trying to override the pam_auth attribute
I'm trying to override the pam_auth attribute which is set in: mods-enabled/pam In that file I read the following note: # Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one. I've tried adding it to the authorize section of a virtual-server but get the following error when starting freeradius -X server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} /etc/freeradius/3.0/sites-enabled/default[329]: Entry is not a reference to a module /etc/freeradius/3.0/sites-enabled/default[283]: Errors parsing authorize section. The only other authorize I could think of which might be the authorize section referenced is: mods-config/files/authorize But not sure how to add it, as it's not a check item for a user, and I don't want to set it as a default? End goal is based on clients, change the pam_auth to load different /etc/pam.d/ files that specify different yubikey_mappings files. Thank you, JOnathan
https://wiki.freeradius.org/guide/Users-Mailing-List
On 24 Aug 2021, at 19:07, Jonathan Davis <jonathan@prioritycolo.com> wrote:
I'm trying to override the pam_auth attribute which is set in: mods-enabled/pam
In that file I read the following note:
# Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one.
I've tried adding it to the authorize section of a virtual-server but get the following error when starting freeradius -X
server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} /etc/freeradius/3.0/sites-enabled/default[329]: Entry is not a reference to a module /etc/freeradius/3.0/sites-enabled/default[283]: Errors parsing authorize section.
The only other authorize I could think of which might be the authorize section referenced is: mods-config/files/authorize
But not sure how to add it, as it's not a check item for a user, and I don't want to set it as a default?
End goal is based on clients, change the pam_auth to load different /etc/pam.d/ files that specify different yubikey_mappings files.
Thank you, JOnathan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Jorge, I can't Include a packet being processed as I can't get the server started (I receive the error previously stated) - so the server haven't received any packets and people might ask me to post the debug again :) Either or, here it is full output as requested. Thank you in advance, Jonathan root@dradior2:/home/freer# freeradius -X FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/clients.conf including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/pam including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/expr including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/control including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/raritans including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "root" group = "root" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.10 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client raritan-b11-tor1 { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 32 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = PAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" logfile = "/var/log/freeradius/sqllog.sql" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets= '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_pam # Loading module "pam" from file /etc/freeradius/3.0/mods-enabled/pam pam { pam_auth = "radiusd" } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } instantiate { } # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql_mysql: libmysql version: 8.0.26 mysql { tls { tls_required = no check_cert = no check_cert_cn = no } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.31-MariaDB-0ubuntu0.20.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.31-MariaDB-0ubuntu0.20.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.31-MariaDB-0ubuntu0.20.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.31-MariaDB-0ubuntu0.20.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.31-MariaDB-0ubuntu0.20.04.1, protocol version 10 # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} /etc/freeradius/3.0/sites-enabled/default[329]: Entry is not a reference to a module /etc/freeradius/3.0/sites-enabled/default[283]: Errors parsing authorize section. root@dradior2:/home/free# On 2021-08-24 6:34 p.m., Jorge Pereira wrote:
https://wiki.freeradius.org/guide/Users-Mailing-List
On 24 Aug 2021, at 19:07, Jonathan Davis <jonathan@prioritycolo.com> wrote:
I'm trying to override the pam_auth attribute which is set in: mods-enabled/pam
In that file I read the following note:
# Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one.
I've tried adding it to the authorize section of a virtual-server but get the following error when starting freeradius -X
server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} /etc/freeradius/3.0/sites-enabled/default[329]: Entry is not a reference to a module /etc/freeradius/3.0/sites-enabled/default[283]: Errors parsing authorize section.
The only other authorize I could think of which might be the authorize section referenced is: mods-config/files/authorize
But not sure how to add it, as it's not a check item for a user, and I don't want to set it as a default?
End goal is based on clients, change the pam_auth to load different /etc/pam.d/ files that specify different yubikey_mappings files.
Thank you, JOnathan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 24, 2021, at 6:07 PM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
I'm trying to override the pam_auth attribute which is set in: mods-enabled/pam
In that file I read the following note:
# Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one.
I've tried adding it to the authorize section
How? What did you do?
of a virtual-server but get the following error when starting freeradius -X
server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} /etc/freeradius/3.0/sites-enabled/default[329]: Entry is not a reference to a module /etc/freeradius/3.0/sites-enabled/default[283]: Errors parsing authorize section.
So... what's on line 329 of the file /etc/freeradius/3.0/sites-enabled/default?
The only other authorize I could think of which might be the authorize section referenced is: mods-config/files/authorize
No.
But not sure how to add it, as it's not a check item for a user, and I don't want to set it as a default?
So.. what did you do? How can we help you if you give us as little information as possible? See "man unlang" and all of the virtual servers for how to add attributes. You can't just invent stuff and drop it into the configuration files. It looks like that's what you've done. Instead, you have to read the documentation. You have to use the documented syntax to do things. And please, if you make changes to the config and it errors out, PLEASE tell us what changes you made. That's the only way we can help you. When you keep things secret, it makes it much more difficult for us to help you. Alan DeKok.
On 2021-08-24 7:21 p.m., Alan DeKok wrote:
How? What did you do?
Looking at mods-enabled/pam I added in following the same synatx: pam_auth = radiusd2 I also tried: pam { pam_auth = radiusd2 } But that gave me the error that "pam" modules aren't allowed in 'authorize' sections -- they have no such method.
So... what's on line 329 of the file /etc/freeradius/3.0/sites-enabled/default?
pam_auth = radiusd2
No.
Good to know
So.. what did you do?
If it's "no" to adding it to /mods-config/files/authorize no point wasting characters on adding my various attempts here.
How can we help you if you give us as little information as possible?
See "man unlang" and all of the virtual servers for how to add attributes. You can't just invent stuff and drop it into the configuration files. It looks like that's what you've done.
Instead, you have to read the documentation. You have to use the documented syntax to do things.
When I look in man unlang I'm reading a lot on comparisons and logic statements, and don't fully understand the attributes assignment section, as in the example: Attribute-Reference = value That is what I thought I was doing? In the authentication section, where I match the Auth-Type I want, I've tried the following with no luck: update request { pam_auth = radiusd2 } Error: Unknown attribute 'pam_auth' update request { pam-auth = radiusd2 } No error but I see it's using /etc/pam.d/radiusd instead of /etc/pam.d/radiusd2 "-> (0) pam: Using pamauth string "radiusd" for pam.conf lookup" Which lead me to trying to update the pamauth string (even if in pam.conf it's set with pam_auth) update request { pamauth = radiusd2 } Error: Unknown attribute 'pamauth' Tried the above with just update { } to similar errors. Also tried: pam { pam_auth = radiusd2 } pam { pamauth = radiusd2 } Error: Unknown action 'radiusd2' Failed to parse "pam" subsection. I have read some documentation :) As this is the comment: # Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one. So I mean, full circle, what am I missing from trying to set a Pam-Auth attribute in authorize? I'm very willing to eat humble pie if I've missed how to do this in the docs ( Even throwing the update {} into authorize {} gives me the same Unknown attribute error for pam_auth and pamauth, and pam-auth is ignored. (0) pam: Using pamauth string "radiusd" for pam.conf lookup
And please, if you make changes to the config and it errors out, PLEASE tell us what changes you made. That's the only way we can help you.
When you keep things secret, it makes it much more difficult for us to help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 24, 2021, at 9:09 PM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
On 2021-08-24 7:21 p.m., Alan DeKok wrote:
How? What did you do?
Looking at mods-enabled/pam I added in following the same synatx: pam_auth = radiusd2
That doesn't tell me a lot.
I also tried:
pam {
pam_auth = radiusd2
}
But that gave me the error that "pam" modules aren't allowed in 'authorize' sections -- they have no such method.
So... you added random text to the configuration files. No, that won't work.
So... what's on line 329 of the file /etc/freeradius/3.0/sites-enabled/default?
pam_auth = radiusd2
Nothing in the documentation says to do that.
When I look in man unlang I'm reading a lot on comparisons and logic statements, and don't fully understand the attributes assignment section, as in the example:
Attribute-Reference = value
That is what I thought I was doing? In the authentication section, where I match the Auth-Type I want, I've tried the following with no luck:
update request { pam_auth = radiusd2 }
That's a bit better.
Error: Unknown attribute 'pam_auth'
Because the docs say "Pam-Auth". Not "pam_auth".
update request { pam-auth = radiusd2 }
No error but I see it's using /etc/pam.d/radiusd instead of /etc/pam.d/radiusd2 "-> (0) pam: Using pamauth string "radiusd" for pam.conf lookup"
Which lead me to trying to update the pamauth string (even if in pam.conf it's set with pam_auth)
update request { pamauth = radiusd2 } Error: Unknown attribute 'pamauth'
So trying random things. This is very much not going to work.
Tried the above with just update { } to similar errors. Also tried:
pam { pam_auth = radiusd2 }
pam { pamauth = radiusd2 }
Error: Unknown action 'radiusd2' Failed to parse "pam" subsection.
I have read some documentation :) As this is the comment:
# Note that any Pam-Auth attribute set in the 'authorize'
Note "Pam-Auth. Not "pam_auth" or "pamauth" or anything else. Please follow the docs. Things are likely to work a lot better.
# section will over-ride this one.
So I mean, full circle, what am I missing from trying to set a Pam-Auth attribute in authorize? I'm very willing to eat humble pie if I've missed how to do this in the docs (
So you can use "Pam-Auth" here. Why not try it in the configuration files? Alan DeKok.
On 2021-08-24 9:27 p.m., Alan DeKok wrote:
Looking at mods-enabled/pam I added in following the same synatx: pam_auth = radiusd2
That doesn't tell me a lot.
That was the only text I had added when I started, not a lot to tell at that point.
Error: Unknown attribute 'pam_auth' Because the docs say "Pam-Auth". Not "pam_auth".
Note "Pam-Auth. Not "pam_auth" or "pamauth" or anything else.
Please follow the docs. Things are likely to work a lot better.
I got tripped up and originally approached it from the thought that if an attribute (which I was thinking as a variable) was set as "pam_auth" (lowercause and an underscore), that I would be required to updated it by using "pam_auth = <new value>". Having it switch to camel case with a dash wasn't clicking. But I'm eating my humble pie, and having revisited the docs on unlang, the intro about the intention not to create yet another programming language, and re-reading the docs on update with a fresh morning brain free of distractions, I caught that it was the control keyword as the list was missing, and that no list specified was defaulting to request, and am able to override values set in the pam.conf to allow different yubico yubikey_mapping files by specifying different pam configuration files. Thank you for the assistance.
On Aug 27, 2021, at 10:41 AM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
On 2021-08-24 9:27 p.m., Alan DeKok wrote:
Looking at mods-enabled/pam I added in following the same synatx: pam_auth = radiusd2
That doesn't tell me a lot.
That was the only text I had added when I started, not a lot to tell at that point.
The point is that there are many configuration files, each of which can be hundreds of lines of text. "I added stuff" tells me nothing. Where did you add it? Which file? Where in the file?
I got tripped up and originally approached it from the thought that if an attribute (which I was thinking as a variable) was set as "pam_auth" (lowercause and an underscore), that I would be required to updated it by using "pam_auth = <new value>". Having it switch to camel case with a dash wasn't clicking.
Or use the same name? I don't know of any programming language where you can change case of variable names, *and* change dashes to underscores, and it will just "do the right thing".
But I'm eating my humble pie, and having revisited the docs on unlang, the intro about the intention not to create yet another programming language, and re-reading the docs on update with a fresh morning brain free of distractions, I caught that it was the control keyword as the list was missing, and that no list specified was defaulting to request, and am able to override values set in the pam.conf to allow different yubico yubikey_mapping files by specifying different pam configuration files.
Yup. Technical details matter. Alan DeKok.
On 2021-08-27 10:47 a.m., Alan DeKok wrote:
That was the only text I had added when I started, not a lot to tell at that point. The point is that there are many configuration files, each of which can be hundreds of lines of text. "I added stuff" tells me nothing. Where did you add it? Which file? Where in the file?
Sorry, multiple thread replies in, and I guess it wasn't clear. At the start, I had only added the line "pam_auth = newradiusd" to authorize {} of sites-enabled/default
I got tripped up and originally approached it from the thought that if an attribute (which I was thinking as a variable) was set as "pam_auth" (lowercause and an underscore), that I would be required to updated it by using "pam_auth = <new value>". Having it switch to camel case with a dash wasn't clicking. Or use the same name? I don't know of any programming language where you can change case of variable names, *and* change dashes to underscores, and it will just "do the right thing".
That's right, I was looking at it from different perspective (being ignorant of Attribute-Names and update <lists>. I saw the following in mods-enabled/pam pam { pam_auth = radiusd } And the note about how it could be overridden in authorize, so I lifted "pam_auth = radiusd". To me, it was unexpected that a value set to "pam_auth" would need to be updated with "Pam-Auth", and again ignorant of Attribute-Names and that the Note was very specifically pointing to Pam-Auth. It's obvious now and I feel foolish heh. What's the reason behind it being updated in the authorize section? My novice understanding is that authorize is where FreeRadius checks modules to see which one is up to trying to authenticate the request? I've also got some other questions related to breaking down users vs clients vs virtual_servers, with all this in place, but that's possibly best started in a new thread with all the details included. Thank you again for your assistance. J
But I'm eating my humble pie, and having revisited the docs on unlang, the intro about the intention not to create yet another programming language, and re-reading the docs on update with a fresh morning brain free of distractions, I caught that it was the control keyword as the list was missing, and that no list specified was defaulting to request, and am able to override values set in the pam.conf to allow different yubico yubikey_mapping files by specifying different pam configuration files. Yup. Technical details matter.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 27, 2021, at 2:36 PM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
That's right, I was looking at it from different perspective (being ignorant of Attribute-Names and update <lists>. I saw the following in mods-enabled/pam
pam { pam_auth = radiusd }
Yeah, the module configurations are substantially different from the attributes.
What's the reason behind it being updated in the authorize section? My novice understanding is that authorize is where FreeRadius checks modules to see which one is up to trying to authenticate the request?
The "authorize" phase is really "set things up for authentication". So get passwords, set databases to use for authentication, etc. i.e. you have to know which PAM auth string to use for authentication. So... the PAM auth string has to be set *before* the "authenticate" section is run.
I've also got some other questions related to breaking down users vs clients vs virtual_servers, with all this in place, but that's possibly best started in a new thread with all the details included.
Sure. See also raddb/sites-available/README, there's a ton of documentation on this subject.
Thank you again for your assistance.
You're welcome. It's what I do. :) Alan DeKok.
On 2021-08-24 7:21 p.m., Alan DeKok wrote:
The only other authorize I could think of which might be the authorize section referenced is: mods-config/files/authorize No.
This is documentation I found kicking around on the web which lead me to the above assumption: # # Note that any Pam-Auth attribute set in the 'users' # file over-rides this one. # Knowing users has been moved to authorize, I thought that it made sense the note updated. The example provided: DEFAULT Auth-Type = Pam, Pam-Auth = "radius2", NAS-IP-Address = 127.0.0.1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP (taken from http://manual.freeshell.org/freeradius/modules/rlm_pam )
participants (3)
-
Alan DeKok -
Jonathan Davis -
Jorge Pereira