Fwd: General question about RadSec implementation on FR 3.2.x
Hi guys Maybe any idea / recommendations on the „threading error“ while starting freeradius with the new TLS configuration? Regards Dominic
Follow up on the radsec configuration: I configured /etc/freeradius/sites-available/tls but get the following error while starting freeradius in debug mode (see debug output below):
/etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
I checked the global freeradius daemon configuration and threading shoudl be enabled: /etc/freeradius/radiusd.conf
thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 5
# Limit on the total number of servers running. # # If this limit is ever reached, clients will be LOCKED OUT, so it # should NOT BE SET TOO LOW. It is intended mainly as a brake to # keep a runaway server from taking the system with it as it spirals # down... # # You may find that the server is regularly reaching the # 'max_servers' number of threads, and that increasing # 'max_servers' doesn't seem to make much difference. # # If this is the case, then the problem is MOST LIKELY that # your back-end databases are taking too long to respond, and # are preventing the server from responding in a timely manner. # # The solution is NOT do keep increasing the 'max_servers' # value, but instead to fix the underlying cause of the # problem: slow database, or 'hostname_lookups=yes'. # # For more information, see 'max_request_time', above. # max_servers = 32
# Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to # the load it sees, that is, it tries to maintain enough # servers to handle the current load, plus a few spare # servers to handle transient load spikes. # # It does this by periodically checking how many servers are # waiting for a request. If there are fewer than # min_spare_servers, it creates a new spare. If there are # more than max_spare_servers, some of the spares die off. # The default values are probably OK for most sites. # min_spare_servers = 3 max_spare_servers = 10
# When the server receives a packet, it places it onto an # internal queue, where the worker threads (configured above) # pick it up for processing. The maximum size of that queue # is given here. # # When the queue is full, any new packets will be silently # discarded. # # The most common cause of the queue being full is that the # server is dependent on a slow database, and it has received # a large "spike" of traffic. When that happens, there is # very little you can do other than make sure the server # receives less traffic, or make sure that the database can # handle the load. # # max_queue_size = 65536
# Clean up old threads periodically. For no reason other than # it might be useful. # # '0' is a special value meaning 'infinity', or 'the servers never # exit' max_requests_per_server = 0
# Automatically limit the number of accounting requests. # This configuration item tracks how many requests per second # the server can handle. It does this by tracking the # packets/s received by the server for processing, and # comparing that to the packets/s handled by the child # threads. #
# If the received PPS is larger than the processed PPS, *and* # the queue is more than half full, then new accounting # requests are probabilistically discarded. This lowers the # number of packets that the server needs to process. Over # time, the server will "catch up" with the traffic. # # Throwing away accounting packets is usually safe and low # impact. The NAS will retransmit them in a few seconds, or # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 # to see how accounting packets should be retransmitted. Using # any other method is likely to cause network meltdowns. # auto_limit_acct = no }
root@id-radiustest1:~# freeradius -X FreeRADIUS Version 3.2.7 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/proxy_rate_limit including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/totp including configuration file /etc/freeradius/mods-enabled/rest including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/detail.log including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/rfc7542 including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/control including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/tls including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/status including configuration file /etc/freeradius/sites-enabled/proxy-inner-tunnel including configuration file /etc/freeradius/sites-enabled/control-socket main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes require_message_authenticator = "auto" limit_proxy_state = "auto" } unlang { group_stop_return = no policy_stop_return = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server ftlr1.eduroam.ch-TLS { nonblock = no ipaddr = 130.59.31.24 port = 2083 type = "auth+acct" proto = "tcp" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } tls { verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key" certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem" ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem" fragment_size = 8192 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } home_server ftlr2.eduroam.ch-TLS { nonblock = no ipaddr = 130.59.31.25 port = 2083 type = "auth+acct" proto = "tcp" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } tls { verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key" certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem" ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem" fragment_size = 8192 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } home_server aai-nps-eduv2.campus.unibe.ch { nonblock = no ipaddr = 130.92.14.27 port = 1812 type = "auth+acct" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm NULL { } realm LOCAL { } realm UNIBE.CH { nostrip } realm STUDENTS.UNIBE.CH { nostrip } realm FACULTY.UNIBE.CH { nostrip } realm EXT.UNIBE.CH { nostrip } realm ~(.*\.UNIBE\.CH$) { virtual_server = reject } home_server_pool SWITCH-EDUROAM-TLS { type = fail-over home_server = ftlr1.eduroam.ch-TLS home_server = ftlr2.eduroam.ch-TLS } realm ~(.*PHBERN\.CH$) { auth_pool = SWITCH-EDUROAM-TLS nostrip } realm ~(.*\.GET\.EDUROAM\.ORG$) { auth_pool = SWITCH-EDUROAM-TLS nostrip } home_server_pool UNIBE-NPS-DEV { type = fail-over home_server = aai-nps-eduv2.campus.unibe.ch } realm REALM-NPS-DEV { pool = UNIBE-NPS-DEV } realm DEFAULT { auth_pool = SWITCH-EDUROAM-TLS nostrip } radiusd: #### Loading Clients #### client ftlr1.eduroam.ch-TLS { ipaddr = 130.59.31.24 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> virtual_server = "default" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Shared secret for client ftlr1.eduroam.ch-TLS is short, and likely can be broken by an attacker. client ftlr2.eduroam.ch-TLS { ipaddr = 130.59.31.25 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> virtual_server = "default" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Shared secret for client ftlr2.eduroam.ch-TLS is short, and likely can be broken by an attacker. client localhost { ipaddr = 127.0.0.1 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client cisco-wlc-9800-mgmt.wifi.unibe.ch { ipaddr = 130.92.42.20 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> virtual_server = "default" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch { ipaddr = 130.92.42.15 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> virtual_server = "default" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client uvisrz0215.insel.ch { ipaddr = 161.62.201.77 netmask = 32 require_message_authenticator = "no" secret = <<< secret >>> virtual_server = "default" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached Configuration version: d53a-826f-8cee-356b systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Autz-Type = Status-Server radiusd: #### Instantiating modules #### modules { # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8 # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_proxy_rate_limit # Loading module "proxy_rate_limit" from file /etc/freeradius/mods-enabled/proxy_rate_limit proxy_rate_limit { max_entries = 2048 idle_timeout = 10 num_subtables = 256 window = 1 } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_linelog # Loading module "802.1x_auth_log" from file /etc/freeradius/mods-enabled/linelog linelog 802.1x_auth_log { filename = "/var/log/freeradius/802.1x_auth.log" escape_filenames = no syslog_severity = "info" permissions = 384 format = "%t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})" } # Loading module "MAC_auth_log" from file /etc/freeradius/mods-enabled/linelog linelog MAC_auth_log { filename = "/var/log/freeradius/mac_auth.log" escape_filenames = no syslog_severity = "info" permissions = 384 format = "%t : MAC Auth: (%I) %{reply:Packet-Type}: [%{%{Calling-Station-Id}:-NULL}] REST-Module-Reply=%{%{reply:REST-HTTP-Body}:-NULL}" } # Loading module "802.1x_acct_log" from file /etc/freeradius/mods-enabled/linelog linelog 802.1x_acct_log { filename = "/var/log/freeradius/802.1x_acct.log" escape_filenames = no syslog_severity = "info" permissions = 384 format = "%t : Acct: (%I) Accounting-%{%{Acct-Status-Type}:-Unknown}: [%{User-Name}] Acct-Session-Id=%{%{Acct-Session-Id}:-Unknown} Acct-Terminate-Cause=%{%{Acct-Terminate-Cause}:-Unknown} Acct-Session-Time=%{%{Acct-Session-Time}:-Unknown} seconds Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{NAS-Identifier}:-Unknown} Framed-IP-Address=%{%{Framed-IP-Address}:-Uknown} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})" } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_totp # Loading module "totp" from file /etc/freeradius/mods-enabled/totp totp { time_step = 30 otp_length = 6 lookback_steps = 1 lookback_interval = 30 lookforward_steps = 0 } # Loaded module rlm_rest # Loading module "rest" from file /etc/freeradius/mods-enabled/rest rest { connect_uri = "https://infoblox.some.domain/"/ <https://infoblox.some.domain/"/> connect_timeout = 4.000000 http_negotiation = "default" } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "PEAP" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 8192 dedup_key = "" } # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "proxy_rate_limit" from file /etc/freeradius/mods-enabled/proxy_rate_limit # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "802.1x_auth_log" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "MAC_auth_log" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "802.1x_acct_log" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap # Instantiating module "totp" from file /etc/freeradius/mods-enabled/totp # Instantiating module "rest" from file /etc/freeradius/mods-enabled/rest authorize { uri = "https://infoblox.some.domain/wapi/v2.11.3/record:host?network=%25 <https://infoblox.some.domain/wapi/v2.11.3/record:host?network=%25>{locMacAuth-IP-Subnet}&mac=%{tolower:%{request:locMacAuth-Calling-Station-Id}}" method = "get" body = "none" attr_num = no raw_value = no force_to = "plain" auth = "basic" username = "xyz" password = "xyz" require_auth = yes timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } rlm_rest: libcurl version: libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18 rlm_rest (rest): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/"> rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/"> rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots used rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/"> rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots used rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/"> rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots used rlm_rest (rest): Connecting to "https://infoblox.some.domain/" <https://infoblox.some.domain/"> # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "proxy-inner-tunnel" soh = no require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/aai.unibe.ch.key" certificate_file = "/etc/freeradius/certs/aai.unibe.ch.pem" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_256_GCM_SHA384" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.3" tls_min_version = "1.2" cache { enable = no lifetime = 12 name = "EAP module" max_entries = 0 persist_dir = "/var/log/freeradius/tlscache" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/coa # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:336 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type Accept for attr Auth-Type Compiling Auth-Type eap for attr Auth-Type # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server default server status { # from file /etc/freeradius/sites-enabled/status # Loading authorize {...} Compiling Autz-Type Status-Server for attr Autz-Type } # server status server proxy-inner-tunnel { # from file /etc/freeradius/sites-enabled/proxy-inner-tunnel # Loading authenticate {...} Compiling Auth-Type mschap for attr Auth-Type # Loading authorize {...} } # server proxy-inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth+acct" virtual_server = "default" ipaddr = * port = 2083 proto = "tcp" tls { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.key" certificate_file = "/etc/freeradius/certs/radsec-id-radius.unibe.ch.pem" ca_file = "/etc/freeradius/certs/edupki-root-ca-cert.pem" fragment_size = 8192 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 3600 allow_expired_crl = no cipher_list = "DEFAULT" cipher_server_preference = no require_client_cert = yes reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.3" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } check_client_connections = no limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } clients = "radsec" } listen { type = "control" listen { socket = "/var/run/freeradius/control/freeradius.sock" uid = "freerad" gid = "freerad" mode = "rw" peercred = no } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 } listen { type = "acct" ipaddr = * port = 1813 } listen { type = "status" ipaddr = 127.0.0.1 port = 18121 client admin { ipaddr = 127.0.0.1 secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Shared secret for client admin is short, and likely can be broken by an attacker. } /etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
Additional debug output:
root@id-radiustest1:~# radiusd -fxx -l stdout FreeRADIUS Version 3.2.5 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/totp including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/operator-name including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/rfc7542 including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/control including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/freeradius" } main { name = "freeradius" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/freeradius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/usr/local/var/run/freeradius/freeradius.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { nonblock = no ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest # Creating Autz-Type = New-TLS-Connection radiusd: #### Instantiating modules #### modules { # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/usr/local/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/usr/local/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/usr/local/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_totp # Loading module "totp" from file /usr/local/etc/raddb/mods-enabled/totp totp { time_step = 30 otp_length = 6 lookback_steps = 1 lookback_interval = 30 lookforward_steps = 0 } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 dedup_key = "" } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "totp" from file /usr/local/etc/raddb/mods-enabled/totp # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" ca_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" <http://127.0.0.1/ocsp/"> use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/coa # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Compiling Autz-Type New-TLS-Connection for attr Autz-Type # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 auto_limit_acct = no } Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread 4 waiting to be assigned a request Thread spawned new child 5. Total threads in pool: 5 Thread 5 waiting to be assigned a request Thread pool initialized radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol /usr/local/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812 _EXIT(1) CALLED src/main/process.c[6325]. Last error was: /usr/local/lib/proto_auth.so: cannot open shared object file: No such file or directory
Am 17.04.25, 13:22 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> <mailto:unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org>> im Auftrag von aland@deployingradius.com <mailto:aland@deployingradius.com> <mailto:aland@deployingradius.com <mailto:aland@deployingradius.com>>>:
On Apr 17, 2025, at 2:24 AM, <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch> <mailto:dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>>> <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch> <mailto:dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>>> wrote:
Hi Alan
Thanks for the fast and informative feedback. When I get your answer correct, I can just can put:
1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work
2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work
So I can "consolidate" all clients and all home servers in one location respectively?
Yes.
The file names don't matter. All of the files are merged into one via $INCLUDE statements. So you can add clients to the bottom of a virtual server file if you want.
What matters is the sections. If you put clients into a "name { ...} " section, then they won't be found. Each section has a pre-defined purpose, and a pre-defined content.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html;>
On Apr 19, 2025, at 10:33 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
Maybe any idea / recommendations on the „threading error“ while starting freeradius with the new TLS configuration? ...
Follow up on the radsec configuration: I configured /etc/freeradius/sites-available/tls but get the following error while starting freeradius in debug mode (see debug output below):
/etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
I checked the global freeradius daemon configuration and threading shoudl be enabled: /etc/freeradius/radiusd.conf
When you use -X, that also sets the "no threads" flag. Use -fxx -l stdout instead, as the debug output suggests. Alan DeKok.
Hi Alan 1. thanks, in fact, I did not know that 2. but I also sent the respective output of "radiusd -fxx -l stdout“ in my email before and got the following error instead (see full output below), as recommended in the „freeradius -X“ output: Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol /usr/local/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812 _EXIT(1) CALLED src/main/process.c[6325]. Last error was: /usr/local/lib/proto_auth.so: cannot open shared object file: No such file or directory 3. At the same time, I just recognized, that when I started the debug output with "radiusd …“, it shows me output of FR 3.2.5: root@id-radiustest1:/etc/freeradius/sites-enabled# radiusd -fxx -l stdout FreeRADIUS Version 3.2.5 … BUT I have FR 3.2.7 in place and started it with „freeradius -fxx -l stdout“ instead and now the correct FR instance is trying to start: root@id-radiustest1:/etc/freeradius/sites-enabled# freeradius -fxx -l stdout FreeRADIUS Version 3.2.7 … But still I get the following error: check_client_connections = no Thread 5 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } Thread 2 waiting to be assigned a request Thread 1 waiting to be assigned a request Failed binding to auth+acct address * port 2083 (TLS) bound to server default: Address already in use /etc/freeradius/sites-enabled/tls[44]: Error binding to port for 0.0.0.0 port 2083 —> After killing the manually started FR 3.2.5 process, I now can start FR 3.2.7 with TLS succesfully: root@id-radiustest1:/etc/freeradius/sites-enabled# freeradius -fxx -l stdout FreeRADIUS Version 3.2.7 ... Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default Listening on command file /var/run/freeradius/control/freeradius.sock Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on status address 127.0.0.1 port 18121 bound to server status Listening on proxy address * port 57758 Ready to process requests Thanks for somehow showing the right direction, even I don’t understand, why FR 3.2.5 is still in place when starting with „freerad -fxx -l stdout“ instead of „freeradius -fxx-l stdout“, any idea how I can cleanup this version situation on our freeradius server? Regards Dominic
Am 19.04.2025 um 17:08 schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 19, 2025, at 10:33 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
Maybe any idea / recommendations on the „threading error“ while starting freeradius with the new TLS configuration? ...
Follow up on the radsec configuration: I configured /etc/freeradius/sites-available/tls but get the following error while starting freeradius in debug mode (see debug output below):
/etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
I checked the global freeradius daemon configuration and threading shoudl be enabled: /etc/freeradius/radiusd.conf
When you use -X, that also sets the "no threads" flag. Use -fxx -l stdout instead, as the debug output suggests.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 19, 2025, at 1:26 PM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
2. but I also sent the respective output of "radiusd -fxx -l stdout“ in my email before and got the following error instead (see full output below), as recommended in the „freeradius -X“ output:
Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol /usr/local/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812
That's very odd. But likely explained by the next issue:
_EXIT(1) CALLED src/main/process.c[6325]. Last error was: /usr/local/lib/proto_auth.so: cannot open shared object file: No such file or directory
3. At the same time, I just recognized, that when I started the debug output with "radiusd …“, it shows me output of FR 3.2.5:
root@id-radiustest1:/etc/freeradius/sites-enabled# radiusd -fxx -l stdout FreeRADIUS Version 3.2.5 …
BUT I have FR 3.2.7 in place and started it with „freeradius -fxx -l stdout“ instead and now the correct FR instance is trying to start:
You have two copies of FreeRADIUS installed on the same machine. Don't do that.
Thanks for somehow showing the right direction, even I don’t understand, why FR 3.2.5 is still in place when starting with „freerad -fxx -l stdout“ instead of „freeradius -fxx-l stdout“,
See the local configuration on your machine. i.e. PATH variable, and whatever else you've configured.
any idea how I can cleanup this version situation on our freeradius server?
Use your local OS tools to remove one of versions of FreeRADIUS. Alan DeKok.
You have two copies of FreeRADIUS installed on the same machine. Don't do that.
I do agree, that is very strange, because this was never intended. The upgrade path lately was like this: FR 3.2.5 —> FR 3.2.6 (git #a69627989) by compiling out of the git repository (make) —> FR 3.2.7 via apt packet manager I also executed "apt autoremove“ after upgrading from FR 3.2.7. When I check the source of the radiusd command, I get: root@id-radiustest1:~# which radiusd /usr/local/sbin/radiusd root@id-radiustest1:~# radiusd -v radiusd: FreeRADIUS Version 3.2.5 (git #67e58e67f), for host x86_64-pc-linux-gnu, built on Jun 21 2024 at 22:22:48 FreeRADIUS Version 3.2.5 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Compared to freeradius: root@id-radiustest1:~# which freeradius /usr/sbin/freeradius dpkg looks like this: root@id-radiustest1:~# dpkg -l | grep radius ii freeradius 3.2.7-1 amd64 high-performance and highly configurable RADIUS server ii freeradius-common 3.2.7-1 all FreeRADIUS common files ii freeradius-config 3.2.7-1 amd64 FreeRADIUS default config files ii freeradius-dbg 3.2.7-1 amd64 debug symbols for the FreeRADIUS packages ii freeradius-dhcp 3.2.7-1 amd64 DHCP module for FreeRADIUS server ii freeradius-freetds 3.2.7-1 amd64 FreeTDS support for FreeRADIUS ii freeradius-krb5 3.2.7-1 amd64 kerberos module for FreeRADIUS server ii freeradius-ldap 3.2.7-1 amd64 LDAP module for FreeRADIUS server ii freeradius-memcached 3.2.7-1 amd64 Memcached module for FreeRADIUS server ii freeradius-mysql 3.2.7-1 amd64 MySQL module for FreeRADIUS server ii freeradius-perl-util 3.2.7-1 amd64 FreeRADIUS Perl utilities ii freeradius-postgresql 3.2.7-1 amd64 PostgreSQL module for FreeRADIUS server ii freeradius-python2 3.2.7-1 amd64 Python2 module for the FreeRADIUS server ii freeradius-python3 3.2.7-1 amd64 Python3 module for the FreeRADIUS server ii freeradius-redis 3.2.7-1 amd64 Redis module for FreeRADIUS server ii freeradius-rest 3.2.7-1 amd64 REST module for FreeRADIUS server ii freeradius-unbound 3.2.7-1 amd64 Unbound module for FreeRADIUS server ii freeradius-unixodbc 3.2.7-1 amd64 unixODBC module for FreeRADIUS server ii freeradius-utils 3.2.7-1 amd64 FreeRADIUS client utilities ii freeradius-yubikey 3.2.7-1 amd64 Yubikey module for FreeRADIUS server ii libfreeradius-dev 3.2.7-1 amd64 FreeRADIUS shared library development files ii libfreeradius3 3.2.7-1 amd64 FreeRADIUS shared library I think this is because I installed it initially by compiling the git sources, correct? I would like to clean this mess up, can I just go ahead and delete the following files under /usr/local/sbin? - checkrad - raddebug - radiusd - radmin - rc.radiusd - raddb root@id-radiustest1:~# ls -la /usr/local/etc/ total 12 drwxr-xr-x 3 root root 4096 Jun 21 2024 . drwxr-xr-x 11 root root 4096 Jun 21 2024 .. drwxr-xr-x 9 freerad freerad 4096 Apr 17 13:51 raddb root@id-radiustest1:~# ls -la /usr/local/sbin/ total 3228 drwxr-xr-x 2 root root 4096 Jun 21 2024 . drwxr-xr-x 11 root root 4096 Jun 21 2024 .. -rwxr-xr-x 1 root root 38414 Jun 21 2024 checkrad -rwxr-xr-x 1 root root 3626 Jun 21 2024 raddebug -rwxr-xr-x 1 root root 2291552 Jun 21 2024 radiusd -rwxr-xr-x 1 root root 944128 Jun 21 2024 radmin -rwxr-xr-x 1 root root 2548 Jun 21 2024 rc.radiusd -rwxr-xr-x 1 root root 4181 Feb 17 2023 unminimize Or what is the best way to have a clean installation again; download the 3.2.5 git repository again and execute „make uninstall“? Regards Dominic
Am 19.04.2025 um 19:44 schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 19, 2025, at 1:26 PM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
2. but I also sent the respective output of "radiusd -fxx -l stdout“ in my email before and got the following error instead (see full output below), as recommended in the „freeradius -X“ output:
Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol /usr/local/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812
That's very odd. But likely explained by the next issue:
_EXIT(1) CALLED src/main/process.c[6325]. Last error was: /usr/local/lib/proto_auth.so: cannot open shared object file: No such file or directory
3. At the same time, I just recognized, that when I started the debug output with "radiusd …“, it shows me output of FR 3.2.5:
root@id-radiustest1:/etc/freeradius/sites-enabled# radiusd -fxx -l stdout FreeRADIUS Version 3.2.5 …
BUT I have FR 3.2.7 in place and started it with „freeradius -fxx -l stdout“ instead and now the correct FR instance is trying to start:
You have two copies of FreeRADIUS installed on the same machine. Don't do that.
Thanks for somehow showing the right direction, even I don’t understand, why FR 3.2.5 is still in place when starting with „freerad -fxx -l stdout“ instead of „freeradius -fxx-l stdout“,
See the local configuration on your machine. i.e. PATH variable, and whatever else you've configured.
any idea how I can cleanup this version situation on our freeradius server?
Use your local OS tools to remove one of versions of FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 20, 2025, at 3:23 PM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
You have two copies of FreeRADIUS installed on the same machine. Don't do that.
I do agree, that is very strange, because this was never intended. The upgrade path lately was like this:
FR 3.2.5 —> FR 3.2.6 (git #a69627989) by compiling out of the git repository (make) —> FR 3.2.7 via apt packet manager
The apt package manager doesn't know that you compiled the server out of the git repository.
I also executed "apt autoremove“ after upgrading from FR 3.2.7.
Which doesn't remove the version compiled out of the git repository.
Or what is the best way to have a clean installation again; download the 3.2.5 git repository again and execute „make uninstall“?
There is no "make uninstall" target. The solution here is "rm" Alan DeKok.
Hi Alan another follow-up question about the configuration of RadSec clients: 1a) in the default FreeRADIUS tls configuration is a statement „clients = radsec“ under the listen{} subsection —> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls) —> if I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / outcomment the statement „clients = radsec“ and it will just allow / accept all configured clients in clients.conf for RadSec; is this assumption correct? 1b) and if so, will only clients be allowed for RadSec in /etc/freeradius/clients.conf, that have the proto statement configured for tls or tcp (please see next question as well)? *** 2a) in the default FreeRADIUS tls configuration there is a statement „proto = tcp“ under the listen{} subsection, see example below: listen { ipaddr = * port = 2083 # # TCP and TLS sockets can accept Access-Request and # Accounting-Request on the same socket. # # auth = only Access-Request # acct = only Accounting-Request # auth+acct = both # coa = only CoA / Disconnect requests # type = auth+acct # For now, only TCP transport is allowed. proto = tcp 2b) in the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto...) is an example with „proto = tls“: clients radsec { ... # Direct connections from the test client client radseccli { ipaddr = 172.23.0.2 proto = tls virtual_server = default —> when I configure the „proto = tls“ in the client subsection in /etc/freeradius/clients.conf, the debug states: /etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener —> when I change this to „proto = tcp“ in the client subsection in /etc/freeradius/clients.conf as well, the FR service is started. *** Thanks for the clarification on this in advance. Regards Dominic
On Apr 28, 2025, at 10:10 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
another follow-up question about the configuration of RadSec clients:
1a) in the default FreeRADIUS tls configuration is a statement „clients = radsec“ under the listen{} subsection —> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls)
—> if I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / outcomment the statement „clients = radsec“ and it will just allow / accept all configured clients in clients.conf for RadSec; is this assumption correct?
Yes. You can also try it and see. Or, go through the comments and documentation which explain how it works: * clients are in clients.conf * BUT if you put "clients = foo" in a virtual server, then the clients for that server are all read from the "foo" section in that virtual server. All of this is extensively documented. I'm not sure why it's necessary to repeat that here.
2a) in the default FreeRADIUS tls configuration there is a statement „proto = tcp“ under the listen{} subsection, see example below: ... 2b) in the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto...) is an example with „proto = tls“:
There's no need to post configurations to the list.
—> when I configure the „proto = tls“ in the client subsection in /etc/freeradius/clients.conf, the debug states:
/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener
—> when I change this to „proto = tcp“ in the client subsection in /etc/freeradius/clients.conf as well, the FR service is started.
Yes. The entire purpose of the "proto = ..." and "tls" sections are to define properties of a client. You can't use a UDP client for TCP. You can't use a TCP client for TLS. Alan DeKok.
Hi Alan
All of this is extensively documented. I'm not sure why it's necessary to repeat that here.
Not all of us „users“ from this mailing list are FreeRADIUS experts or RADIUS standards experts like you are - so please try to bring up some patience with some of us, not knowing each and every bit of the documentation starting freshly with FreeRADIUS. And at the end of the day, each and everyone on the list is here to learn about the great product FreeRADIUS. We just want to get better by asking questions: I get the concept of RTFM, but sometimes some concepts need to be understood first.
The entire purpose of the "proto = ..." and "tls" sections are to define properties of a client. You can't use a UDP client for TCP. You can't use a TCP client for TLS.
That’s were my confusion comes from: 1. in the tls configuration file the comment says "# For now, only TCP transport is allowed“ and and proto is set to tcp, which make sense. I can not configure „proto = tls“ here. I get that. 2. But then in the clients.conf documentation online, the statement shows „proto = tls“, but in this case the server won’t start because of the "/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener“ error 3. And if you tell me "You can't use a TCP client for TLS“, then I would need to configure „proto = tls“ in clients.conf, which does not work? I hope you get what I try to explain concerning the proto configuration and examples online? Regards Dominic
Am 28.04.2025 um 16:20 schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 28, 2025, at 10:10 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
another follow-up question about the configuration of RadSec clients:
1a) in the default FreeRADIUS tls configuration is a statement „clients = radsec“ under the listen{} subsection —> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls)
—> if I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / outcomment the statement „clients = radsec“ and it will just allow / accept all configured clients in clients.conf for RadSec; is this assumption correct?
Yes.
You can also try it and see. Or, go through the comments and documentation which explain how it works:
* clients are in clients.conf * BUT if you put "clients = foo" in a virtual server, then the clients for that server are all read from the "foo" section in that virtual server.
All of this is extensively documented. I'm not sure why it's necessary to repeat that here.
2a) in the default FreeRADIUS tls configuration there is a statement „proto = tcp“ under the listen{} subsection, see example below: ... 2b) in the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto...) is an example with „proto = tls“:
There's no need to post configurations to the list.
—> when I configure the „proto = tls“ in the client subsection in /etc/freeradius/clients.conf, the debug states:
/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener
—> when I change this to „proto = tcp“ in the client subsection in /etc/freeradius/clients.conf as well, the FR service is started.
Yes.
The entire purpose of the "proto = ..." and "tls" sections are to define properties of a client. You can't use a UDP client for TCP. You can't use a TCP client for TLS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 28, 2025, at 10:38 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
All of this is extensively documented. I'm not sure why it's necessary to repeat that here.
Not all of us „users“ from this mailing list are FreeRADIUS experts or RADIUS standards experts like you are - so please try to bring up some patience with some of us, not knowing each and every bit of the documentation starting freshly with FreeRADIUS.
There have been repeated questions about the documentation. "Does it really do what it says?" and "Does it really work the way it says?" And "I configured this, and it works. Is that right?" Yes, yes, it does. Yes, the documentation is correct. Yes, if you test something and it works, then it works and you can use it. It is somewhat frustrating to get repeated questions about things which are already documented, and which are explained in great detail in the documentation.
That’s were my confusion comes from:
1. in the tls configuration file the comment says "# For now, only TCP transport is allowed“ and and proto is set to tcp, which make sense. I can not configure „proto = tls“ here. I get that.
OK.
2. But then in the clients.conf documentation online, the statement shows „proto = tls“, but in this case the server won’t start because of the "/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener“ error
See raddb/sites-available/tls. The examples show how a TLS client and server are configured. The example is tested, and works. You're modifying these examples, and then running into issues. The solution is to follow the examples.
3. And if you tell me "You can't use a TCP client for TLS“, then I would need to configure „proto = tls“ in clients.conf, which does not work?
Maybe there are issues with TLS clients in the main clients.conf file. It should work, but perhaps not. If it doesn't, then just.... follow the examples. The RADIUS/TLS configuration is tested in CI, and by many other people. It works.
I hope you get what I try to explain concerning the proto configuration and examples online?
I get that your'e trying to do things which are not in the default configuration, and are running into issues. So follow the examples. I also get that you're having difficult following basic documentation and error messages. For example, using "radiusd -X" with TLS, gets you the following message, which you posted to the list:
/etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging
Should your next action be: (a) follow the instructions and get it working (b) post the message to the list, and ask "What should I do"? Many of the questions in this thread have been at a similar level. This is not an "expert" versus "beginner" issue. This comes across as you don't want to follow any documentation or error message until you get a personal email from me, reassuring you that it's OK to follow the documentation. This behavior is unproductive. Unless you're reporting bugs, I don't see a need for me to continue to explain simple error messages. Alan DeKok.
participants (2)
-
Alan DeKok -
Dominic Stalder