Exec and dropped attributes between v2.0 and 3.0
Hi All, I am upgrading a V2.0 instance to 3.0... They use EXEC to run a perl script which passes in the username and Framed-IP-Address to update there bind DNS server of the clients IP. I know Framed-IP-Address Attribute has been dropped. Has anyone got any ideas how can I achieve the same thing?
On Dec 4, 2019, at 9:56 AM, Luke Cameron <lukessi@gmail.com> wrote:
I am upgrading a V2.0 instance to 3.0... They use EXEC to run a perl script which passes in the username and Framed-IP-Address to update there bind DNS server of the clients IP.
I know Framed-IP-Address Attribute has been dropped.
No it hasn't. It still exists.
Has anyone got any ideas how can I achieve the same thing?
It should work the same way as in v2. As always, run the server in debug mode to see what's going on. Alan DeKok.
Hi Alan, If I run the follow snippet of code it doesn't work. But works as expected on 2.0. All I get is a blank entry Exec-Program-Wait = "/etc/raddb/var.sh %{User-Name} %{Framed-IP-Address}" /etc/raddb/var.sh echo "$1" >> /tmp/tempvar.txt echo "$2" >> /tmp/tempvar.txt shows the username no Framed IP just blank. If I do printenv NAS_PORT=1812 MESSAGE_AUTHENTICATOR=0x8122daeddfe1723def91026630cff460 USER_NAME="testuser" USER_PASSWORD="xxxxxxr" HUNTGROUP_NAME="xxx41" PWD=/etc/raddb/mods-enabled EVENT_TIMESTAMP="Dec 4 2019 15:37:42 GMT" NAS_IP_ADDRESS=xxx.xxx.xxx.xxx SHLVL=1 _=/usr/bin/printenv But my reply to my test client has Framed-IP-Address. Have I missed something? I have tried adding %{reply:Framed-IP-Address} as well still gives a blank output. On Wed, 4 Dec 2019, 15:35 Alan DeKok, <aland@deployingradius.com> wrote:
On Dec 4, 2019, at 9:56 AM, Luke Cameron <lukessi@gmail.com> wrote:
I am upgrading a V2.0 instance to 3.0... They use EXEC to run a perl
script
which passes in the username and Framed-IP-Address to update there bind DNS server of the clients IP.
I know Framed-IP-Address Attribute has been dropped.
No it hasn't. It still exists.
Has anyone got any ideas how can I achieve the same thing?
It should work the same way as in v2.
As always, run the server in debug mode to see what's going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 4, 2019, at 11:01 AM, Luke Cameron <lukessi@gmail.com> wrote:
If I run the follow snippet of code it doesn't work.
<sigh> You already said "it doesn't work". Repeating that is not helpful.
But works as expected on 2.0.
You already said that, too. If only there was some kind of debug output which let you know what was going on. There is absolutely no reason to post questions to the list and then ignore the answers. We give advice for a reason. If you're not going to follow our advice, there's no point in asking questions. Alan DeKok.
Alan, I was explaining in full of what I tired, I have ran the server in debug mode and it says exec: Program executed successfully. It also shows the Framed-IP going back to the user... What it doesn't tell me why the variable is blank. Looking at your document and hence the original question is no longer there... https://wiki.freeradius.org/config/run_time_variables#one-character-variable... I have coded around it now using the detail log function... but if I can avoid that method, it would be most helpful. On Wed, 4 Dec 2019 at 16:16, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 4, 2019, at 11:01 AM, Luke Cameron <lukessi@gmail.com> wrote:
If I run the follow snippet of code it doesn't work.
<sigh> You already said "it doesn't work". Repeating that is not helpful.
But works as expected on 2.0.
You already said that, too.
If only there was some kind of debug output which let you know what was going on.
There is absolutely no reason to post questions to the list and then ignore the answers. We give advice for a reason. If you're not going to follow our advice, there's no point in asking questions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2019-12-04 at 16:20 +0000, Luke Cameron wrote:
I was explaining in full of what I tired, I have ran the server in debug mode and it says exec: Program executed successfully.
http://wiki.freeradius.org/list-help -- Matthew
Thanks Mathew as explained, I have got it in debug mode and it doesn't tell me anything. https://wiki.freeradius.org/config/run_time_variables#one-character-variable... This doc says its not longer there, yet Alan believes it is... I just want to know if I can get the variable as I need to run a exec script that uses it. On Wed, 4 Dec 2019 at 16:23, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2019-12-04 at 16:20 +0000, Luke Cameron wrote:
I was explaining in full of what I tired, I have ran the server in debug mode and it says exec: Program executed successfully.
http://wiki.freeradius.org/list-help
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2019-12-04 at 16:25 +0000, Luke Cameron wrote:
Thanks Mathew as explained, I have got it in debug mode and it doesn't tell me anything.
Sure. It will probably tell *us* something if we could see it. Every single day we waste time asking people to run FreeRADIUS in debug mode (-X) and posting the output to the list, because that really matters. I'm sure you understand the duplication here gets very annoying very fast. So we wrote it up on a wiki page. Which was a waste of time really, because nobody reads the wiki page and does what it says. Which is to *post the output here*. It even tells you what commands to run and how to capture the output. Then we usually end up getting complaints that we're being unhelpful. <sigh> We know that you can't see stuff in the debug output. Maybe let people who've read it thousands of times to have a look, too, to find the bits you missed or didn't understand? -- Matthew
On Dec 4, 2019, at 11:20 AM, Luke Cameron <lukessi@gmail.com> wrote:
I was explaining in full of what I tired, I have ran the server in debug mode and it says exec: Program executed successfully.
Perhaps you didn't read my message or understand it. You need to post the FULL DEBUG OUTPUT HERE. That lets *us* see what's going on. Every time you say "no, I'm NOT going to follow instructions", you make it harder for us to help you. You choices are: a) post the full debug log and get help b) keep ignoring our help, and we will ignore all further messages from you. Alan DeKok.
Hi Alan, Sorry I did misunderstand here is a copy of the debug log... FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/gprsh01-ippool including configuration file /etc/raddb/mods-enabled/gprsh02-ippool including configuration file /etc/raddb/mods-enabled/loglac including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 10.57.40.10 { require_message_authenticator = no secret = <<< secret >>> shortname = "lampor41" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.57.40.10. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.40.10 { require_message_authenticator = no secret = <<< secret >>> shortname = "pegpor41" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.40.10. Please fix your configuration Support for old-style clients will be removed in a future release client 10.31.40.51 { require_message_authenticator = no secret = <<< secret >>> shortname = "nagiosxi" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.31.40.51. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.64.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.64.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.96.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.96.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.128.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.128.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.130.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.130.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.132.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.132.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.134.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.134.1. Please fix your configuration Support for old-style clients will be removed in a future release Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "reply" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /дйцьавжзийклопфњщыьaяДЙЦЬЯАВЖЗИЙКЛОПФЊЩЫЬџ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_ippool # Loading module "gprsh01-ippool" from file /etc/raddb/mods-enabled/gprsh01-ippool ippool gprsh01-ippool { filename = "/var/lib/radiusd/db.gprsh01-ippool" ip_index = "/var/lib/radiusd/db.gprsh01-ipindex" key = "%{Calling-Station-Id}" range_start = xxx.xxx.95.0 range_stop = xxx.xxx.95.254 netmask = 255.255.192.0 cache_size = 255 override = no maximum_timeout = 0 } # Loading module "gprsh02-ippool" from file /etc/raddb/mods-enabled/gprsh02-ippool ippool gprsh02-ippool { filename = "/var/lib/radiusd/db.gprsh02-ippool" ip_index = "/var/lib/radiusd/db.gprsh02-ipindex" key = "%{Calling-Station-Id}" range_start = xxx.xxx.127.0 range_stop = xxx.xxx.127.254 netmask = 255.255.192.0 cache_size = 255 override = no maximum_timeout = 0 } # Loading module "reply_log_xxx" from file /etc/raddb/mods-enabled/loglac detail reply_log_xxx { filename = "/var/log/radius/radacct/%{User-Name}/reply-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/users.cn_gprs_rtu reading pairlist file /etc/raddb/mods-config/files/users.local.test reading pairlist file /etc/raddb/mods-config/files/users.rezap_grps_rtu reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "gprsh01-ippool" from file /etc/raddb/mods-enabled/gprsh01-ippool # Instantiating module "gprsh02-ippool" from file /etc/raddb/mods-enabled/gprsh02-ippool # Instantiating module "reply_log_xxx" from file /etc/raddb/mods-enabled/loglac } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 33060 Listening on proxy address :: port 37210 Ready to process requests (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to xxx.xxx.40.10:1812 length 78 (0) User-Name = "testuser" (0) User-Password = "testuser" (0) NAS-IP-Address = xxx.xxx.40.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testuser at line 1 (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-Address} (0) files: --> /etc/raddb/var.sh testuser (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, testuser (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) gprsh01-ippool: Could not find Pool-Name attribute (0) [gprsh01-ippool] = noop (0) gprsh02-ippool: Could not find Pool-Name attribute (0) [gprsh02-ippool] = noop (0) reply_log_xxx: EXPAND /var/log/radius/radacct/%{User-Name}/reply-detail (0) reply_log_xxx: --> /var/log/radius/radacct/testuser/reply-detail (0) reply_log_xxx: /var/log/radius/radacct/%{User-Name}/reply-detail expands to /var/log/radius/radacct/testuser/reply-detail (0) reply_log_xxx: EXPAND %t (0) reply_log_xxx: --> Wed Dec 4 16:31:00 2019 (0) [reply_log_xxx] = ok (0) exec: Executing: /etc/raddb/var.sh testuser : (0) exec: Program returned code (0) and output '' (0) exec: Program executed successfully (0) [exec] = ok (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to xxx.xxx.40.10:49430 length 0 (0) Framed-IP-Address = 10.199.0.1 (0) Reply-Message = "Hello, testuser" (0) Finished request Waking up in 4.9 seconds.FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/gprsh01-ippool including configuration file /etc/raddb/mods-enabled/gprsh02-ippool including configuration file /etc/raddb/mods-enabled/loglac including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 10.57.40.10 { require_message_authenticator = no secret = <<< secret >>> shortname = "lampor41" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.57.40.10. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.40.10 { require_message_authenticator = no secret = <<< secret >>> shortname = "pegpor41" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.40.10. Please fix your configuration Support for old-style clients will be removed in a future release client 10.31.40.51 { require_message_authenticator = no secret = <<< secret >>> shortname = "nagiosxi" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.31.40.51. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.64.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.64.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.96.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.96.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.128.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.128.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.130.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.130.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.132.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.132.1. Please fix your configuration Support for old-style clients will be removed in a future release client xxx.xxx.134.1 { require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client xxx.xxx.134.1. Please fix your configuration Support for old-style clients will be removed in a future release Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "reply" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /дйцьавжзийклопфњщыьaяДЙЦЬЯАВЖЗИЙКЛОПФЊЩЫЬџ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_ippool # Loading module "gprsh01-ippool" from file /etc/raddb/mods-enabled/gprsh01-ippool ippool gprsh01-ippool { filename = "/var/lib/radiusd/db.gprsh01-ippool" ip_index = "/var/lib/radiusd/db.gprsh01-ipindex" key = "%{Calling-Station-Id}" range_start = xxx.xxx.95.0 range_stop = xxx.xxx.95.254 netmask = 255.255.192.0 cache_size = 255 override = no maximum_timeout = 0 } # Loading module "gprsh02-ippool" from file /etc/raddb/mods-enabled/gprsh02-ippool ippool gprsh02-ippool { filename = "/var/lib/radiusd/db.gprsh02-ippool" ip_index = "/var/lib/radiusd/db.gprsh02-ipindex" key = "%{Calling-Station-Id}" range_start = xxx.xxx.127.0 range_stop = xxx.xxx.127.254 netmask = 255.255.192.0 cache_size = 255 override = no maximum_timeout = 0 } # Loading module "reply_log_xxx" from file /etc/raddb/mods-enabled/loglac detail reply_log_xxx { filename = "/var/log/radius/radacct/%{User-Name}/reply-detail" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/users.cn_gprs_rtu reading pairlist file /etc/raddb/mods-config/files/users.local.test reading pairlist file /etc/raddb/mods-config/files/users.rezap_grps_rtu reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "gprsh01-ippool" from file /etc/raddb/mods-enabled/gprsh01-ippool # Instantiating module "gprsh02-ippool" from file /etc/raddb/mods-enabled/gprsh02-ippool # Instantiating module "reply_log_xxx" from file /etc/raddb/mods-enabled/loglac } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 33060 Listening on proxy address :: port 37210 Ready to process requests (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to xxx.xxx.40.10:1812 length 78 (0) User-Name = "testuser" (0) User-Password = "testuser" (0) NAS-IP-Address = xxx.xxx.40.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testuser at line 1 (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-Address} (0) files: --> /etc/raddb/var.sh testuser (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, testuser (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) gprsh01-ippool: Could not find Pool-Name attribute (0) [gprsh01-ippool] = noop (0) gprsh02-ippool: Could not find Pool-Name attribute (0) [gprsh02-ippool] = noop (0) reply_log_xxx: EXPAND /var/log/radius/radacct/%{User-Name}/reply-detail (0) reply_log_xxx: --> /var/log/radius/radacct/testuser/reply-detail (0) reply_log_xxx: /var/log/radius/radacct/%{User-Name}/reply-detail expands to /var/log/radius/radacct/testuser/reply-detail (0) reply_log_xxx: EXPAND %t (0) reply_log_xxx: --> Wed Dec 4 16:31:00 2019 (0) [reply_log_xxx] = ok (0) exec: Executing: /etc/raddb/var.sh testuser : (0) exec: Program returned code (0) and output '' (0) exec: Program executed successfully (0) [exec] = ok (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to xxx.xxx.40.10:49430 length 0 (0) Framed-IP-Address = 10.199.0.1 (0) Reply-Message = "Hello, testuser" (0) Finished request Waking up in 4.9 seconds. On Wed, 4 Dec 2019 at 16:26, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 4, 2019, at 11:20 AM, Luke Cameron <lukessi@gmail.com> wrote:
I was explaining in full of what I tired, I have ran the server in debug mode and it says exec: Program executed successfully.
Perhaps you didn't read my message or understand it.
You need to post the FULL DEBUG OUTPUT HERE. That lets *us* see what's going on.
Every time you say "no, I'm NOT going to follow instructions", you make it harder for us to help you.
You choices are:
a) post the full debug log and get help
b) keep ignoring our help, and we will ignore all further messages from you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 4, 2019, at 11:35 AM, Luke Cameron <lukessi@gmail.com> wrote:
Sorry I did misunderstand here is a copy of the debug log...
The web page Matthew pointed you to is VERY clear. VERY VERY VERY clear. As was my original message. The web page ALSO points to a page which gives explicit instructions on how to read the debug output. It is very frustrating to write documentation and then have people ignore it. Especially when they ignore it after being told explicitly to follow it.
FreeRADIUS Version 3.0.13
You should really upgrade. And PLEASE don't post double-spaced text. It's annoying. And PLEASE, there's no need to post the SAME debug output TWICE. Again, every time you make it hard for us to help you, we're inclined to give up and go away.
Ready to process requests
(0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to xxx.xxx.40.10:1812 length 78 (0) User-Name = "testuser" (0) User-Password = "testuser" (0) NAS-IP-Address = xxx.xxx.40.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize {
There's no Framed-IP-Address in the input packet. Where do you expect the server to get a Framed-IP-Address from, if it's not in the packet? And why do you think that one-letter variable expansions have anything to do with Framed-IP-Address? If the server receives a packet with a Framed-IP-Address attribute, then you can look at the value of that attribute. If there's no Framed-IP-Address attribute in the packet, then the server can't look at the value. Because it doesn't exist. Alan DeKok.
On Wed, 2019-12-04 at 16:35 +0000, Luke Cameron wrote:
Ready to process requests (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to xxx.xxx.40.10:1812 length 78 (0) User-Name = "testuser" (0) User-Password = "testuser" (0) NAS-IP-Address = xxx.xxx.40.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2 (0) # Executing section authorize from file /etc/raddb/sites- enabled/default
As Alan pointed out, there's no Framed-IP-Address in the request, so there's nothing to log there. But there _is_ one in the reply, which means you've added it somewhere in FreeRADIUS. What are you trying to log? One sent by the NAS? In which case fix the NAS to send it. Or one generated by FreeRADIUS, in which case you stand a chance, as long as you log it *after* it's been added.
(0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testuser at line 1 (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP- Address} (0) files: --> /etc/raddb/var.sh testuser (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, testuser (0) [files] = ok
This looks like a likely suspect. Have you added a reply attribute in the users file? There's nothing going to get logged if you call your script here, as there's no attribute already existing, as you've found out.
(0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) gprsh01-ippool: Could not find Pool-Name attribute (0) [gprsh01-ippool] = noop (0) gprsh02-ippool: Could not find Pool-Name attribute (0) [gprsh02-ippool] = noop
Returning noop, so doesn't look like these added the Framed-IP-Address attribute. So my suspicion is the users file. You can add "debug_reply" into the config in places to discover at which point it gets added, if you need to. There's no point logging it before it's added, as it won't exist.
(0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to xxx.xxx.40.10:49430 length 0 (0) Framed-IP-Address = 10.199.0.1 (0) Reply-Message = "Hello, testuser" (0) Finished request
-- Matthew
Thanks Alan and Mathew for your help so far. I do apologies if I frustrated you that wasn't what I wanted to do. Please see my replies below in Bold, the gmail web app isn't great. On Wed, 4 Dec 2019 at 16:59, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2019-12-04 at 16:35 +0000, Luke Cameron wrote:
Ready to process requests (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to xxx.xxx.40.10:1812 length 78 (0) User-Name = "testuser" (0) User-Password = "testuser" (0) NAS-IP-Address = xxx.xxx.40.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2 (0) # Executing section authorize from file /etc/raddb/sites- enabled/default
As Alan pointed out, there's no Framed-IP-Address in the request, so there's nothing to log there.
But there _is_ one in the reply, which means you've added it somewhere in FreeRADIUS.
What are you trying to log? One sent by the NAS? In which case fix the NAS to send it. Or one generated by FreeRADIUS, in which case you stand a chance, as long as you log it *after* it's been added.
* FreeRADIUS is generating it. *
(0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testuser at line 1 (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP- Address} (0) files: --> /etc/raddb/var.sh testuser (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, testuser (0) [files] = ok
This looks like a likely suspect. Have you added a reply attribute in the users file?
*Correct *
There's nothing going to get logged if you call your script here, as there's no attribute already existing, as you've found out.
(0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) gprsh01-ippool: Could not find Pool-Name attribute (0) [gprsh01-ippool] = noop (0) gprsh02-ippool: Could not find Pool-Name attribute (0) [gprsh02-ippool] = noop
Returning noop, so doesn't look like these added the Framed-IP-Address attribute. So my suspicion is the users file.
*Yes it gets added from the users file. Logging is working and shows the Framed-IP-Address but not my script. Which is weird as I believe the log module is before the exec module. *
You can add "debug_reply" into the config in places to discover at which point it gets added, if you need to.
*Cool Thanks I will add that tomorrow and see where it gets added. *
There's no point logging it before it's added, as it won't exist.
(0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to xxx.xxx.40.10:49430 length 0 (0) Framed-IP-Address = 10.199.0.1 (0) Reply-Message = "Hello, testuser" (0) Finished request
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 4, 2019, at 1:40 PM, Luke Cameron <lukessi@gmail.com> wrote:
*Yes it gets added from the users file. Logging is working and shows the Framed-IP-Address but not my script. Which is weird as I believe the log module is before the exec module. *
The debug log shows what's going on. Please *read* it. The "exec" is done *while* the files module is being run. i.e. BEFORE the log module. So the Framed-IP-Address is available after the "files" module has run. You *cannot* add an attribute via the "users" file, and immediately check for it's existence in the same "users" file entry. You will need to change the configuration. Alan DeKok.
Thanks Alan and Michael, All sorted now. I made a copy of the echo module to deal with it if a client connects with certain hostnames to run that module. Thanks again and for replying so quickly. Regards Luke On Wed, 4 Dec 2019, 18:49 Alan DeKok, <aland@deployingradius.com> wrote:
On Dec 4, 2019, at 1:40 PM, Luke Cameron <lukessi@gmail.com> wrote:
*Yes it gets added from the users file. Logging is working and shows the Framed-IP-Address but not my script. Which is weird as I believe the log module is before the exec module. *
The debug log shows what's going on. Please *read* it.
The "exec" is done *while* the files module is being run. i.e. BEFORE the log module. So the Framed-IP-Address is available after the "files" module has run.
You *cannot* add an attribute via the "users" file, and immediately check for it's existence in the same "users" file entry. You will need to change the configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Luke Cameron -
Matthew Newton