Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
Hello everyone,
I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct or?
It also works with the Radius protocol instead of Tacacs and with Alpha version 4.
First I perform the login with the correct password and then with an empty password.
This is the output of freeradius -X:
Info : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/etc/raddb/dictionary"
including configuration file /etc/raddb/radiusd.conf
Including files in directory "/etc/raddb/template.d/"
including configuration file /etc/raddb/template.d/default
including configuration file /etc/raddb/clients.conf
Including files in directory "/etc/raddb/global.d/"
including configuration file /etc/raddb/global.d/ldap
including configuration file /etc/raddb/global.d/python
Including files in directory "/etc/raddb/mods-enabled/"
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/client
including configuration file /etc/raddb/mods-enabled/delay
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/eap_inner
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/escape
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/stats
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
Including files in directory "/etc/raddb/policy.d/"
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalisation
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/time
including configuration file /etc/raddb/policy.d/vendor
Including files in directory "/etc/raddb/sites-enabled/"
including configuration file /etc/raddb/sites-enabled/default
Loaded module process_radius
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/tacacs
Loaded module process_tacacs
Parsing initial logging configuration.
main {
prefix = /usr/local/freeradius
log {
destination = file
syslog_facility = daemon
local_state_dir = "/usr/local/freeradius/var"
logdir = "/usr/local/freeradius/var/log"
file = /usr/local/freeradius/var/log/radius/radius.log
suppress_secrets = no
}
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
log {
}
security {
allow_core_dumps = no
allow_vulnerable_openssl = no
openssl_fips_mode = no
}
name = radiusd
local_state_dir = "/usr/local/freeradius/var"
run_dir = /usr/local/freeradius/var/run/radiusd
}
Parsing main configuration
main {
server default {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
Loaded module proto_radius
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module proto_radius_udp
udp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 60.0
nak_lifetime = 30.0
max_connections = 256
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen tcp_auth {
type = Access-Request
type = Status-Server
transport = tcp
Loaded module proto_radius_tcp
tcp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen udp_acct {
type = Accounting-Request
transport = udp
udp {
ipaddr = *
port = 1813
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server inner-tunnel {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
transport = udp
udp {
ipaddr = 127.0.0.1
port = 18120
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server tacacs {
namespace = tacacs
tacacs {
Authentication {
session {
timeout = 15
max = 4096
max_rounds = 4
}
}
}
Loaded module proto_tacacs
listen {
type = Authentication-Start
type = Authentication-Continue
type = Authorization-Request
type = Accounting-Request
transport = tcp
Loaded module proto_tacacs_tcp
tcp {
ipaddr = *
port = 49
networks {
}
max_packet_size = 4096
max_attributes = 256
}
limit {
idle_timeout = 60.0
max_connections = 256
}
priority {
Authentication-Start = high
Authentication-Continue = high
Authorization-Request = normal
Accounting-Request = low
}
}
}
log {
colourise = yes
}
security {
}
sbin_dir = "/usr/local/freeradius/sbin"
logdir = /usr/local/freeradius/var/log/radius
radacctdir = /usr/local/freeradius/var/log/radius/radacct
reverse_lookups = no
hostname_lookups = yes
max_request_time = 30
pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid
debug_level = 0
max_requests = 16384
resources {
}
thread pool {
num_networks = 1
Dynamically determined thread.workers = 15
num_workers = 15
openssl_async_pool_init = 64
openssl_async_pool_max = 1024
}
migrate {
rewrite_update = false
forbid_update = false
}
interpret {
}
}
Switching to configured log settings
log debug {
destination = null
timestamp = yes
colourise = no
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
require_message_authenticator = no
proto = *
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
Debugger not attached
trigger { ... } subsection not found, triggers will be disabled
#### Instantiating libraries ####
#### Bootstrapping process modules ####
Bootstrapping process_radius "default"
Creating Auth-Type = pap
Creating Auth-Type = chap
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = ldap
Creating Auth-Type = eap
Bootstrapping process_radius "inner-tunnel"
Bootstrapping process_tacacs "tacacs"
Creating Auth-Type = ASCII
#### Bootstrapping protocol modules ####
Bootstrapping proto_radius "default.radius"
client localhost {
ipaddr = 192.0.2.1
secret = <<< secret >>>
shortname = sample
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
Bootstrapping proto_radius "default.tcp_auth"
Bootstrapping proto_radius "default.udp_acct"
Bootstrapping proto_radius "inner-tunnel.radius"
Bootstrapping proto_tacacs "tacacs.tacacs"
Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1"
client tacacs {
ipaddr = 127.0.0.1
secret = <<< secret >>>
proto = tcp
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30s
}
}
#### Instantiating libraries ####
#### Bootstrapping modules ####
modules {
Loaded module rlm_always
always reject {
rcode = reject
simulcount = 0
mpp = no
}
always fail {
rcode = fail
simulcount = 0
mpp = no
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
always handled {
rcode = handled
simulcount = 0
mpp = no
}
always invalid {
rcode = invalid
simulcount = 0
mpp = no
}
always disallow {
rcode = disallow
simulcount = 0
mpp = no
}
always notfound {
rcode = notfound
simulcount = 0
mpp = no
}
always noop {
rcode = noop
simulcount = 0
mpp = no
}
always updated {
rcode = updated
simulcount = 0
mpp = no
}
Loaded module rlm_attr_filter
attr_filter attr_filter.pre-proxy {
filename = /etc/raddb/mods-config/attr_filter/pre-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = /etc/raddb/mods-config/attr_filter/post-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = /etc/raddb/mods-config/attr_filter/access_reject
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = /etc/raddb/mods-config/attr_filter/access_challenge
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = /etc/raddb/mods-config/attr_filter/accounting_response
key = "%{User-Name}"
relaxed = no
}
Loaded module rlm_cache
cache cache_eap {
driver = rbtree
Loaded module rlm_cache_rbtree
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Loaded module rlm_chap
chap {
min_challenge_len = 16
}
Loaded module rlm_client
Loaded module rlm_delay
delay {
delay = 1.0s
relative = no
force_reschedule = no
}
delay delay_reject {
delay = "%{&reply.FreeRADIUS-Response-Delay || 1}"
relative = yes
force_reschedule = no
}
Loaded module rlm_detail
detail {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
permissions = 0600
locking = no
escape_filenames = no
log_packet_header = no
}
Loaded module rlm_digest
Loaded module rlm_eap
eap {
require_identity_realm = nai
type = md5
Loaded module rlm_eap_md5
type = gtc
Loaded module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = tls
Loaded module rlm_eap_tls
tls {
tls = tls-common
require_client_cert = yes
include_length = yes
}
type = ttls
Loaded module rlm_eap_ttls
ttls {
tls = tls-common
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
type = mschapv2
Loaded module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = peap
Loaded module rlm_eap_peap
peap {
tls = tls-common
virtual_server = "inner-tunnel"
require_client_cert = no
}
ignore_unknown_eap_types = no
}
eap inner-eap {
require_identity_realm = nai
default_eap_type = mschapv2
type = md5
type = gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = tls
tls {
tls = tls-peer
require_client_cert = yes
include_length = yes
}
ignore_unknown_eap_types = no
}
Loaded module rlm_exec
exec echo {
wait = yes
input_pairs = &request
output_pairs = &reply
shell_escape = yes
env_inherit = no
}
Loaded module rlm_escape
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
exec {
wait = yes
input_pairs = &request
shell_escape = yes
env_inherit = no
timeout = 10
}
Loaded module rlm_files
files {
filename = /etc/raddb/mods-config/files/authorize
}
files files_accounting {
filename = /etc/raddb/mods-config/files/accounting
}
Instantiating ldap
ldap {
ldap_debug = 0x0000
}
global - ldap - libldap vendor: OpenLDAP, version: 20517
global - ldap - extension: X_OPENLDAP
global - ldap - extension: THREAD_SAFE
global - ldap - extension: SESSION_THREAD_SAFE
global - ldap - extension: OPERATION_THREAD_SAFE
global - ldap - extension: X_OPENLDAP_REENTRANT
global - ldap - extension: X_OPENLDAP_THREAD_SAFE
Loaded module rlm_ldap
ldap {
server = 'ldaps://WIN-DV0HIUUHTPI.freeradius.local:636'
identity = 'cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local'
password = <<< secret >>>
sasl {
}
options {
chase_referrals = yes
use_referral_credentials = no
referral_depth = 5
rebind = yes
net_timeout = 10
idle = 60
probes = 3
interval = 3
srv_timelimit = 3
res_timeout = 10
idle_timeout = 300
reconnection_delay = 10
}
tls {
ca_file = /etc/raddb/certs/cacert.pem
start_tls = no
}
session_tracking = no
user {
scope = sub
access_positive = yes
access_value_negate = "false"
access_value_suspend = "suspended"
}
group {
filter = '(objectClass=posixGroup)'
scope = sub
name_attribute = "cn"
membership_attribute = 'memberOf'
cacheable_name = yes
cacheable_dn = no
group_attribute = "ldap-Group"
allow_dangling_group_ref = no
skip_on_suspend = yes
}
profile {
scope = base
}
pool {
start = 0
min = 1
max = 5
connecting = 2
uses = 0
lifetime = 0
open_delay = 0.2
close_delay = 10.0
manage_interval = 0.2
connection {
connect_timeout = 3.0
reconnect_delay = 1
}
request {
per_connection_max = 2000
per_connection_target = 1000
free_delay = 10.0
}
}
bind_pool {
start = 0
min = 1
max = 1000
connecting = 2
uses = 0
lifetime = 0
open_delay = 0.2
close_delay = 10.0
manage_interval = 0.2
connection {
connect_timeout = 3.0
reconnect_delay = 1
}
request {
per_connection_max = 2000
per_connection_target = 1000
free_delay = 10.0
}
}
}
Loaded module rlm_linelog
linelog {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
server = localhost
port = 514
timeout = 2.0
}
udp {
server = localhost
port = 514
timeout = 2.0
}
}
linelog log_accounting {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_access_accept {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_access_reject {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_authentication_pass {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
linelog log_auth_authentication_fail {
destination = file
delimiter = "\n"
file {
permissions = 0600
escape_filenames = no
}
syslog {
facility = daemon
severity = notice
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
Loaded module rlm_mschap
mschap {
normalise = yes
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind {
}
}
exec ntlm_auth {
wait = yes
shell_escape = yes
env_inherit = no
}
Loaded module rlm_pap
pap {
normalise = yes
}
Loaded module rlm_passwd
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loaded module rlm_radutmp
radutmp {
check_with_nas = yes
permissions = 0600
caller_id = no
}
radutmp sradutmp {
check_with_nas = yes
permissions = 0644
caller_id = no
}
Loaded module rlm_stats
stats {
}
Loaded module rlm_unix
unix {
}
Loaded module rlm_unpack
Loaded module rlm_utf8
#### Bootstrapping rlm modules ####
Bootstrapping rlm_cache "cache_eap"
Bootstrapping rlm_chap "chap"
Bootstrapping rlm_delay "delay"
Bootstrapping rlm_delay "delay_reject"
Bootstrapping rlm_always "disallow"
Bootstrapping rlm_eap "eap"
Bootstrapping rlm_exec "echo"
Bootstrapping rlm_escape "escape"
Bootstrapping rlm_exec "exec"
Bootstrapping rlm_always "fail"
Bootstrapping rlm_always "handled"
Bootstrapping rlm_eap "inner-eap"
Bootstrapping rlm_always "invalid"
Bootstrapping rlm_ldap "ldap"
Bootstrapping rlm_linelog "linelog"
Bootstrapping rlm_linelog "log_accounting"
Bootstrapping rlm_linelog "log_auth_access_accept"
Bootstrapping rlm_linelog "log_auth_access_reject"
Bootstrapping rlm_linelog "log_auth_authentication_fail"
Bootstrapping rlm_linelog "log_auth_authentication_pass"
Bootstrapping rlm_mschap "mschap"
Bootstrapping rlm_always "noop"
Bootstrapping rlm_always "notfound"
Bootstrapping rlm_exec "ntlm_auth"
Bootstrapping rlm_always "ok"
Bootstrapping rlm_always "reject"
Bootstrapping rlm_unix "unix"
Bootstrapping rlm_always "updated"
} # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Instantiating proto_radius "default.radius"
Instantiating proto_radius "default.tcp_auth"
Instantiating proto_radius "default.udp_acct"
Instantiating process_radius "default"
Compiling policies in - recv Access-Request {...}
Reading file /etc/raddb/mods-config/files/authorize
/etc/raddb/sites-enabled/default[785]: Ignoring "-sql" as the "sql" module is not enabled.
/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return'
/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering
Compiling policies in - send Access-Accept {...}
/etc/raddb/sites-enabled/default[1104]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
/etc/raddb/sites-enabled/default[1219]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Accounting-Request {...}
Reading file /etc/raddb/mods-config/files/accounting
Compiling policies in - send Accounting-Response {...}
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate digest {...}
Compiling policies in - authenticate ldap {...}
Compiling policies in - authenticate eap {...}
Compiling policies in - accounting Start {...}
/etc/raddb/sites-enabled/default[1340]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Stop {...}
/etc/raddb/sites-enabled/default[1359]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Interim-Update {...}
/etc/raddb/sites-enabled/default[1389]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Accounting-On {...}
/etc/raddb/sites-enabled/default[1404]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Accounting-Off {...}
/etc/raddb/sites-enabled/default[1419]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - accounting Failed {...}
/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused
/etc/raddb/sites-enabled/default[150]: dictionary { ... } section is unused
Compiling policies in server inner-tunnel { ... }
Instantiating proto_radius "inner-tunnel.radius"
Instantiating process_radius "inner-tunnel"
Compiling policies in - recv Access-Request {...}
Reading file /etc/raddb/mods-config/files/authorize
/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled.
/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return'
/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering
Compiling policies in - send Access-Accept {...}
/etc/raddb/sites-enabled/inner-tunnel[266]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Reject {...}
/etc/raddb/sites-enabled/inner-tunnel[308]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate eap {...}
src/lib/server/virtual_servers.c[311]: radius { ... } section is unused
Compiling policies in server tacacs { ... }
Instantiating proto_tacacs "tacacs.tacacs"
Instantiating process_tacacs "tacacs"
Compiling policies in - recv Authentication-Start {...}
/etc/raddb/sites-enabled/tacacs[232]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Authentication-Pass {...}
Compiling policies in - send Authentication-Fail {...}
Compiling policies in - send Authentication-GetUser {...}
Compiling policies in - send Authentication-GetPass {...}
Compiling policies in - recv Authentication-Continue {...}
Compiling policies in - authenticate PAP {...}
Compiling policies in - authenticate CHAP {...}
Compiling policies in - authenticate ldap {...}
Compiling policies in - authenticate ASCII {...}
Compiling policies in - recv Authorization-Request {...}
Compiling policies in - send Authorization-Pass-Add {...}
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Success {...}
Compiling policies in - send Accounting-Error {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Watchdog-Update {...}
Compiling policies in - accounting Watchdog {...}
Compiling policies in - accounting Stop {...}
/etc/raddb/sites-enabled/tacacs[32]: tacacs { ... } section is unused
#### Instantiating rlm modules ####
Instantiating rlm_attr_filter "attr_filter.access_challenge"
Reading file /etc/raddb/mods-config/attr_filter/access_challenge
Instantiating rlm_attr_filter "attr_filter.access_reject"
Reading file /etc/raddb/mods-config/attr_filter/access_reject
Instantiating rlm_attr_filter "attr_filter.accounting_response"
Reading file /etc/raddb/mods-config/attr_filter/accounting_response
Instantiating rlm_attr_filter "attr_filter.post-proxy"
Reading file /etc/raddb/mods-config/attr_filter/post-proxy
Instantiating rlm_attr_filter "attr_filter.pre-proxy"
Reading file /etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating rlm_detail "auth_log"
Instantiating rlm_cache "cache_eap"
Instantiating rlm_chap "chap"
Instantiating rlm_detail "detail"
Instantiating rlm_digest "digest"
Instantiating rlm_always "disallow"
Instantiating rlm_eap "eap"
Instantiating rlm_passwd "etc_passwd"
Instantiating rlm_always "fail"
Instantiating rlm_always "handled"
Instantiating rlm_eap "inner-eap"
inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work
Instantiating rlm_always "invalid"
Instantiating rlm_ldap "ldap"
accounting {
reference = "%tolower(type.%{Acct-Status-Type})"
}
post-auth {
reference = "."
}
Instantiating rlm_linelog "linelog"
Instantiating rlm_linelog "log_accounting"
Instantiating rlm_linelog "log_auth_access_accept"
Instantiating rlm_linelog "log_auth_access_reject"
Instantiating rlm_linelog "log_auth_authentication_fail"
Instantiating rlm_linelog "log_auth_authentication_pass"
Instantiating rlm_mschap "mschap"
mschap - Using internal authentication
Instantiating rlm_always "noop"
Instantiating rlm_always "notfound"
Instantiating rlm_always "ok"
Instantiating rlm_pap "pap"
Instantiating rlm_detail "post_proxy_log"
Instantiating rlm_detail "pre_proxy_log"
Instantiating rlm_always "reject"
Instantiating rlm_detail "reply_log"
Instantiating rlm_stats "stats"
Instantiating rlm_always "updated"
Instantiating _cache_rbtree "cache_eap.rbtree"
Instantiating _eap_mschapv2 "eap.mschapv2"
Instantiating _eap_peap "eap.peap"
tls-config tls-common {
chain rsa {
format = pem
certificate_file = /etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /etc/raddb/certs/rsa/server.key
ca_file = /etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /etc/raddb/certs
ca_file = /etc/raddb/certs/rsa/ca.pem
dh_file = /etc/raddb/certs/dh
fragment_size = 1024
cipher_list = "DEFAULT"
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = prime256v1
tls_min_version = 1.2
session {
mode = auto
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
name = "%{EAP-Type}%interpreter(server)"
lifetime = 1d
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
Instantiating _eap_tls "eap.tls"
tls - Using cached TLS configuration from previous invocation
Instantiating _eap_ttls "eap.ttls"
tls - Using cached TLS configuration from previous invocation
Instantiating _eap_mschapv2 "inner-eap.mschapv2"
Instantiating _eap_tls "inner-eap.tls"
tls-config tls-peer {
chain {
format = pem
certificate_file = /etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /etc/raddb/certs/rsa/server.key
ca_file = /etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /etc/raddb/certs
ca_file = /etc/raddb/certs/rsa/ca.pem
dh_file = /etc/raddb/certs/dh
fragment_size = 16384
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = "prime256v1"
tls_min_version = 1.2
session {
mode = auto
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
name = "%{EAP-Type}%interpreter(server)"
lifetime = 1d
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
No existing connection found - creating new one
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on radius_udp server * port 1812 bound to virtual server default
Listening on radius_tcp server * port 1812 bound to virtual server default
Listening on radius_udp server * port 1813 bound to virtual server default
Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel
Listening on tacacs_tcp server * port 49 bound to virtual server tacacs
Ready to process requests
rlm_ldap - [1] - Signalled to start from HALTED state
rlm_ldap - [1] - Connection changed state HALTED -> INIT
rlm_ldap - [1] Trunk connection changed state HALTED -> INIT
Starting bind operation
rlm_ldap - [1] - Connection changed state INIT -> CONNECTING
rlm_ldap - [1] Trunk connection changed state INIT -> CONNECTING
Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful
rlm_ldap - [1] - Signalled connected from CONNECTING state
rlm_ldap - [1] - Connection changed state CONNECTING -> CONNECTED
rlm_ldap - [1] - Connection established
rlm_ldap - [1] Trunk connection changed state CONNECTING -> ACTIVE
rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Got search entry response for message 2
rlm_ldap (ldap) - Directory type: Active Directory
rlm_ldap (ldap) - Directory supports LDAP_SERVER_NOTIFICATION_OID
proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
Listening on tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 bound to virtual server tacacs
proto_tacacs_tcp - Received Authentication seq_no 1 length 64 tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Received Authentication-Start ID 1 from 127.0.0.1:53534 to 127.0.0.1:49 length 64 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Packet {
(0) Version-Major = Plus
(0) Version-Minor = 1
(0) Packet-Type = Authentication
(0) Sequence-Number = 1
(0) Flags = None
(0) Session-Id = 1085304268
(0) Length = 52
(0) }
(0) Packet-Body-Type = Start
(0) Action = LOGIN
(0) Privilege-Level = Minimum
(0) Authentication-Type = PAP
(0) Authentication-Service = LOGIN
(0) User-Name = "test"
(0) Client-Port = "python_tty0"
(0) Remote-Address = "python_device"
(0) User-Password = "RUrMV9nmkQUSthyy"
Worker - Resetting cleanup timer to +30
(0) tacacs {
(0) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs
(0) recv Authentication-Start {
(0) &control.Auth-Type := 658583602
(0) } # recv Authentication-Start (noop)
(0) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs
(0) authenticate ldap {
(0) | %{&Stripped-User-Name || &User-Name}
(0) | ||
(0) | &Stripped-User-Name
(0) | %logical_or()
(0) | &Stripped-User-Name
(0) (null)
(0) | &User-Name
(0) | %logical_or(...)
(0) | &User-Name
(0) | --> test
(0) | %logical_or(...)
(0) | --> test
(0) ldap - Login attempt with password
(0) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
(0) rlm_ldap - [1] Trunk connection assigned request 2
(0) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub"
(0) ldap - Got search entry response for message 3
(0) ldap - function - Resuming execution
(0) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
(0) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
(0) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
rlm_ldap bind auth - [2] - Signalled to start from HALTED state
rlm_ldap bind auth - [2] - Connection changed state HALTED -> INIT
rlm_ldap bind auth - [2] Trunk connection changed state HALTED -> INIT
Starting bind operation
rlm_ldap bind auth - [2] - Connection changed state INIT -> CONNECTING
rlm_ldap bind auth - [2] Trunk connection changed state INIT -> CONNECTING
Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful
rlm_ldap bind auth - [2] - Signalled connected from CONNECTING state
rlm_ldap bind auth - [2] - Connection changed state CONNECTING -> CONNECTED
rlm_ldap bind auth - [2] - Connection established
rlm_ldap bind auth - [2] Trunk connection changed state CONNECTING -> ACTIVE
(0) ldap - rlm_ldap bind auth - [2] Trunk connection assigned request 3
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
(0) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
(0) ldap - function - Resuming execution
(0) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE
(0) ldap - ldap (ok)
(0) } # authenticate ldap (ok)
(0) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs
(0) send Authentication-Pass {
(0) | %{User-Name}
(0) | --> test
(0) &reply.Server-Message := Hello test
(0) } # send Authentication-Pass (noop)
(0) tacacs (ok)
(0) } # tacacs (ok)
(0) Done request
(0) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53534 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
(0) Packet-Type = Authentication-Pass
(0) Server-Message = "Hello test"
(0) Finished request
proto_tacacs_tcp - cleaning up
TIMER - setting idle timeout for connection from client tacacs
Network - Socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 closed by peer
Closing connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49
proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
Listening on tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 bound to virtual server tacacs
proto_tacacs_tcp - Received Authentication seq_no 1 length 48 tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Received Authentication-Start ID 1 from 127.0.0.1:53476 to 127.0.0.1:49 length 48 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Packet {
(1) Version-Major = Plus
(1) Version-Minor = 1
(1) Packet-Type = Authentication
(1) Sequence-Number = 1
(1) Flags = None
(1) Session-Id = 718923347
(1) Length = 36
(1) }
(1) Packet-Body-Type = Start
(1) Action = LOGIN
(1) Privilege-Level = Minimum
(1) Authentication-Type = PAP
(1) Authentication-Service = LOGIN
(1) User-Name = "test"
(1) Client-Port = "python_tty0"
(1) Remote-Address = "python_device"
(1) User-Password = ""
(1) tacacs {
(1) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs
(1) recv Authentication-Start {
(1) &control.Auth-Type := 658583602
(1) } # recv Authentication-Start (noop)
(1) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs
(1) authenticate ldap {
(1) | %{&Stripped-User-Name || &User-Name}
(1) | ||
(1) | &Stripped-User-Name
(1) | %logical_or()
(1) | &Stripped-User-Name
(1) (null)
(1) | &User-Name
(1) | %logical_or(...)
(1) | &User-Name
(1) | --> test
(1) | %logical_or(...)
(1) | --> test
(1) ldap - Login attempt with password
(1) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local"
(1) rlm_ldap - [1] Trunk connection assigned request 4
(1) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub"
(1) ldap - Got search entry response for message 4
(1) ldap - function - Resuming execution
(1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
(1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
(1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
(1) rlm_ldap bind auth - [2] Trunk connection assigned request 5
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
(1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
(1) ldap - function - Resuming execution
(1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE
(1) ldap - ldap (ok)
(1) } # authenticate ldap (ok)
(1) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs
(1) send Authentication-Pass {
(1) | %{User-Name}
(1) | --> test
(1) &reply.Server-Message := Hello test
(1) } # send Authentication-Pass (noop)
(1) tacacs (ok)
(1) } # tacacs (ok)
(1) Done request
(1) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53476 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
(1) Packet-Type = Authentication-Pass
(1) Server-Message = "Hello test"
(1) Finished request
proto_tacacs_tcp - cleaning up
TIMER - setting idle timeout for connection from client tacacs
Network - Socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 closed by peer
Closing connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49
^CSignalled to terminate
Exiting normally
rlm_ldap - [1] - Signalled to halt from CONNECTED state
rlm_ldap - [1] - Connection changed state CONNECTED -> CLOSED
rlm_ldap - [1] Trunk connection changed state ACTIVE -> CLOSED
rlm_ldap - [1] - Connection changed state CLOSED -> HALTED
rlm_ldap - [1] Trunk connection changed state CLOSED -> HALTED
rlm_ldap bind auth - [2] - Signalled to halt from CONNECTED state
rlm_ldap bind auth - [2] - Connection changed state CONNECTED -> CLOSED
rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> CLOSED
rlm_ldap bind auth - [2] - Connection changed state CLOSED -> HALTEDrlm_ldap bind auth - [2] Trunk connection changed state CLOSED -> HALTED
Thanks in advance for any help,
Simon
2
2
05 May '24
We recently updated freeradius, and noticed that it came with a
"dictionary.infinera".
Generally we're looking to see if this project is interested in some
updates to this file.
What's listed in the file that comes with FreeRADIUS is actually
"transmode" (an infinera acquisition).
We have 3 definition files we use for Inffinera, one is "actual
infinera", one is "coriant" and one is "transmode".
Posting here with hopes they get integrated into FreeRADIUS, as many
of htem were barely documented things deep inside these vendor's docs.
If it's kosher to put vendor acquisitions inside their current
vendor's file, then adding them to "dictionary.infinera" is good. If
not, I'd split off what is currently in the infinera dictionary to be
transmode.
file details below:
# dictionary.coriant:
VENDOR Coriant 42229
BEGIN-VENDOR Coriant
#g30 chassis
ATTRIBUTE Coriant-Priv-Lvl 1 integer
ATTRIBUTE Coriant-User-Class 2 string
ATTRIBUTE Coriant-Timeout 3 integer
ATTRIBUTE Coriant-Max-Sessions 5 integer
#tnms
ATTRIBUTE Coriant-TNMS-UserGroup 6 string
END-VENDOR Coriant
# dictionary.transmode
VENDOR Transmode 8708
BEGIN-VENDOR Transmode
ATTRIBUTE Infinera-User-Category 1 string
ATTRIBUTE Infinera-ENM-User-Category 2 string
END-VENDOR Transmode
# dictionary.infinera
VENDOR Infinera 21296
BEGIN-VENDOR Infinera
# For privilege attributes 1 - 16
ATTRIBUTE Infinera-User-Priv-SA 1 integer
ATTRIBUTE Infinera-User-Priv-NA 2 integer
ATTRIBUTE Infinera-User-Priv-NE 3 integer
ATTRIBUTE Infinera-User-Priv-PR 4 integer
ATTRIBUTE Infinera-User-Priv-TT 5 integer
ATTRIBUTE Infinera-User-Priv-MA 6 integer
ATTRIBUTE Infinera-User-Priv-RA 7 integer
ATTRIBUTE Infinera-User-AdminDomain 100 string
ATTRIBUTE Infinera-User-Max-Concurrent-Session 101 integer
ATTRIBUTE Infinera-User-Allowed-Timezone-Config 102 integer
ATTRIBUTE Infinera-User-TimeZone 103 string
ATTRIBUTE Infinera-User-Email-ID 110 string
ATTRIBUTE Infinera-User-Email-Notification 111 integer
ATTRIBUTE Infinera-User-Email-Alarm-Type 112 integer
ATTRIBUTE Infinera-User-Email-Filter-Name 113 string
ATTRIBUTE Infinera-User-Email-AdminDomain 114 string
# For Misc Session Attributes 17 - 32
ATTRIBUTE Infinera-User-SessionTimeout 17 integer
ATTRIBUTE Infinera-User-LockedOut 19 integer
ATTRIBUTE Infinera-User-CanUseResSession 20 integer
#For Mgmt Type based privileges 33 - 40
ATTRIBUTE Infinera-User-MgmtType-EMS 33 integer
ATTRIBUTE Infinera-User-MgmtType-GNM 34 integer
ATTRIBUTE Infinera-User-MgmtType-TL1 35 integer
ATTRIBUTE Infinera-User-MgmtType-CLI 36 integer
ATTRIBUTE Infinera-User-MgmtType-NETCONF 37 integer
#reserved attributes 240 - 255
#240 - 248 for reserved strings
ATTRIBUTE Infinera-Rsvd-Str-Attribute1 240 string
ATTRIBUTE Infinera-Rsvd-Str-Attribute2 241 string
#249 - 255 for reserved strings
ATTRIBUTE Infinera-Rsvd-Int-Attribute1 249 integer
ATTRIBUTE Infinera-Rsvd-Int-Attribute2 250 integer
#Values for corresponding attributes.
#SA,NA,NE,PR,TT Values
VALUE Infinera-User-Priv-SA SA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-SA SA-PRIVILEGED 1
VALUE Infinera-User-Priv-NA NA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-NA NA-PRIVILEGED 1
VALUE Infinera-User-Priv-NE NE-NONPRIVILEGED 0
VALUE Infinera-User-Priv-NE NE-PRIVILEGED 1
VALUE Infinera-User-Priv-PR PR-NONPRIVILEGED 0
VALUE Infinera-User-Priv-PR PR-PRIVILEGED 1
VALUE Infinera-User-Priv-TT TT-NONPRIVILEGED 0
VALUE Infinera-User-Priv-TT TT-PRIVILEGED 1
VALUE Infinera-User-Priv-MA MA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-MA MA-PRIVILEGED 1
VALUE Infinera-User-Priv-RA RA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-RA RA-PRIVILEGED 1
VALUE Infinera-User-Allowed-Timezone-Config TIMEZONE-CONFIG-ALLOW 1
VALUE Infinera-User-Allowed-Timezone-Config TIMEZONE-CONFIG-NOT-ALLOW 0
VALUE Infinera-User-Email-Notification EMAIL-NOTIFICATION-ENABLE 1
VALUE Infinera-User-Email-Notification EMAIL-NOTIFICATION-DISABLE 0
VALUE Infinera-User-Email-Alarm-Type EMAIL-ALARM-TYPE-ALL 0
VALUE Infinera-User-Email-Alarm-Type EMAIL-ALARM-TYPE-NEW 1
VALUE Infinera-User-Email-Alarm-Type EMAIL-ALARM-TYPE-CLEAR 2
#Misc Attributes's values setting
VALUE Infinera-User-CanUseResSession CANNOT-USE-RES-SESSION 0
VALUE Infinera-User-CanUseResSession CAN-USE-RES-SESSION 1
#Mgmt Type Values
VALUE Infinera-User-MgmtType-EMS MGMTTYPE-EMS-DISALLOWED 0
VALUE Infinera-User-MgmtType-EMS MGMTTYPE-EMS-ALLOWED 1
VALUE Infinera-User-MgmtType-TL1 MGMTTYPE-TL1-DISALLOWED 0
VALUE Infinera-User-MgmtType-TL1 MGMTTYPE-TL1-ALLOWED 1
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-GNM-DISALLOWED 0
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-GNM-ALLOWED 1
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-CLI-DISALLOWED 0
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-CLI-ALLOWED 1
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-NETCONF-DISALLOWED 0
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-NETCONF-ALLOWED 1
VALUE Infinera-Rsvd-Int-Attribute1 INFINERA 1
END-VENDOR Infinera
2
1
Hi,
In the 3.2.x branch, with the `Autz-Type New-TLS-Connection` it is possible to log the certificate details of the client trying to connect and check some additional things.
Is there also a Post-Autz or something similar to log the certificate details if the client certificate has been rejected?
I’m not able to find something in the documentation so the answer may be `no` but in case I’ve missed something would be great to point me to the docs.
BR,
Lineconnect
2
5
Hi,
I use freeradius 3.0 and rlm_sql and I would like to create
hostgroup/usergroup ACL for login access.
In postgres SQL i created:
SELECT * FROM nasgroup;
id | nasgroupname | nasname
----+--------------+---------------
1 | restricted | 172.20.2.42
freeradius=# SELECT * FROM radusergroup;
id | username | groupname | priority
----+-------------+-----------+----------
4 | user1 | adm | 1
5 | user2 | adm | 1
6 | user3 | adm | 1
1 | user4 | superadm | 1
2 | user5 | superadm | 1
3 | user6 | superadm | 1
7 | user7 | read | 1
So in this example I would like to restrict access for all hosts in
group restricted (172.20.2.42) only for users in group superadm (user4,
user5, user6).
How to this in proper way?
--
Jarosław Kłopotek - INTERDUO
2
1
G'day,
Background:
Debian GNU/Linux 11 (bullseye)
FreeRADIUS Version 3.0.21
Samba Version 4.16.11-Debian (AD)
Freeradius does user authentication against the Samba AD backend using
ntlm_auth/mschapv2 and this works flawlessly.
Problem:
I'm looking at the doc for ldap xlat syntax:
https://wiki.freeradius.org/modules/Rlm_ldap#ldap-xlat
The following ldapsearch query works and returns a list of
sAMAccountNames which are members of the 'staff' group.
ldapsearch -D "cn=Administrator,cn=Users,dc=foo,dc=bar,dc=com" -w
super_secret! -h "localhost" -b "cn=Users,dc=foo,dc=bar,dc=com" -s sub
"(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))"
sAMAccountName
I am trying to replicate this in an ldap xlate inside the post-auth
section like so:
update reply {
Reply-Message += "AD-Group:
%{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}",
}
However, freeradius complains:
(12) update reply {
(12) ERROR: Parsing LDAP URL failed
(12) EXPAND AD-Group:
%{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}
(12) --> AD-Group:
(12) Reply-Message += AD-Group:
Questions:
1. Is this sort of query possible using ldap xlat?
2. If so, am I missing something obvious?
3. Is there a way to test/debug ldap xlat expressions which is more
efficient/simple than embedding them in the config and testing?
Thanks,
Chris
2
2
We're rebuilding some radius servers from Centos 7 to Ubuntu 22, due
to the Centos 8 debacle.
Both are 3.0.x. We ported our config over, which uses LDAPS:// on 636
on a Microsoft Windows 2022 AD server. We do not want to use TLS on
389.
Something seems different behaviourally between the servers, the new
Ubuntu server (FreeRADIUS 3.0.26) appears to be attempting to validate
the certificate much more heavily.
This must be an AD thing, but we get this stuff about "DomainDnsZones"
and "ForestDnsZones" when we attempt to authenticate, and it hence
fails. The bind is successful and omitted below:
========================================
TLS: hostname (ForestDnsZones.ad.MYDOMAIN.net) does not match common
name in certificate (ad.MYDOMAIN.net)
TLS: can't connect: (unknown error code).
Unable to chase referral
"ldaps://ForestDnsZones.ad.MYDOMAIN.net/DC=ForestDnsZones,DC=ad,DC=MYDOMAIN,…"
(-1: Can't contact LDAP server)
TLS: hostname (DomainDnsZones.ad.MYDOMAIN.net) does not match common
name in certificate (ad.MYDOMAIN.net)
TLS: can't connect: (unknown error code).
Unable to chase referral
"ldaps://DomainDnsZones.ad.MYDOMAIN.net/DC=DomainDnsZones,DC=ad,DC=MYDOMAIN,…"
(-1: Can't contact LDAP server)
========================================
While debugging I saw somewhere that Centos OpenSSL may be compiled or
configured differently than Ubuntu, and perhaps that's why.
>From our ldap conf:
server = "ldaps://ad.MYDOMAIN.net"
port = 636
identity = "CN=freeradius,OU=Applications,DC=ad,DC=MYDOMAIN,DC=net"
password = <>
base_dn = "DC=ad,DC=MYDOMAIN,DC=net"
options {
chase_referrals = yes
#chase_referrals = no
}
tls {
ca_file = ${certdir}/DigiCertGlobalRootG2.crt.pem
start_tls = no
}
Seeing if any options exist outside of regenerating/re-issueing /
re-installing this cerficate, adding "DomainDnsZones" and
"ForestDnsZones" to it?
I can't find any docs for this, but is there any type of "don't
validate" flag? I've set chase_referrals to no, and it still won't
work (but it doesn't give the above error).
Cheers
Chris
3
7
So an EAP 802.1x supplicant can do one of the following if it receives no response from the NAS:
1) Restart EAP from the top.
2) Retransmit packets from the ongoing EAP session.
3) Just wait and maybe the NAS retransmits for it.
4) (Hopefully not) have a really old proxy in the chain that does retransmits for the NAS/client.
If anyone has had the time to go down this rabbithole, is there any uniformity of client behavior here?
That's really all I want to know... just trying to figure out if turning off NAS-initiiated retransmits is a wise move.
But, if you'd like to hear a scary story, pull up a chair, I am glad to oblige:
Lately we've had quite a few eduroam guest clients show up sending to lame servers that do not respond.
Also, lately, supplicants have seem to have been getting quite aggressive at re-launching frequent authentication attempts after failures.
But what good zombie doesn't enjoy bumping repeatedly against the door?
Our NAS units serve these clients and our home users on the same SSID
(we do fortunately have an additional non-"eduroam" one as well, where one can seek refuge, but many of our users are... adventurous)
The NAS units have no idea that these two groups of users are different. So... in the wee hours of the night...
...when not many people are around to provide good authentications,
...when a lame eduroam guest client manages to authenticate three times
(cue withered hand lifting a cast iron door knocker, spooky music, three loud knocks)
...the NAS declares our proxy dead.
It then rolls over to another proxy, and declares it dead as well, if it happens again.
Despite all that is evident to the naked eye, this NAS does not believe in zombies.
So... it won't retry any of the dead servers until a generous timeout goes by.
Oh yeah, and no Status-Server support.
(cue suspensful music) the serial proxy killer is on the loose.
Once all proxies are dead, no client can authenticate for quite a few minutes (cue tumbleweed)
Our front-end proxy is a FreeRADIUS server. This then proxies to... a haunted old house owned by a mysterious vendor.
Which... retransmits proxied requests. Yes. That old.
There appears (sigh) to be no way to turn this behavior off. It also has a maximum 5 second timeout between retransmits, and though it will respond to Status-Server requests, it will not send them to upstream proxies.
You can imagine the mess that makes (cue pixelized gore)
On the other side... well we're special we have backend servers... but this could happen to anyone, since all eduroam requests go to the same TLRS system.
You may be able to protect your own users, but you are not able to keep your guests safe from one another.
If just one zombie gets into the guest house, all your friends may find themselves... well...
So we have been trying to kill the zombies on the back-end... but 5 seconds, minus 1 for the reject-delay, minus 1 for the DMZ proxy reject delay... 3 seconds is perhaps a bit tight for a 7-way handshake zig-zagging across the globe as it trickles through the federation servers.
Now we're resorting to slaughtering zombies on the front end before they manage to get to the haunted house on clearpass lane. Ooops. Did I just name names? So sorry. Forget I said that.
This of course messes up our logs, since only the NAS and the front end server see the rejection.
Not that the logs were in great condition to start out, since it appears plenty of clients are now configured to just drop their EAP conversation if they are rejected in the inner tunnel, before issuing the outer tunnel challenge to get an outer tunnel Access-Reject.
And finally, the haunted house... it logs all such occurences simply as just "timeout"s, unless you drill down to see whether the timeout was client or server side. But what's a little salt in the headwound, after all.
Anyway, thank you for patronizing our hanted-house ride. Remember to collect your belongings as you leave the carts and... try to get a good night's sleep.
2
2
Hi there,
I have a configuration which operates successfully with ‘use_tunneled_reply” set to yes.
I am trying to remove the depreciated use_tunneled_reply in place of updating the outer.session-state but can’t seem to get it working. Users are not authorised after adjusting the config to the following… what am I missing?
This is the output of freeradius -X for currently not working config:
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 3KL-Management {
ipaddr = 10.165.11.0/27
require_message_authenticator = yes
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
instantiate {
}
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH"
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-peap"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-peap {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem"
certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem"
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH"
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
Failed binding to auth address 127.0.0.1 port 18120 bound to server inner-tunnel: Address already in use
/etc/freeradius/3.0/sites-enabled/inner-tunnel[33]: Error binding to port for 127.0.0.1 port 18120
Many thanks in advance for any assistance,
Jack
3
11
Hi everyone
This is my very first contact with the FreeRadius users mailing list, so please feel free to point me into the right direction about the interaction with this mailing list. Happy to learn how to use it correctly / efficiently.
What I am trying to do and why I am trying to do it:
I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions.
I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.
***
What you expect the server to do:
I would like to have a way to log the client TLS version used in /var/log/authz.log via the linelog module. At the moment, the linelog configuration (/etc/freeradius/3.0/mods-available/linelog) looks like this:
linelog 802.1x_authz_log {
filename = ${logdir}/authz.log
reference = "sp.%{%{reply:Packet-Type}:-format}"
sp {
Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
}
}
The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
post-auth {
update {
&reply: += &session-state:
}
if (EAP-Message) {
802.1x_authz_log
}
Is there a way to print out the TLS version in the AuthZ part and if yes, how?
freeradius -X:
id-radiustest1:~# freeradius -X
FreeRADIUS Version 3.0.26
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/control
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/control-socket
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
...
radiusd: #### Loading Clients ####
...
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = eap
# Creating Auth-Type = mschap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_linelog
# Loading module "802.1x_authz_log" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog 802.1x_authz_log {
filename = "/var/log/freeradius/authz.log"
escape_filenames = no
syslog_severity = "info"
permissions = 384
reference = "sp.%{%{reply:Packet-Type}:-format}"
}
# Loading module "acct_log" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog acct_log {
filename = "/var/log/freeradius/acct.log"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "Something has gone wrong with the acct_log"
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "PEAP"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
max_sessions = 8192
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
instantiate {
}
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "802.1x_authz_log" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "acct_log" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "proxy-inner-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.crt"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT@SECLEVEL=0"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_max_version = "1.3"
tls_min_version = "1.0"
cache {
enable = no
lifetime = 12
name = "EAP module"
max_entries = 0
persist_dir = "/var/log/freeradius/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server default
server proxy-inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type mschap for attr Auth-Type
# Loading authorize {...}
} # server proxy-inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/freeradius/control/freeradius.sock"
uid = "freerad"
gid = "freerad"
mode = "rw"
peercred = no
}
Thanks a lot for any advice and best regards
Dominic
2
5
Hi Everyone,
I am testing Freeradius v3.2.3 with cache module. the driver
"rlm_cache_memcached". We plan to build a freeradius cluster with
distributed memcached to cache user login status. During the test, I
notice if memcached is offline, freeradius will either reject all new
auth request or failed to start. The libmemcached document website is
offline (http://docs.libmemcached.org) and I tried to search related
information on google, but no luck. Does anyone know how to make
rlm_cache_memcached to handle failed memcached server?
the cache module config is
cache {
driver = "rlm_cache_memcached"
memcached {
# Memcached configuration options, as documented here:
#
http://docs.libmemcached.org/libmemcached_configuration.htmlmemcached
options = "--SERVER=10.4.4.5 --SERVER=10.4.4.6
--SERVER=10.4.4.7"
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
lifetime = 0
idle_timeout = 60
}
}
key = "%{sha256:%{User-Name}}/%{sha256:%{User-Password}}"
ttl = 150
update {
# <list>:<attribute> <op> <value>
# Cache all instances of Reply-Message in the reply list
&reply:Reply-Message += &reply:Reply-Message[*]
# Add our own to show when the cache was last updated
&reply:Reply-Message += "Cache last updated at %t"
}
}
also, the option --REMOVE_FAILED_SERVERS is not supported
Regards,
Eric
2
2