Hello All, I'm running FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on Jan 26 2010 at 18:56:10 Copyright (C) 2000-2006 The FreeRADIUS server project on CENTOS, and trying for now, authenticate the same users in my old users file, but now, I set freeradius to sent auth packets to a LDAP server and I don't know what is wrong. Who can help me with this issue? *#* *# MY DEBUG -X -A* *#* [root@radius_server raddb]# radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 60 main: cleanup_delay = 6 main: max_requests = 4096 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 3 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded LDAP ldap: server = "srv01t.MYCOMPANY.net.br <http://srv01t.mycompany.net.br/>" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "CN=AUTHENTIC,CN=Users,DC=MYCOMPANY,DC=NET,DC=BR" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "segredo" ldap: basedn = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR" ldap: filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message *rlm_ldap: LDAP AcmeUserPrivilege mapped to RADIUS Service-Type <-- Need for authorization and access level* *rlm_ldap: LDAP AcmeUserClass mapped to RADIUS Service-Type **<-- Need for authorization and access level* *rlm_ldap: LDAP AcmeUserPrivilege mapped to RADIUS Login-Service **<-- Need for authorization and access level* conns: 0x9ef47c0 Module: Instantiated ldap (ldap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.253.7.156:1812, id=72, length=69 User-Name = "lveiga" User-Password = "mypassword" NAS-Identifier = "102537156" NAS-IP-Address = 10.253.7.156 NAS-Port = 118751232 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/10.253.7.156/auth-detail-20140210' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.253.7.156/auth-detail-20140210 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for lveiga radius_xlat: '(cn=lveiga)' radius_xlat: 'CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to srv01t.MYCOMPANY.net.br:389<http://srv01t.mycompany.net.br:389/>, authentication 0 rlm_ldap: bind as CN=AUTHENTIC,CN=Users,DC=MYCOMPANY,DC=NET,DC=BR/passwordomitted to srv01t.MYCOMPANY.net.br:389 <http://srv01t.mycompany.net.br:389/> rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR, with filter (cn=lveiga) *rlm_ldap: object not found or got ambiguous search result* *rlm_ldap: search failed* rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 *auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user* *auth: Failed to validate the user.* *Login incorrect (rlm_ldap: User not found): [lveiga/mypassword] (from client myhost80.spoig port 118751232)* Delaying request 0 for 3 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Sending Access-Reject of id 72 to 10.253.7.156 port 1812 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 72 with timestamp 52f8d4df Nothing to do. Sleeping until we see a request. *#* *# MY RLM_LDAP FILE* *#* # Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See doc/rlm_ldap for description of configuration options # and sample authorize{} and authenticate{} blocks # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { server = "srv01t.MYCOMPANY.net.br <http://srv01t.mycompany.net.br/>" identity = "CN=AUTHENTIC,CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR" password = mypassword basedn = "CN=Users,DC=MYCOMPANY,DC=NET,DC=BR" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 5 timelimit = 3 net_timeout = 1 dictionary_mapping = /etc/raddb/ldap.attrmap access_attr_used_for_allow = no set_auth_type = no compare_check_items = yes do_xlat = yes } # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no # cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd # require_cert = "demand" } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword # As of 1.1.0, the LDAP module will auto-discover # the password headers (which are non-standard). # It will use the following table to map passwords # to RADIUS attributes. The PAP module (see above) # can then automatically determine the hashing # method to use to authenticate the user. # # Header Attribute # ------ --------- # {clear} User-Password # {cleartext} User-Password # {md5} MD5-Password # {smd5} SMD5-Password # {crypt} Crypt-Password # {sha} SHA-Password # {ssha} SSHA-Password # {nt} NT-Password # {ns-mta-md5} NS-MTA-MD5-Password # # # The headers are compared in a case-insensitive manner. # The format of the password in LDAP (base 64-encoded, hex, # clear-text, whatever) is not that important. The PAP # module will figure it out. # # The default for "auto_header" is "no", to enable backwards # compatibility with the "password_header" directive, # which is now deprecated. If this is set to "yes", # then the above table will be used, and the # "password_header" directive will be ignored. #auto_header = yes # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # #edir_account_policy_check = no # # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} set_auth_type = yes } *#* *# MY LDAP.ATTRMAP* *#* [root@syslog01 raddb]# cat ldap.attrmap # # Mapping of RADIUS dictionary attributes to LDAP directory attributes # to be used by LDAP authentication and authorization module (rlm_ldap) # # Format: # ItemType RADIUS-Attribute-Name ldapAttributeName # # Where: # ItemType = checkItem or replyItem # RADIUS-Attribute-Name = attribute name in RADIUS dictionary # ldapAttributeName = attribute name in LDAP schema # # If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies # a LDAP attribute which can be used to store any RADIUS # attribute/value-pair in LDAP directory. # # You should edit this file to suit it to your needs. # checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password sambaLMPassword checkItem NT-Password sambaNTPassword checkItem SMB-Account-CTRL-TEXT sambaAcctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress replyItem Service-Type radiusServiceType replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort replyItem Reply-Message radiusReplyMessage *replyItem Service-Type AcmeUserPrivilege <- define user authorization* *replyItem Login-Service AcmeUserPrivilege <- define user authorization* *replyItem Service-Type AcmeUserClass <- define user authorization* *#* *# MY RADIUSD.CONF concerns to LDAP* *#* # Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See doc/rlm_ldap for description of configuration options # and sample authorize{} and authenticate{} blocks # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { server = "srv01t.embratel.net.br" port = 389 password = passwordomitted identity = "CN=AUTHENTIC,CN=Users,DC=MYCONPANY,DC=NET,DC=BR" net_timeout = 1 timeout = 4 timelimit = 3 tls_require_cert = "allow" basedn = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" #groupname_attribute = "CN=USERS,DC=MYCOMPANY,DC=NET,DC=BR" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } # passwd module allows to do authorization via any passwd-like # file and to extract any attributes from these modules # # parameters are: # filename - path to filename # format - format for filename record. This parameters # correlates record in the passwd file and RADIUS # attributes. # # Field marked as '*' is key field. That is, the parameter # with this name from the request is used to search for # the record from passwd file # Attribute marked as '=' is added to reply_itmes instead # of default configure_itmes # Attribute marked as '~' is added to request_items # # Field marked as ',' may contain a comma separated list # of attributes. # authtype - if record found this Auth-Type is used to authenticate # user # hashsize - hashtable size. If 0 or not specified records are not # stored in memory and file is red on every request. # allowmultiplekeys - if few records for every key are allowed # ignorenislike - ignore NIS-related records # delimiter - symbol to use as a field separator in passwd file, # for format ':' symbol is always used. '\0', '\n' are # not allowed # # An example configuration for using /etc/smbpasswd. # #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #} # Similar configuration, for the /etc/group file. Adds a Group-Name # attribute for every group that the user is member of. # #passwd etc_group { # filename = /etc/group # format = "=Group-Name:::*,User-Name" # hashsize = 50 # ignorenislike = yes # allowmultiplekeys = yes # delimiter = ":" #} # Realm module, for proxying. # # You can have multiple instances of the realm module to # support multiple realm syntaxs at the same time. The # search order is defined by the order in the authorize and # preacct sections. # # Four config options: # format - must be 'prefix' or 'suffix' # delimiter - must be a single character # ignore_default - set to 'yes' or 'no' # ignore_null - set to 'yes' or 'no' # # ignore_default and ignore_null can be set to 'yes' to prevent # the module from matching against DEFAULT or NULL realms. This # may be useful if you have have multiple instances of the # realm module. # # They both default to 'no'. # # 'realm/username' # # Using this entry, IPASS users have their realm set to "IPASS". realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm' # realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } # A simple value checking module # # It can be used to check if an attribute value in the request # matches a (possibly multi valued) attribute in the check # items This can be used for example for caller-id # authentication. For the module to run, both the request # attribute and the check items attribute must exist # # i.e. # A user has an ldap entry with 2 radiusCallingStationId # attributes with values "12345678" and "12345679". If we # enable rlm_checkval, then any request which contains a # Calling-Station-Id with one of those two values will be # accepted. Requests with other values for # Calling-Station-Id will be rejected. # # Regular expressions in the check attribute value are allowed # as long as the operator is '=~' # checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } # rewrite arbitrary packets. Useful in accounting and authorization. # # # The module can also use the Rewrite-Rule attribute. If it # is set and matches the name of the module instance, then # that module instance will be the only one which runs. # # Also if new_attribute is set to yes then a new attribute # will be created containing the value replacewith and it # will be added to searchin (packet, reply, proxy, proxy_reply or config). # searchfor,ignore_case and max_matches will be ignored in that case. # # Backreferences are supported: %{0} will contain the string the whole match # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses # # If max_matches is greater than one the backreferences will correspond to the # first match # #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} # Preprocess the incoming RADIUS request, before handing it off # to other modules. # # This module processes the 'huntgroups' and 'hints' files. # In addition, it re-writes some weird attributes created # by some NASes, and converts the attributes into a form which # is a little more standard. # preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints # This hack changes Ascend's wierd port numberings # to standard 0-??? port numbers so that the "+" works # for IP address assignments. with_ascend_hack = no ascend_channels_per_line = 23 # Windows NT machines often authenticate themselves as # NT_DOMAIN\username # # If this is set to 'yes', then the NT_DOMAIN portion # of the user-name is silently discarded. # # This configuration entry SHOULD NOT be used. # See the "realms" module for a better way to handle # NT domains. with_ntdomain_hack = no # Specialix Jetstream 8500 24 port access server. # # If the user name is 10 characters or longer, a "/" # and the excess characters after the 10th are # appended to the user name. # # If you're not running that NAS, you don't need # this hack. with_specialix_jetstream_hack = no # Cisco (and Quintum in Cisco mode) sends it's VSA attributes # with the attribute name *again* in the string, like: # # H323-Attribute = "h323-attribute=value". # # If this configuration item is set to 'yes', then # the redundant data in the the attribute text is stripped # out. The result is: # # H323-Attribute = "value" # # If you're not running a Cisco or Quintum NAS, you don't # need this hack. with_cisco_vsa_hack = no } # Livingston-style 'users' file # files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users #preproxy_usersfile = ${confdir}/preproxy_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # Write a detailed log of all accounting records received. # detail { # Note that we do NOT use NAS-IP-Address here, as # that attribute MAY BE from the originating NAS, and # NOT from the proxy which actually sent us the # request. The Client-IP-Address attribute is ALWAYS # the address of the client which sent us the # request. # # The following line creates a new detail file for # every radius client (by IP address or hostname). # In addition, a new detail file is created every # day, so that the detail file doesn't have to go # through a 'log rotation' # # If your detail files are large, you may also want # to add a ':%H' (see doc/variables.txt) to the end # of it, to create a new detail file every hour, e.g.: # # ..../detail-%Y%m%d:%H # # This will create a new detail file for every hour. # detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d # # The Unix-style permissions on the 'detail' file. # # The detail file often contains secret or private # information about users. So by keeping the file # permissions restrictive, we can prevent unwanted # people from seeing that information. detailperm = 0600 # # Certain attributes such as User-Password may be # "sensitive", so they should not be printed in the # detail file. This section lists the attributes # that should be suppressed. # # The attributes should be listed one to a line. # #suppress { # User-Password #} } # # Many people want to log authentication requests. # Rather than modifying the server core to print out more # messages, we can use a different instance of the 'detail' # module, to log the authentication requests to a file. # # You will also need to un-comment the 'auth_log' line # in the 'authorize' section, below. # detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d # # This MUST be 0600, otherwise anyone can read # the users passwords! detailperm = 0600 } # # This module logs authentication reply packets sent # to a NAS. Both Access-Accept and Access-Reject packets # are logged. # # You will also need to un-comment the 'reply_log' line # in the 'post-auth' section, below. # # Changed here ---- detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d # # This MUST be 0600, otherwise anyone can read # the users passwords! detailperm = 0600 } # # Finished here # # # This module logs packets proxied to a home server. # # You will also need to un-comment the 'pre_proxy_log' line # in the 'pre-proxy' section, below. # # detail pre_proxy_log { # detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d # # This MUST be 0600, otherwise anyone can read # the users passwords! # detailperm = 0600 # } # # This module logs response packets from a home server. # # You will also need to un-comment the 'post_proxy_log' line # in the 'post-proxy' section, below. # # detail post_proxy_log { # detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d # # This MUST be 0600, otherwise anyone can read # the users passwords! # detailperm = 0600 # } # # The rlm_sql_log module appends the SQL queries in a log # file which is read later by the radsqlrelay program. # # This module only performs the dynamic expansion of the # variables found in the SQL statements. No operation is # executed on the database server. (this could be done # later by an external program) That means the module is # useful only with non-"SELECT" statements. # # See rlm_sql_log(5) manpage. # # sql_log { # path = ${radacctdir}/sql-relay # acct_table = "radacct" # postauth_table = "radpostauth" # # Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '%S', '0', '0', '');" # Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ # '%{Acct-Terminate-Cause}');" # Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" # # Post-Auth = "INSERT INTO ${postauth_table} \ # (user, pass, reply, date) VALUES \ # ('%{User-Name}', '%{User-Password:-Chap-Password}', \ # '%{reply:Packet-Type}', '%S');" # } # # Create a unique accounting session Id. Many NASes re-use # or repeat values for Acct-Session-Id, causing no end of # confusion. # # This module will add a (probably) unique session id # to an accounting packet based on the attributes listed # below found in the packet. See doc/rlm_acct_unique for # more information. # acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } # Include another file that has the SQL-related configuration. # This is another file only because it tends to be big. # # The following configuration file is for use with MySQL. # # For Postgresql, use: ${confdir}/postgresql.conf # For MS-SQL, use: ${confdir}/mssql.conf # For Oracle, use: ${confdir}/oraclesql.conf # # $INCLUDE ${confdir}/sql.conf # For Cisco VoIP specific accounting with Postgresql, # use: ${confdir}/pgsql-voip.conf # # You will also need the sql schema from: # src/billing/cisco_h323_db_schema-postgres.sql # Note: This config can be use AS WELL AS the standard sql # config if you need SQL based Auth # Write a 'utmp' style file, of which users are currently # logged in, and where they've logged in from. # # This file is used mainly for Simultaneous-Use checking, # and also 'radwho', to see who's currently logged in. # radutmp { # Where the file is stored. It's not a log file, # so it doesn't need rotating. # filename = ${logdir}/radutmp # The field in the packet to key on for the # 'user' name, If you have other fields which you want # to use to key on to control Simultaneous-Use, # then you can use them here. # # Note, however, that the size of the field in the # 'utmp' data structure is small, around 32 # characters, so that will limit the possible choices # of keys. # # You may want instead: %{Stripped-User-Name:-%{User-Name}} username = %{User-Name} # Whether or not we want to treat "user" the same # as "USER", or "User". Some systems have problems # with case sensitivity, so this should be set to # 'no' to enable the comparisons of the key attribute # to be case insensitive. # case_sensitive = yes # Accounting information may be lost, so the user MAY # have logged off of the NAS, but we haven't noticed. # If so, we can verify this information with the NAS, # # If we want to believe the 'utmp' file, then this # configuration entry can be set to 'no'. # check_with_nas = yes # Set the file permissions, as the contents of this file # are usually private. perm = 0600 callerid = "yes"