After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before. radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf[210]: The authenticate section should be inside of a 'server { ... }' block! # Loading authenticate {...} /usr/local/etc/raddb/radiusd.conf[204]: The authorize section should be inside of a 'server { ... }' block! # Loading authorize {...} /usr/local/etc/raddb/radiusd.conf[217]: The preacct section should be inside of a 'server { ... }' block! # Loading preacct {...} /usr/local/etc/raddb/radiusd.conf[222]: The accounting section should be inside of a 'server { ... }' block! # Loading accounting {...} /usr/local/etc/raddb/radiusd.conf[226]: The post-proxy section should be inside of a 'server { ... }' block! } # server radiusd: #### Opening IP addresses and Ports #### This has me rather perplexed, as clearly the sections are within a server { } block. The server still behaves and responds to requests correctly. Is there something obvious that I am overlooking? Below is full debug output and my conf: fbsd101-vm# radiusd -X Copyright (C) 1999-2015 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf main { security { user = "freeradius" group = "freeradius" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 10 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 192.168.92.0/24 { ipaddr = 192.168.92.0/24 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = PERL radiusd: #### Instantiating modules #### # Loaded module rlm_perl # Instantiating module "perl" from file /usr/local/etc/raddb/radiusd.conf perl { filename = "/space/rxg/rxgd/bin/freeradius_hook" func_authorize = "authorize" func_authenticate = "authenticate" func_post_auth = "post_auth" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } # Loaded module rlm_detail # Instantiating module "detail" from file /usr/local/etc/raddb/radiusd.conf detail { filename = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" permissions = 420 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_expr # Instantiating module "expr" from file /usr/local/etc/raddb/radiusd.conf expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_eap # Instantiating module "eap" from file /usr/local/etc/raddb/radiusd.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 2048 } # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "perl" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/ssl/server.key" certificate_file = "/etc/ssl/server.crt" ca_file = "/etc/ssl/server.crt" dh_file = "/usr/local/etc/raddb/dhparam" random_file = "/space/rxg/rxgd/bin/random" fragment_size = 1024 include_length = yes check_crl = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = yes include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /usr/local/etc/raddb/radiusd.conf radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = yes } # Instantiating module "sradutmp" from file /usr/local/etc/raddb/radiusd.conf radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_attr_filter # Instantiating module "attr_filter" from file /usr/local/etc/raddb/radiusd.conf attr_filter { filename = "/usr/local/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /usr/local/etc/raddb/radiusd.conf preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/huntgroups reading pairlist file /usr/local/etc/raddb/hints radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf[210]: The authenticate section should be inside of a 'server { ... }' block! # Loading authenticate {...} /usr/local/etc/raddb/radiusd.conf[204]: The authorize section should be inside of a 'server { ... }' block! # Loading authorize {...} /usr/local/etc/raddb/radiusd.conf[217]: The preacct section should be inside of a 'server { ... }' block! # Loading preacct {...} /usr/local/etc/raddb/radiusd.conf[222]: The accounting section should be inside of a 'server { ... }' block! # Loading accounting {...} /usr/local/etc/raddb/radiusd.conf[226]: The post-proxy section should be inside of a 'server { ... }' block! } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } listen { type = "acct" ipaddr = * port = 1813 } Listening on auth address * port 1812 Listening on acct address * port 1813 Ready to process requests cat /usr/local/etc/raddb/radiusd.conf client 192.168.92.0/24 { ipaddr = 192.168.92.0/24 secret = d0ee524f6cb9966ce134d251a3e820c7 } prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} pidfile = /var/run/radiusd/radiusd.pid checkrad = ${sbindir}/checkrad listen { ipaddr = * port = 1812 type = auth } listen { ipaddr = * port = 1813 type = acct } log { #destination = files #colourise = yes #file = ${logdir}/radius.log #syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { user = freeradius group = freeradius allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes } thread pool { start_servers = 1 max_servers = 4 min_spare_servers = 1 max_spare_servers = 2 max_requests_per_server = 0 } max_request_time = 30 cleanup_delay = 5 max_requests = 10 hostname_lookups = no delete_blocked_requests = no regular_expressions = yes extended_expressions = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no snmp = no proxy_requests = no modules { perl { filename = /space/rxg/rxgd/bin/freeradius_hook } detail { filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d permissions = 0644 } expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no gtc { challenge = "Password: " auth_type = perl } tls-config tls-common { private_key_password = private_key_file = /etc/ssl/server.key certificate_file = /etc/ssl/server.crt ca_file = /etc/ssl/server.crt dh_file = /usr/local/etc/raddb/dhparam random_file = /space/rxg/rxgd/bin/random } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes } peap { tls = tls-common default_eap_type = gtc default_method = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes } } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes caller_id = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp permissions = 0644 caller_id = "no" } attr_filter { filename = ${confdir}/attrs } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } } policy { class_value_prefix = 'ai:' acct_unique { if ("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) { update request { &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}" } } else { update request { &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" } } } insert_acct_class { update reply { &Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{Packet-Src-IP-Address},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}" } } acct_counters64.preacct { update request { &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" } } } server { authorize { preprocess eap perl } authenticate { Auth-Type PERL { perl } eap } preacct { preprocess acct_unique } accounting { perl } post-proxy { eap perl } }