Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hello,
I am new to Freeradius and need some guidance on how to authenticate vpn
users to active directory through Freeradius.
I have setup Freeradius to authenticate some wireless users to AD, but the
main goal is to setup vpn users to authenticate to AD through Freeradius.
Do I need to configure the ldap module in Freeradius to do this or is there
another way to do this?
The version of Freeradius I am using is 3.0.15 on ubuntu server 16.04. The
vpn users will be coming through a checkpoint firewall.
Debug output:
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the
terms of the GNU General Public License For more information about these
matters, see the file named COPYRIGHT Starting - reading configuration
files ...
including dictionary file /usr/share/freeradius/dictionary including
dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary including
configuration file /etc/freeradius/radiusd.conf including configuration
file /etc/freeradius/proxy.conf including configuration file
/etc/freeradius/clients.conf including files in directory
/etc/freeradius/mods-enabled/ including configuration file
/etc/freeradius/mods-enabled/utf8 including configuration file
/etc/freeradius/mods-enabled/soh including configuration file
/etc/freeradius/mods-enabled/chap including configuration file
/etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/exec including
configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/echo including
configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/expr including
configuration file /etc/freeradius/mods-enabled/date including
configuration file /etc/freeradius/mods-enabled/pap including configuration
file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/unix including
configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/eap including
files in directory /etc/freeradius/policy.d/ including configuration file
/etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/cui including
configuration file /etc/freeradius/policy.d/abfab-tr including
configuration file /etc/freeradius/policy.d/filter including configuration
file /etc/freeradius/policy.d/debug including configuration file
/etc/freeradius/policy.d/control including configuration file
/etc/freeradius/policy.d/dhcp including configuration file
/etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap including files
in directory /etc/freeradius/sites-enabled/ including configuration file
/etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 76800
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers #### proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules #### modules {
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ULTHQ
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/mods-enabled/replicate
# Loading module "ntlm_auth" from file
/etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=ULTHQ
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 76800
}
instantiate {
}
# Instantiating module "logintime" from file
/etc/freeradius/mods-enabled/logintime
# Instantiating module "files" from file
/etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "detail" from file
/etc/freeradius/mods-enabled/detail
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Instantiating module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "reject" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "mschap" from file
/etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "cache_eap" from file
/etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "linelog" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "IPASS" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
} # modules
radiusd: #### Loading Virtual Servers #### server { # from file
/etc/freeradius/radiusd.conf } # server server default { # from file
/etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see
raddb/mods-available/README.rst) # Loading preacct {...} # Loading
accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } #
server default server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/sites-enabled/inner-tunnel:333
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports #### listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default Listening on
acct address * port 1813 bound to server default Listening on auth address
:: port 1812 bound to server default Listening on acct address :: port 1813
bound to server default Listening on auth address 127.0.0.1 port 18120
bound to server inner-tunnel Listening on proxy address * port 36406
Listening on proxy address :: port 54277 Ready to process requests
Kind regards,
Daniel
2
1
Hello,
I am new to Freeradius and need some guidance on how to authenticate vpn users to active directory through Freeradius.
I have setup Freeradius to authenticate some wireless users to AD, but the main goal is to setup vpn users to authenticate to AD through Freeradius.
Do I need to configure the ldap module in Freeradius to do this or is there another way to do this?
The version of Freeradius I am using is 3.0.15 on ubuntu server 16.04. The vpn users will be coming through a checkpoint firewall.
Debug output:
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/date
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/eap
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 76800
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ULTHQ --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=ULTHQ --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 76800
}
instantiate {
}
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:333
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 36406
Listening on proxy address :: port 54277
Ready to process requests
Kind regards,
Daniel
The content of this e-mail (including any attachments) is strictly confidential and may be commercially sensitive. If you are not, or believe you may not be, the intended recipient, please advise the sender immediately by return e-mail, delete this e-mail and destroy any copies.
1
0
Accounting server terminates (when home-server is unavailable for a while)
by Peter Balsianok 14 Nov '17
by Peter Balsianok 14 Nov '17
14 Nov '17
Hi,
I have problem with RADIUS server 3.0.15 (accounting). If home-server is
unavailable, after while RADIUS servers terminates abnormally.
proxy.conf (fragment):
home_server sa_server_prod {
type = acct
ipaddr = 80.81.224.2
port = 1812
secret = "xxx"
# Without status check
status_check = none
}
home_server_pool prod_pool_sa {
home_server = sa_server_prod
}
realm sasro.sk {
nostrip
acct_pool = prod_pool_sa
}
Debug output:
Tue Nov 14 10:22:18 2017 : ERROR: (1252) ERROR: Failing proxied request for
user "56(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:18 2017 : ERROR: (1264) ERROR: Failing proxied request for
user "169(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:26 2017 : ERROR: (1520) ERROR: Failing proxied request for
user "g34(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:28 2017 : ERROR: (1577) ERROR: Failing proxied request for
user "56(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:33 2017 : ERROR: (1703) ERROR: Failing proxied request for
user "g34(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:38 2017 : Proxy: Marking home server 80.81.224.2 port 1812
as dead.
Tue Nov 14 10:22:39 2017 : ERROR: (1889) ERROR: Failing proxied request for
user "169(a)sasro.sk", due to lack of any response from home server
80.81.224.2 port 1812
Tue Nov 14 10:22:40 2017 : Error: ASSERT FAILED src/main/process.c[3182]:
request->home_server != NULL
CAUGHT SIGNAL: Aborted
Backtrace of last 7 frames:
/app/radius/freeradius-3.0.15/lib/libfreeradius-radius.so(fr_fault+0x10c)[0x8a9166]
/app/radius/freeradius-3.0.15/lib/libfreeradius-server.so(rad_assert_fail+0x49)[0xbdddfe]
/app/radius/freeradius-v3/sbin/radiusd[0x8084145]
/app/radius/freeradius-v3/sbin/radiusd[0x80808f3]
/app/radius/freeradius-v3/sbin/radiusd[0x807c641]
/lib/libpthread.so.0[0x50c912]
/lib/libc.so.6(clone+0x5e)[0x81347e]
Calling: gdb -silent -x /app/radius/conf/acct/panic.gdb
/app/radius/freeradius-v3/sbin/radiusd 3088 2>&1 | tee
/app_log/radius/acct//gdb-acct-3088.log
Panic action exited with 0
_EXIT(0) CALLED src/lib/debug.c[743]
3
5
On a Mac with Xcode 9.1, ./configure complains:
"WARNING: 'missing' script is too old or missing"
The 'missing' script shipped with freeradius is version 0.4. Replacing
it with version 2013-10-28.13 makes the warning go away.
See related older post below.
Is that something that could be fixed for future versions?
Gero.
> Alan DeKok aland at deployingradius.com
> Mon Nov 21 15:29:03 CET 2016
>
> On Nov 20, 2016, at 3:58 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
>>
>> Noticed something pretty minor but thought I might point it out.
>>
>> When building on Debian on 3.0.x
>>
>> checking for rusers... /usr/bin/rusers
>> /freeradius/freeradius-server/missing: Unknown `--is-lightweight' option
>> Try `/freeradius/freeradius-server/missing --help' for more information
>> configure: WARNING: 'missing' script is too old or missing
>> checking for locate... /usr/bin/locate
>> ...
>> Meh no biggie.. but if anyone was poking around aclocal or missing it might
>> be worth sorting.
>
> The autoconf guys keep changing their code. Substantially. :(
>
> I'll look at a fix.
>
> Alan DeKok.
2
2
Using FreeRADIUS Version 3.0.15 from the packages at
https://launchpad.net/~freeradius/+archive/ubuntu/stable-3.0 on Ubuntu 16.04
<https://launchpad.net/~freeradius/+archive/ubuntu/stable-3.0%20on%20Ubuntu%
2016.04>
Using the SQL Module to create a log of SQL queries for access-accept/reject
and accounting packets. However, the filename used is the un-expanded
version (sql-log-%Y%m%d). The queries are logged as expected, and all the
expansion of the content is fine. The expansion of the ${logdir} works - and
the debug shows the date being expanded, however the file written is without
the expansion
Other modules (detail) are correctly writing to similar filenames in the
same directory
Config :-
mods-enabled/sql-log :-
sql sql_log {
driver="rlm_sql_null"
dialect="mysql"
logfile = ${logdir}/sql-relay-%Y%m%d
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries-relay.conf
}
mods-config/sql/main/mysql/queries-relay.conf
post-auth {
log_table = "radlog"
query = "INSERT INTO ${log_table} set \
stamp=%l, \
nas='%{Client-IP-Address}/%{NAS-IP-Address}', \
port='%{NAS-Port}', \
type='%{reply:Packet-Type}', \
username='%{User-Name}', \
clid='%{Calling-Station-Id}', \
hg='%{Huntgroup-Name}', \
info='%{Connect-Info}', \
tun='%{reply:Tunnel-Server-Endpoint[0]}-%{reply:Tunnel-Server-Endpoint[1]}'
\
"
}
sites-enabled/n3server.cfg
postauth {
sql_log
Post-Auth-Type REJECT {
sql_log
}
}
Debug :-
0) sql_log: EXPAND .query
(0) sql_log: --> .query
(0) sql_log: Using query template 'query'
rlm_sql (sql_log): Reserved connection (0)
(0) sql_log: EXPAND %{User-Name}
(0) sql_log: --> testsql
(0) sql_log: SQL-User-Name set to 'testsql'
(0) sql_log: EXPAND INSERT INTO radlog set stamp=%l,
n
as='%{Client-IP-Address}/%{NAS-IP-Address}', port='%{NAS-Port}',
t
ype='%{reply:Packet-Type}', username='%{User-Name}',
c
lid='%{Calling-Station-Id}', hg='%{Huntgroup-Name}',
i
nfo='%{Connect-Info}',
tun='%{reply:Tunnel-Server-Endpoint[0]}-%{reply:
Tunnel-Server-Endpoint[1]}'
(0) sql_log: --> INSERT INTO radlog set stamp=1510527623,
n
as='10.1.1.30/10.1.1.30', port='0',
type='Access-Acc
ept', username='testsql', clid='',
hg='', i
nfo='', tun='-'
(0) sql_log: EXPAND /space/radmin/log/sql-relay-%Y%m%d
(0) sql_log: --> /space/radmin/log/sql-relay-20171112
(0) sql_log: Executing query: INSERT INTO radlog set
stamp=1510527623
, nas='10.1.1.30/10.1.1.30', port='0',
t
ype='Access-Accept', username='testsql', clid='',
h
g='', info='', tun='-'
(0) sql_log: SQL query returned: success
(0) sql_log: 1 record(s) updated
rlm_sql (sql_log): Released connection (0)
(0) [sql_log] = ok
FileListing :-
-rw-rw---- 1 n3radius n3radius 43373 Nov 12 23:00 sql-relay-%Y%m%d
-rw--w---- 1 n3radius n3radius 879393 Nov 12 23:00 detail-20171112
Any suggestions ?
2
3
Hello,
I'm looking for guidance how to configure following scenario:
If user came from host XXX (client IP) without specifying realm/domain (so ex. bob instead of bob(a)mydomain.com) I need to add it to the request.
I've found many example how to do that in otherway around - so if stripping domain from incoming request.
Can somebody give me some guidance how I can achieve that?
I've had a quick look on config/Proxy and correct me if I'm wrong but I believe this is what I need to use to configure it? It's just getting little bit blurry when I'm going to "What Happens" section and it mentioning hints.
I'm using FreeRadius 3.0.4-6 on Centos7.
Many thanks
Dariusz
2
2
Re: key_expiration variable not defined anywhere (in trustrouter.c in rlm_realm)
by Alejandro Pérez Méndez 12 Nov '17
by Alejandro Pérez Méndez 12 Nov '17
12 Nov '17
I messed up with git. This is the actual PR
(https://github.com/FreeRADIUS/freeradius-server/pull/2114)
El 09/11/17 a las 08:32, Alejandro Pérez Méndez escribió:
> Hi Stefan,
>
> you are right. Sadly the first line of my original commit
> (https://github.com/FreeRADIUS/freeradius-server/pull/2059/commits/c5cebd2e9…)
> was lost. Nothing too serious.
> The following PR should fix it
> (https://github.com/FreeRADIUS/freeradius-server/pull/2113)
>
> Regards,
> Alejandro
>
>
>
> El 09/11/17 a las 00:29, Stefan Paetow escribió:
>> Hi Alan,
>>
>> During the build to make this all work with OpenSSL, I noticed that
>> 'key_expiration' is used for the first time in line 422 of
>> trustrouter.c in the rlm_realm module. According to Github this was a
>> manual merge? Did something go missing (the declaration of
>> key_expiration perhaps)?
>>
>> Build output snippet:
>>
>> -- begin --
>>
>> CC src/modules/rlm_realm/trustrouter.c
>> src/modules/rlm_realm/trustrouter.c: In function
>> ‘srvr_blk_to_home_server’:
>> src/modules/rlm_realm/trustrouter.c:422:36: error: ‘key_expiration’
>> undeclared (first use in this function); did you mean
>> ‘get_realm_expiration’?
>> tid_srvr_get_key_expiration(blk, &key_expiration);
>> ^~~~~~~~~~~~~~
>> get_realm_expiration
>> src/modules/rlm_realm/trustrouter.c:422:36: note: each undeclared
>> identifier is reported only once for each function it appears in
>> make: *** [scripts/boiler.mk:635:
>> build/objs/src/modules/rlm_realm/trustrouter.lo] Error 1
>>
>> -- end --
>>
>> Could you have a look? I've copied Alex in, just in case.
>>
>> Thank you very much!
>>
>> With Regards
>>
>> Stefan Paetow
>> Moonshot Industry & Research Liaison Coordinator
>>
>> t: +44 (0)1235 822 125
>> gpg: 0x3FCE5142
>> xmpp: stefanp(a)jabber.dev.ja.net
>> skype: stefan.paetow.janet
>>
>> jisc.ac.uk
>>
>> Jisc is a registered charity (number 1149740) and a company limited
>> by guarantee which is registered in England under Company No.
>> 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One
>> Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>
>
2
3
HI Alan
In this case the data is from an upstream proxy (I am trying to edit
one reply attribute from logins that are received from the proxy).
This isn't data from a NAS.
During the testing the upstream radius is another freeradius instance
grabbing data from our SQL server. Moving forward it will be another
radius server we don't control.
However after reading a little more it seems the answer is to use
if (&proxy-reply:Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
Which now finds the data - and the rest of the example just works
Thanks for the pointers
Richard
On Sunday 12/11/2017 at 1:07 pm, Alan DeKok wrote:
> On Nov 12, 2017, at 6:16 AM, Richard J Palmer <richard(a)merula.net>
> wrote:
>>
>>
>> (1) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>> (1) ERROR: Failed retrieving values required to evaluate
>> condition
>
> That's because the incoming packet doesn't contain Cisco-AVPair.
>
> Again... read the debug output. ALL of it. You'll see the server
> isn't receiving a Cisco-AVPair attribute from the NAS.
>
>>
>> I am reasonably certain there is a issue somewhere with if
>> (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/)
>
> Yes. You can only match a Cisco-AVPair against a regex... if the
> packet contains Cisco-AVPiar.
>
>>
>> Using an online Regex testing tool and using the above as a basis I
>> can see that
>> Cisco-AVPair = \"ip:route=([^ ]+) ([^ ]+)\"
>>
>> This retrieves the data I need - However that is not accepted by the
>> freeradius config (understandably as it's not quote the same thing).
>
> Really? The format of the configuration files is documented. See
> "man unlang".
>
> There should be *no* surprise that random text isn't accepted by
> FreeRADIUS.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
1
0
HI Again
I have now set this login to proxy via another freeradius server and I
have moved the code to post_proxy.
I am now seeing:
(1) Starting proxy to home server 10.0.25.5 port 1645
(1) Proxying request to home server 10.0.25.5 port 1645 timeout
14.000000
(1) Sent Access-Request Id 9 from 0.0.0.0:53508 to 10.0.25.5:1645
length 104
(1) User-Name = "richard2(a)test.login"
(1) User-Password = "12345"
(1) NAS-IP-Address = 10.0.25.8
(1) NAS-Port = 1
(1) Message-Authenticator = 0x369545d0fafed5ff1a2b52ca10bfadd5
(1) Event-Timestamp = "Nov 12 2017 10:16:42 GMT"
(1) Proxy-State = 0x3836
Waking up in 0.3 seconds.
(1) Clearing existing &reply: attributes
(1) Received Access-Accept Id 9 from 10.0.25.5:1645 to 10.0.25.8:53508
length 101
(1) Framed-IP-Address = 1.2.108.10
(1) Framed-IP-Netmask = 255.255.255.248
(1) Cisco-AVPair = "ip:route=1.2.108.8 255.255.255.248"
(1) Filter-Id = "P"
(1) Chargeable-User-Identity = "richard2"
(1) Acct-Interim-Interval = 60
(1) Proxy-State = 0x3836
(1) # Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
(1) post-proxy {
(1) post_proxy_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
(1) post_proxy_log: -->
/usr/local/var/log/radius/radacct/127.0.0.1/post-proxy-detail-20171112
(1) post_proxy_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/post-proxy-detail-20171112
(1) post_proxy_log: EXPAND %t
(1) post_proxy_log: --> Sun Nov 12 10:16:42 2017
(1) [post_proxy_log] = ok
(1) policy rewrite_routes {
(1) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
(1) ERROR: Failed retrieving values required to evaluate
condition
(1) } # policy rewrite_routes = ok
(1) eap: No pre-existing handler found
(1) [eap] = noop
(1) } # post-proxy = ok
(1) Found Auth-Type = Accept
(1) Auth-Type = Accept, accepting the user
post Proxy log shows:
Sun Nov 12 10:16:42 2017
Packet-Type = Access-Accept
Framed-IP-Address = 1.2.108.10
Framed-IP-Netmask = 255.255.255.248
Cisco-AVPair = "ip:route=1.2.108.8 255.255.255.248"
Filter-Id = "P"
Chargeable-User-Identity = "richard2"
Acct-Interim-Interval = 60
Proxy-State = 0x3836
Timestamp = 1510481802
I am reasonably certain there is a issue somewhere with if
(&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/)
Using an online Regex testing tool and using the above as a basis I
can see that
Cisco-AVPair = \"ip:route=([^ ]+) ([^ ]+)\"
This retrieves the data I need - However that is not accepted by the
freeradius config (understandably as it's not quote the same thing).
My initial thought is the issue could be the quotes - but I am
clutching at straws here. I have looked at the documents - but with
Regex not being my strong point I am not sure what I have missed on
the FR config...
Could I please have one last pointer here ?
Thanks!
Richard
On Saturday 11/11/2017 at 8:42 pm, Alan Buxey wrote:
> Not that remote server, just spin up another server that this one
> talks to,
> replying back with such results.
>
> Run in full debug mode, you should see contents of packets, since this
> isn't in the post-proxy or post-auth (as you are putting things in
> during
> Auth stage and checking/changing them there - which isn't how the real
> server would behave or be configured) the check you make will be
> different
> too
>
> alan
>
> On 11 Nov 2017 8:17 pm, "Richard J Palmer" <richard(a)merula.net> wrote:
>
>>
>> Hi
>>
>> I can almost certainly test this with the remote radius server - I am
>> just
>> waiting for the remote server to be configured to allow me access -
>> and in
>> the mean time was trying to test my config locally.
>>
>> From the log
>>
>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>
>> ERROR: Failed retrieving values required to evaluate condition
>>
>> I assume that &Cisco-AVPair is not available here and I should be
>> using
>> something else (or I could have totally the wrong reason).
>>
>> Ultimately the aim was to check if what had written worked before I
>> had
>> access to the upstream server. If it's easier just to wait I shall.
>>
>> Thanks in advance
>>
>> Richard
>>
>>
>>
>>
>> On Saturday 11/11/2017 at 7:39 pm, Alan Buxey wrote:
>>
>>>
>>> Best test would be to have a remote radius server sending back replies
>>> like
>>> you will have as using some local stuff added via SQL isn't going to
>>> be
>>> the
>>> same , goes through different sections,
>>>
>>> alan
>>>
>>> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard(a)merula.net> wrote:
>>>
>>>
>>>>
>>>> HI Alan
>>>>
>>>> I will be using it for Proxy. However I was trying to test / use this
>>>> locally as well while debugging the server / code.
>>>>
>>>> Ideally it would be nice to allow both options to work but I am
>>>> flexible
>>>> if it's easier just to use this for requests that are proxied
>>>>
>>>> Thanks
>>>>
>>>> Richard
>>>>
>>>>
>>>>
>>>>
>>>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey wrote:
>>>>
>>>>
>>>>>
>>>>> You say you need to modify a reply from their radius server - this
>>>>> will
>>>>> be
>>>>> in the post-proxy section?
>>>>>
>>>>> Also if (&reply:Cisco-AVPair ... ?
>>>>>
>>>>> alan
>>>>>
>>>>>
>>>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard(a)merula.net> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> Sorry for the delay. I am getting close with this I think... BUT
>>>>> something
>>>>> seems to be slightly wrong.
>>>>>
>>>>> Happy to post a full log as needed - BUT I hope the bit I need is
>>>>> here:
>>>>>
>>>>> (2) sql1: Framed-Route = ""
>>>>> (2) sql1: Framed-IP-Address = 1.2.3.1
>>>>> (2) sql1: Framed-IP-Netmask = 255.255.255.248
>>>>> (2) sql1: Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2) sql1: Filter-Id = "P"
>>>>> (2) sql1: Chargeable-User-Identity = "richard2"
>>>>>
>>>>> <group SQL statements>
>>>>>
>>>>> (2) sql1: Group "Hotspot": Merging reply items
>>>>> (2) sql1: Acct-Interim-Interval = 600
>>>>>
>>>>> (2) [sql1] = ok
>>>>> (2) } # redundant = ok
>>>>> (2) policy rewrite_routes {
>>>>> (2) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>> (2) ERROR: Failed retrieving values required to evaluate
>>>>> condition
>>>>> (2) } # policy rewrite_routes = ok
>>>>>
>>>>> (2) Login OK: [richard2] (from client local port 1)
>>>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919
>>>>> length 0
>>>>> (2) Framed-IP-Address = 1.2.3.1
>>>>> (2) Framed-IP-Netmask = 255.255.255.248
>>>>> (2) Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2) Filter-Id = "P"
>>>>> (2) Chargeable-User-Identity = "richard2"
>>>>> (2) Acct-Interim-Interval = 600
>>>>> (2) Finished request
>>>>>
>>>>>
>>>>> In my authorise section I have placed:
>>>>>
>>>>> redundant {
>>>>> sql1
>>>>> sql2
>>>>> handled
>>>>> }
>>>>> # -sql
>>>>> rewrite_routes
>>>>>
>>>>> (The other sections are there - this is just to show where what I hope
>>>>> is
>>>>> relevant. The code itself is based on the code provided below
>>>>>
>>>>> rewrite_routes {
>>>>>
>>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>> switch "%{2}" {
>>>>> case "255.255.255.255" {
>>>>> update reply {
>>>>> Framed-Route =
>>>>> "%{1}/32"
>>>>> }
>>>>> }
>>>>> case "255.255.255.254" {
>>>>> update reply {
>>>>> Framed-Route =
>>>>> "%{1}/31"
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> and so on (it is in the policy.d folder)
>>>>>
>>>>> I am aware the key to this is the error
>>>>>
>>>>> (2) ERROR: Failed retrieving values required to evaluate
>>>>> condition
>>>>>
>>>>> What I am unclear about is why this is failing / and what I have done
>>>>> wrong
>>>>> here to cause this. If you can give me one more pointer here I'd
>>>>> appreciate
>>>>> it
>>>>>
>>>>> More than happy to send any of the extra config or log as needed
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Richard
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok wrote:
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard(a)merula.net>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This is where my skills are not great (regex) most other areas I can
>>>>>>> work
>>>>>>> with. Ultimately I am happy to pay someone to help write the little
>>>>>>> bit
>>>>>>> of
>>>>>>> code that does this. I do need to cope with Netmasks from /32 to /24
>>>>>>> so a
>>>>>>> few switch cases.
>>>>>>>
>>>>>>>
>>>>>>> It shouldn't be difficult.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>>>> probably build from there.
>>>>>>>
>>>>>>>
>>>>>>> If you have:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Cisco-AVPair = "ip:route=1.2.3.1
>>>>>>>>> 255.255.255.240"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Step 1, split it into pieces:
>>>>>>>>
>>>>>>>
>>>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>>
>>>>>> This matches the "ip:route" prefix. It
>>>>>> then matches
>>>>>> non-space
>>>>>> data,
>>>>>> then a space, and more non-space data. As per the FR documentation,
>>>>>> the
>>>>>> first match goes into %{1}, and the second into %{2}.
>>>>>>
>>>>>> As there are only a limited number of
>>>>>> net masks, you
>>>>>> can expand
>>>>>> the net
>>>>>> mask, and switch over it (inside of the "if" block from above)
>>>>>>
>>>>>> switch "%{2}" {
>>>>>> case "255.255.255.255" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/32"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> case "255.255.255.254" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/31"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> case "255.255.255.252" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/30"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> ... etc...
>>>>>>
>>>>>> # and the "catch all" case, just mash it to /28
>>>>>> case {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/28"
>>>>>> }
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> A little verbose, but it should work.
>>>>>>
>>>>>> Alan DeKok.
>>>>>>
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>>>> /users.html
>>>>>>
>>>>>>
>>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>>> /users.html
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>>> /users.html
>>>>>
>>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>> /users.html
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>> /users.html
>>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
2
1
Hi
I can almost certainly test this with the remote radius server - I am
just waiting for the remote server to be configured to allow me access
- and in the mean time was trying to test my config locally.
>From the log
if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
ERROR: Failed retrieving values required to evaluate condition
I assume that &Cisco-AVPair is not available here and I should be
using something else (or I could have totally the wrong reason).
Ultimately the aim was to check if what had written worked before I
had access to the upstream server. If it's easier just to wait I
shall.
Thanks in advance
Richard
On Saturday 11/11/2017 at 7:39 pm, Alan Buxey wrote:
> Best test would be to have a remote radius server sending back replies
> like
> you will have as using some local stuff added via SQL isn't going to
> be the
> same , goes through different sections,
>
> alan
>
> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard(a)merula.net> wrote:
>
>>
>> HI Alan
>>
>> I will be using it for Proxy. However I was trying to test / use this
>> locally as well while debugging the server / code.
>>
>> Ideally it would be nice to allow both options to work but I am
>> flexible
>> if it's easier just to use this for requests that are proxied
>>
>> Thanks
>>
>> Richard
>>
>>
>>
>>
>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey wrote:
>>
>>>
>>> You say you need to modify a reply from their radius server - this
>>> will be
>>> in the post-proxy section?
>>>
>>> Also if (&reply:Cisco-AVPair ... ?
>>>
>>> alan
>>>
>>>
>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard(a)merula.net> wrote:
>>>
>>> Hi
>>>
>>> Sorry for the delay. I am getting close with this I think... BUT
>>> something
>>> seems to be slightly wrong.
>>>
>>> Happy to post a full log as needed - BUT I hope the bit I need is
>>> here:
>>>
>>> (2) sql1: Framed-Route = ""
>>> (2) sql1: Framed-IP-Address = 1.2.3.1
>>> (2) sql1: Framed-IP-Netmask = 255.255.255.248
>>> (2) sql1: Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>> (2) sql1: Filter-Id = "P"
>>> (2) sql1: Chargeable-User-Identity = "richard2"
>>>
>>> <group SQL statements>
>>>
>>> (2) sql1: Group "Hotspot": Merging reply items
>>> (2) sql1: Acct-Interim-Interval = 600
>>>
>>> (2) [sql1] = ok
>>> (2) } # redundant = ok
>>> (2) policy rewrite_routes {
>>> (2) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>> (2) ERROR: Failed retrieving values required to evaluate
>>> condition
>>> (2) } # policy rewrite_routes = ok
>>>
>>> (2) Login OK: [richard2] (from client local port 1)
>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919
>>> length 0
>>> (2) Framed-IP-Address = 1.2.3.1
>>> (2) Framed-IP-Netmask = 255.255.255.248
>>> (2) Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>> (2) Filter-Id = "P"
>>> (2) Chargeable-User-Identity = "richard2"
>>> (2) Acct-Interim-Interval = 600
>>> (2) Finished request
>>>
>>>
>>> In my authorise section I have placed:
>>>
>>> redundant {
>>> sql1
>>> sql2
>>> handled
>>> }
>>> # -sql
>>> rewrite_routes
>>>
>>> (The other sections are there - this is just to show where what I hope
>>> is
>>> relevant. The code itself is based on the code provided below
>>>
>>> rewrite_routes {
>>>
>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>> switch "%{2}" {
>>> case "255.255.255.255" {
>>> update reply {
>>> Framed-Route = "%{1}/32"
>>> }
>>> }
>>> case "255.255.255.254" {
>>> update reply {
>>> Framed-Route = "%{1}/31"
>>> }
>>> }
>>>
>>>
>>> and so on (it is in the policy.d folder)
>>>
>>> I am aware the key to this is the error
>>>
>>> (2) ERROR: Failed retrieving values required to evaluate
>>> condition
>>>
>>> What I am unclear about is why this is failing / and what I have done
>>> wrong
>>> here to cause this. If you can give me one more pointer here I'd
>>> appreciate
>>> it
>>>
>>> More than happy to send any of the extra config or log as needed
>>>
>>> Thanks in advance
>>>
>>> Richard
>>>
>>>
>>>
>>>
>>>
>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok wrote:
>>>
>>>
>>>>
>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard(a)merula.net>
>>>> wrote:
>>>>
>>>>
>>>>>
>>>>>
>>>>> This is where my skills are not great (regex) most other areas I can
>>>>> work
>>>>> with. Ultimately I am happy to pay someone to help write the little
>>>>> bit
>>>>> of
>>>>> code that does this. I do need to cope with Netmasks from /32 to /24
>>>>> so a
>>>>> few switch cases.
>>>>>
>>>>>
>>>> It shouldn't be difficult.
>>>>
>>>>
>>>>
>>>>>
>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>> probably build from there.
>>>>>
>>>>>
>>>> If you have:
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Cisco-AVPair = "ip:route=1.2.3.1
>>>>>>> 255.255.255.240"
>>>>>>>
>>>>>>>
>>>>>> Step 1, split it into pieces:
>>>>
>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>
>>>> This matches the "ip:route" prefix. It then matches
>>>> non-space
>>>> data,
>>>> then a space, and more non-space data. As per the FR documentation,
>>>> the
>>>> first match goes into %{1}, and the second into %{2}.
>>>>
>>>> As there are only a limited number of net masks, you
>>>> can expand
>>>> the net
>>>> mask, and switch over it (inside of the "if" block from above)
>>>>
>>>> switch "%{2}" {
>>>> case "255.255.255.255" {
>>>> update reply {
>>>> Framed-Route = "%{1}/32"
>>>> }
>>>> }
>>>>
>>>> case "255.255.255.254" {
>>>> update reply {
>>>> Framed-Route = "%{1}/31"
>>>> }
>>>> }
>>>>
>>>> case "255.255.255.252" {
>>>> update reply {
>>>> Framed-Route = "%{1}/30"
>>>> }
>>>> }
>>>>
>>>> ... etc...
>>>>
>>>> # and the "catch all" case, just mash it to /28
>>>> case {
>>>> update reply {
>>>> Framed-Route = "%{1}/28"
>>>> }
>>>> }
>>>> }
>>>>
>>>> A little verbose, but it should work.
>>>>
>>>> Alan DeKok.
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>> /users.html
>>>>
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>> /users.html
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>> /users.html
>>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
3
2