LDAP and RFC2868 tagged attributes for Tunnel
I would like to know if anyone has encountered (and solved!) this before. I am trying to use LDAP Tunnel attributes to establish PPP over L2TP tunnels from a provider's LAC to our LNS. This has been working for many years now using freeradius 2.2.6 using the following syntax in /etc/raddb/ldap.attrmap: replyItem Tunnel-Type radiusTunnelType += replyItem Tunnel-Medium-Type radiusTunnelMediumType += replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId += replyItem Tunnel-Server-Endpoint radiusTunnelServerEndpoint += replyItem Tunnel-Password radiusTunnelPassword += replyItem Tunnel-Preference radiusTunnelPreference += and the LDAP attributes as follows: radiustunnelmediumtype: :0:IP radiustunnelmediumtype: :1:IP radiustunnelmediumtype: :2:IP radiustunnelmediumtype: :3:IP radiustunnelpassword: :0:providersecret radiustunnelpassword: :1:providersecret radiustunnelpassword: :2:providersecret radiustunnelpassword: :3:providersecret radiustunnelpreference: :0:1 radiustunnelpreference: :1:1 radiustunnelpreference: :2:1 radiustunnelpreference: :3:1 radiustunnelserverendpoint: :0:AA.BB.20.106 radiustunnelserverendpoint: :1:AA.BB.20.114 radiustunnelserverendpoint: :2:CC.DD.80.26 radiustunnelserverendpoint: :3:CC.DD.80.74 radiustunneltype: :0:L2TP radiustunneltype: :1:L2TP radiustunneltype: :2:L2TP radiustunneltype: :3:L2TP resulting in output like this: rad_recv: Access-Accept packet from host XX.YY.186.11 port 1812, id=240, length=547 Tunnel-Preference:0 = 1 Tunnel-Preference:1 = 1 Tunnel-Preference:2 = 1 Tunnel-Preference:3 = 1 Tunnel-Password:0 = "providersecret" Tunnel-Password:1 = "providersecret" Tunnel-Password:2 = "providersecret" Tunnel-Password:3 = "providersecret" Tunnel-Server-Endpoint:0 = "AA.BB.20.106" Tunnel-Server-Endpoint:1 = "AA.BB.20.114" Tunnel-Server-Endpoint:2 = "CC.DD.80.26" Tunnel-Server-Endpoint:3 = "CC.DD.80.74" Tunnel-Medium-Type:0 = IPv4 Tunnel-Medium-Type:1 = IPv4 Tunnel-Medium-Type:2 = IPv4 Tunnel-Medium-Type:3 = IPv4 Tunnel-Type:0 = L2TP Tunnel-Type:1 = L2TP Tunnel-Type:2 = L2TP Tunnel-Type:3 = L2TP However when upgrading these servers to a modern distro (ubuntu 24.04), and to freeradius 3.2.5, and adding the following lines to the "update" section of the ldap module: reply:Tunnel-Type += 'radiusTunnelType' reply:Tunnel-Medium-Type += 'radiusTunnelMediumType' reply:Tunnel-Server-Endpoint += 'radiusTunnelServerEndpoint' reply:Tunnel-Password += 'radiusTunnelPassword' reply:Tunnel-Preference += 'radiusTunnelPreference' I get the following reply: Tunnel-Server-Endpoint:0 = ":0:AA.BB.20.106" Tunnel-Server-Endpoint:0 = ":1:AA.BB.20.114" Tunnel-Server-Endpoint:0 = ":2:CC.DD.80.26" Tunnel-Server-Endpoint:0 = ":3:CC.DD.80.74" Tunnel-Password:0 = ":0:providersecret" Tunnel-Password:0 = ":1:providersecret" Tunnel-Password:0 = ":2:providersecret" Tunnel-Password:0 = ":3:providersecret" which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons. Debug follows, but obviously what I am trying to do is tell freeradius 3.2.5 that these attributes "has_tag".....it obviously knows they SHOULD have a tag but it's not picking them up. FreeRADIUS Version 3.2.5 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/clients.conf including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/ldap including configuration file /etc/freeradius/3.0/mods-enabled/sqlippool including configuration file /etc/freeradius/3.0/mods-config/sql/ippool/mysql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/always including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/eap including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes require_message_authenticator = "auto" limit_proxy_state = "auto" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } client radius2 { ipaddr = 172.XX.2.12 require_message_authenticator = "true" secret = <<< secret >>> limit { max_connections = 100 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = LDAP # Creating Auth-Type = digest # Creating Autz-Type = New-TLS-Connection radiusd: #### Instantiating modules #### modules { # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_null" server = "dbhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct a LEFT OUTER JOIN nasreload n USING (nasipaddress) WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct a LEFT OUTER JOIN nasreload n USING (nasipaddress) WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = '%{%{integer:Event-Timestamp}:-%l}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = '%{%{integer:Event-Timestamp}:-%l}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix ) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}' )" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctinterval = %{%{integer:Event-Timestamp}:-%l} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )" } } rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked Creating attribute SQL-Group # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_ldap # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap ldap { server = "localhost" identity = "cn=radiusmanager,dc=redacteddomain,dc=com" password = <<< secret >>> sasl { } user_dn = "LDAP-UserDn" user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=redacteddomain,dc=com" } profile { attribute = "radiusProfileDn" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { cipher_list = "DEFAULT" check_crl = no start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_sqlippool # Loading module "sqlippool" from file /etc/freeradius/3.0/mods-enabled/sqlippool sqlippool { sql_module_instance = "sql" lease_duration = 86400 pool_name = "Pool-Name" attribute_name = "Framed-IP-Address" req_attribute_name = "Framed-IP-Address" allocate_begin = "START TRANSACTION" allocate_clear = "" allocate_clear_timeout = 1 allocate_existing = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' ORDER BY expiry_time DESC LIMIT 1 FOR UPDATE " allocate_requested = "" allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() ORDER BY expiry_time LIMIT 1 FOR UPDATE " allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 86400 SECOND WHERE framedipaddress = '%I'" allocate_commit = "COMMIT" pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1" start_update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 86400 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" alive_update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 86400 SECOND WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" stop_clear = "UPDATE radippool SET expiry_time = NOW() WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" on_clear = "UPDATE radippool SET expiry_time = NOW() WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" off_clear = "UPDATE radippool SET expiry_time = NOW() WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" messages { exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" clear = "Released IP %{request:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" } } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 dedup_key = "" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } instantiate { } # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20607 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "sqlippool" from file /etc/freeradius/3.0/mods-enabled/sqlippool # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type Compiling Auth-Type LDAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Compiling Autz-Type New-TLS-Connection for attr Autz-Type # Loading preacct {...} # Loading accounting {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Ready to process requests (0) Received Access-Request Id 218 from 172.XX.2.12:53346 to 172.XX.2.11:1812 length 93 (0) Message-Authenticator = 0x0e0ef84ae5e7e16d5f4da0bedfeb5968 (0) User-Name = "testprog2@redacteddomain.com" (0) User-Password = "seekrit" (0) NAS-IP-Address = 172.XX.2.12 (0) NAS-Port = 0 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/172.XX.2.12/auth-detail-20250224 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.XX.2.12/auth-detail-20250224 (0) auth_log: EXPAND %t (0) auth_log: --> Mon Feb 24 16:59:22 2025 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "redacteddomain.com" for User-Name = "testprog2@redacteddomain.com" (0) suffix: No such realm "redacteddomain.com" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (&(objectclass=radiusprofile)(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (0) ldap: --> (&(objectclass=radiusprofile)(uid=testprog2@redacteddomain.com)) (0) ldap: Performing search in "dc=redacteddomain,dc=com" with filter "(&(objectclass=radiusprofile)(uid=testprog2@redacteddomain.com))", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "cn=testprog2@redacteddomain.com,ou=people,dc=redacteddomain,dc=com" (0) ldap: Performing search in "cn=BalancedPublic,ou=profiles,dc=redacteddomain,dc=com" with filter "(objectclass=radiusprofile)", scope "base" (0) ldap: Waiting for search result... (0) ldap: Processing profile attributes (0) ldap: control:Simultaneous-Use := 1 (0) ldap: reply:Service-Type := Framed-User (0) ldap: reply:Idle-Timeout := 0 (0) ldap: reply:Session-Timeout := 0 (0) ldap: reply:Framed-Protocol := PPP (0) ldap: WARNING: Failed parsing value ":0:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":0:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":1:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":1:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":2:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":2:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":3:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":3:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":4:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":4:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":5:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":5:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":6:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":6:L2TP" for attribute Tunnel-Type (0) ldap: WARNING: Failed parsing value ":7:L2TP" for attribute Tunnel-Type: Unknown or invalid value ":7:L2TP" for attribute Tunnel-Type (0) ldap: No attributes updated for RHS radiusTunnelType (0) ldap: WARNING: Failed parsing value ":0:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":0:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":1:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":1:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":2:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":2:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":3:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":3:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":4:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":4:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":5:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":5:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":6:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":6:IP" for attribute Tunnel-Medium-Type (0) ldap: WARNING: Failed parsing value ":7:IP" for attribute Tunnel-Medium-Type: Unknown or invalid value ":7:IP" for attribute Tunnel-Medium-Type (0) ldap: No attributes updated for RHS radiusTunnelMediumType (0) ldap: reply:Tunnel-Server-Endpoint += ':0:AA.BB.20.106' (0) ldap: reply:Tunnel-Server-Endpoint += ':1:AA.BB.20.114' (0) ldap: reply:Tunnel-Server-Endpoint += ':2:CC.DD.80.26' (0) ldap: reply:Tunnel-Server-Endpoint += ':3:CC.DD.80.74' (0) ldap: reply:Tunnel-Server-Endpoint += ':4:AA.BB.20.107' (0) ldap: reply:Tunnel-Server-Endpoint += ':5:AA.BB.20.115' (0) ldap: reply:Tunnel-Server-Endpoint += ':6:CC.DD.80.27' (0) ldap: reply:Tunnel-Server-Endpoint += ':7:CC.DD.80.75' (0) ldap: reply:Tunnel-Password += ':0:providersecret' (0) ldap: reply:Tunnel-Password += ':1:providersecret' (0) ldap: reply:Tunnel-Password += ':2:providersecret' (0) ldap: reply:Tunnel-Password += ':3:providersecret' (0) ldap: reply:Tunnel-Password += ':4:providersecret' (0) ldap: reply:Tunnel-Password += ':5:providersecret' (0) ldap: reply:Tunnel-Password += ':6:providersecret' (0) ldap: reply:Tunnel-Password += ':7:providersecret' (0) ldap: WARNING: Failed parsing value ":0:1" for attribute Tunnel-Preference: Unknown or invalid value ":0:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":1:1" for attribute Tunnel-Preference: Unknown or invalid value ":1:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":2:1" for attribute Tunnel-Preference: Unknown or invalid value ":2:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":3:1" for attribute Tunnel-Preference: Unknown or invalid value ":3:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":4:1" for attribute Tunnel-Preference: Unknown or invalid value ":4:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":5:1" for attribute Tunnel-Preference: Unknown or invalid value ":5:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":6:1" for attribute Tunnel-Preference: Unknown or invalid value ":6:1" for attribute Tunnel-Preference (0) ldap: WARNING: Failed parsing value ":7:1" for attribute Tunnel-Preference: Unknown or invalid value ":7:1" for attribute Tunnel-Preference (0) ldap: No attributes updated for RHS radiusTunnelPreference (0) ldap: reply::Cisco-AVPair = 'ip:dns-servers=208.67.222.222 208.67.220.220' (0) ldap: Processing user attributes (0) ldap: control:Password-With-Header += 'seekrit' (0) ldap: reply:Framed-IP-Netmask := 255.255.255.255 (0) ldap: reply:Framed-IP-Address := EE.FF.180.1 rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (0) pap: Removing &control:Password-With-Header (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) sqlippool: Framed-IP-Address already exists (0) sqlippool: EXPAND Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) (0) sqlippool: --> Existing IP: EE.FF.180.1 (did cli port 0 user testprog2@redacteddomain.com) (0) [sqlippool] = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (0) sql: EXPAND %{User-Name} (0) sql: --> testprog2@redacteddomain.com (0) sql: SQL-User-Name set to 'testprog2@redacteddomain.com' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' ) (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'testprog2@redacteddomain.com', 'seekrit', 'Access-Accept', '2025-02-24 16:59:22.395281' ) (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'testprog2@redacteddomain.com', 'seekrit', 'Access-Accept', '2025-02-24 16:59:22.395281' ) (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = ok (0) Login OK: [testprog2@redacteddomain.com/seekrit] (from client radius2 port 0) (0) Sent Access-Accept Id 218 from 172.XX.2.11:1812 to 172.XX.2.12:53346 length 438 (0) Service-Type := Framed-User (0) Idle-Timeout := 0 (0) Session-Timeout := 0 (0) Framed-Protocol := PPP (0) Tunnel-Server-Endpoint += ":0:AA.BB.20.106" (0) Tunnel-Server-Endpoint += ":1:AA.BB.20.114" (0) Tunnel-Server-Endpoint += ":2:CC.DD.80.26" (0) Tunnel-Server-Endpoint += ":3:CC.DD.80.74" (0) Tunnel-Server-Endpoint += ":4:AA.BB.20.107" (0) Tunnel-Server-Endpoint += ":5:AA.BB.20.115" (0) Tunnel-Server-Endpoint += ":6:CC.DD.80.27" (0) Tunnel-Server-Endpoint += ":7:CC.DD.80.75" (0) Tunnel-Password += ":0:providersecret" (0) Tunnel-Password += ":1:providersecret" (0) Tunnel-Password += ":2:providersecret" (0) Tunnel-Password += ":3:providersecret" (0) Tunnel-Password += ":4:providersecret" (0) Tunnel-Password += ":5:providersecret" (0) Tunnel-Password += ":6:providersecret" (0) Tunnel-Password += ":7:providersecret" (0) Cisco-AVPair = "ip:dns-servers=208.67.222.222 208.67.220.220" (0) Framed-IP-Netmask := 255.255.255.255 (0) Framed-IP-Address := EE.FF.180.1 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 218 with timestamp +6 due to cleanup_delay was reached Ready to process requests -- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
errata: this is not true - it assigns the values as is without modifiication. On 2025-02-24 9:09 a.m., Ron Grant wrote:
which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons.
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On Feb 24, 2025, at 12:09 PM, Ron Grant <ron@balansoft.com> wrote:
I would like to know if anyone has encountered (and solved!) this before.
I am trying to use LDAP Tunnel attributes to establish PPP over L2TP tunnels from a provider's LAC to our LNS.
This has been working for many years now using freeradius 2.2.6 using the following syntax in /etc/raddb/ldap.attrmap:
Oh boy...
However when upgrading these servers to a modern distro (ubuntu 24.04), and to freeradius 3.2.5, and adding the following lines to the "update" section of the ldap module: ... I get the following reply:
Tunnel-Server-Endpoint:0 = ":0:AA.BB.20.106" Tunnel-Server-Endpoint:0 = ":1:AA.BB.20.114" Tunnel-Server-Endpoint:0 = ":2:CC.DD.80.26"
Yes. Unfortunately we had to change how the tags were being managed in v3. Parsing the tags from the values caused problems. So the tags were moved to be associated with the attribute name. That makes sense, as that's how the tags are printed. It looks like this was a situation which was missed.
which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons.
? I still see the colons in the values you posted.
Debug follows, but obviously what I am trying to do is tell freeradius 3.2.5 that these attributes "has_tag".....it obviously knows they SHOULD have a tag but it's not picking them up.
Sure. I've pushed some changes to the v3.2.x branch which should help. They're "compile tested", so it might not be perfect. But you should now be able to update the LDAP mapping to: reply:Tunnel-Type:V += 'radiusTunnelType' reply:Tunnel-Medium-Type:V += 'radiusTunnelMediumType' reply:Tunnel-Server-Endpoint:V += 'radiusTunnelServerEndpoint' reply:Tunnel-Password:V += 'radiusTunnelPassword' reply:Tunnel-Preference:V += 'radiusTunnelPreference' and the tag will be parsed from the value. This won't work if the data in LDAP is double-quoted strings, e.e.g radiustunnelserverendpoint: ":0:AA.BB.20.106" But it will work for simple strings without quotes: radiustunnelserverendpoint: :0:AA.BB.20.106 Please test it and tell me whether or not it works. Alan DeKok.
I was partially afraid of this - and partially hoping for it - i.e. "I'm not crazy". :-) Yes, the colons were still in there- that was a misspeak on my part in the original post. I corrected in the next reply, but indeed the data remained intact. Should I try the .V syntax first, or do I have to download first? I suspect it'd take a while to get to Ubuntu..... On 2025-02-24 12:50 p.m., Alan DeKok wrote:
On Feb 24, 2025, at 12:09 PM, Ron Grant <ron@balansoft.com> wrote:
I would like to know if anyone has encountered (and solved!) this before.
I am trying to use LDAP Tunnel attributes to establish PPP over L2TP tunnels from a provider's LAC to our LNS.
This has been working for many years now using freeradius 2.2.6 using the following syntax in /etc/raddb/ldap.attrmap: Oh boy...
However when upgrading these servers to a modern distro (ubuntu 24.04), and to freeradius 3.2.5, and adding the following lines to the "update" section of the ldap module: ... I get the following reply:
Tunnel-Server-Endpoint:0 = ":0:AA.BB.20.106" Tunnel-Server-Endpoint:0 = ":1:AA.BB.20.114" Tunnel-Server-Endpoint:0 = ":2:CC.DD.80.26" Yes. Unfortunately we had to change how the tags were being managed in v3. Parsing the tags from the values caused problems. So the tags were moved to be associated with the attribute name. That makes sense, as that's how the tags are printed.
It looks like this was a situation which was missed.
which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons. ? I still see the colons in the values you posted.
Debug follows, but obviously what I am trying to do is tell freeradius 3.2.5 that these attributes "has_tag".....it obviously knows they SHOULD have a tag but it's not picking them up. Sure.
I've pushed some changes to the v3.2.x branch which should help. They're "compile tested", so it might not be perfect. But you should now be able to update the LDAP mapping to:
reply:Tunnel-Type:V += 'radiusTunnelType' reply:Tunnel-Medium-Type:V += 'radiusTunnelMediumType' reply:Tunnel-Server-Endpoint:V += 'radiusTunnelServerEndpoint' reply:Tunnel-Password:V += 'radiusTunnelPassword' reply:Tunnel-Preference:V += 'radiusTunnelPreference'
and the tag will be parsed from the value.
This won't work if the data in LDAP is double-quoted strings, e.e.g
radiustunnelserverendpoint: ":0:AA.BB.20.106"
But it will work for simple strings without quotes:
radiustunnelserverendpoint: :0:AA.BB.20.106
Please test it and tell me whether or not it works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On Feb 24, 2025, at 4:07 PM, Ron Grant <ron@balansoft.com> wrote:
I was partially afraid of this - and partially hoping for it - i.e. "I'm not crazy". :-)
Yes, the colons were still in there- that was a misspeak on my part in the original post. I corrected in the next reply, but indeed the data remained intact.
Should I try the .V syntax first, or do I have to download first? I suspect it'd take a while to get to Ubuntu.....
Since I said I just pushed that change, it won't work in 3.2.7. You will need to download the source, and build a new copy. Alan DeKok.
OK so presumably a "git pull" will pick that up. I'll try that in the next few days, thanks! On 2025-02-24 1:36 p.m., Alan DeKok wrote:
On Feb 24, 2025, at 4:07 PM, Ron Grant <ron@balansoft.com> wrote:
I was partially afraid of this - and partially hoping for it - i.e. "I'm not crazy". :-)
Yes, the colons were still in there- that was a misspeak on my part in the original post. I corrected in the next reply, but indeed the data remained intact.
Should I try the .V syntax first, or do I have to download first? I suspect it'd take a while to get to Ubuntu..... Since I said I just pushed that change, it won't work in 3.2.7. You will need to download the source, and build a new copy.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On 24/02/2025 22:53, Ron Grant wrote:
OK so presumably a "git pull" will pick that up. I'll try that in the next few days, thanks!
Yes. I've kicked off a devel package build, so you can also install from there to try. https://packages.inkbridgenetworks.com/freeradius-devel-3.2/ Instructions at packages.inkbridgenetworks.com, but use 'freeradius-devel-3.2' rather than 'freeradius-3.2' in the sources.list deb line. -- Matthew
Was this devel package supposed to include Alan's changes? Package: freeradius Version: 3.2.7+git42 Priority: optional Section: net Installed as per instructions but still not working. /etc/freeradius/mods-enabled/ldap[144]: Failed parsing attribute reference /etc/freeradius/mods-enabled/ldap[144]: reply:Tunnel-Type:V /etc/freeradius/mods-enabled/ldap[144]: ^ Unexpected text after attr /etc/freeradius/mods-enabled/ldap[8]: Instantiation failed for module "ldap" On 2025-02-24 3:29 p.m., Matthew Newton via Freeradius-Users wrote:
On 24/02/2025 22:53, Ron Grant wrote:
OK so presumably a "git pull" will pick that up. I'll try that in the next few days, thanks!
Yes.
I've kicked off a devel package build, so you can also install from there to try.
https://packages.inkbridgenetworks.com/freeradius-devel-3.2/
Instructions at packages.inkbridgenetworks.com, but use 'freeradius-devel-3.2' rather than 'freeradius-3.2' in the sources.list deb line.
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On Feb 25, 2025, at 3:08 PM, Ron Grant <ron@balansoft.com> wrote:
Was this devel package supposed to include Alan's changes? ... Installed as per instructions but still not working.
/etc/freeradius/mods-enabled/ldap[144]: Failed parsing attribute reference /etc/freeradius/mods-enabled/ldap[144]: reply:Tunnel-Type:V /etc/freeradius/mods-enabled/ldap[144]: ^ Unexpected text after attr /etc/freeradius/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I pushed some more changes earlier today. We'll have to rebuild the packages. Alan DeKok.
On 25/02/2025 20:24, Alan DeKok wrote:
On Feb 25, 2025, at 3:08 PM, Ron Grant <ron@balansoft.com> wrote:
Was this devel package supposed to include Alan's changes?
I pushed some more changes earlier today. We'll have to rebuild the packages.
Done. FWIW, the Docker freeradius/freeradius-dev images auto build on every commit, if that works for testing. -- Matthew
yay! Received Access-Accept Id 178 from 172.XX.2.123:1812 to 172.XX.2.12:40997 length 565 Message-Authenticator = 0x9357a0fa59269abbe5e5ba4bc09c80c2 Service-Type = Framed-User Idle-Timeout = 0 Session-Timeout = 0 Framed-Protocol = PPP Tunnel-Type:0 = L2TP Tunnel-Type:1 = L2TP Tunnel-Type:2 = L2TP Tunnel-Type:3 = L2TP Tunnel-Type:4 = L2TP Tunnel-Type:5 = L2TP Tunnel-Type:6 = L2TP Tunnel-Type:7 = L2TP Tunnel-Medium-Type:0 = IPv4 Tunnel-Medium-Type:1 = IPv4 Tunnel-Medium-Type:2 = IPv4 Tunnel-Medium-Type:3 = IPv4 Tunnel-Medium-Type:4 = IPv4 Tunnel-Medium-Type:5 = IPv4 Tunnel-Medium-Type:6 = IPv4 Tunnel-Medium-Type:7 = IPv4 Tunnel-Server-Endpoint:0 = "AA.BB.20.106" Tunnel-Server-Endpoint:1 = "AA.BB.20.114" Tunnel-Server-Endpoint:2 = "CC.DD.80.26" Tunnel-Server-Endpoint:3 = "CC.DD.80.74" Tunnel-Server-Endpoint:4 = "AA.BB.20.107" Tunnel-Server-Endpoint:5 = "AA.BB.20.115" Tunnel-Server-Endpoint:6 = "CC.DD.80.27" Tunnel-Server-Endpoint:7 = "CC.DD.80.75" Tunnel-Password:0 = "providersecret" Tunnel-Password:1 = "providersecret" Tunnel-Password:2 = "providersecret" Tunnel-Password:3 = "providersecret" Tunnel-Password:4 = "providersecret" Tunnel-Password:5 = "providersecret" Tunnel-Password:6 = "providersecret" Tunnel-Password:7 = "providersecret" Tunnel-Preference:0 = 1 Tunnel-Preference:1 = 1 Tunnel-Preference:2 = 1 Tunnel-Preference:3 = 1 Tunnel-Preference:4 = 1 Tunnel-Preference:5 = 1 Tunnel-Preference:6 = 1 Tunnel-Preference:7 = 1 Cisco-AVPair = "ip:dns-servers=208.67.222.222 208.67.220.220" Framed-IP-Netmask = 255.255.255.255 Framed-IP-Address = EE.FF.180.1 On 2025-02-25 12:24 p.m., Alan DeKok wrote:
On Feb 25, 2025, at 3:08 PM, Ron Grant <ron@balansoft.com> wrote:
Was this devel package supposed to include Alan's changes? ... Installed as per instructions but still not working.
/etc/freeradius/mods-enabled/ldap[144]: Failed parsing attribute reference /etc/freeradius/mods-enabled/ldap[144]: reply:Tunnel-Type:V /etc/freeradius/mods-enabled/ldap[144]: ^ Unexpected text after attr /etc/freeradius/mods-enabled/ldap[8]: Instantiation failed for module "ldap" I pushed some more changes earlier today. We'll have to rebuild the packages.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On Feb 28, 2025, at 1:29 AM, Ron Grant <ron@balansoft.com> wrote:
yay!
Received Access-Accept Id 178 from 172.XX.2.123:1812 to 172.XX.2.12:40997 length 565 Message-Authenticator = 0x9357a0fa59269abbe5e5ba4bc09c80c2 Service-Type = Framed-User Idle-Timeout = 0 Session-Timeout = 0 Framed-Protocol = PPP Tunnel-Type:0 = L2TP Tunnel-Type:1 = L2TP
That's good news! Thanks for your testing.
When would I expect to see these in the Ubuntu 24.04 updates? Latest is 3.2.5+dfsg-3~ubuntu24.04.2 This client would prefer a standard distro, but I could see me convincing him to use the packages.networkradius.com repo but maybe not the -devel one. On 2025-02-28 3:51 a.m., Alan DeKok wrote:
On Feb 28, 2025, at 1:29 AM, Ron Grant <ron@balansoft.com> wrote:
yay!
Received Access-Accept Id 178 from 172.XX.2.123:1812 to 172.XX.2.12:40997 length 565 Message-Authenticator = 0x9357a0fa59269abbe5e5ba4bc09c80c2 Service-Type = Framed-User Idle-Timeout = 0 Session-Timeout = 0 Framed-Protocol = PPP Tunnel-Type:0 = L2TP Tunnel-Type:1 = L2TP That's good news! Thanks for your testing.
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On Feb 28, 2025, at 7:09 PM, Ron Grant <ron@balansoft.com> wrote:
When would I expect to see these in the Ubuntu 24.04 updates? Latest is 3.2.5+dfsg-3~ubuntu24.04.2
Ask Ubuntu. We released 3.2.6 a long time ago, and many distributions still haven't updated.
This client would prefer a standard distro, but I could see me convincing him to use the packages.networkradius.com repo but maybe not the -devel one.
To be perfectly frank, our packages are better and more up to date than the OS distributions. For them, FreeRADIUS is a low priority which they get to if they feel like it. For us, it's what we do. I understand the desire to stick with an "approved" distribution. But people have to realize that an "approval" by someone who knows nothing about RADIUS or FreeRADIUS is not worth much. If you can get an approval from people who actually know what they're doing, that's worth a lot more. Alan DeKok.
You've convinced me! :-) I'll snapshot and add the release repo to their staging servers. Thanks Alan! On 2025-02-28 4:41 p.m., Alan DeKok wrote:
On Feb 28, 2025, at 7:09 PM, Ron Grant <ron@balansoft.com> wrote:
When would I expect to see these in the Ubuntu 24.04 updates? Latest is 3.2.5+dfsg-3~ubuntu24.04.2 Ask Ubuntu. We released 3.2.6 a long time ago, and many distributions still haven't updated.
This client would prefer a standard distro, but I could see me convincing him to use the packages.networkradius.com repo but maybe not the -devel one. To be perfectly frank, our packages are better and more up to date than the OS distributions. For them, FreeRADIUS is a low priority which they get to if they feel like it. For us, it's what we do.
I understand the desire to stick with an "approved" distribution. But people have to realize that an "approval" by someone who knows nothing about RADIUS or FreeRADIUS is not worth much. If you can get an approval from people who actually know what they're doing, that's worth a lot more.
Alan DeKok.
-- Ron Grant Balan Software/Networks Network Architecture & Programming 604-737-2113 ca.linkedin.com/in/obiron
On 01/03/2025 00:47, Ron Grant wrote:
You've convinced me! :-)
I'll snapshot and add the release repo to their staging servers.
Adding to Alan's message, we released 3.2.7 just a couple of weeks ago - there are very few changes since. Taking the current packages from the devel repo will be fine until the next release is cut. You can see what's been updated in the commit log. It'll likely be a few months before 3.2.8, and probably years before it gets into any distros. -- Matthew
participants (3)
-
Alan DeKok -
Matthew Newton -
Ron Grant