Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 13 participants
- 27047 discussions
Hi,
I configured a freeradius server for proxying request to other radius
server.
I have a router (openwrt) and the idea is that wifi authenticate using
my radius server and my radius server proxy the request to other radius
server (I can't get much info of this server).
installed on OpenSUSE 13.2
freeradius-server-utils-3.0.11-93.1.x86_64
freeradius-server-libs-3.0.11-93.1.x86_64
freeradius-server-doc-3.0.11-93.1.x86_64
freeradius-server-3.0.11-93.1.x86_64
I have this probblem:
when I execute the command in my radius server:
radtest <USER> <PASSWORD> localhost 0 testing123
works fine proxy the request fine and I have "Received Access-Accept",
but when I try to connect via openwrt wifi, it proxy the request fine
but I got "Received Access-Reject"
I read in the log and I think what makes diffrence is the request that
is sent:
request that works is:
(10) Sent Access-Request Id 192 from 0.0.0.0:52999 to
<destination-radius-IP>:1812 length 92
(10) User-Name = "USER"
(10) User-Password = "PASSWD"
(10) NAS-IP-Address = <my-server-IP>
(10) NAS-Port = 0
(10) Message-Authenticator = 0xb11e070a06c7366aed5ca12968f70a00
(10) Event-Timestamp = "Apr 15 2016 09:50:20 UYT"
(10) Proxy-State = 0x3832
request that fails is:
(11) Sent Access-Request Id 46 from 0.0.0.0:52999 to
<destination-radius-IP>:1812 length 216
(11) User-Name = "USER"
(11) Called-Station-Id = "32-B5-C2-38-41-74:<WIFI-SSID>"
(11) NAS-Port-Type = Wireless-802.11
(11) NAS-Port = 1
(11) Calling-Station-Id = "78-4B-87-78-8C-FB"
(11) Connect-Info = "CONNECT 54Mbps 802.11g"
(11) Acct-Session-Id = "56FBFBAD-000000BD"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message = 0x0291001101343137343233344066696e67
(11) Message-Authenticator = 0x78a31b183ce622957bdb13eaf6b3e984
(11) Event-Timestamp = "Apr 15 2016 10:10:14 UYT"
(11) NAS-IP-Address = <SOME-IP>
(11) Proxy-State = 0x3730
my question is:
How can I modify the request received from router (openwrt) to make it
looks like the working one?
sorry my english.
and thanks.
sds, Nicolás
2
1
We have been running 3.0.4 on CentOS, authenticating against
openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed
functionality only available in 3.0.11.
I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from
github and the 3.0.4 specfile as a template, so that the same
directories and settings were used as for 3.0.4.
We are using ldap on port 389 with start_tls
The client certificate is loaded from a PEM file in /etc/raddb/certs/
The server certificate is loaded from the NSS database
/etc/raddb/certs/cert8.db
Initially after radiusd is started, authentication works properly.
We see in debug output
...
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
...
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
rlm_ldap (ldap): Bind successful
..(1) Sent Access-Accept Id 170
after running for a bit, with the same radius client request, we get
TLS: could not shutdown NSS - error -8053:NSS could not shutdown.
Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending
slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
rlm_ldap (ldap): Could not start TLS: Connect error
... (2) Sent Access-Reject Id 217
On the openldap server in debug mode, I get an error
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0
Any ideas ?
The openldap logs are somewhat cryptic
--
Andrew Daviel, TRIUMF, Canada
4
6
Hi everybody
We have been using freeradius to authenticate about 1000 network users for quite some years without any issues. Last week we experienced problems with one of the NAS our network providers use. Please be aware of the fact that we do not have direct influence on the configuration of this machine. While roughly 100 NASs use PAP for authentication against our LDAP-datastore getting an access accept, this NAS uses CHAP, leading radius to reject the request. In consequence the network users frequenting this NAS fall back on a more expensive means of connection, creating additional cost for us.
In parallel to requesting the provider to fix this issue we are investigating now how to make LDAP work with CHAP. We followed FAQ to this link and others in this section
http://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-make-chap-work-with-…
but found no real clue. We recreated the scenario in our testing environment and one guess so far is :
vt1radius:/etc/raddb # cat sites-enabled/vt1pppoe_localhost
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
type = auth
ipaddr = 127.0.0.1
port = 1825
}
authorize {
ldap_vt1pppoe
if ((ok || updated) && (User-Password || CHAP-Password)) {
update {
control:Auth-Type = LDAP
}
}
}
authenticate {
Auth-Type LDAP {
ldap
}
}
}
vt1radius:/etc/raddb # cat mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = 10.193.1.144
identity = "cn=admin,dc=lotto-rlp,dc=de"
password = secret
update {
control:Password-With-Header += 'userPassword'
control:Cleartext-Password := 'userPassword'
}
user {
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
tls {
start_tls = no
}
pool {
# Number of connections to start
start = 1
min = 1
max = ${thread[pool].max_servers}
spare = 10
uses = 300
lifetime = 0
idle_timeout = 60
}
}
resulting to
vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 2
max_requests = 30720
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server dtag_localhost {
ipaddr = 127.0.0.1
port = 1822
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server arcor_localhost {
ipaddr = 127.0.0.1
port = 1823
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server ptlux_localhost {
ipaddr = 127.0.0.1
port = 1824
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server vt1pppoe_localhost {
ipaddr = 127.0.0.1
port = 1825
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool dtag_pool {
type = fail-over
home_server = dtag_localhost
}
realm lotto-rlp {
auth_pool = dtag_pool
}
home_server_pool arcor_pool {
type = fail-over
home_server = arcor_localhost
}
realm lotto-rlp.de {
auth_pool = arcor_pool
}
home_server_pool ptlux_pool {
type = fail-over
home_server = ptlux_localhost
}
realm pt.lotto-rlp.de {
auth_pool = ptlux_pool
}
home_server_pool vt1pppoe_pool {
type = fail-over
home_server = vt1pppoe_localhost
}
realm lotto-rlp.vt1 {
auth_pool = vt1pppoe_pool
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client vt1pppoe1 {
ipaddr = 10.193.1.51
require_message_authenticator = no
secret = <<< secret >>>
shortname = "vt1pppoe1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
# Loaded module rlm_ldap
# Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
ldap ldap_dtag {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
ldap ldap_ptlux {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
# Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
ldap ldap_arcor {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
# Creating Auth-Type = LDAP
# Loading authenticate {...}
# Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
# Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1824
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1822
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1825
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1823
}
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47272
Ready to process requests.
A PAP request to this server gets accepted :
client:
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , USER-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 53 from 0.0.0.0:57005 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Received Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005 length 20
Packet summary:
Access-Accepts : 1
Access-Rejects : 0
Lost : 0
Passed filter : 1
Failed filter : 0
server:
Received Access-Request Id 53 from 127.0.0.1:57005 to 127.0.0.1:1812 length 65
User-Name = '88078(a)lotto-rlp.vt1'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> 88078(a)lotto-rlp.vt1
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0) [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0) [suffix] = updated
(0) } # authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 121 from 0.0.0.0:47272 to 127.0.0.1:1825
User-Name = '88078'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
Message-Authenticator := 0x00
Proxy-State = 0x3533
Waking up in 0.3 seconds.
Received Access-Request Id 121 from 127.0.0.1:47272 to 127.0.0.1:1825 length 85
User-Name = '88078'
User-Password = 'jWd53332J0jCtWu'
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
Message-Authenticator = 0xa02d25ed4e815243b4aea79c8c70682c
Proxy-State = 0x3533
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe : --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1) [ldap_vt1pppoe] = ok
(1) if ((ok || updated) && (User-Password || CHAP-Password))
(1) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE
(1) if ((ok || updated) && (User-Password || CHAP-Password)) {
(1) update {
(1) control:Auth-Type = LDAP
(1) } # update = noop
(1) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop
(1) } # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) Auth-Type LDAP {
(1) ldap : Login attempt by "88078"
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : Using user DN from request "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap : Waiting for bind result...
(1) ldap : Bind successful
(1) ldap : Bind as user "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" was successful
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
(1) [ldap] = ok
(1) } # Auth-Type LDAP = ok
(1) Login OK: [88078] (from client localhost port 0)
Sending Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272
Proxy-State = 0x3533
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
Proxy-State = 0x3533
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [88078(a)lotto-rlp.vt1] (from client localhost port 0)
Sending Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 1.6 seconds.
(1) Cleaning up request packet ID 121 with timestamp +92
(0) Cleaning up request packet ID 53 with timestamp +92
Ready to process requests.
Doing the same with CHAP instead leads to a reject
client:
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 12 from 0.0.0.0:57335 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Received Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
Access-Accepts : 0
Access-Rejects : 1
Lost : 0
Passed filter : 0
Failed filter : 1
server :
Received Access-Request Id 12 from 127.0.0.1:57335 to 127.0.0.1:1812 length 66
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
(2) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> 88078(a)lotto-rlp.vt1
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /(a)\\./)
(2) if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(2) IPASS : No such realm "NULL"
(2) [IPASS] = noop
(2) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(2) suffix : Found realm "lotto-rlp.vt1"
(2) suffix : Adding Stripped-User-Name = "88078"
(2) suffix : Adding Realm = "lotto-rlp.vt1"
(2) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(2) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(2) [suffix] = updated
(2) } # authorize = updated
(2) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 95 from 0.0.0.0:47272 to 127.0.0.1:1825
User-Name = '88078'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
Message-Authenticator := 0x00
Proxy-State = 0x3132
Waking up in 0.3 seconds.
Received Access-Request Id 95 from 127.0.0.1:47272 to 127.0.0.1:1825 length 104
User-Name = '88078'
CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
Message-Authenticator = 0x3b9362d72f7dcf5365986f984cda2d43
Proxy-State = 0x3132
(3) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(3) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap_vt1pppoe : --> (uid=88078)
(3) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(3) ldap_vt1pppoe : Waiting for search result...
(3) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(3) ldap_vt1pppoe : Processing user attributes
(3) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(3) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(3) [ldap_vt1pppoe] = ok
(3) if ((ok || updated) && (User-Password || CHAP-Password))
(3) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE
(3) if ((ok || updated) && (User-Password || CHAP-Password)) {
(3) update {
(3) control:Auth-Type = LDAP
(3) } # update = noop
(3) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop
(3) } # authorize = ok
(3) Found Auth-Type = LDAP
(3) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3) Auth-Type LDAP {
(3) WARNING: ldap : You have set "Auth-Type := LDAP" somewhere.
(3) WARNING: ldap : *********************************************
(3) WARNING: ldap : * THAT CONFIGURATION IS WRONG. DELETE IT.
(3) WARNING: ldap : * YOU ARE PREVENTING THE SERVER FROM WORKING.
(3) WARNING: ldap : *********************************************
(3) ERROR: ldap : Attribute "User-Password" is required for authentication.
(3) [ldap] = invalid
(3) } # Auth-Type LDAP = invalid
(3) Failed to authenticate the user.
(3) Login incorrect (ldap: Attribute "User-Password" is required for authentication.): [88078] (from client localhost port 0)
(3) Using Post-Auth-Type Reject
(3) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(2) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(3) Sending delayed response
Sending Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272
Proxy-State = 0x3132
Waking up in 0.9 seconds.
Received Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
Proxy-State = 0x3132
(2) Login incorrect (Home Server says so): [88078(a)lotto-rlp.vt1] (from client localhost port 0)
(2) Using Post-Auth-Type Reject
(2) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Cleaning up request packet ID 95 with timestamp +227
(2) Sending delayed response
Sending Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335
Waking up in 0.9 seconds.
(2) Cleaning up request packet ID 12 with timestamp +227
Ready to process requests.
Another line of approach is
vt1radius:/etc/raddb/sites-enabled # cat vt1pppoe_localhost | grep "[a-z,A_Z,\}]"
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
type = auth
ipaddr = 127.0.0.1
port = 1825
}
authorize {
ldap_vt1pppoe
if ((ok || updated) && User-Password) {
update {
control:Auth-Type = LDAP
}
}
if ((ok || updated) && CHAP-Password) {
update {
control:Auth-Type = CHAP
}
}
}
authenticate {
Auth-Type LDAP {
ldap
}
}
}
vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 2
max_requests = 30720
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server dtag_localhost {
ipaddr = 127.0.0.1
port = 1822
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server arcor_localhost {
ipaddr = 127.0.0.1
port = 1823
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server ptlux_localhost {
ipaddr = 127.0.0.1
port = 1824
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server vt1pppoe_localhost {
ipaddr = 127.0.0.1
port = 1825
type = "auth"
secret = <<< secret >>>
response_window = 5
max_outstanding = 65536
zombie_period = 20
status_check = "status-server"
ping_interval = 30
check_interval = 7
num_answers_to_alive = 4
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool dtag_pool {
type = fail-over
home_server = dtag_localhost
}
realm lotto-rlp {
auth_pool = dtag_pool
}
home_server_pool arcor_pool {
type = fail-over
home_server = arcor_localhost
}
realm lotto-rlp.de {
auth_pool = arcor_pool
}
home_server_pool ptlux_pool {
type = fail-over
home_server = ptlux_localhost
}
realm pt.lotto-rlp.de {
auth_pool = ptlux_pool
}
home_server_pool vt1pppoe_pool {
type = fail-over
home_server = vt1pppoe_localhost
}
realm lotto-rlp.vt1 {
auth_pool = vt1pppoe_pool
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client vt1pppoe1 {
ipaddr = 10.193.1.51
require_message_authenticator = no
secret = <<< secret >>>
shortname = "vt1pppoe1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
# Loaded module rlm_ldap
# Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
ldap ldap_dtag {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
ldap ldap_ptlux {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
# Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
ldap ldap_arcor {
server = "10.193.1.144"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=lotto-rlp,dc=de"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
access_positive = yes
}
group {
scope = "sub"
base_dn = ""
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 0
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
pool {
start = 1
min = 1
max = 130
spare = 10
uses = 300
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
# Creating Auth-Type = LDAP
# Loading authenticate {...}
# Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
# Loading authenticate {...}
# Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
# Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1824
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1822
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1825
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1823
}
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36069
Ready to process requests.
Reject as seen from client
vt1radius:/etc/raddb # echo "User-Name = 88078(a)lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 57 from 0.0.0.0:38849 to 127.0.0.1:1812
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Received Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
Access-Accepts : 0
Access-Rejects : 1
Lost : 0
Passed filter : 0
Failed filter : 1
server :
Received Access-Request Id 57 from 127.0.0.1:38849 to 127.0.0.1:1812 length 66
User-Name = '88078(a)lotto-rlp.vt1'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> 88078(a)lotto-rlp.vt1
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078(a)lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0) [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078(a)lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0) [suffix] = updated
(0) } # authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 214 from 0.0.0.0:36069 to 127.0.0.1:1825
User-Name = '88078'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
Message-Authenticator := 0x00
Proxy-State = 0x3537
Waking up in 0.3 seconds.
Received Access-Request Id 214 from 127.0.0.1:36069 to 127.0.0.1:1825 length 104
User-Name = '88078'
CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
Message-Authenticator = 0x4eb73a374b5f5b8752e00b60f989d407
Proxy-State = 0x3537
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe : --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1) [ldap_vt1pppoe] = ok
(1) if ((ok || updated) && User-Password)
(1) if ((ok || updated) && User-Password) -> FALSE
(1) if ((ok || updated) && CHAP-Password)
(1) if ((ok || updated) && CHAP-Password) -> TRUE
(1) if ((ok || updated) && CHAP-Password) {
(1) update {
(1) control:Auth-Type = CHAP
(1) } # update = noop
(1) } # if ((ok || updated) && CHAP-Password) = noop
(1) } # authorize = ok
(1) Found Auth-Type = CHAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) Failed to authenticate the user.
(1) Login incorrect: [88078] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(1) Sending delayed response
Sending Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069
Proxy-State = 0x3537
Waking up in 0.9 seconds.
Received Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069 length 24
Proxy-State = 0x3537
(0) Login incorrect (Home Server says so): [88078(a)lotto-rlp.vt1] (from client localhost port 0)
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Cleaning up request packet ID 214 with timestamp +58
(0) Sending delayed response
Sending Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849
Waking up in 0.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +58
Ready to process requests.
Now we are somewhat at a loss. Are we missing something
Best regards
Michael Wein
2
1
Hi experts,
In order to integrate to Active Directory, We have been using samba utils winbindd/net/ntlm_auth to integrate to Active Directory. Is there any other way to do integration? Can you give me some advice?
Thanks,John.
2
1
Hello All,
It appears that the LDAP pool configuration isn't reusing the LDAP
connections as configured. I am running the following version of FreeRADIUS:
>
> FreeRADIUS Version 3.0.12 (git #34f7ba7), built on Apr 6 2016 at 08:07:17
Below is the debug output of the pool initialization:
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://<server>:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
Debug Output:
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (2)
(7) User is not a member of "BOE"
(7) Searching for user in group "Admin-Users"
rlm_ldap (ldap): Reserved connection (3)
(7) Using user DN from request "<user-DN>"
(7) Checking for user in group objects
(7) EXPAND
(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=%{Ldap-UserDn})))
(7) -->
(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=)))
(7) Performing search in "<domain>" with filter
"(&(cn=Admin-Users)(objectClass=group)(&(objectClass=group)(member=)))",
scope "sub"
(7) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.<domain>/DC=DomainDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (3)
(7) User is not a member of "Admin-Users"
(7) Searching for user in group "Admin-Computers"
rlm_ldap (ldap): Reserved connection (4)
(7) Using user DN from request "<user-DN>"
(7) Checking for user in group objects
(7) EXPAND
(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=%{Ldap-UserDn})))
(7) -->
(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=)))
(7) Performing search in "<domain>" with filter
"(&(cn=Admin-Computers)(objectClass=group)(&(objectClass=group)(member=)))",
scope "sub"
(7) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.<domain>/DC=DomainDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.<domain>/DC=ForestDnsZones,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://<domain>/CN=Configuration,DC=DC=<domain>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Waiting for bind result...
(7) Bind successful
(7) Performing unfiltered search in "<user-DN>", scope "base"
(7) Waiting for search result...
(7) No group membership attribute(s) found in user object
rlm_ldap (ldap): Deleting connection (4)
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
3
8
I am attempting to cache multiple LDAP groups for use post-authentication
This is an EAP-PEAP connection. Only the last group added to the cache is
available. How can I cache (and access) all of the groups?
I am running FreeRADIUS Version 3.0.12 (git #34f7ba7), built on Apr 6
2016 at 08:07:17. Below is the relevant debug output:
Expanding LDAP groups:
> (7) ldap: Adding cacheable user object memberships
> (7) ldap: &control:LDAP-Cached-Membership += "Group1"
> (7) ldap: &control:LDAP-Cached-Membership += "Group2"
> (7) ldap: &control:LDAP-Cached-Membership += "Group3"
> (7) ldap: &control:LDAP-Cached-Membership += "Group4"
> (7) ldap: &control:LDAP-Cached-Membership += "Group5"
> (7) ldap: &control:LDAP-Cached-Membership += "Group6"
> (7) ldap: &control:LDAP-Cached-Membership += "Group7"
> (7) ldap: &control:LDAP-Cached-Membership += "Group8"
Cache Update:
> (7) [ldap] = ok
> (7) } # if (notfound) = ok
> (7) cache: EXPAND %{User-Name}
> (7) cache: --> jgryak
> (7) cache: No cache entry found for "jgryak"
> (7) cache: Creating new cache entry
> (7) cache: EXPAND Cache last updated at %t
> (7) cache: --> Cache last updated at Thu Apr 14 13:51:49 2016
> (7) cache: &reply:Reply-Message += Cache last updated at Thu Apr 14
> 13:51:49 2016
> (7) cache: EXPAND %{randstr:ssssssssssssssssssssssssssssssss}
> (7) cache: --> DWiDAixrzMh3hzN93m5QB9rWClbz.cMl
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: control:LDAP-Cached-Membership +=
> &control:LDAP-Cached-Membership -> 'Group8'
> (7) cache: Merging cache entry into request
> (7) cache: &reply:Reply-Message += "Cache last updated at Thu Apr 14
> 13:51:49 2016"
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: &control:LDAP-Cached-Membership += "Group8"
> (7) cache: Committed entry, TTL 3600 seconds
Post-Auth section:
(8) # Executing section post-auth from file
/opt/fr3/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) policy set_role_or_vlan {
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) if (NAS-Port-Type == "Wireless-802.11") -> TRUE
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) foreach &control:LDAP-Cached-Membership
(8) switch %{Foreach-Variable-0} {
(8) EXPAND Foreach-Variable-0
(8) --> Group8
(8) EXPAND %{Foreach-Variable-0}
(8) --> Group8
(8) } # switch %{Foreach-Variable-0} = noop
(8) } # foreach &control:LDAP-Cached-Membership = noop
(8) if ("%{mschap:User-Name}" =~/\$$/) {
Thank you for your help.
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
2
2
Before I spend time researching/configuring this (like I did several years ago, failed and joined the FR box to AD), I would love it if someone can tell me if this is doable now, some pointers on HOW would be great too if it is.
I have a need to put together a freeradius box that can authenticate wireless users using MSCHAPv2 PEAP. I do not want to join the Linux box running FR to AD domain, I simply want to use LDAP and authenticate wireless users, the LDAP is really windows AD runing on server 2012.
so is this a support config or must I join the FR Linux box to MS AD environment for this to work?
Thanks,
3
2
Trying to get freeradius 2.1.12 to work with a citrix netscaler.
my setup works will a pile of other vendors, so i figured it would also be
just as simple as adding a new reply-item to my ldap profile.
>From the output below you can see my other vsa's are being sent back to the
nas no problem. But I can't figure out it can't parse my latest one.
[ldap] extracted attribute Juniper-Local-User-Name from generic item
Juniper-Local-User-Name := "super-users"
[ldap] extracted attribute Cisco-AVPair from generic item Cisco-AVPair+=
"shell:priv-lvl=15"
[ldap] extracted attribute Fortinet-Group-Name from generic item
Fortinet-Group-Name = "SUPER_ADMIN"
[ldap] parsing radiusReplyItem failed: Citrix-User-Groups =
"SUPER_ADMIN_CTX"
Not sure if it's supposed to be Citrix-User-Groups, or CTXUserGroups, but
i'll figure that out once I can get freeradius to even send the reply-item.
I tried adding a dictionary that I googled. attached below:
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
##############################################################################
#
# Citrix VSAs
#
# $Id: 868b203ab45b47533d9b53862cfc271251aa7f17 $
#
##############################################################################
VENDOR Citrix 66
BEGIN-VENDOR Citrix
ATTRIBUTE Citrix-UID 10 integer
ATTRIBUTE Citrix-GID 11 integer
ATTRIBUTE Citrix-Home 12 string
ATTRIBUTE Citrix-Shell 13 string
ATTRIBUTE Citrix-Group-Names 14 string
ATTRIBUTE Citrix-Group-Ids 15 string
ATTRIBUTE Citrix-User-Groups 16 string
END-VENDOR Citrix
Thanks,
Dan
2
1
Ok. Now I do not understand anything.
At logs I see so:
Mon Apr 11 20:15:00 2016 : Debug: including configuration file /etc/freeradius2/policy.conf
Mon Apr 11 20:15:00 2016 : Debug: including files in directory /etc/freeradius2/sites/
Mon Apr 11 20:15:00 2016 : Debug: including configuration file /etc/freeradius2/sites/default
Mon Apr 11 20:15:00 2016 : Debug: main {
Mon Apr 11 20:15:00 2016 : Debug: allow_core_dumps = no
Mon Apr 11 20:15:00 2016 : Debug: }
Mon Apr 11 20:15:00 2016 : Debug: including dictionary file /etc/freeradius2/dictionary
This mean, as I understand:
First load /etc/freeradius2/sites/default
Next load /etc/freeradius2/dictionary
But if "updated" declare in dictionary - ofcourse it will be know anything about "updated" in "/etc/freeradius2/sites/default".
In the instructions http://wiki.freeradius.org/guide/Mac-Auth , "rewrite.calling_station_id" must be added to the file "/etc/freeradius2/sites/default".
I newbie...
--
ilya Gafarov
2
1
Hi,
I wanted to ask how much effect would disabling the session resumption would make on the server? If any?
Would it reduce number of simultaneous eap sessions server can handle in any manner?
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in(a)gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
3
6