Unifi wifi SSHA passwords freeradius
Hi! I have Unifi wifi — freeradius — ldap In LDAP i have SSHA password for users. This config on github help me to setup normal auth with SSHA passwords (instead plaintext) https://github.com/hacor/unifi-freeradius-ldap i use ttls + pap All ok, but i have some troubles with timeout (or something else) After a few hours wifi on clients (ios,android,pc) stops working. And users must manually reconnect to the wifi network When we use plaintext password and auth PEAP — all it’s ok. Clients do not stops working Logs Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds Info: Need 6 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used Info: Need 5 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used Info: Need 4 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used Info: Need 3 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds An here is my config freeradius EAP eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = XXX private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours } verify { } ocsp { enable = no override_cert_url = yes url = " http://127.0.0.1/ocsp/ " } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } DEFAULT server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return #updated = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest #Auth-Type LDAP { ldap #} eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } if (LDAP-Group == "vpn") { vpn_l2tp_pool } elsif (LDAP-Group == "vpn-ext") { vpn_l2tp_ext_pool } elsif (LDAP-Group == "vpn-1c") { ok } else { reject } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } INNER TUNNEL server inner-tunnel { listen { ipaddr = * port = 18120 type = auth } authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap # Auth-Type LDAP { ldap # } eap } session { radutmp } post-auth { -sql if (LDAP-Group == "wifi") { noop } else { reject } if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } LDAP ldap { server = 'localhost' identity = 'cn=admin,dc=fusioncore,dc=local' password = fusioncore base_dn = 'ou=people,dc=fusioncore,dc=local' sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "ou=groups,dc=fusioncore,dc=local" filter = '(objectClass=GroupOfNames)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } ldap_connections_number = 5 pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } ---------------------------------------------------------------------- ---------------------------------------------------------------------- ---------------------------------------------------------------------- ----------------------------------------------------------------------
hi, your ldap connection pool is borked. you have horrible values. start with the default (in fact, if you have no problem with long lived connections then disable the auto pool stuff and just have eg 8 connections. alan On Wed, 12 Feb 2020 at 10:59, Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi!
I have Unifi wifi — freeradius — ldap
In LDAP i have SSHA password for users.
This config on github help me to setup normal auth with SSHA passwords (instead plaintext) https://github.com/hacor/unifi-freeradius-ldap
i use ttls + pap
All ok, but i have some troubles with timeout (or something else)
After a few hours wifi on clients (ios,android,pc) stops working. And users must manually reconnect to the wifi network
When we use plaintext password and auth PEAP — all it’s ok. Clients do not stops working
Logs
Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds Info: Need 6 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used Info: Need 5 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used Info: Need 4 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used Info: Need 3 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
An here is my config freeradius
EAP
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = XXX private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours } verify { } ocsp { enable = no override_cert_url = yes url = " http://127.0.0.1/ocsp/ " } }
tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
DEFAULT
server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return #updated = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest #Auth-Type LDAP { ldap #} eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: }
if (LDAP-Group == "vpn") { vpn_l2tp_pool } elsif (LDAP-Group == "vpn-ext") { vpn_l2tp_ext_pool } elsif (LDAP-Group == "vpn-1c") { ok } else { reject } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } }
INNER TUNNEL
server inner-tunnel { listen { ipaddr = * port = 18120 type = auth } authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap # Auth-Type LDAP { ldap # } eap } session { radutmp } post-auth { -sql if (LDAP-Group == "wifi") { noop } else { reject } if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } }
LDAP
ldap { server = 'localhost' identity = 'cn=admin,dc=fusioncore,dc=local' password = fusioncore base_dn = 'ou=people,dc=fusioncore,dc=local' sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "ou=groups,dc=fusioncore,dc=local" filter = '(objectClass=GroupOfNames)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } ldap_connections_number = 5 pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } }
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, sorry but i don’t understand where i shoud write correct values. in the «sites-enabled\default»? Or in ldap? Sorry
Среда, 12 февраля 2020, 14:00 +03:00 от Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org>:
Hi! I have Unifi wifi — freeradius — ldap In LDAP i have SSHA password for users. This config on github help me to setup normal auth with SSHA passwords (instead plaintext) https://github.com/hacor/unifi-freeradius-ldap i use ttls + pap All ok, but i have some troubles with timeout (or something else) After a few hours wifi on clients (ios,android,pc) stops working. And users must manually reconnect to the wifi network When we use plaintext password and auth PEAP — all it’s ok. Clients do not stops working Logs Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds Info: Need 6 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used Info: Need 5 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used Info: Need 4 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used Info: Need 3 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds An here is my config freeradius EAP eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = XXX private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours } verify { } ocsp { enable = no override_cert_url = yes url = " http://127.0.0.1/ocsp/ " } }
tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } DEFAULT server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return #updated = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest #Auth-Type LDAP { ldap #} eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } if (LDAP-Group == "vpn") { vpn_l2tp_pool } elsif (LDAP-Group == "vpn-ext") { vpn_l2tp_ext_pool } elsif (LDAP-Group == "vpn-1c") { ok } else { reject } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } INNER TUNNEL server inner-tunnel { listen { ipaddr = * port = 18120 type = auth } authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap # Auth-Type LDAP { ldap # } eap } session { radutmp } post-auth { -sql if (LDAP-Group == "wifi") { noop } else { reject } if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } LDAP ldap { server = 'localhost' identity = 'cn=admin,dc=fusioncore,dc=local' password = fusioncore base_dn = 'ou=people,dc=fusioncore,dc=local' sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "ou=groups,dc=fusioncore,dc=local" filter = '(objectClass=GroupOfNames)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } ldap_connections_number = 5 pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } ---------------------------------------------------------------------- ---------------------------------------------------------------------- ---------------------------------------------------------------------- ---------------------------------------------------------------------- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 12, 2020, at 7:00 AM, Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi, sorry but i don’t understand where i shoud write correct values. in the «sites-enabled\default»? Or in ldap?
The default configuration for the "ldap" module works. Don't change it unless you understand what you're changing, and why. On top of that, if you have issues with the server, RUN IT IN DEBUG MODE. *Every* piece of documentation says to do this. Alan DeKok.
Hi! I start freeradius -X and here is logs users «amohova», «dgalitskov» for example (108138) Received Accounting-Request Id 181 from 10.10.3.232:32811 to 10.10.2.40:1813 length 191 (108138) Acct-Status-Type = Start (108138) Acct-Authentic = RADIUS (108138) User-Name = "amohova" (108138) NAS-IP-Address = 10.10.3.232 (108138) Framed-IP-Address = 10.10.60.202 (108138) NAS-Identifier = "b4fbe4867b30" (108138) Called-Station-Id = "B4-FB-E4-86-7B-30:FC" (108138) NAS-Port-Type = Wireless-802.11 (108138) Service-Type = Framed-User (108138) Calling-Station-Id = "F8-4E-73-1B-3F-BD" (108138) Connect-Info = "CONNECT 0Mbps 802.11g" (108138) Acct-Session-Id = "1C9CE0FE0511C51C" (108138) WLAN-Pairwise-Cipher = 1027076 (108138) WLAN-Group-Cipher = 1027076 (108138) WLAN-AKM-Suite = 1027073 (108138) Event-Timestamp = "Feb 12 2020 17:40:08 MSK" (108138) Acct-Delay-Time = 0 (108138) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (108138) preacct { (108138) [preprocess] = ok (108138) policy acct_unique { (108138) update request { (108138) &Tmp-String-9 := "ai:" (108138) } # update request = noop (108138) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (108138) EXPAND %{hex:&Class} (108138) --> (108138) EXPAND ^%{hex:&Tmp-String-9} (108138) --> ^61693a (108138) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (108138) else { (108138) update request { (108138) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (108138) --> da23bf2eae0a20950b70b61b493c3156 (108138) &Acct-Unique-Session-Id := da23bf2eae0a20950b70b61b493c3156 (108138) } # update request = noop (108138) } # else = noop (108138) } # policy acct_unique = noop (108138) suffix: Checking for suffix after "@" (108138) suffix: No '@' in User-Name = "amohova", looking up realm NULL (108138) suffix: No such realm "NULL" (108138) [suffix] = noop (108138) [files] = noop (108138) } # preacct = ok (108138) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (108138) accounting { (108138) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (108138) detail: --> /var/log/freeradius/radacct/10.10.3.232/detail-20200212 (108138) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.232/detail-20200212 (108138) detail: EXPAND %t (108138) detail: --> Wed Feb 12 17:40:08 2020 (108138) [detail] = ok (108138) [unix] = ok (108138) [exec] = noop (108138) attr_filter.accounting_response: EXPAND %{User-Name} (108138) attr_filter.accounting_response: --> amohova (108138) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (108138) [attr_filter.accounting_response] = updated (108138) } # accounting = updated (108138) Sent Accounting-Response Id 181 from 10.10.2.40:1813 to 10.10.3.232:32811 length 0 (108138) Finished request (108138) Cleaning up request packet ID 181 with timestamp +200672 Waking up in 3.0 seconds. (108139) Received Accounting-Request Id 174 from 10.10.3.233:40969 to 10.10.2.40:1813 length 242 (108139) Acct-Status-Type = Stop (108139) Acct-Authentic = RADIUS (108139) User-Name = "dgalitskov" (108139) NAS-IP-Address = 10.10.3.233 (108139) Framed-IP-Address = 10.10.60.54 (108139) NAS-Identifier = "7483c271f552" (108139) Called-Station-Id = "74-83-C2-71-F5-52:FC" (108139) NAS-Port-Type = Wireless-802.11 (108139) Service-Type = Framed-User (108139) Calling-Station-Id = "E4-B2-FB-44-EF-D6" (108139) Connect-Info = "CONNECT 0Mbps 802.11a" (108139) Acct-Session-Id = "B0CE1AA98E2E130C" (108139) WLAN-Pairwise-Cipher = 1027076 (108139) WLAN-Group-Cipher = 1027076 (108139) WLAN-AKM-Suite = 1027073 (108139) Event-Timestamp = "Feb 12 2020 17:40:09 MSK" (108139) Acct-Delay-Time = 0 (108139) Acct-Session-Time = 207 (108139) Acct-Input-Packets = 22 (108139) Acct-Output-Packets = 22 (108139) Acct-Input-Octets = 2136 (108139) Acct-Input-Gigawords = 0 (108139) Acct-Output-Octets = 6010 (108139) Acct-Output-Gigawords = 0 (108139) Acct-Terminate-Cause = User-Request (108139) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (108139) preacct { (108139) [preprocess] = ok (108139) policy acct_unique { (108139) update request { (108139) &Tmp-String-9 := "ai:" (108139) } # update request = noop (108139) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (108139) EXPAND %{hex:&Class} (108139) --> (108139) EXPAND ^%{hex:&Tmp-String-9} (108139) --> ^61693a (108139) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (108139) else { (108139) update request { (108139) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (108139) --> 116a41339a3b573987c5fd7f78ea55cf (108139) &Acct-Unique-Session-Id := 116a41339a3b573987c5fd7f78ea55cf (108139) } # update request = noop (108139) } # else = noop (108139) } # policy acct_unique = noop (108139) suffix: Checking for suffix after "@" (108139) suffix: No '@' in User-Name = "dgalitskov", looking up realm NULL (108139) suffix: No such realm "NULL" (108139) [suffix] = noop (108139) [files] = noop (108139) } # preacct = ok (108139) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (108139) accounting { (108139) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (108139) detail: --> /var/log/freeradius/radacct/10.10.3.233/detail-20200212 (108139) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.233/detail-20200212 (108139) detail: EXPAND %t (108139) detail: --> Wed Feb 12 17:40:09 2020 (108139) [detail] = ok (108139) [unix] = ok (108139) [exec] = noop (108139) attr_filter.accounting_response: EXPAND %{User-Name} (108139) attr_filter.accounting_response: --> dgalitskov (108139) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (108139) [attr_filter.accounting_response] = updated (108139) } # accounting = updated (108139) Sent Accounting-Response Id 174 from 10.10.2.40:1813 to 10.10.3.233:40969 length 0 (108139) Finished request (108139) Cleaning up request packet ID 174 with timestamp +200673 Waking up in 2.4 seconds. (108140) Received Accounting-Request Id 182 from 10.10.3.232:32811 to 10.10.2.40:1813 length 233 (108140) Acct-Status-Type = Stop (108140) Acct-Authentic = RADIUS (108140) User-Name = "amohova" (108140) NAS-IP-Address = 10.10.3.232 (108140) Framed-IP-Address = 10.10.60.202 (108140) NAS-Identifier = "b4fbe4867b30" (108140) Called-Station-Id = "B4-FB-E4-86-7B-30:FC" (108140) NAS-Port-Type = Wireless-802.11 (108140) Service-Type = Framed-User (108140) Calling-Station-Id = "F8-4E-73-1B-3F-BD" (108140) Connect-Info = "CONNECT 0Mbps 802.11g" (108140) Acct-Session-Id = "1C9CE0FE0511C51C" (108140) WLAN-Pairwise-Cipher = 1027076 (108140) WLAN-Group-Cipher = 1027076 (108140) WLAN-AKM-Suite = 1027073 (108140) Event-Timestamp = "Feb 12 2020 17:40:11 MSK" (108140) Acct-Delay-Time = 0 (108140) Acct-Session-Time = 2 (108140) Acct-Input-Packets = 239 (108140) Acct-Output-Packets = 213 (108140) Acct-Input-Octets = 61174 (108140) Acct-Input-Gigawords = 0 (108140) Acct-Output-Octets = 54537 (108140) Acct-Output-Gigawords = 0 (108140) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (108140) preacct { (108140) [preprocess] = ok (108140) policy acct_unique { (108140) update request { (108140) &Tmp-String-9 := "ai:" (108140) } # update request = noop (108140) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (108140) EXPAND %{hex:&Class} (108140) --> (108140) EXPAND ^%{hex:&Tmp-String-9} (108140) --> ^61693a (108140) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (108140) else { (108140) update request { (108140) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (108140) --> da23bf2eae0a20950b70b61b493c3156 (108140) &Acct-Unique-Session-Id := da23bf2eae0a20950b70b61b493c3156 (108140) } # update request = noop (108140) } # else = noop (108140) } # policy acct_unique = noop (108140) suffix: Checking for suffix after "@" (108140) suffix: No '@' in User-Name = "amohova", looking up realm NULL (108140) suffix: No such realm "NULL" (108140) [suffix] = noop (108140) [files] = noop (108140) } # preacct = ok (108140) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (108140) accounting { (108140) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (108140) detail: --> /var/log/freeradius/radacct/10.10.3.232/detail-20200212 (108140) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.232/detail-20200212 (108140) detail: EXPAND %t (108140) detail: --> Wed Feb 12 17:40:11 2020 (108140) [detail] = ok (108140) [unix] = ok (108140) [exec] = noop (108140) attr_filter.accounting_response: EXPAND %{User-Name} (108140) attr_filter.accounting_response: --> amohova (108140) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (108140) [attr_filter.accounting_response] = updated (108140) } # accounting = updated (108140) Sent Accounting-Response Id 182 from 10.10.2.40:1813 to 10.10.3.232:32811 length 0 (108140) Finished request (108140) Cleaning up request packet ID 182 with timestamp +200675
Среда, 12 февраля 2020, 16:40 +03:00 от Alan DeKok <aland@deployingradius.com>:
On Feb 12, 2020, at 7:00 AM, Сергей Черевко via Freeradius-Users < freeradius-users@lists.freeradius.org > wrote:
Hi, sorry but i don’t understand where i shoud write correct values. in the «sites-enabled\default»? Or in ldap?
The default configuration for the "ldap" module works. Don't change it unless you understand what you're changing, and why.
On top of that, if you have issues with the server, RUN IT IN DEBUG MODE. *Every* piece of documentation says to do this.
Alan DeKok.
On Feb 12, 2020, at 9:43 AM, Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi! I start freeradius -X
and here is logs
users «amohova», «dgalitskov» for example
If the user gets on the network, then FreeRADIUS is no longer responsible for them. The NAS is in charge. So when the server sees an accounting "start" followed immediately by an accounting "stop", it's because their connection is lost. This has a few reasons: a) the user disconnects from the NAS b) the NAS disconnects the user Note that in *both* situations, FreeRADIUS is not involved. Go fix the NAS. Alan DeKok.
log from freeradius whet it starts first entry "signalled to terminate" mean "service restart freeradius" it's okay May be i must ‘tune’ any settings in the ldap pool? What do you say for this? Wed Feb 12 20:46:34 2020 : Info: SiFreeRadius users mailing listgnalled to terminate Wed Feb 12 20:46:34 2020 : Info: Exiting normally Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (9) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (8) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (7) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (6) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (5) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (4) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (3) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (2) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (1) Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (0) Wed Feb 12 20:46:34 2020 : Info: Debugger not attached Wed Feb 12 20:46:34 2020 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445 Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used Wed Feb 12 20:46:34 2020 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". Wed Feb 12 20:46:34 2020 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server <default> Wed Feb 12 20:46:34 2020 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst) Wed Feb 12 20:46:34 2020 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:69 Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server inner-tunnel Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server default Wed Feb 12 20:46:34 2020 : Info: Ready to process requests Wed Feb 12 20:46:58 2020 : Info: Need 5 more connections to reach 10 spares Wed Feb 12 20:46:58 2020 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used Wed Feb 12 20:47:14 2020 : Info: Need 4 more connections to reach 10 spares Wed Feb 12 20:47:14 2020 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used Wed Feb 12 20:47:16 2020 : Info: Need 3 more connections to reach 10 spares Wed Feb 12 20:47:16 2020 : Info: rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 71 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 71 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 71 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 69 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 69 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 69 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 69 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 69 seconds Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used Wed Feb 12 20:48:25 2020 : Info: Need 2 more connections to reach min connections (3) Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used
Среда, 12 февраля 2020, 17:59 +03:00 от Alan DeKok <aland@deployingradius.com>:
On Feb 12, 2020, at 9:43 AM, Сергей Черевко via Freeradius-Users < freeradius-users@lists.freeradius.org > wrote:
Hi! I start freeradius -X
and here is logs
users «amohova», «dgalitskov» for example
If the user gets on the network, then FreeRADIUS is no longer responsible for them. The NAS is in charge.
So when the server sees an accounting "start" followed immediately by an accounting "stop", it's because their connection is lost. This has a few reasons:
a) the user disconnects from the NAS
b) the NAS disconnects the user
Note that in *both* situations, FreeRADIUS is not involved.
Go fix the NAS.
Alan DeKok.
On Feb 13, 2020, at 2:38 AM, Сергей Черевко <ink.dude@mail.ru> wrote:
log from freeradius whet it starts
Why?
first entry "signalled to terminate" mean "service restart freeradius" it's okay
So?
May be i must ‘tune’ any settings in the ldap pool? What do you say for this?
Read the documentation in mods-available/ldap. This is all explained in detail. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Сергей Черевко