LDAP CONFIGURATION IN FreeRadius
Hi Folks, On the FreeRadius servers we have inherited, I am trying to locate where LDAP is configured. Our Servers communicate with an External Authentication server (companies phone directory for user id/pswd verification) so I know someplace in there the LDAP server is specified and should indicate which port (389 or 636) it is using. FreeRadius doc indicates this is defined in radiusd.conf In checking radiusd.conf I do not see anything specifying LDAP. Was thinking would see something similar to this in radiusd.conf: server = "ldap" port = 636 #port = 389 SO my question is, is there someplace else where the LDAP server may be configured? Or radius.conf is the place.?? I have poked around in etc/raddb but unable to locate these settings. Appreciate any information anyone may be able to provide. Thanks in Advance
On Wed, May 04, 2016 at 04:34:04PM +0000, WINANT, KEVIN wrote:
Hi Folks, On the FreeRadius servers we have inherited, I am trying to locate where LDAP is configured.
What version?
SO my question is, is there someplace else where the LDAP server may be configured? Or radius.conf is the place.?? I have poked around in etc/raddb but unable to locate these settings.
Probably /etc/raddb/modules/ldap for v2 /etc/raddb/mods-{enabled,available}/ldap for v3 or just "grep -lr ldap /etc/raddb/*" will get you in the right direction, as will running FreeRADIUS in debug mode (radiusd -X) and reading the output at the start. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there. Reason trying to see LDAP settings is Company in installing SHA256 certs on the External LDAP server soon. I am trying to determine if LDAP is configured to use port 389 (unsecure) and there will be NO IMPACT to our servers communicating to External LDAP server or IF LDAP is configured to use port 636 (secure) then I would then need to find out if ROOT CA freeradius is using is same ROOT CA External LDAP server is using along with the same serial number. FreeRadius is totally new to us and sorry for the questions. The debug: ProdBox debug5-4-16 On Wed, May 04, 2016 at 04:34:04PM +0000, WINANT, KEVIN wrote:
Hi Folks, On the FreeRadius servers we have inherited, I am trying to locate where LDAP is configured.
What version?
SO my question is, is there someplace else where the LDAP server may be configured? Or radius.conf is the place.?? I have poked around in etc/raddb but unable to locate these settings.
Probably /etc/raddb/modules/ldap for v2 /etc/raddb/mods-{enabled,available}/ldap for v3 or just "grep -lr ldap /etc/raddb/*" will get you in the right direction, as will running FreeRADIUS in debug mode (radiusd -X) and reading the output at the start. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 4 May 2016, at 12:43, WINANT, KEVIN <KW517G@att.com> wrote:
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there.
Uh nope, don't try and use your v2.x.x config with v3.0.x. Just rebuild it using a stock v3.0.x config.
Reason trying to see LDAP settings is Company in installing SHA256 certs on the External LDAP server soon. I am trying to determine if LDAP is configured to use port 389 (unsecure) and there will be NO IMPACT to our servers communicating to External LDAP server or IF LDAP is configured to use port 636 (secure) then I would then need to find out if ROOT CA freeradius is using is same ROOT CA External LDAP server is using along with the same serial number.
Wow it may be the altitude but that extremely long sentence made absolutely no sense to me. Could you try rephrasing? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Sorry am not trying to move/upgrade anything to v3 at this time. I am trying to see my LDAP configuration for our External LDAP server. I am trying to see which port LDAP is using. If port 389 I will have no issue when the EXTERNAL LDAP server begins using SHA256 certs. If configured to use 636, I then need to identify the ROOT CA and serial number being used by FreeRadius and verify it is the SAME Root CA and serial number the External LDAP server is using. Apologies for the original looooooooong sentence.
On 4 May 2016, at 12:43, WINANT, KEVIN <KW517G@att.com> wrote:
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there.
Uh nope, don't try and use your v2.x.x config with v3.0.x. Just rebuild it using a stock v3.0.x config.
Reason trying to see LDAP settings is Company in installing SHA256 certs on the External LDAP server soon. I am trying to determine if LDAP is configured to use port 389 (unsecure) and there will be NO IMPACT to our servers communicating to External LDAP server or IF LDAP is configured to use port 636 (secure) then I would then need to find out if ROOT CA freeradius is using is same ROOT CA External LDAP server is using along with the same serial number.
Wow it may be the altitude but that extremely long sentence made absolutely no sense to me. Could you try rephrasing? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Ummmm. Surely you want to use protection if its out in the cloud anyway?? You can view connecting to ldap using eg netstat and tcpdump However, regarding the root CA for ldap. Its entirely different (or can be!) To that used by freeradius for clients (PEAP etc). So, grab the required root CA of the ldap server and is server cert and use those in your config. PS ldap stuff is very much refreshed in v3 - many more options etc and a far better connection pool (could be ideal for WAN based ldap servers) alan
Thanks Alan, This is all on the companies INTRANET. No connectivity/access to Internet/Cloud. The LDAP config and Cert I am trying to verify is for the ssl connection between the FreeRadius servers and the LDAP server itself when queries sent to the LDAP server. Someplace in Free Radius I am thinking it would tell us which ROOT CA (Certificate Authority) cert and serial number it is using and via what port. (although if using port 389 for LDAP,,I figure it is not using a cert at all) Once I can locate that info I can compare to the ROOT CA and serial the LDAP server uses. If the same we’re good to go when External LDAP server installs SHA256 certs shortly. Original FreeRadius SME is no longer with us, hence the queries. From: Alan Buxey [mailto:A.L.M.Buxey@lboro.ac.uk] Sent: Wednesday, May 04, 2016 6:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; WINANT, KEVIN <KW517G@att.com> Subject: RE: LDAP CONFIGURATION IN FreeRadius Ummmm. Surely you want to use protection if its out in the cloud anyway?? You can view connecting to ldap using eg netstat and tcpdump However, regarding the root CA for ldap. Its entirely different (or can be!) To that used by freeradius for clients (PEAP etc). So, grab the required root CA of the ldap server and is server cert and use those in your config. PS ldap stuff is very much refreshed in v3 - many more options etc and a far better connection pool (could be ideal for WAN based ldap servers) alan
Hi,
The LDAP config and Cert I am trying to verify is for the ssl connection between the FreeRadius servers and the LDAP server itself when queries sent to the LDAP server.
for v2, /etc/raddb/modules/ldap see the lines: server = "ldap.your.domain" # Port to connect on, defaults to 389. Setting this to # 636 will enable LDAPS if start_tls (see below) is not # able to be used. #port = 389 and for secure TLS stuff, look in that same file for the tls { } section you will need to ensure that the appropriate parts are complete you may find that things are missing, empty because the original admin decided that the 'best thing' would be to remove stuff...in which case you need to look at original files.... alan
HI Alan, Thanks for the info and this is a file I was looking at. In that file where I would expect to see the LDAP server name: "server =" It shows: server = "ldap.your.domain" Assume this is default before specifying an actual LDAP server hostname And for TLS in that file Is see: { start_tls = no } The start tls=no indicates to me that LDAPS is not being used (port 636) and would instead be using unsecure LDAP via port 389.. Is this correct assumption? Still puzzled by the LDAP file having no SPECIFIC LDAP server hostname defined for "server=" Have attached the LDAP file, not sure if will make it through Hi,
The LDAP config and Cert I am trying to verify is for the ssl connection between the FreeRadius servers and the LDAP server itself when queries sent to the LDAP server.
for v2, /etc/raddb/modules/ldap see the lines: server = "ldap.your.domain" # Port to connect on, defaults to 389. Setting this to # 636 will enable LDAPS if start_tls (see below) is not # able to be used. #port = 389 and for secure TLS stuff, look in that same file for the tls { } section you will need to ensure that the appropriate parts are complete you may find that things are missing, empty because the original admin decided that the 'best thing' would be to remove stuff...in which case you need to look at original files.... alan
On May 5, 2016, at 12:02 PM, WINANT, KEVIN <KW517G@att.com> wrote:
HI Alan, Thanks for the info and this is a file I was looking at. In that file where I would expect to see the LDAP server name: "server =" It shows: server = "ldap.your.domain"
So it's an example file. It's not the local configuration.
Assume this is default before specifying an actual LDAP server hostname
It should. Once you find the correct file, it will have the LDAP server hostname. This shouldn't be hard. Look in /etc/raddb/mods-enabled. Find the files which contain "ldap". Read them.
The start tls=no indicates to me that LDAPS is not being used (port 636) and would instead be using unsecure LDAP via port 389.. Is this correct assumption?
Since you're not looking at the correct file, no.
Still puzzled by the LDAP file having no SPECIFIC LDAP server hostname defined for "server="
You're not looking at the correct file. This isn't rocket science. If there's no LDAP server hostname, you're not looking at the correct file. The server doesn't magically know to talk to your LDAP hostname.
Have attached the LDAP file, not sure if will make it through
No. And please don't attach the default configuration files. We know what they look like. They're distributed with the server. Alan DeKok.
Hi, its quite clear that its not using that config...... so, is it actually using LDAP - check what the config looks like in the virtual servers.... why do you think its using LDAP? ;-) alan
Hi Alan, you are right, with all the EXCELLENT forum help we received through users-lists, determined it all executes from a perl, bgmod.pl. That perl calls up a stunnel.conf file which had the LDAP configuration within and it identified the ROOT CA (.pem file) being used for the secure connection to the LDAP server.. We were then able to decipher the .pem file to validate the issuing CA, issuing CA's Root serial number and date. Knew we were using LDAP because every request a defined FW receives from an end user to authenticate through that FW (to the environment behind the firewall) is passed to FreeRadius, which then verifies the end users id/pswd using LDAP to the Corporate Directory. SO, knew it was defined in there someplace but not the expected place. Excellent forum, good answers, right answers, no BS. I Thank You All!!!! -----Original Message----- From: A.L.M.Buxey@lboro.ac.uk [mailto:A.L.M.Buxey@lboro.ac.uk] Sent: Thursday, May 05, 2016 3:15 PM To: WINANT, KEVIN <KW517G@att.com> Cc: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP CONFIGURATION IN FreeRadius Hi, its quite clear that its not using that config...... so, is it actually using LDAP - check what the config looks like in the virtual servers.... why do you think its using LDAP? ;-) alan
Hi,
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap"
v3 doesnt read that file..... you cannot use v3 with v2 config files. you need to start with base b3 config and configure it as required alan
On Wed, May 04, 2016 at 07:43:28PM +0000, WINANT, KEVIN wrote:
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there.
Just realised you included the -X output further down. That server isn't configured to do LDAP, at least not if it's using /etc/raddb as its live config. It is configured to use perl, so it's possible someone has decided to do an LDAP lookup from perl rather than using the FreeRADIUS module. Look in /etc/raddb/bgmod.pl (a local file, not part of the standard config). Matthew
FreeRADIUS Version 2.1.1, for host s390x-ibm-linux-gnu, built on Feb 28 2014 at 23:16:21 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/bgclients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 18 cleanup_delay = 5 max_requests = 30720 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client whplp2621f1133a.whiteplains.ibm/9.58.200.102 { ipaddr = 9.58.200.102 require_message_authenticator = no secret = "xxxxxxxx" } client rep-pf-16e04-a.atlanta.ibm.com/9.9.161.93 { ipaddr = 9.9.161.93 require_message_authenticator = no secret = "xxxxxxxxxxx" } client igf-fw-gy.pokvpn.ibm.com/9.56.200.153 { ipaddr = 9.56.200.153 require_message_authenticator = no secret = "xxxxxxxxxxxxx" } client aus-bf-bldg904-a.austin.ibm.com/9.3.60.208 { ipaddr = 9.3.60.208 require_message_authenticator = no secret = "xxxxxxxxxxxxx" } SEVERAL HUINDRED MORE DEVICES DEFINED IN THIS AREA USING THE SAME FORMAT }
radiusd: #### Loading Realms and Home Servers #### radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "xxxxxxxxx" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = "/etc/raddb/bgmod.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" } perl { max_clones = 10 start_clones = 3 min_spare_clones = 1 max_spare_clones = 3 cleanup_delay = 0 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 Failed binding to socket: Address already in use /etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matt, yup. Was looking around and see that it looks like bgmod.pl is handling the LDAP. See this in there and now trying to determine 'localhost:20389' # # Define LDAP server # # Production LDAP - Connect to LDAP server via stunnel # $LDAPServer = 'localhost:20389'; # User direct LDAP query from Perl On Wed, May 04, 2016 at 07:43:28PM +0000, WINANT, KEVIN wrote:
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there.
Just realised you included the -X output further down. That server isn't configured to do LDAP, at least not if it's using /etc/raddb as its live config. It is configured to use perl, so it's possible someone has decided to do an LDAP lookup from perl rather than using the FreeRADIUS module. Look in /etc/raddb/bgmod.pl (a local file, not part of the standard config). Matthew
FreeRADIUS Version 2.1.1, for host s390x-ibm-linux-gnu, built on Feb 28 2014 at 23:16:21 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/bgclients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 18 cleanup_delay = 5 max_requests = 30720 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client whplp2621f1133a.whiteplains.ibm/9.58.200.102 { ipaddr = 9.58.200.102 require_message_authenticator = no secret = "xxxxxxxx" } client rep-pf-16e04-a.atlanta.ibm.com/9.9.161.93 { ipaddr = 9.9.161.93 require_message_authenticator = no secret = "xxxxxxxxxxx" } client igf-fw-gy.pokvpn.ibm.com/9.56.200.153 { ipaddr = 9.56.200.153 require_message_authenticator = no secret = "xxxxxxxxxxxxx" } client aus-bf-bldg904-a.austin.ibm.com/9.3.60.208 { ipaddr = 9.3.60.208 require_message_authenticator = no secret = "xxxxxxxxxxxxx" } SEVERAL HUINDRED MORE DEVICES DEFINED IN THIS AREA USING THE SAME FORMAT }
radiusd: #### Loading Realms and Home Servers #### radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "xxxxxxxxx" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = "/etc/raddb/bgmod.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" } perl { max_clones = 10 start_clones = 3 min_spare_clones = 1 max_spare_clones = 3 cleanup_delay = 0 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 Failed binding to socket: Address already in use /etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, May 05, 2016 at 07:18:00PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
See this in there and now trying to determine 'localhost:20389'
openLDAP (or some other LDAP) running on local machine. slave/peered with your main LDAP?
Given the comment, probably a copy of stunnel listening on port 20389 :-) In terms of the certificate it's checking, if any, I'd start by looking in (probably) /etc/ldap/ldap.conf. But in any case, not a FreeRADIUS issue. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
WINANT, KEVIN