previous invocation # Linked to sub-module rlm_eap_peap peap {
tls = "tls-common" default_eap_type = "mschapv2"
copy_request_to_tunnel = no use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel"
soh = no require_client_cert = no } tls: Using cached TLS
configuration from previous invocation # Linked to sub-module
rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no }
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap):
Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked #
Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration } # modules radiusd: ####
Loading Virtual Servers #### server { # from file
/etc/freeradius/3.0/radiusd.conf } # server server default { # from
file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate
{...} # Loading authorize {...} Ignoring "sql" (see
raddb/mods-available/README.rst) Ignoring "ldap" (see
raddb/mods-available/README.rst) # Loading preacct {...} # Loading
accounting {...} # Loading post-proxy {...} # Loading post-auth {...}
} # server default server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate
{...} # Loading authorize {...} # Loading session {...} # Loading
post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if'
as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:44 } # server
inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen
{ type = "auth" ipaddr = * port = 0 limit { max_connections = 16
lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = *
port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }
} listen { type = "auth" ipaddr = 123.456.789.1 port = 18120 }
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 123.456.789.1 port 18120 bound to server
inner-tunnel Listening on proxy address * port 41010 Ready to process
requests (0) Received Access-Request Id 64 from 123.456.789.116:33131
to 123.456.789.32:1812 length 166 (0) User-Name = "USERNAME" (0)
User-Password = "PASSWORD" (0) NAS-IP-Address = 123.456.789.1 (0)
NAS-Port = 2 (0) Service-Type = Outbound-User (0) Calling-Station-Id =
"123.456.789.90" (0) NAS-Identifier = "OpenVpn" (0) Acct-Session-Id =
"C9806713021203E5866CEBC480846902" (0) NAS-Port-Type = Virtual (0) #
Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy
filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE
(0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name
=~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if
(&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/)
{ (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE (0) } # if (&User-Name) =
notfound (0) } # policy filter_username = notfound (0) [preprocess] =
ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0)
suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name
= "USERNAME", looking up realm NULL (0) suffix: No such realm "NULL"
(0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] =
noop (0) [files] = noop (0) redundant-load-balance group { rlm_ldap
(ldap2): Reserved connection (0) (0) ldap2: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap2: -->
(uid=USERNAME) (0) ldap2: Performing search in "LDAP_SUFFIX" with
filter "(uid=USERNAME)", scope "sub" (0) ldap2: Waiting for search
result... (0) ldap2: User object found at DN
"uid=USERNAME,LDAP_SUFFIX" (0) ldap2: Processing user attributes (0)
ldap2: control:Password-With-Header += 'PASSWORD' rlm_ldap (ldap2):
Released connection (0) (0) [ldap2] = updated (0) } #
redundant-load-balance group = updated (0) [expiration] = noop (0)
[logintime] = noop (0) pap: No {...} in Password-With-Header,
re-writing to Cleartext-Password (0) pap: Removing
&control:Password-With-Header (0) [pap] = updated (0) policy
group_authorization { (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (0) Searching for user in group
"cn=rad_users,LDAP_SUFFIX" rlm_ldap (ldap1): Reserved connection (0)
(0) Using user DN from request "uid=USERNAME,LDAP_SUFFIX" (0) Checking
for user in group objects (0) EXPAND
(&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) --> (&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME,LDAP_SUFFIX)(memberUid=USERNAME)))
(0) Performing search in "cn=rad_users,LDAP_SUFFIX" with filter
"(&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME,LDAP_SUFFIX)(memberUid=USERNAME)))",
scope "sub" (0) Waiting for search result... ber_get_next failed. (0)
User found in group object "cn=rad_users,LDAP_SUFFIX" rlm_ldap
(ldap1): Released connection (0) (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) -> TRUE (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (0) [ok] = ok (0) } # if
((&ldap1-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX") ||
(&ldap2-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX")) = ok (0) ...
skipping else: Preceding "if" was taken (0) } # policy
group_authorization = ok (0) } # authorize = updated (0) Found
Auth-Type = PAP (0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap:
Login attempt with password (0) pap: Comparing with "known good"
Cleartext-Password (0) pap: User authenticated successfully (0) [pap]
= ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from
file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0)
update { (0) No attributes updated (0) } # update = noop (0) [exec] =
noop (0) policy remove_reply_message_if_eap { (0) if
(&reply:EAP-Message && &reply:Reply-Message) { (0) if
(&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0)
[noop] = noop (0) } # else = noop (0) } # policy
remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent
Access-Accept Id 64 from 123.456.789.32:1812 to 123.456.789.116:33131
length 0 (0) Finished request Waking up in 4.9 seconds. (1) Received
Accounting-Request Id 114 from 123.456.789.116:59396 to
123.456.789.32:1813 length 150 (1) User-Name = "USERNAME" (1)
NAS-IP-Address = 123.456.789.1 (1) NAS-Port = 2 (1) Service-Type =
Outbound-User (1) Framed-Protocol = PPP (1) Framed-IP-Address =
123.456.789.2 (1) Calling-Station-Id = "123.456.789.90" (1)
NAS-Identifier = "OpenVpn" (1) Acct-Status-Type = Start (1)
Acct-Session-Id = "C9806713021203E5866CEBC480846902" (1) NAS-Port-Type
= Virtual (1) # Executing section preacct from file
/etc/freeradius/3.0/sites-enabled/default (1) preacct { (1)
[preprocess] = ok (1) policy acct_unique { (1) update request { (1)
&Tmp-String-9 := "ai:" (1) } # update request = noop (1) if
(("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}"
=~ /^ai:([0-9a-f]{32})/i)) { (1) EXPAND %{hex:&Class} (1) --> (1)
EXPAND ^%{hex:&Tmp-String-9} (1) --> ^61693a (1) if (("%{hex:&Class}"
=~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~
/^ai:([0-9a-f]{32})/i)) -> FALSE (1) else { (1) update request { (1)
EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> e921af7d96c3c96c1a861f22b003bdf1 (1) &Acct-Unique-Session-Id
:= e921af7d96c3c96c1a861f22b003bdf1 (1) } # update request = noop (1)
} # else = noop (1) } # policy acct_unique = noop (1) suffix: Checking
for suffix after "@" (1) suffix: No '@' in User-Name = "USERNAME",
looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] =
noop (1) [files] = noop (1) } # preacct = ok (1) # Executing section
accounting from file /etc/freeradius/3.0/sites-enabled/default (1)
accounting { (1) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: -->
/var/log/freeradius/radacct/123.456.789.116/detail-20181106 (1)
detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/123.456.789.116/detail-20181106
(1) detail: EXPAND %t (1) detail: --> Tue Nov 6 15:04:28 2018 (1)
[detail] = ok (1) [unix] = ok (1) [exec] = noop (1)
attr_filter.accounting_response: EXPAND %{User-Name} (1)
attr_filter.accounting_response: --> USERNAME (1)
attr_filter.accounting_response: Matched entry DEFAULT at line 12 (1)
[attr_filter.accounting_response] = updated (1) } # accounting =
updated (1) Sent Accounting-Response Id 114 from 123.456.789.32:1813
to 123.456.789.116:59396 length 0 (1) Finished request (1) Cleaning up
request packet ID 114 with timestamp +16 Waking up in 4.7 seconds. (0)
Cleaning up request packet ID 64 with timestamp +15 Ready to process
requests
Notice (0) pap: No {...} in Password-With-Header, re-writing to
Cleartext-Password
Request with error:
FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS
server project and contributors There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may
redistribute copies of FreeRADIUS under the terms of the GNU General
Public License For more information about these matters, see the file
named COPYRIGHT Starting - reading configuration files ... including
dictionary file /usr/share/freeradius/dictionary including dictionary
file /usr/share/freeradius/dictionary.dhcp including dictionary file
/usr/share/freeradius/dictionary.vqp including dictionary file
/etc/freeradius/3.0/dictionary including configuration file
/etc/freeradius/3.0/radiusd.conf including configuration file
/etc/freeradius/3.0/proxy.conf including configuration file
/etc/freeradius/3.0/clients.conf including files in directory
/etc/freeradius/3.0/mods-enabled/ including configuration file
/etc/freeradius/3.0/mods-enabled/detail including configuration file
/etc/freeradius/3.0/mods-enabled/exec including configuration file
/etc/freeradius/3.0/mods-enabled/detail.log including configuration
file /etc/freeradius/3.0/mods-enabled/ldap2 including configuration
file /etc/freeradius/3.0/mods-enabled/echo including configuration
file /etc/freeradius/3.0/mods-enabled/dynamic_clients including
configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file
/etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration
file /etc/freeradius/3.0/mods-enabled/preprocess including
configuration file /etc/freeradius/3.0/mods-enabled/utf8 including
configuration file /etc/freeradius/3.0/mods-enabled/unpack including
configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file
/etc/freeradius/3.0/mods-enabled/logintime including configuration
file /etc/freeradius/3.0/mods-enabled/ldap1 including configuration
file /etc/freeradius/3.0/mods-enabled/files including configuration
file /etc/freeradius/3.0/mods-enabled/mschap including configuration
file /etc/freeradius/3.0/mods-enabled/digest including configuration
file /etc/freeradius/3.0/mods-enabled/eap including configuration file
/etc/freeradius/3.0/mods-enabled/radutmp including configuration file
/etc/freeradius/3.0/mods-enabled/soh including configuration file
/etc/freeradius/3.0/mods-enabled/cache_eap including configuration
file /etc/freeradius/3.0/mods-enabled/expiration including
configuration file /etc/freeradius/3.0/mods-enabled/chap including
files in directory /etc/freeradius/3.0/policy.d/ including
configuration file /etc/freeradius/3.0/policy.d/group_authorization
including configuration file
/etc/freeradius/3.0/policy.d/canonicalization including configuration
file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including
configuration file /etc/freeradius/3.0/policy.d/filter including
configuration file /etc/freeradius/3.0/policy.d/control including
configuration file /etc/freeradius/3.0/policy.d/accounting including
configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file
/etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user
= "freerad" group = "freerad" allow_core_dumps = no } name =
"freeradius" prefix = "/usr" localstatedir = "/var" logdir =
"/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name =
"freeradius" prefix = "/usr" localstatedir = "/var" sbindir =
"/usr/sbin" logdir = "/var/log/freeradius" run_dir =
"/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir =
"/var/log/freeradius/radacct" hostname_lookups = no max_request_time =
30 cleanup_delay = 5 max_requests = 16384 pidfile =
"/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad"
debug_level = 0 proxy_requests = yes log { stripped_names = no auth =
no auth_badpass = no auth_goodpass = no colourise = yes msg_denied =
"You are already logged in - access denied" } resources { } security {
max_attributes = 200 reject_delay = 1.000000 status_server = yes } }
radiusd: #### Loading Realms and Home Servers #### proxy server {
retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120
wake_all_if_all_dead = no } home_server localhost { ipaddr =
123.456.789.1 port = 1812 type = "auth" secret = <<< secret >>>
response_window = 20.000000 response_timeouts = 1 max_outstanding =
65536 zombie_period = 40 status_check = "status-server" ping_interval
= 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3
revive_interval = 120 limit { max_connections = 16 max_requests = 0
lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd =
30 } } home_server_pool my_auth_failover { type = fail-over
home_server = localhost } realm example.com { auth_pool =
my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients ####
client localhost { ipaddr = 123.456.789.1
require_message_authenticator = no secret = <<< secret >>> limit {
max_connections = 16 lifetime = 0 idle_timeout = 30 } } client
123.456.789.227/32 { require_message_authenticator = no secret = <<<
secret >>> shortname = "123.456.789.227" limit { max_connections = 16
lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.227/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.96/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.96" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.96/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.21/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.21" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.21/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.248/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.248" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.248/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.180/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.180" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.180/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.16/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.16" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.16/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.54/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.54" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.54/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.83/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.83" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.83/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.65/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.65" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.65/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.131/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.131" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.131/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.162/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.162" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.162/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.147/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.147" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.147/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.220/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.220" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.220/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.171/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.171" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.171/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.150/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.150" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.150/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.116/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.116" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.116/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.6/32 { require_message_authenticator = no secret =
<<< secret >>> shortname = "123.456.789.6" limit { max_connections =
16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.6/32. Please fix your
configuration Support for old-style clients will be removed in a
future release client 123.456.789.116/32 {
require_message_authenticator = no secret = <<< secret >>> shortname =
"123.456.789.116" limit { max_connections = 16 lifetime = 0
idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field
found in client 123.456.789.116/32. Please fix your configuration
Support for old-style clients will be removed in a future release
client 123.456.789.117/32 { require_message_authenticator = no secret
= <<< secret >>> shortname = "123.456.789.117" limit { max_connections
= 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or
'ipv6addr' field found in client 123.456.789.117/32. Please fix your
configuration Support for old-style clients will be removed in a
future release Debugger not attached # Creating Auth-Type = mschap #
Creating Auth-Type = digest # Creating Auth-Type = eap # Creating
Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type =
MS-CHAP # Creating Auth-Type = LDAP radiusd: #### Instantiating
modules #### modules { # Loaded module rlm_detail # Loading module
"detail" from file /etc/freeradius/3.0/mods-enabled/detail detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loaded module rlm_exec # Loading module
"exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait =
no input_pairs = "request" shell_escape = yes timeout = 10 } # Loading
module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename
= "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t" permissions = 384 locking = no escape_filenames = no
log_packet_header = no } # Loaded module rlm_ldap # Loading module
"ldap2" from file /etc/freeradius/3.0/mods-enabled/ldap2 ldap ldap2 {
server = "123.456.789.201" port = 636 identity =
"cn=admin,LDAP_SUFFIX" password = <<< secret >>> sasl { } user { scope
= "sub" access_positive = yes sasl { } } group { filter =
"(objectClass=groupOfNames)" scope = "sub" name_attribute = "cn"
membership_attribute = "memberOf" membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn
= "" } profile { } options { ldap_debug = 40 chase_referrals = yes
rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle =
60 probes = 3 interval = 3 } tls { ca_file =
"/etc/freeradius/3.0/certs/ca.pem" ca_path =
"/etc/freeradius/3.0/certs/" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" private_key_file =
"/etc/freeradius/3.0/certs/server.key" start_tls = no require_cert =
"allow" } } Creating attribute ldap2-LDAP-Group # Loading module
"echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo {
wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request"
output_pairs = "reply" shell_escape = yes } # Loaded module
rlm_dynamic_clients # Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module
rlm_attr_filter # Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.post-proxy { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key =
"%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy"
from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.pre-proxy { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key =
"%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject"
from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.access_reject { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key =
"%{User-Name}" relaxed = no } # Loading module
"attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.access_challenge { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key =
"%{User-Name}" relaxed = no } # Loading module
"attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter attr_filter
attr_filter.accounting_response { filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key
= "%{User-Name}" relaxed = no } # Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes } # Loaded module rlm_preprocess # Loading module
"preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess { huntgroups =
"/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints =
"/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack =
no ascend_channels_per_line = 23 with_ntdomain_hack = no
with_specialix_jetstream_hack = no with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no } # Loaded module rlm_utf8 # Loading
module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded
module rlm_unpack # Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_realm #
Loading module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix"
delimiter = "/" ignore_default = no ignore_null = no } # Loading
module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm
suffix { format = "suffix" delimiter = "@" ignore_default = no
ignore_null = no } # Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format =
"suffix" delimiter = "%" ignore_default = no ignore_null = no } #
Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format =
"prefix" delimiter = "\\" ignore_default = no ignore_null = no } #
Loaded module rlm_pap # Loading module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap pap { normalise = no } # Loaded
module rlm_always # Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always always reject { rcode =
"reject" simulcount = 0 mpp = no } # Loading module "fail" from file
/etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail"
simulcount = 0 mpp = no } # Loading module "ok" from file
/etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok"
simulcount = 0 mpp = no } # Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always always handled { rcode =
"handled" simulcount = 0 mpp = no } # Loading module "invalid" from
file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode =
"invalid" simulcount = 0 mpp = no } # Loading module "userlock" from
file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode =
"userlock" simulcount = 0 mpp = no } # Loading module "notfound" from
file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode =
"notfound" simulcount = 0 mpp = no } # Loading module "noop" from file
/etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop"
simulcount = 0 mpp = no } # Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always always updated { rcode =
"updated" simulcount = 0 mpp = no } # Loaded module rlm_expr # Loading
module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module
rlm_linelog # Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog linelog { filename =
"/var/log/freeradius/linelog" escape_filenames = no syslog_severity =
"info" permissions = 384 format = "This is a log message for
%{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}"
} # Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting" escape_filenames =
no syslog_severity = "info" permissions = 384 format = "" reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module
rlm_unix # Loading module "unix" from file
/etc/freeradius/3.0/mods-enabled/unix unix { radwtmp =
"/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded
module rlm_passwd # Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename =
"/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":"
ignore_nislike = no ignore_empty = yes allow_multiple_keys = no
hash_size = 100 } # Loaded module rlm_radutmp # Loading module
"sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp
sradutmp { filename = "/var/log/freeradius/sradutmp" username =
"%{User-Name}" case_sensitive = yes check_with_nas = yes permissions =
420 caller_id = no } # Loaded module rlm_logintime # Loading module
"logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime { minimum_timeout = 60 } # Loading module "ldap1" from file
/etc/freeradius/3.0/mods-enabled/ldap1 ldap ldap1 { server =
"123.456.789.121" port = 636 identity = "cn=admin,LDAP_SUFFIX"
password = <<< secret >>> sasl { } user { scope = "sub"
access_positive = yes sasl { } } group { filter =
"(objectClass=groupOfNames)" scope = "sub" name_attribute = "cn"
membership_attribute = "memberOf" membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn
= "" } profile { } options { ldap_debug = 40 chase_referrals = yes
rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle =
60 probes = 3 interval = 3 } tls { ca_file =
"/etc/freeradius/3.0/certs/ca.pem" ca_path =
"/etc/freeradius/3.0/certs/" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" private_key_file =
"/etc/freeradius/3.0/certs/server.key" start_tls = no require_cert =
"allow" } } Creating attribute ldap1-LDAP-Group # Loaded module
rlm_files # Loading module "files" from file
/etc/freeradius/3.0/mods-enabled/files files { filename =
"/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile =
"/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile
= "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module
rlm_mschap # Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes
require_encryption = no require_strong = no with_ntdomain_hack = yes
passchange { } allow_retry = yes
winbind_retry_with_normalised_username = no } # Loaded module
rlm_digest # Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_eap #
Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap { default_eap_type = "peap" timer_expire = 60
ignore_unknown_eap_types = no cisco_accounting_username_bug = no
max_sessions = 16384 } # Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename =
"/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive
= yes check_with_nas = yes permissions = 384 caller_id = yes } #
Loaded module rlm_soh # Loading module "soh" from file
/etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded
module rlm_cache # Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver =
"rlm_cache_rbtree" key =
"%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15
max_entries = 0 epoch = 0 add_stats = no } # Loaded module
rlm_expiration # Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_chap #
Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
instantiate { } # Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail # Instantiating module
"auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output # Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module
"pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module
"ldap2" from file /etc/freeradius/3.0/mods-enabled/ldap2 rlm_ldap:
libldap vendor: OpenLDAP, version: 20445 rlm_ldap (ldap2): Couldn't
find configuration for accounting, will return NOOP for calls from
this section post-auth { reference = "." } rlm_ldap (ldap2):
Initialising connection pool pool { start = 5 min = 5 max = 10 spare =
3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60
retry_delay = 1 spread = no } rlm_ldap (ldap2): Opening additional
connection (0), 1 of 10 pending slots used rlm_ldap (ldap2):
Connecting to ldap://123.456.789.201:636 TLS: warning: cacertdir not
implemented for gnutls rlm_ldap (ldap2): Waiting for bind result...
rlm_ldap (ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (1), 1 of 9 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (2), 1 of 8 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (3), 1 of 7 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful rlm_ldap (ldap2): Opening additional
connection (4), 1 of 6 pending slots used rlm_ldap (ldap2): Connecting
to ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented
for gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap
(ldap2): Bind successful # Instantiating module
"attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating
module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating
module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11
Check item "FreeRADIUS-Response-Delay-USec" found in filter list for
realm "DEFAULT". # Instantiating module "attr_filter.access_challenge"
from file /etc/freeradius/3.0/mods-enabled/attr_filter reading
pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response #
Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file
/etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist
file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating
module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm #
Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm # Instantiating module
"realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm #
Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm # Instantiating module "pap"
from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module
"reject" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok"
from file /etc/freeradius/3.0/mods-enabled/always # Instantiating
module "handled" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module
"userlock" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop"
from file /etc/freeradius/3.0/mods-enabled/always # Instantiating
module "updated" from file /etc/freeradius/3.0/mods-enabled/always #
Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog # Instantiating module
"log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog #
Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3
keyfield 0(User-Name) listable: no # Instantiating module "logintime"
from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating
module "ldap1" from file /etc/freeradius/3.0/mods-enabled/ldap1
rlm_ldap (ldap1): Couldn't find configuration for accounting, will
return NOOP for calls from this section post-auth { reference = "." }
rlm_ldap (ldap1): Initialising connection pool pool { start = 5 min =
5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30
idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap1):
Opening additional connection (0), 1 of 10 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (1), 1 of 9 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (2), 1 of 8 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (3), 1 of 7 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Opening additional connection (4), 1 of 6 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful # Instantiating
module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using
internal authentication # Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module
rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module
rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } #
Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config
tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes private_key_file =
"/etc/freeradius/3.0/certs/server.key" certificate_file =
"/etc/freeradius/3.0/certs/server.pem" ca_file =
"/etc/freeradius/3.0/certs/ca.pem" dh_file =
"/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length =
yes auto_chain = yes check_crl = no check_all_crl = no cipher_list =
"DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1"
tls_max_version = "" tls_min_version = "1.0" cache { enable = no
lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp
{ enable = no override_cert_url = yes url =
"http://123.456.789.1/ocsp/" use_nonce = yes timeout = 0 softfail = no
} } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common"
default_eap_type = "md5" copy_request_to_tunnel = no
use_tunneled_reply = no virtual_server = "inner-tunnel" include_length
= yes require_client_cert = no } tls: Using cached TLS configuration
from previous invocation # Linked to sub-module rlm_eap_peap peap {
tls = "tls-common" default_eap_type = "mschapv2"
copy_request_to_tunnel = no use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel"
soh = no require_client_cert = no } tls: Using cached TLS
configuration from previous invocation # Linked to sub-module
rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no }
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap):
Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked #
Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration } # modules radiusd: ####
Loading Virtual Servers #### server { # from file
/etc/freeradius/3.0/radiusd.conf } # server server default { # from
file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate
{...} # Loading authorize {...} Ignoring "sql" (see
raddb/mods-available/README.rst) Ignoring "ldap" (see
raddb/mods-available/README.rst) # Loading preacct {...} # Loading
accounting {...} # Loading post-proxy {...} # Loading post-auth {...}
} # server default server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate
{...} # Loading authorize {...} # Loading session {...} # Loading
post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if'
as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:44 } # server
inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen
{ type = "auth" ipaddr = * port = 0 limit { max_connections = 16
lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = *
port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }
} listen { type = "auth" ipaddr = 123.456.789.1 port = 18120 }
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 123.456.789.1 port 18120 bound to server
inner-tunnel Listening on proxy address * port 50185 Ready to process
requests (0) Received Access-Request Id 182 from 123.456.789.116:38689
to 123.456.789.32:1812 length 166 (0) User-Name = "USERNAME" (0)
User-Password = "PASSWORD" (0) NAS-IP-Address = 123.456.789.1 (0)
NAS-Port = 3 (0) Service-Type = Outbound-User (0) Calling-Station-Id =
"123.456.789.90" (0) NAS-Identifier = "OpenVpn" (0) Acct-Session-Id =
"032D1A71E0B09B5DEA33B7C16E4006AB" (0) NAS-Port-Type = Virtual (0) #
Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy
filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE
(0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name
=~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if
(&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/)
{ (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE (0) } # if (&User-Name) =
notfound (0) } # policy filter_username = notfound (0) [preprocess] =
ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0)
suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name
= "USERNAME", looking up realm NULL (0) suffix: No such realm "NULL"
(0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] =
noop (0) [files] = noop (0) redundant-load-balance group { rlm_ldap
(ldap2): Closing connection (0): Hit idle_timeout, was idle for 61
seconds rlm_ldap (ldap2): You probably need to lower "min" rlm_ldap
(ldap2): Closing connection (1): Hit idle_timeout, was idle for 61
seconds rlm_ldap (ldap2): You probably need to lower "min" rlm_ldap
(ldap2): Closing connection (2): Hit idle_timeout, was idle for 61
seconds rlm_ldap (ldap2): You probably need to lower "min" rlm_ldap
(ldap2): Closing connection (3): Hit idle_timeout, was idle for 61
seconds rlm_ldap (ldap2): You probably need to lower "min" rlm_ldap
(ldap2): Closing connection (4): Hit idle_timeout, was idle for 61
seconds rlm_ldap (ldap2): You probably need to lower "min" rlm_ldap
(ldap2): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap2): Opening additional connection (5), 1 of 10 pending
slots used rlm_ldap (ldap2): Connecting to ldap://123.456.789.201:636
TLS: warning: cacertdir not implemented for gnutls rlm_ldap (ldap2):
Waiting for bind result... rlm_ldap (ldap2): Bind successful rlm_ldap
(ldap2): Reserved connection (5) (0) ldap2: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap2: -->
(uid=USERNAME) (0) ldap2: Performing search in "LDAP_SUFFIX" with
filter "(uid=USERNAME)", scope "sub" (0) ldap2: Waiting for search
result... (0) ldap2: User object found at DN
"uid=USERNAME,LDAP_SUFFIX" (0) ldap2: Processing user attributes (0)
ldap2: control:Password-With-Header += 'PASSWORD' rlm_ldap (ldap2):
Released connection (5) Need 4 more connections to reach min
connections (5) rlm_ldap (ldap2): Opening additional connection (6), 1
of 9 pending slots used rlm_ldap (ldap2): Connecting to
ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented for
gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap (ldap2):
Bind successful (0) [ldap2] = updated (0) } # redundant-load-balance
group = updated (0) [expiration] = noop (0) [logintime] = noop (0)
pap: Normalizing Password-With-Header from base64 encoding, 28 bytes
-> 21 bytes (0) pap: Unknown header {{?v??w}} in Password-With-Header,
re-writing to Cleartext-Password (0) pap: Removing
&control:Password-With-Header (0) [pap] = updated (0) policy
group_authorization { (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (0) Searching for user in group
"cn=rad_users,LDAP_SUFFIX" rlm_ldap (ldap1): Closing connection (0):
Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap1): You
probably need to lower "min" rlm_ldap (ldap1): Closing connection (1):
Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap1): You
probably need to lower "min" rlm_ldap (ldap1): Closing connection (2):
Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap1): You
probably need to lower "min" rlm_ldap (ldap1): Closing connection (3):
Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap1): You
probably need to lower "min" rlm_ldap (ldap1): Closing connection (4):
Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap1): You
probably need to lower "min" rlm_ldap (ldap1): 0 of 0 connections in
use. You may need to increase "spare" rlm_ldap (ldap1): Opening
additional connection (5), 1 of 10 pending slots used rlm_ldap
(ldap1): Connecting to ldap://123.456.789.121:636 TLS: warning:
cacertdir not implemented for gnutls rlm_ldap (ldap1): Waiting for
bind result... rlm_ldap (ldap1): Bind successful rlm_ldap (ldap1):
Reserved connection (5) (0) Using user DN from request
"uid=USERNAME,LDAP_SUFFIX" (0) Checking for user in group objects (0)
EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) --> (&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME\2cdc\3d5eurovpn\2cdc\3dcom)(memberUid=USERNAME)))
(0) Performing search in "cn=rad_users,LDAP_SUFFIX" with filter
"(&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME\2cdc\3d5eurovpn\2cdc\3dcom)(memberUid=USERNAME)))",
scope "sub" (0) Waiting for search result... ber_get_next failed. (0)
User found in group object "cn=rad_users,LDAP_SUFFIX" rlm_ldap
(ldap1): Released connection (5) Need 4 more connections to reach min
connections (5) rlm_ldap (ldap1): Opening additional connection (6), 1
of 9 pending slots used rlm_ldap (ldap1): Connecting to
ldap://123.456.789.121:636 TLS: warning: cacertdir not implemented for
gnutls rlm_ldap (ldap1): Waiting for bind result... rlm_ldap (ldap1):
Bind successful (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) -> TRUE (0) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (0) [ok] = ok (0) } # if
((&ldap1-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX") ||
(&ldap2-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX")) = ok (0) ...
skipping else: Preceding "if" was taken (0) } # policy
group_authorization = ok (0) } # authorize = updated (0) Found
Auth-Type = PAP (0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap:
Login attempt with password (0) pap: Comparing with "known good"
Cleartext-Password (0) pap: ERROR: Cleartext password does not match
"known good" password (0) pap: Passwords don't match (0) [pap] =
reject (0) } # Auth-Type PAP = reject (0) Failed to authenticate the
user (0) Using Post-Auth-Type Reject (0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name} (0)
attr_filter.access_reject: --> USERNAME (0) attr_filter.access_reject:
Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] =
updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0)
if (&reply:EAP-Message && &reply:Reply-Message) { (0) if
(&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0)
[noop] = noop (0) } # else = noop (0) } # policy
remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT =
updated (0) Delaying response for 1.000000 seconds Waking up in 0.2
seconds. Waking up in 0.7 seconds. (1) Received Access-Request Id 182
from 123.456.789.116:41404 to 123.456.789.32:1812 length 166 (1)
User-Name = "USERNAME" (1) User-Password = "PASSWORD" (1)
NAS-IP-Address = 123.456.789.1 (1) NAS-Port = 3 (1) Service-Type =
Outbound-User (1) Calling-Station-Id = "123.456.789.90" (1)
NAS-Identifier = "OpenVpn" (1) Acct-Session-Id =
"032D1A71E0B09B5DEA33B7C16E4006AB" (1) NAS-Port-Type = Virtual (1) #
Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy
filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE
(1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name
=~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if
(&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) &&
(&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/)
{ (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE (1) } # if (&User-Name) =
notfound (1) } # policy filter_username = notfound (1) [preprocess] =
ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1)
suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name
= "USERNAME", looking up realm NULL (1) suffix: No such realm "NULL"
(1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] =
noop (1) [files] = noop (1) redundant-load-balance group { rlm_ldap
(ldap2): Reserved connection (5) (1) ldap2: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap2: -->
(uid=USERNAME) (1) ldap2: Performing search in "LDAP_SUFFIX" with
filter "(uid=USERNAME)", scope "sub" (1) ldap2: Waiting for search
result... (1) ldap2: User object found at DN
"uid=USERNAME,LDAP_SUFFIX" (1) ldap2: Processing user attributes (1)
ldap2: control:Password-With-Header += 'PASSWORD' rlm_ldap (ldap2):
Released connection (5) Need 3 more connections to reach min
connections (5) rlm_ldap (ldap2): Opening additional connection (7), 1
of 8 pending slots used rlm_ldap (ldap2): Connecting to
ldap://123.456.789.201:636 TLS: warning: cacertdir not implemented for
gnutls rlm_ldap (ldap2): Waiting for bind result... rlm_ldap (ldap2):
Bind successful (1) [ldap2] = updated (1) } # redundant-load-balance
group = updated (1) [expiration] = noop (1) [logintime] = noop (1)
pap: Normalizing Password-With-Header from base64 encoding, 28 bytes
-> 21 bytes (1) pap: Unknown header {{?v??w}} in Password-With-Header,
re-writing to Cleartext-Password (1) pap: Removing
&control:Password-With-Header (1) [pap] = updated (1) policy
group_authorization { (1) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (1) Searching for user in group
"cn=rad_users,LDAP_SUFFIX" rlm_ldap (ldap1): Reserved connection (5)
(1) Using user DN from request "uid=USERNAME,LDAP_SUFFIX" (1) Checking
for user in group objects (1) EXPAND
(&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(1) --> (&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME,LDAP_SUFFIX)(memberUid=USERNAME)))
(1) Performing search in "cn=rad_users,LDAP_SUFFIX" with filter
"(&(objectClass=groupOfNames)(|(member=uid\3dUSERNAME,LDAP_SUFFIX)(memberUid=USERNAME)))",
scope "sub" (1) Waiting for search result... ber_get_next failed. (1)
User found in group object "cn=rad_users,LDAP_SUFFIX" rlm_ldap
(ldap1): Released connection (5) Need 3 more connections to reach min
connections (5) rlm_ldap (ldap1): Opening additional connection (7), 1
of 8 pending slots used rlm_ldap (ldap1): Connecting to
ldap://123.456.789.121:636 TLS: warning: cacertdir not implemented for
gnutls rlm_ldap (ldap1): Waiting for bind result... rlm_ldap (ldap1):
Bind successful (1) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) -> TRUE (1) if ((&ldap1-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX") || (&ldap2-LDAP-Group[*] ==
"cn=rad_users,LDAP_SUFFIX")) { (1) [ok] = ok (1) } # if
((&ldap1-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX") ||
(&ldap2-LDAP-Group[*] == "cn=rad_users,LDAP_SUFFIX")) = ok (1) ...
skipping else: Preceding "if" was taken (1) } # policy
group_authorization = ok (1) } # authorize = updated (1) Found
Auth-Type = PAP (1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default (1) Auth-Type PAP { (1) pap:
Login attempt with password (1) pap: Comparing with "known good"
Cleartext-Password (1) pap: ERROR: Cleartext password does not match
"known good" password (1) pap: Passwords don't match (1) [pap] =
reject (1) } # Auth-Type PAP = reject (1) Failed to authenticate the
user (1) Using Post-Auth-Type Reject (1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default (1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name} (1)
attr_filter.access_reject: --> USERNAME (1) attr_filter.access_reject:
Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] =
updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1)
if (&reply:EAP-Message && &reply:Reply-Message) { (1) if
(&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1)
[noop] = noop (1) } # else = noop (1) } # policy
remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT =
updated (1) Delaying response for 1.000000 seconds (0) Sending delayed
response (0) Sent Access-Reject Id 182 from 123.456.789.32:1812 to
123.456.789.116:38689 length 20 Waking up in 0.2 seconds. Waking up in
0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id
182 from 123.456.789.32:1812 to 123.456.789.116:41404 length 20 Waking
up in 3.0 seconds. (0) Cleaning up request packet ID 182 with
timestamp +61 Waking up in 0.9 seconds. (1) Cleaning up request packet
ID 182 with timestamp +62 Ready to process requests
I think line:
(1) pap: Normalizing Password-With-Header from base64 encoding, 28
bytes -> 21 bytes (1) pap: Unknown header {{?v??w}} in
Password-With-Header, re-writing to Cleartext-Password (1) pap:
Removing &control:Password-With-Header
is making this problem. pap module is trying to normalize password
from ldap no matter that
pap { normalise = no } is set.
Please help.
Regards,
Kreso
2
2
hi,
i just started using FreeRadius on a raspberrypi along with mikrotik
routers for hotspot, everything works fine except that to make FR send a
CoA to mikrotik NAS i have to put the secret, port and ip of the NAS in
clients.conf even though im using a sql DB, i came across a old thread
which said reading clients from DB for sending CoA wasnt supported so just
wanted to confirm if its still the case or no?
Regards,
Bipin
2
2
11 Nov '18
hi my name es Manuel Nogales, I'm from Bolivia, South America
i need help with a configuration of freeradius 2.1.12
I inherited this infrastructure
i have got these devices: Switch 3COM, AD DC SERVER WINDOWS 2008 and a
server radius 2.1.12 in Redhat, with AAA configuration under thesse files
/etc/raddb/modules/ntlm_auth
-------inside-----------
>exec ntlm_auth{
>wait = yes
>program = "/usr/bin/ntlm_auth --request-nt-key --domain=mydomain
--username=% {mschap:UserName} --password=%{User-Password}"
>}
/etc/raddb/modules/mschap
-------inside-----------
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-mydomain}
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
/etc/raddb/proxy.conf
-------inside-----------
>realm mydomain.com{
> auth_pool = my_auth_failover
>}
i need to add a new domain Active Directory Zentyal with linuxmint users
without lose actual configuration, please any help will be granted, thanks.
Bolivia, South America
i need help with a configuration of freeradius 2.1.12
I inherited this infrastructure
i have got these devices: Switch 3COM, AD DC SERVER WINDOWS 2008 and a
server radius 2.1.12 in Redhat, with AAA configuration under thesse files
/etc/raddb/modules/ntlm_auth
-------inside-----------
>exec ntlm_auth{
>wait = yes
>program = "/usr/bin/ntlm_auth --request-nt-key --domain=mydomain
--username=% {mschap:UserName} --password=%{User-Password}"
>}
/etc/raddb/modules/mschap
-------inside-----------
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-mydomain}
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
/etc/raddb/proxy.conf
-------inside-----------
>realm mydomain.com{
> auth_pool = my_auth_failover
>}
i need to add a new domain Active Directory Zentyal with linuxmint users
without lose actual configuration, plea
2
1
Hello,
I have configured freeradius v3.0.18 and successfully authenticate using pap, eap MSCHAP. Here i am using custom mysql proc calls. It is working fine. Now, i am using rlm_rest module (https://github.com/fgsants/REST-API-FreeRADIUS) and authenticate user if user name a and password is present in access request. Now once i move to eap mschapv2, now things are not working. because once auth type eap is selected (from received request) i want to call rest api (as in case of sql). Even if i disable the eap from authorize and forcefully select rest as auth type then receive error (You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute!) i think this is genuine. Can any body help me. From my point of view i need to call rest api after i extract a password from mschap (dont know how to do it)
Regards
Siraj
2
1
Hey there
I was wondering if you could help me with some logic
I'm working with some pretty limited attributes on some APs. They support
radius, but only these attributes:
Session-timeout
Idle-timeout
Bandwidth-up
Bandwidth-down
It sadly doesn't understand WISPr-Session-Terminate-Time
Our application needs to timeout a user account and all devices with
activate sessions on that account at a specific time. Our Service is
offered monthly and are unlimited data.
Is SQL counter or some other module able to send session timeout
dynamically on the fly to accounts for a session that should only be 200min
vs 1440 for an session that needs to expire at a specific moment on all
devices?
I was thinking to make a sql query script to do a Delta calculation between
now and WISPr-Session-Terminate-Time and if that number is less than
session-timeout, to use that value.
I feel like there may be a module in freeradius that may do this but I
could not figure if SQL counter does this.
Any tips in what direction to go would be great!
3
20
Hi!
We are getting close to a workable solution with freeradius!
When running freeradius in debug mode we can see that sometimes it comes in
correctly, and other times in some kind of junky value.
We need some help to see if this is an encrypt/decrypt issue, and where we
may be able to align things to have 100% success rate with password
traversing.
some interesting things. When we login and get a =failed, we can generally
get a success the 2nd time when trying again right away.
here is some of the data pulled from debug. both times password was 000000
rad_recv: Access-Request packet from host 67.168.xxx.6 port 44529, id=58,
length=173
User-Name = "freetest01"
Acct-Session-Id = "1848a37b"
NAS-Identifier = "712-xxxxxx"
Framed-IP-Address = 10.255.10.51
NAS-Port-Id = "ssid1_1848a37b"
Calling-Station-Id = "2C-6E-85-95-C1-C6"
Called-Station-Id = "AC-86-74-7A-35-10"
Class = 0x47726f75703d33362c5376633d3531
Event-Timestamp = "Nov 1 2018 08:37:03 UTC"
Service-Type = Login-User
User-Password = "`\033\244\361\310\337H"
NAS-Port = 35
NAS-IP-Address = 192.168.1.128
# Executing section authorize from file
/etc/freeradius/sites-enabled/xxxxxx.rad
then
rad_recv: Access-Request packet from host 67.168.xxx.6 port 57254, id=178,
length=173
User-Name = "freetest01"
Acct-Session-Id = "3b6dcf1b"
NAS-Identifier = "712-xxxxxx"
Framed-IP-Address = 10.255.10.51
NAS-Port-Id = "ssid1_3b6dcf1b"
Calling-Station-Id = "2C-6E-85-95-C1-C6"
Called-Station-Id = "AC-86-74-7A-35-10"
Class = 0x47726f75703d33362c5376633d3531
Event-Timestamp = "Nov 1 2018 08:32:55 UTC"
Service-Type = Login-User
User-Password = "000000"
NAS-Port = 35
NAS-IP-Address = 192.168.1.128
3
4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi,
my FR v.3.0.12 up and running, eap works as expected, users DB is in LDAP
now I'm trying to get accounting data in SQL ( to have all the data written to files
/usr/local/var/log/radius/radacct/X.X.X.X/auth-detail-YYYYmmddand )
but I'm failing to get it working ...
all SQL tables except radpostauth are empty ... I have no idea why
here are details:
- ---[ `ls -al mods-enabled/' quotation start ]-------------------------------------------
...
lrwxrwxr-x 1 radius radius 21 Apr 26 2016 eap -> ../mods-available/eap
...
lrwxrwxr-x 1 radius radius 22 Apr 26 2016 ldap -> ../mods-available/ldap
...
- ---[ `ls -al mods-enabled/' quotation end ]-------------------------------------------
- ---[ sites-enabled/default quotation start ]-------------------------------------------
authorize {
...
eap {
ok = return
}
...
}
authenticate {
eap
}
accounting {
detail
sql
attr_filter.accounting_response
}
session {
sql
}
post-auth {
update {
&reply: += &session-state:
}
sql
}
- ---[ sites-enabled/default quotation end ]-------------------------------------------
/usr/local/var/log/radius/radacct/X.X.X.X/auth-detail-YYYYmmdd files are created and updated ...
what can be the cause why SQL table radacct is empty then?
- --
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQQYIXL6FUmD7SUfqoOveOk+D/ejKgUCW+R15QAKCRCveOk+D/ej
KoUjAJ9UUxqLHKWpUH5J16/tuWP/2d6d7gCggz9NjGYhjsRj63ZvFtxRIk8t39Q=
=29MD
-----END PGP SIGNATURE-----
2
1
Hello Everyone.
I'm using FreeRadius 3-3.0.17_2 and I want to pick an IP from Pool
to a user who uses Fixed IP and tries to connect with wrong password.
I tried to put this set in my default file and Fixed IP always
overrides the pool IP.
Auth-Type MS-CHAP {
mschap {
reject = 1
}
if(reject) {
update control {
Pool-Name := "mkt_pool"
}
update reply {
Mikrotik-Rate-Limit := "300K/2M 600K/2200K
450K/1500K 10/10"
}
ok
}
}
Some hint?
Thanks
Aurélio
1
0