hi,
i need help to configurate the MAC based
authentication.
I use freeradius 1.0.1 and openldap 2.0.27-17. The config
from the
HP Switch to the Radius is ok.
In the LDAP there are the MAC
Adresses from all my Laptops like "macAdress".
LDAP:
ldapsearch -LL -x -H ldap://atmacldapsr01 -D
cn=Manager,o=wuestenrot,c=at -w secret -b
ou=workstation,o=wuestenrot,c=at macAddress=00:1E:37:1C:5F:D4
wueroRechnername: ATTSBGVARR40
macAddress:
00:06:1B:CA:53:64
I only want that radius check at the LDAP, if the
MAC Address
exists. IF the MAC exists go to VLAN 5 else go to VLAN 10.
Have anyone an idea were my problem is??? or an good Howto??
Is it right
to make this with the checkval? users File?
Have anyone an
example?
Next step, I want to make checks over an extern
script? Where to I
activate this feature?
Please help me.
thanks a lot
andi
RADIUS:
[root@atmacradsr01 raddb]# radiusd
-Xf
Starting - reading configuration files ...
reread_config:
reading radiusd.conf
Config: including file:
/etc/raddb/proxy.conf
Config: including file:
/etc/raddb/clients.conf
Config: including file:
/etc/raddb/snmp.conf
Config: including file:
/etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir
= "/var"
main: logdir = "/var/log/radius"
main: libdir =
"/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main:
hostname_lookups = no
main: max_request_time = 30
main:
cleanup_delay = 5
main: max_requests = 1024
main:
delete_blocked_requests = 0
main: port = 0
main:
allow_core_dumps = no
main: log_stripped_names = no
main:
log_file = "/var/log/radius/radius.log"
main: log_auth =
yes
main: log_auth_badpass = no
main: log_auth_goodpass =
no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user =
"radiusd"
main: group = "radiusd"
main: usercollide =
no
main: lower_user = "yes"
main: lower_pass =
"yes"
main: nospace_user = "no"
main: nospace_pass =
"no"
main: checkrad = "/usr/sbin/checkrad"
main:
proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count
= 3
proxy: synchronous = no
proxy: default_fallback =
yes
proxy: dead_time = 120
proxy: post_proxy_authorize =
yes
proxy: wake_all_if_all_dead = no
security: max_attributes
= 200
security: reject_delay = 1
security: status_server =
no
main: debug_level = 0
read_config_files: reading
dictionary
read_config_files: reading naslist
Using deprecated
naslist file. Support for this will go away
soon.
read_config_files: reading clients
read_config_files:
reading realms
radiusd: entering modules setup
Module: Library
search path is /usr/lib
Module: Loaded exec
exec: wait =
yes
exec: program = "(null)"
exec: input_pairs =
"request"
exec: output_pairs = "(null)"
exec: packet_type =
"(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
ldap:
server = "atmacldapsr01"
ldap: port = 389
ldap: net_timeout =
1
ldap: timeout = 4
ldap: timelimit = 3
ldap:
identity = "cn=Manager,o=wuestenrot,c=at"
ldap: tls_mode =
no
ldap: start_tls = no
ldap: tls_cacertfile =
"(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile =
"(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile =
"(null)"
ldap: tls_require_cert = "allow"
ldap: password =
"secret"
ldap: basedn =
"ou=workstation,o=wuestenrot,c=at"
ldap: filter =
"(macAddress=%{User-Name})"
ldap: base_filter =
"(objectclass=radiusprofile)"
ldap: default_profile =
"(null)"
ldap: profile_attribute = "(null)"
ldap:
password_header = "(null)"
ldap: password_attribute =
"(null)"
ldap: access_attr = "(null)"
ldap:
groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
ldap:
groupmembership_attribute = "(null)"
ldap: dictionary_mapping =
"/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap:
ldap_connections_number = 5
ldap: compare_check_items =
no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat =
yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap:
Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading
ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP
radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem
mapped to RADIUS $GENERIC$
rlm_ldap: LDAP macAddress mapped to RADIUS
User-Name
rlm_ldap: LDAP radiusAuthType mapped to RADIUS
Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS
LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS
NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS
SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS
Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS
Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS
Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS
Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS
Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS
Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS
Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS
Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS
Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS
Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS
Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS
Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS
Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS
Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS
Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS
Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS
Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-
AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped
to RADIUS Framed-
AppleTalk-Network
rlm_ldap: LDAP
radiusFramedAppleTalkZone mapped to RADIUS
Framed-
AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS
Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS
Login-LAT-Port
conns: 0x8bb05a8
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
preprocess: huntgroups =
"/etc/raddb/huntgroups"
preprocess: hints =
"/etc/raddb/hints"
preprocess: with_ascend_hack =
no
preprocess: ascend_channels_per_line = 23
preprocess:
with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack =
no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated
preprocess (preprocess)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/
auth-detail-%Y%m%d"
detail:
detailperm = 384
detail: dirperm = 493
detail: locking =
no
Module: Instantiated detail (auth_log)
Module: Loaded checkval
checkval: item-name = "User-Name"
checkval: check-name =
"macAddress"
checkval: data-type = "string"
checkval:
notfound-reject = no
rlm_checkval: Registered name macAddress for attribute
1671
Module: Instantiated checkval (checkval)
Module: Loaded
Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated
acct_unique (acct_unique)
Module: Loaded realm
realm: format =
"suffix"
realm: delimiter = "@"
realm: ignore_default =
no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile =
"/etc/raddb/users"
files: acctusersfile =
"/etc/raddb/acct_users"
files: preproxy_usersfile =
"/etc/raddb/preproxy_users"
files: compat = "no"
Module:
Instantiated files (files)
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/
detail-%Y%m%d"
detail:
detailperm = 384
detail: dirperm = 493
detail: locking =
no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp:
username = "%{User-Name}"
radutmp: case_sensitive =
yes
radutmp: check_with_nas = yes
radutmp: perm =
384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
eap: default_eap_type = "md5"
eap:
timer_expire = 60
eap: ignore_unknown_eap_types = no
eap:
cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type
md5
rlm_eap: Loaded and initialized type leap
gtc: challenge =
"Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized
type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and
initialized type mschapv2
Module: Instantiated eap (eap)
Listening on
authentication *:1812
Listening on accounting *:1813
Listening on proxy
*:1814
Ready to process requests.
Now I connect an Laptop on the switch and this is
shown on the radius:
rad_recv: Access-Request packet from host
192.168.10.1:1024,
id=241,length=183
Framed-MTU =
9178
NAS-IP-Address =
192.168.10.1
NAS-Identifier =
"MAC-VAR"
User-Name =
"00:06:1b:ca:53:64"
Service-Type =
Framed-User
Framed-Protocol =
PPP
NAS-Port =
17
NAS-Port-Type =
Ethernet
NAS-Port-Id =
"17"
Called-Station-Id =
"00-18-fe-e6-36-ef"
Calling-Station-Id =
"00-06-1b-ca-53-64"
Connect-Info =
"CONNECT Ethernet 100Mbps Full
duplex"
CHAP-Password =
0x50eec0218f3e8b36308a4c070b9eca0267
Processing the authorize section
of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request
0
radius_xlat:
'/var/log/radius/radacct/192.168.10.1/auth-detail-20080328'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-
detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.10.1/auth-
detail-20080328
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_ldap: -
authorize
rlm_ldap: performing user authorization for
00:06:1b:ca:53:64
radius_xlat:
'(macAddress=00:06:1b:ca:53:64)'
radius_xlat:
'ou=workstation,o=wuestenrot,c=at'
rlm_ldap: ldap_get_conn: Checking Id:
0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to atmacldapsr01:389, authentication
0
rlm_ldap: bind as cn=Manager,o=wuestenrot,c=at/secret to
atmacldapsr01:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was
successful
rlm_ldap: performing search in ou=workstation,o=wuestenrot,c=at,
with filter (macAddress=00:06:1b:ca:53:64)
rlm_ldap: looking for check
items in directory...
rlm_ldap: Adding macAddress as User-Name, value
00:06:1B:CA:53:64 & op=21
rlm_ldap: looking for reply items in
directory...
rlm_ldap: user 00:06:1b:ca:53:64 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item
Name: User-Name, Value: 00:06:1b:ca:53:64
rlm_checkval: Could not find
attribute named macAddress in check pairs
modcall[authorize]: module
"checkval" returns notfound for request 0
modcall: group authorize returns ok
for request 0
rad_check_password: Found Auth-Type LDAP
auth:
type "LDAP"
Processing the authenticate section of
radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: -
authenticate
rlm_ldap: Attribute "User-Password" is required for
authentication.
Cannot use "CHAP-Password".
modcall[authenticate]:
module "ldap" returns invalid for request 0
modcall: group Auth-Type returns
invalid for request 0
auth: Failed to validate the user.
Login incorrect:
[00:06:1b:ca:53:64] (from client private-network-1
port 17 cli
00-06-1b-ca-53-64)
Delaying request 0 for 1 seconds
Finished request
0
Going to the next request
--- Walking the entire request list
---
Waking up in 1 seconds...
--- Walking the entire request list
---
Waking up in 1 seconds...
--- Walking the entire request list
---
Sending Access-Reject of id 241 to 192.168.10.1:1024
Waking up in 4
seconds...
--- Walking the entire request list ---
Cleaning up request 0
ID 241 with timestamp 47eca277
Nothing to do. Sleeping until we see a
request.
This are my config Files:
cat ldap.attrmap
checkItem
$GENERIC$
radiusCheckItem
replyItem
$GENERIC$
radiusReplyItem
checkItem
User-Name
macAddress
checkItem
Auth-Type
radiusAuthType
checkItem
Simultaneous-Use
radiusSimultaneousUse
checkItem
Called-Station-Id
radiusCalledStationId
checkItem
Calling-Station-Id
radiusCallingStationId
checkItem
LM-Password
sambaLMPassword
checkItem
NT-Password
sambaNTPassword
checkItem
SMB-Account-CTRL-TEXT
sambaAcctFlags
checkItem
Expiration
radiusExpiration
replyItem
Service-Type
radiusServiceType
replyItem
Framed-Protocol
radiusFramedProtocol
replyItem
Framed-IP-Address
radiusFramedIPAddress
replyItem
Framed-IP-Netmask
radiusFramedIPNetmask
replyItem
Framed-Route
radiusFramedRoute
replyItem
Framed-Routing
radiusFramedRouting
replyItem
Filter-Id
radiusFilterId
replyItem
Framed-MTU
radiusFramedMTU
replyItem
Framed-Compression
radiusFramedCompression
replyItem
Login-IP-Host
radiusLoginIPHost
replyItem
Login-Service
radiusLoginService
replyItem
Login-TCP-Port
radiusLoginTCPPort
replyItem
Callback-Number
radiusCallbackNumber
replyItem
Callback-Id
radiusCallbackId
replyItem
Framed-IPX-Network
radiusFramedIPXNetwork
replyItem
Class
radiusClass
replyItem
Session-Timeout
radiusSessionTimeout
replyItem
Idle-Timeout
radiusIdleTimeout
replyItem
Termination-Action
radiusTerminationAction
replyItem
Login-LAT-Service
radiusLoginLATService
replyItem
Login-LAT-Node
radiusLoginLATNode
replyItem
Login-LAT-Group
radiusLoginLATGroup
replyItem
Framed-AppleTalk-Link
radiusFramedAppleTalkLink
replyItem
Framed-AppleTalk-Network
radiusFramedAppleTalkNetwork
replyItem
Framed-AppleTalk-Zone
radiusFramedAppleTalkZone
replyItem
Port-Limit
radiusPortLimit
replyItem
Login-LAT-Port
radiusLoginLATPort
file: clients.conf: only add my segment
client
192.168.10.0/24 {
secret
= testing123-1
shortname = private-network-1
}
file: users: only add LDAP as Auth-Type
# First
setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a
password was already given earlier in this file).
#
DEFAULT Auth-Type = LDAP
Fall-Through = 1
#
# Set up different IP address pools for the
terminal servers.
# Note that the "+" behind the IP address means that this
is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
file: radius.conf
prefix = /usr
exec_prefix = /usr
sysconfdir =
/etc
localstatedir = /var
sbindir = /usr/sbin
logdir =
${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir =
${logdir}/radacct
confdir = ${raddbdir}
run_dir =
${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
#listen {
# IP address on which to
listen.
# Allowed values are:
# dotted quad
(1.2.3.4)
#
hostname
(radius.example.com)
#
wildcard (*)
# ipaddr = *
# Port on which to
listen.
# Allowed values are:
# integer port number
(1812)
# 0 means "use /etc/services for the proper port"
# port =
0
# Type of packets to listen
for.
# Allowed values are:
# auth listen for
authentication packets
# acct listen for accounting
packets
#
# type = auth
#}
# hostname_lookups: Log the names of clients
or just their IP addresses
# allowed values: {no,
yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This
should only be set to 'yes'
# if you're debugging a problem with the
server.
# allowed values: {no, yes}
allow_core_dumps =
no
regular_expressions = yes
extended_expressions =
yes
# Log the full User-Name attribute, as it was
found in the request.
#
# allowed values: {no,
yes}
#
log_stripped_names = no
# Log authentication requests to the log
file.
#
# allowed values: {no, yes}
#
log_auth =
yes
# Log passwords with the authentication
requests.
# log_auth_badpass - logs password if it's
rejected
# log_auth_goodpass - logs password if it's
correct
#
# allowed values: {no, yes}
#
log_auth_badpass =
no
log_auth_goodpass = no
# usercollide: Turn "username collision" code
on and off. See the
# "doc/duplicate-users" file
usercollide =
no
# Default is 'no' (don't lowercase values)
#
Valid values = "before" / "after" / "no"
#
#lower_user = no
#lower_pass
= no
lower_user = yes
lower_pass = yes
# nospace_user / nospace_pass:
# Some
users like to enter spaces in their username or password
#
incorrectly. To save yourself the tech support call, you can
#
eliminate those spaces here:
# Default is 'no' (don't remove spaces)
#
Valid values = "before" / "after" / "no" (explanation above)
nospace_user =
no
nospace_pass = no
# The program to execute to do concurrency
checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
security
{
#
max_attributes = 200
reject_delay = 1
status_server = no
}
# PROXY CONFIGURATION
# proxy_requests:
Turns proxying of RADIUS requests on or off.
# allowed values: {no,
yes}
proxy_requests = yes
$INCLUDE
${confdir}/proxy.conf
# CLIENTS CONFIGURATION
# The
'clients.conf' file contains all of the information from the old
#
'clients' and 'naslist' configuration files. We recommend that
you
# do NOT use 'client's or 'naslist', although they are
still
# supported.
# Anything listed in 'clients.conf' will
take precedence over the
# information from the old-style configuration
files.
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
# 'snmp' attribute to
'yes'
snmp = no
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
# The thread
pool is a long-lived group of threads which
# take turns (round-robin)
handling any incoming requests.
#
thread pool {
# Number of
servers to start initially --- should be a reasonable
# ballpark
figure.
start_servers = 5
# Limit on the total number of servers
running.
#
max_servers = 32
# Server-pool size regulation.
Rather than making you guess
min_spare_servers =
3
max_spare_servers = 10
# '0' is a special value meaning
'infinity', or 'the servers never
#
exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
modules
{
#
# Each module has a configuration as
follows:
#
# name [ instance ] {
# config_item
= value
# ...
# }
#
# The 'name'
is used to load the 'rlm_name' library
# which implements the
functionality of the module.
#
# Supports multiple
encryption schemes
# clear: Clear text
# crypt:
Unix crypt
# md5: MD5
ecnryption
# sha1: SHA1 encryption.
#
DEFAULT: crypt
#auskommentiert
#pap {
#
encryption_scheme = crypt
#}
# CHAP module
#
# To
authenticate requests containing a CHAP-Password
attribute.
#
#aukommentiert
#chap {
#
authtype = CHAP
#}
# Pluggable Authentication
Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
#
WARNING: On many systems, the system PAM libraries
have
#
memory leaks! We STRONGLY SUGGEST that you do
not
# use PAM for authentication, due to those
memory leaks.
#
#pam {
#
#}
#
$INCLUDE
${confdir}/eap.conf
# Lightweight Directory Access Protocol
(LDAP)
#
# This module definition allows you to use LDAP
for
# authorization and authentication (Auth-Type :=
LDAP)
#
# See doc/rlm_ldap for description of
configuration options
# and sample authorize{} and
authenticate{} blocks
ldap {
server =
"atmacldapsr01"
identity = "cn=Manager,o=wuestenrot,c=at"
password = secret
basedn =
"ou=workstation,o=wuestenrot,c=at"
#filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"
filter =
"(macAddress=%{User-Name})"
#filter =
"(macAddress=%{Stripped-User-Name:-%{User-Name}})"
# base_filter =
"(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted
connections
# to the LDAP database by using the StartTLS
extended
# operation.
# The StartTLS operation is supposed
to be used with normal
# ldap connections instead of using ldaps (port
689) connections
start_tls = no
# tls_cacertfile =
/path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile =
/path/to/radius.key
# tls_randfile = /path/to/rnd
#
tls_require_cert = "demand"
# default_profile =
"cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute =
"radiusProfileDn"
#aukommendiert
#access_attr =
"dialupAccess"
# Mapping of RADIUS dictionary attributes to
LDAP
# directory attributes.
dictionary_mapping =
${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# password_attribute =
userPassword
# groupname_attribute = cn
#
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items =
yes
# do_xlat = yes
# access_attr_used_for_allow =
yes
}
#
'realm/username'
#
# Using this entry, IPASS users have
their realm set to "IPASS".
realm IPASS {
format =
prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username@realm'
#
realm
suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
#
'username%realm'
#
realm realmpercent {
format =
suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
#
'domain\user'
#
realm ntdomain {
format =
prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# A simple value checking
module
#
#
# Regular expressions in the check
attribute value are allowed
# as long as the operator is
'=~'
#
checkval {
# The attribute to look for in the
request
#item-name = Calling-Station-Id
item-name =
User-Name
# The attribute to look for in check items. Can
be multi valued
#check-name = Calling-Station-Id
check-name
= macAddress
# The data type. Can be
#
string,integer,ipaddr,date,abinary,octets
data-type =
string
# If set to yes and we dont find the
item-name attribute in the
# request then we send back a
reject
# DEFAULT is no
#notfound-reject = no
#notfound-reject = no
}
# rewrite arbitrary
packets. Useful in accounting and authorization.
# Backreferences
are supported: %{0} will contain the string the whole match
# and %{1}
to %{8} will contain the contents of the 1st to the 8th
parentheses
#
# If max_matches is greater than one the
backreferences will
correspond to the
# first match
#
#attr_rewrite sanecallerid
{
# attribute = Called-Station-Id
# may be "packet", "reply",
"proxy", "proxy_reply" or "config"
# searchin = packet
#
searchfor = "[+ ]"
# replacewith = ""
# ignore_case =
no
# new_attribute = no
# max_matches = 10
# ## If
set to yes then the replace string will be appended to the
original
string
# append = no
#}
# Preprocess the incoming RADIUS request,
before handing it off
# to other
modules.
#
preprocess {
huntgroups =
${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port
numberings
# to standard 0-??? port numbers so that the "+"
works
# for IP address assignments.
with_ascend_hack =
no
ascend_channels_per_line = 23
# Windows NT machines often authenticate
themselves as
with_ntdomain_hack = no
#
# If you're not running a
Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack =
no
}
# Livingston-style 'users'
file
#
files {
usersfile =
${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron
'users' file
# with FreeRADIUS, you should change the next
line
# to 'compat = cistron'. You can the copy your
'users'
# file from Cistron.
compat =
no
}
# Write a detailed log of all accounting
records received.
#
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm =
0600
}
detail auth_log {
detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600,
otherwise anyone can read
# the users passwords!
#
detailperm = 0600
}
# Create a unique accounting session
Id. Many NASes re-use or
# repeat values for Acct-Session-Id,
causing no end of
# confusion.
acct_unique {
key =
"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-
Address,
NAS-Port"
}
radutmp {
# Where the file is
stored. It's not a log file,
# so it doesn't need
rotating.
#
filename = ${logdir}/radutmp
#
# You may want instead:
%{Stripped-User-Name:-%{User-Name}}
username =
%{User-Name}
#
case_sensitive =
yes
#
check_with_nas = yes
# Set the file permissions, as the contents
of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller
ID, so it can be
# world-readable, and radwho can work for normal
users, without
# exposing any information that isn't already exposed by
who(1).
#
# This is another 'instance' of the radutmp module,
but it is given
# then name "sradutmp" to identify it later in the
"accounting"
# section.
radutmp sradutmp {
filename
= ${logdir}/sradutmp
perm = 0644
callerid =
"no"
}
# attr_filter - filters the attributes
received in replies from
# proxied servers, to make sure we send back
to our RADIUS client
# only allowed attributes.
attr_filter
{
attrsfile = ${confdir}/attrs
}
# counter module:
#
DEFAULT Max-Daily-Session :=
36000
#
Fall-Through = 1
#
# 'check-name'
attribute.
#
counter daily {
filename =
${raddbdir}/db.daily
key = User-Name
count-attribute =
Acct-Session-Time
reset = daily
counter-name =
Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size =
5000
}
# The "ALways" module is here for debugging
purposes. Each
# instance simply returns the same result, always,
without
# doing anything.
always fail {
rcode =
fail
}
always reject {
rcode =
reject
}
always ok {
rcode = ok
simulcount
= 0
mpp = no
}
#
# The 'expression' module
currently has no configuration.
#
# Attribute-Name =
`%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the
attribute will be replaced with the output
# of the program which
is executed. Due to RADIUS protocol
# limitations, any
output over 253 bytes will be ignored.
expr {
}
#
# The 'digest' module
currently has no configuration.
#
# "Digest"
authentication against a Cisco SIP server.
# See
'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on
performing digest authentication for Cisco SIP
servers.
#
digest {
}
#
# Execute external
programs
#
exec {
wait = yes
programm =
"/bin/echo %{User-Name}"
input_pairs = request
}
execok {
rcode =
ok
}
#
# This is a more general example of the
execute module.
#
exec echo {
#
#
Wait for the program to finish.
#
# If we do NOT wait,
then the program is "fire and
# forget", and any output
attributes from it are ignored.
#
# If we are looking
for the program to output
# attributes, and want to add those
attributes to the
# request, then we MUST wait for the program
to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program
to execute, and it's
# arguments. Dynamic translation is
done on this
# field, so things like the following example
will
# work.
#
program = "/bin/echo
%{User-Name}"
#
# The attributes which are
placed into the
# environment variables for the
program.
#
input_pairs = request
#
# Where to place the
output attributes (if any) from
#
output_pairs =
reply
#
#
#packet_type =
Access-Accept
}
# Do server side ip pool management.
Should be added in post-auth and
# accounting
sections.
*********
#
ippool main_pool {
# range-start,range-stop: The start
and end ip
# addresses for the ip pool
range-start =
192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for
the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for
the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to
allocate ip's to clients
session-db =
${raddbdir}/db.ippool
# ip-index: Helper db index file used in
multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a
Framed-IP-Address already set
override = no
# maximum-timeout: If not zero specifies the
maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
# ANSI X9.9 token support. Not included
by default.
# $INCLUDE ${confdir}/x99.conf
}
# Instantiation
#
# This section orders
the loading of the modules. Modules
# listed here will get loaded
BEFORE the later sections like
# authorize, authenticate, etc. get
examined.
#
instantiate {
#
# Allows the execution
of external scripts.
# The entire command line (and output) must
fit into 253 bytes.
#
# e.g. Framed-Pool =
`%{exec:/bin/echo foo}`
exec
#
# The expression module
doesn't do authorization,
# authentication, or accounting.
It only does dynamic
# translation, of the
form:
#
# Session-Timeout = `%{expr:2 +
3}`
#
#
expr
#
# We add the counter module here
so that it registers
# the check-name attribute before any module which
sets
# it
# daily
}
# Authorization. First preprocess (hints and
huntgroups files),
# then realms, and finally look in the "users"
file.
authorize {
#
# The preprocess module takes
care of sanitizing some bizarre
# attributes in the request, and
turning them into attributes
# which are more
standard.
#
# It takes care of processing the
'raddb/hints' and the
# 'raddb/huntgroups'
files.
#
# It also adds the %{Client-IP-Address}
attribute to the request.
preprocess
#
# If you want to have a log
of authentication requests,
# un-comment the following line, and
the 'detail auth_log'
# section, above.
auth_log
#
attr_filter
#
# The chap module will set
'Auth-Type := CHAP' if we are
# handling a CHAP request and
Auth-Type has not already been set
#chap
#
# If the users are logging
in with an MS-CHAP-Challenge
#mschap
#
# If you have a Cisco SIP
server authenticating against
# FreeRADIUS, uncomment the
following line, and the 'digest'
# line in the 'authenticate'
section.
# digest
#
# Look for IPASS style
'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based
on
# that.
# IPASS
#
# If you are using multiple
kinds of realms, you probably
# want to set "ignore_null = yes"
for all of them.
# Otherwise, when the first style of realm
doesn't match,
# the other styles won't be
checked.
#
# suffIx
# ntdomain
#
# This module takes care of
EAP-MD5, EAP-TLS, and EAP-LEAP
#
authentication.
#
# It also sets the EAP-Type attribute
in the request
# attribute list to the EAP type from the
packet.
#auskommentiert
#eap
#
# Read the 'users'
file
#auskommentiert
#files
#
# The ldap module will set
Auth-Type to LDAP if it has not
# already been
set
ldap
#
# Enforce daily limits on time spent
logged in.
# daily
#
# Use the checkval
module
##auskommentiert
checkval
}
# Authentication.
#
# The common reasons to set the Auth-Type attribute by
hand
# is to either forcibly reject the user, or forcibly accept
him.
#
authenticate {
Auth-Type LDAP {
#exec
ldap
}
}
#
# Pre-accounting. Decide which
accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a
semi-unique identifier for every
# request, and many NAS boxes
are broken.
acct_unique
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users'
file
files
}
#
# Accounting. Log the accounting
data.
#
accounting {
#
detail
# daily
radutmp
# sradutmp
# Return an address to the IP Pool when
we see a stop record.
# main_pool
# Cisco VoIP specific bulk accounting
#
pgsql-voip
}
# Session database, used for checking
Simultaneous-Use. Either the radutmp
# The rlm_sql module is *much*
faster
session {
radutmp
#
# See "Simultaneous Use
Checking Querie" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW
that the user has been authenticated, there are
# additional steps we
can take.
post-auth {
# Get an address from the IP Pool.
#
main_pool
#
# If you want to have a log
of authentication replies,
# un-comment the following line, and
the 'detail reply_log'
# section, above.
#
reply_log
#
# After authenticating the
user, do another SQL qeury.
#
# See "Authentication
Logging Queries" in sql.conf
# sql
#
# Access-Reject packets are
sent through the REJECT sub-section
# of the post-auth
section.
#
# Post-Auth-Type REJECT {
#
insert-module-name-here
# }
}
#
#
# Only a few modules currently have
this method.
#
pre-proxy {
# attr_rewrite
# pre_proxy_log
}
#
post-proxy {
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you
want to filter replies from
# remote proxies based on the rules
defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP,
you MUST configure the EAP
# module, and you MUST list it here,
in the post-proxy
#
eap
}