Hi, We are trying to configure our WLC Cisco + FreeRadius + LDAP to WiFi web authentication. At the moment, we have configured almost everything, but still we can't enable the Simultaneous-Use feature. LDAP works fine, we don't have authentication problems. We are using FreeRadius 2.1.12 (Centos 5.11). - The command *radcheck* doesn't show anything, and also doesn't work properly in debbug mode. - The *radutmp* file only save the last logged. We have tried a lot of things but nothing works, Can you help us, please? We stay attentive to any question you have, or if you need some log file (in this case, we did not find any relevant file that attach). Thanks in advance. Below I attach our configuration (the files more important). ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- *User* # SUBRED 1.64, vlan 222 DEFAULT Huntgroup-Name == "SSIDFuncionarios", Ldap-Group == "Empleados", Auth-Type := LDAP , Simultaneous-Use := 2 #SUBRED 1.96,vlan 223 DEFAULT Huntgroup-Name == "SSIDAlumnos", Ldap-Group == "Alumnos", Auth-Type := LDAP, Simultaneous-Use := 2 #SUBRED 1.128, vlan 224 DEFAULT Huntgroup-Name == "SSIDInvitados",Ldap-Group == "invitados", Auth-Type := LDAP DEFAULT Huntgroup-Name == "SSIDFuncionariosPiloto", Ldap-Group == "Empleados", Auth-Type := LDAP, Simultaneous-Use := 2 DEFAULT Auth-Type := REJECT reply-message = "USUARIO DESCONOCIDO O NO ASOCIADO A UN GRUPO" Client.conf client 158.251.4.0/24 { secret = xxxxx shortname = PUCV nastype = cisco } Radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # name of the running server. See also the "-n" command-line option. name = radiusd # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir} # # libdir: Where to find the rlm_* modules. # # This should be automatically set at configuration time. # # If the server builds and installs, but fails at execution time # with an 'undefined symbol' error, then you can use the libdir # directive to work around the problem. # # The cause is usually that a library has been installed on your # system in a place where the dynamic linker CANNOT find it. When # executing as root (or another user), your personal environment MAY # be set up to allow the dynamic linker to find the library. When # executing as a daemon, FreeRADIUS MAY NOT have the same # personalized configuration. # # To work around the problem, find out which library contains that symbol, # and add the directory containing that library to the end of 'libdir', # with a colon separating the directory names. NO spaces are allowed. # # e.g. libdir = /usr/local/lib:/opt/package/lib # # You can also try setting the LD_LIBRARY_PATH environment variable # in a script which starts the server. # # If that does not work, then you can re-configure and re-build the # server to NOT use shared libraries, via: # # ./configure --disable-shared # make # make install # libdir = /usr/lib/freeradius # pidfile: Where to place the PID of the RADIUS server. # # The server may be signalled while it's running by using this # file. # # This file is written when ONLY running in daemon mode. # # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` # pidfile = ${run_dir}/${name}.pid # chroot: directory where the server does "chroot". # # The chroot is done very early in the process of starting the server. # After the chroot has been performed it switches to the "user" listed # below (which MUST be specified). If "group" is specified, it switchs # to that group, too. Any other groups listed for the specified "user" # in "/etc/group" are also added as part of this process. # # The current working directory (chdir / cd) is left *outside* of the # chroot until all of the modules have been initialized. This allows # the "raddb" directory to be left outside of the chroot. Once the # modules have been initialized, it does a "chdir" to ${logdir}. This # means that it should be impossible to break out of the chroot. # # If you are worried about security issues related to this use of chdir, # then simply ensure that the "raddb" directory is inside of the chroot, # end be sure to do "cd raddb" BEFORE starting the server. # # If the server is statically linked, then the only files that have # to exist in the chroot are ${run_dir} and ${logdir}. If you do the # "cd raddb" as discussed above, then the "raddb" directory has to be # inside of the chroot directory, too. # #chroot = /path/to/chroot/directory # user/group: The name (or #number) of the user/group to run radiusd as. # # If these are commented out, the server will run as the user/group # that started it. In order to change to a different user/group, you # MUST be root ( or have root privleges ) to start the server. # # We STRONGLY recommend that you run the server with as few permissions # as possible. That is, if you're not using shadow passwords, the # user and group items below should be set to radius'. # # NOTE that some kernels refuse to setgid(group) when the value of # (unsigned)group is above 60000; don't use group nobody on these systems! # # On systems with shadow passwords, you might have to set 'group = shadow' # for the server to be able to read the shadow password file. If you can # authenticate users while in debug mode, but not in daemon mode, it may be # that the debugging mode server is running as a user that can read the # shadow info, and the user listed below can not. # # The server will also try to use "initgroups" to read /etc/groups. # It will join all groups where "user" is a member. This can allow # for some finer-grained access controls. # user = radiusd group = radiusd # max_request_time: The maximum time (in seconds) to handle a request. # # Requests which take more time than this to process may be killed, and # a REJECT message is returned. # # WARNING: If you notice that requests take a long time to be handled, # then this MAY INDICATE a bug in the server, in one of the modules # used to handle a request, OR in your local configuration. # # This problem is most often seen when using an SQL database. If it takes # more than a second or two to receive an answer from the SQL database, # then it probably means that you haven't indexed the database. See your # SQL server documentation for more information. # # Useful range of values: 5 to 120 # max_request_time = 30 # cleanup_delay: The time to wait (in seconds) before cleaning up # a reply which was sent to the NAS. # # The RADIUS request is normally cached internally for a short period # of time, after the reply is sent to the NAS. The reply packet may be # lost in the network, and the NAS will not see it. The NAS will then # re-send the request, and the server will respond quickly with the # cached reply. # # If this value is set too low, then duplicate requests from the NAS # MAY NOT be detected, and will instead be handled as seperate requests. # # If this value is set too high, then the server will cache too many # requests, and some new requests may get blocked. (See 'max_requests'.) # # Useful range of values: 2 to 10 # cleanup_delay = 5 # max_requests: The maximum number of requests which the server keeps # track of. This should be 256 multiplied by the number of clients. # e.g. With 4 clients, this number should be 1024. # # If this number is too low, then when the server becomes busy, # it will not respond to any new requests, until the 'cleanup_delay' # time has passed, and it has removed the old requests. # # If this number is set too high, then the server will use a bit more # memory for no real benefit. # # If you aren't sure what it should be set to, it's better to set it # too high than too low. Setting it to 1000 per client is probably # the highest it should be. # # Useful range of values: 256 to infinity # max_requests = 1024 # listen: Make the server listen on a particular IP address, and send # replies out from that address. This directive is most useful for # hosts with multiple IP addresses on one interface. # # If you want the server to listen on additional addresses, or on # additionnal ports, you can use multiple "listen" sections. # # Each section make the server listen for only one type of packet, # therefore authentication and accounting have to be configured in # different sections. # # The server ignore all "listen" section if you are using '-i' and '-p' # on the command line. # listen { # Type of packets to listen for. # Allowed values are: # auth listen for authentication packets # acct listen for accounting packets # proxy IP to use for sending proxied packets # detail Read from the detail file. For examples, see # raddb/sites-available/copy-acct-to-home-server # status listen for Status-Server packets. For examples, # see raddb/sites-available/status # coa listen for CoA-Request and Disconnect-Request # packets. For examples, see the file # raddb/sites-available/coa-server # type = auth # Note: "type = proxy" lets you control the source IP used for # proxying packets, with some limitations: # # * A proxy listener CANNOT be used in a virtual server section. # * You should probably set "port = 0". # * Any "clients" configuration will be ignored. # # See also proxy.conf, and the "src_ipaddr" configuration entry # in the sample "home_server" section. When you specify the # source IP address for packets sent to a home server, the # proxy listeners are automatically created. # IP address on which to listen. # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) # wildcard (*) ipaddr = * # OR, you can use an IPv6 address, but not both # at the same time. # ipv6addr = :: # any. ::1 == localhost # Port on which to listen. # Allowed values are: # integer port number (1812) # 0 means "use /etc/services for the proper port" port = 0 # Some systems support binding to an interface, in addition # to the IP address. This feature isn't strictly necessary, # but for sites with many IP addresses on one interface, # it's useful to say "listen on all addresses for eth0". # # If your system does not support this feature, you will # get an error if you try to use it. # # interface = eth0 # Per-socket lists of clients. This is a very useful feature. # # The name here is a reference to a section elsewhere in # radiusd.conf, or clients.conf. Having the name as # a reference allows multiple sockets to use the same # set of clients. # # If this configuration is used, then the global list of clients # is IGNORED for this "listen" section. Take care configuring # this feature, to ensure you don't accidentally disable a # client you need. # # See clients.conf for the configuration of "per_socket_clients". # # clients = per_socket_clients } # This second "listen" section is for listening on the accounting # port, too. # listen { ipaddr = * # ipv6addr = :: port = 0 type = acct # interface = eth0 # clients = per_socket_clients } # hostname_lookups: Log the names of clients or just their IP addresses # e.g., www.freeradius.org (on) or 206.47.27.232 (off). # # The default is 'off' because it would be overall better for the net # if people had to knowingly turn this feature on, since enabling it # means that each client request will result in AT LEAST one lookup # request to the nameserver. Enabling hostname_lookups will also # mean that your server may stop randomly for 30 seconds from time # to time, if the DNS requests take too long. # # Turning hostname lookups off also means that the server won't block # for 30 seconds, if it sees an IP address which has no name associated # with it. # # allowed values: {no, yes} # hostname_lookups = no # Core dumps are a bad thing. This should only be set to 'yes' # if you're debugging a problem with the server. # # allowed values: {no, yes} # allow_core_dumps = no # Regular expressions # # These items are set at configure time. If they're set to "yes", # then setting them to "no" turns off regular expression support. # # If they're set to "no" at configure time, then setting them to "yes" # WILL NOT WORK. It will give you an error. # regular_expressions = yes extended_expressions = yes # # Logging section. The various "log_*" configuration items # will eventually be moved here. # log { # # Destination for log messages. This can be one of: # # files - log to "file", as defined below. # syslog - to syslog (see also the "syslog_facility", below. # stdout - standard output # stderr - standard error. # # The command-line option "-X" over-rides this option, and forces # logging to go to stdout. # destination = files # # The logging messages for the server are appended to the # tail of this file if destination == "files" # # If the server is running in debugging mode, this file is # NOT used. # file = ${logdir}/radius.log # # If this configuration parameter is set, then log messages for # a *request* go to this file, rather than to radius.log. # # i.e. This is a log file per request, once the server has accepted # the request as being from a valid client. Messages that are # not associated with a request still go to radius.log. # # Not all log messages in the server core have been updated to use # this new internal API. As a result, some messages will still # go to radius.log. Please submit patches to fix this behavior. # # The file name is expanded dynamically. You should ONLY user # server-side attributes for the filename (e.g. things you control). # Using this feature MAY also slow down the server substantially, # especially if you do thinks like SQL calls as part of the # expansion of the filename. # # The name of the log file should use attributes that don't change # over the lifetime of a request, such as User-Name, # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log # messages will be distributed over multiple files. # # Logging can be enabled for an individual request by a special # dynamic expansion macro: %{debug: 1}, where the debug level # for this request is set to '1' (or 2, 3, etc.). e.g. # # ... # update control { # Tmp-String-0 = "%{debug:1}" # } # ... # # The attribute that the value is assigned to is unimportant, # and should be a "throw-away" attribute with no side effects. # requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log # # Which syslog facility to use, if ${destination} == "syslog" # # The exact values permitted here are OS-dependent. You probably # don't want to change this. # syslog_facility = daemon # Log the full User-Name attribute, as it was found in the request. # # allowed values: {no, yes} # stripped_names = yes # Log authentication requests to the log file. # # allowed values: {no, yes} # auth = yes # Log passwords with the authentication requests. # auth_badpass - logs password if it's rejected # auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # auth_badpass = yes auth_goodpass = no # Log additional text at the end of the "Login OK" messages. # for these to work, the "auth" and "auth_goopass" or "auth_badpass" # configurations above have to be set to "yes". # # The strings below are dynamically expanded, which means that # you can put anything you want in them. However, note that # this expansion can be slow, and can negatively impact server # performance. # # msg_goodpass = "" # msg_badpass = "" } # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This # section holds the configuration items which minimize the impact # of those attacks # security { # # max_attributes: The maximum number of attributes # permitted in a RADIUS packet. Packets which have MORE # than this number of attributes in them will be dropped. # # If this number is set too low, then no RADIUS packets # will be accepted. # # If this number is set too high, then an attacker may be # able to send a small number of packets which will cause # the server to use all available memory on the machine. # # Setting this number to 0 means "allow any number of attributes" max_attributes = 200 # # reject_delay: When sending an Access-Reject, it can be # delayed for a few seconds. This may help slow down a DoS # attack. It also helps to slow down people trying to brute-force # crack a users password. # # Setting this number to 0 means "send rejects immediately" # # If this number is set higher than 'cleanup_delay', then the # rejects will be sent at 'cleanup_delay' time, when the request # is deleted from the internal cache of requests. # # Useful ranges: 1 to 5 reject_delay = 1 # # status_server: Whether or not the server will respond # to Status-Server requests. # # When sent a Status-Server message, the server responds with # an Access-Accept or Accounting-Response packet. # # This is mainly useful for administrators who want to "ping" # the server, without adding test users, or creating fake # accounting packets. # # It's also useful when a NAS marks a RADIUS server "dead". # The NAS can periodically "ping" the server with a Status-Server # packet. If the server responds, it must be alive, and the # NAS can start using it for real requests. # # See also raddb/sites-available/status # status_server = yes } # PROXY CONFIGURATION # # proxy_requests: Turns proxying of RADIUS requests on or off. # # The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. # # If you have proxying turned off, and your configuration files say # to proxy a request, then an error message will be logged. # # To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = yes $INCLUDE proxy.conf # CLIENTS CONFIGURATION # # Client configuration is defined in "clients.conf". # # The 'clients.conf' file contains all of the information from the old # 'clients' and 'naslist' configuration files. We recommend that you # do NOT use 'client's or 'naslist', although they are still # supported. # # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. # $INCLUDE clients.conf # THREAD POOL CONFIGURATION # # The thread pool is a long-lived group of threads which # take turns (round-robin) handling any incoming requests. # # You probably want to have a few spare threads around, # so that high-load situations can be handled immediately. If you # don't have any spare threads, then the request handling will # be delayed while a new thread is created, and added to the pool. # # You probably don't want too many spare threads around, # otherwise they'll be sitting there taking up resources, and # not doing anything productive. # # The numbers given below should be adequate for most situations. # thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 5 # Limit on the total number of servers running. # # If this limit is ever reached, clients will be LOCKED OUT, so it # should NOT BE SET TOO LOW. It is intended mainly as a brake to # keep a runaway server from taking the system with it as it spirals # down... # # You may find that the server is regularly reaching the # 'max_servers' number of threads, and that increasing # 'max_servers' doesn't seem to make much difference. # # If this is the case, then the problem is MOST LIKELY that # your back-end databases are taking too long to respond, and # are preventing the server from responding in a timely manner. # # The solution is NOT do keep increasing the 'max_servers' # value, but instead to fix the underlying cause of the # problem: slow database, or 'hostname_lookups=yes'. # # For more information, see 'max_request_time', above. # max_servers = 32 # Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to # the load it sees, that is, it tries to maintain enough # servers to handle the current load, plus a few spare # servers to handle transient load spikes. # # It does this by periodically checking how many servers are # waiting for a request. If there are fewer than # min_spare_servers, it creates a new spare. If there are # more than max_spare_servers, some of the spares die off. # The default values are probably OK for most sites. # min_spare_servers = 3 max_spare_servers = 10 # When the server receives a packet, it places it onto an # internal queue, where the worker threads (configured above) # pick it up for processing. The maximum size of that queue # is given here. # # When the queue is full, any new packets will be silently # discarded. # # The most common cause of the queue being full is that the # server is dependent on a slow database, and it has received # a large "spike" of traffic. When that happens, there is # very little you can do other than make sure the server # receives less traffic, or make sure that the database can # handle the load. # # max_queue_size = 65536 # There may be memory leaks or resource allocation problems with # the server. If so, set this value to 300 or so, so that the # resources will be cleaned up periodically. # # This should only be necessary if there are serious bugs in the # server which have not yet been fixed. # # '0' is a special value meaning 'infinity', or 'the servers never # exit' max_requests_per_server = 0 } # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # The 'instance' is optional. To have two different instances # of a module, it first must be referred to by 'name'. # The different copies of the module are then created by # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration # INSTEAD of the original 'name'. See the 'radutmp' configuration # for an example. # # # As of 2.0.5, most of the module configurations are in a # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/ # are loaded. The modules are initialized ONLY if they are # referenced in a processing section, such as authorize, # authenticate, accounting, pre/post-proxy, etc. # $INCLUDE ${confdir}/modules/ # Extensible Authentication Protocol # # For all EAP related authentications. # Now in another file, because it is very large. # $INCLUDE eap.conf # Include another file that has the SQL-related configuration. # This is another file only because it tends to be big. # # $INCLUDE sql.conf # # This module is an SQL enabled version of the counter module. # # Rather than maintaining seperate (GDBM) databases of # accounting info for each counter, this module uses the data # stored in the raddacct table by the sql modules. This # module NEVER does any database INSERTs or UPDATEs. It is # totally dependent on the SQL module to process Accounting # packets. # # $INCLUDE sql/mysql/counter.conf # # IP addresses managed in an SQL table. # # $INCLUDE sqlippool.conf } # Instantiation # # This section orders the loading of the modules. Modules # listed here will get loaded BEFORE the later sections like # authorize, authenticate, etc. get examined. # # This section is not strictly needed. When a section like # authorize refers to a module, it's automatically loaded and # initialized. However, some modules may not be listed in any # of the following sections, so they can be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initalized. If one module needs # something defined by another module, you can list them in order # here, and ensure that the configuration will be OK. # instantiate { # # Allows the execution of external scripts. # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` exec # # The expression module doesn't do authorization, # authentication, or accounting. It only does dynamic # translation, of the form: # # Session-Timeout = `%{expr:2 + 3}` # # So the module needs to be instantiated, but CANNOT be # listed in any other section. See 'doc/rlm_expr' for # more information. # expr # # We add the counter module here so that it registers # the check-name attribute before any module which sets # it # daily expiration logintime # subsections here can be thought of as "virtual" modules. # # e.g. If you have two redundant SQL servers, and you want to # use them in the authorize and accounting sections, you could # place a "redundant" block in each section, containing the # exact same text. Or, you could uncomment the following # lines, and list "redundant_sql" in the authorize and # accounting sections. # #redundant redundant_sql { # sql1 # sql2 #} } $INCLUDE policy.conf $INCLUDE sites-enabled/ *Default* authorize { # # Security settings. Take a User-Name, and do some simple # checks on it, for spaces and other invalid characters. If # it looks like the user is trying to play games, reject it. # # This should probably be enabled by default. # # See policy.conf for the definition of the filter_username policy. # # filter_username # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set # chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. # mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. # digest # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. Un-commenting # the "wimax" module here means that it will fix the # Calling-Station-Id attribute to the normal format as # specified in RFC 3580 Section 3.21 # wimax # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # suffix # ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # As of 2.0, the EAP module returns "ok" in the authorize stage # for TTLS and PEAP. In 1.x, it never returned "ok" here, so # this change is compatible with older configurations. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # # eap { # ok = return # } # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module in radiusd.conf. # # unix # # Read the 'users' file files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf # sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above. # etc_smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set load-balance{ redundant{ ldapDS01 ldapDS02 } redundant{ ldapDS02 ldapDS01 } } # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # # pap # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. # This permits you to do DB queries, for example. If the modules # listed here return "fail", then NO response is sent. # # Autz-Type Status-Server { # # } } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the apropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user (Auth-Type := Reject), # or to or forcibly accept the user (Auth-Type := Accept). # # Note that Auth-Type := Accept will NOT work with EAP. # # Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. # Auth-Type PAP { # pap # } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. # Auth-Type CHAP { # chap # } # # MSCHAP authentication. # Auth-Type MS-CHAP { # mschap # } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # For normal "crypt" authentication, the "pap" module should # be used instead of the "unix" module. The "unix" module should # be used for authentication ONLY for compatibility with legacy # FreeRADIUS configurations. # # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { load-balance{ redundant{ ldapDS01 ldapDS02 } redundant{ ldapDS02 ldapDS01 } } } # # Allow EAP authentication. # eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends # a start packet, *possibly* with an Acct-Delay-Time. # The server is supposed to conclude that the start time # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can # then be used in other modules. # # The start time is: NOW - delay - session_length # # update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS suffix # ntdomain # # Read the 'acct_users' file files } # # Accounting. Log the accounting data. # accounting { # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # daily # Update the wtmp file # # If you don't use "radlast", you can delete this line. unix # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. radutmp # sradutmp # Return an address to the IP Pool when we see a stop record. # main_pool # # Log traffic to an SQL database. # # See "Accounting queries" in sql.conf # sql # # If you receive stop packets with zero session length, # they will NOT be logged in the database. The SQL module # will print a message (only in debugging mode), and will # return "noop". # # You can ignore these packets by uncommenting the following # three lines. Otherwise, the server will not respond to the # accounting request, and the NAS will retransmit. # # if (noop) { # ok # } # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # Cisco VoIP specific bulk accounting # pgsql-voip # For Exec-Program and Exec-Program-Wait exec # Filter attributes from the accounting response. attr_filter.accounting_response # # See "Autz-Type Status-Server" for how this works. # # Acct-Type Status-Server { # # } } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp # # See "Simultaneous Use Checking Queries" in sql.conf # sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Get an address from the IP Pool. # main_pool # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf # sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # # ldap # For Exec-Program and Exec-Program-Wait exec # # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax # If there is a client certificate (EAP-TLS, sometimes PEAP # and TTLS), then some attributes are filled out after the # certificate verification has been performed. These fields # MAY be available during the authentication, or they may be # available only in the "post-auth" section. # # The first set of attributes contains information about the # issuing certificate which is being used. The second # contains information about the client certificate (if # available). # # update reply { # Reply-Message += "%{TLS-Cert-Serial}" # Reply-Message += "%{TLS-Cert-Expiration}" # Reply-Message += "%{TLS-Cert-Subject}" # Reply-Message += "%{TLS-Cert-Issuer}" # Reply-Message += "%{TLS-Cert-Common-Name}" # # Reply-Message += "%{TLS-Client-Cert-Serial}" # Reply-Message += "%{TLS-Client-Cert-Expiration}" # Reply-Message += "%{TLS-Client-Cert-Subject}" # Reply-Message += "%{TLS-Client-Cert-Issuer}" # Reply-Message += "%{TLS-Client-Cert-Common-Name}" # } # If the WiMAX module did it's work, you may want to do more # things here, like delete the MS-MPPE-*-Key attributes. # # if (updated) { # update reply { # MS-MPPE-Recv-Key !* 0x00 # MS-MPPE-Send-Key !* 0x00 # } # } # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. # sql attr_filter.access_reject } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # attr_rewrite # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap # # If the server tries to proxy a request and fails, then the # request is processed through the modules in this section. # # The main use of this section is to permit robust proxying # of accounting packets. The server can be configured to # proxy accounting packets as part of normal processing. # Then, if the home server goes down, accounting packets can # be logged to a local "detail" file, for processing with # radrelay. When the home server comes back up, radrelay # will read the detail file, and send the packets to the # home server. # # With this configuration, the server always responds to # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # # Post-Proxy-Type Fail { # detail # } }
On Jun 8, 2015, at 1:55 PM, Felipe Lopez Placencio <felipe.lopez@pucv.cl> wrote:
We are trying to configure our WLC Cisco + FreeRadius + LDAP to WiFi web authentication.
At the moment, we have configured almost everything, but still we can't enable the Simultaneous-Use feature. LDAP works fine, we don't have authentication problems.
Is the client sending accounting packets?
We are using FreeRadius 2.1.12 (Centos 5.11).
Ugh.
- The command *radcheck* doesn't show anything, and also doesn't work properly in debbug mode.
What's "radcheck" ?
- The *radutmp* file only save the last logged.
The radutmp file shows the last time a user logged in. That's what it's supposed to do.
We have tried a lot of things but nothing works, Can you help us, please?
See the FAQ for "it doesn't work". Can the user log in once? After the user logs in, does the client send an accounting "start" packet? Is that packet stored in a DB (radutmp, sql, etc.) When the user logs in a second time, do they get Simultaneous-Use set for them? Does the server discover that the user is already logged in? What happens then?
We stay attentive to any question you have, or if you need some log file (in this case, we did not find any relevant file that attach).
The debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
Radiusd.conf
Please don't post that to the list. It's useless. Alan DeKok.
Is the client sending accounting packets?
Yes, the client send the account packets.
What's "radcheck" ?
Sorry, the correct command is checkrad.
Can the user log in once?
Yes, all users can log in 3 times, as we configured in the WLC Cisco, but we want to restrict one group in 2 connections.
After the user logs in, does the client send an accounting "start" packet?
We suppose. The log detail shows: Mon Jun 8 15:12:29 2015 User-Name = "test" NAS-Port = 29 NAS-IP-Address = 158.251.4.193 Framed-IP-Address = 158.251.211.7 NAS-Identifier = "wlc.ucv.cl" Airespace-Wlan-Id = 4 Acct-Session-Id = "5575db47/00:17:9a:b0:26:ae/1269" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "226" Acct-Status-Type = Start Calling-Station-Id = "158.251.211.7" Called-Station-Id = "158.251.4.193" Acct-Unique-Session-Id = "7a2d24188796cc40" Timestamp = 1433787149 Mon Jun 8 15:12:41 2015 User-Name = "test" NAS-Port = 29 NAS-IP-Address = 158.251.4.193 Framed-IP-Address = 158.251.211.7 NAS-Identifier = "wlc.ucv.cl" Airespace-Wlan-Id = 4 Acct-Session-Id = "5575db47/00:17:9a:b0:26:ae/1269" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "226" Acct-Status-Type = Stop Acct-Input-Octets = 76060022 Acct-Output-Octets = 1508183842 Acct-Input-Packets = 773252 Acct-Output-Packets = 1227539 Acct-Terminate-Cause = User-Request Acct-Session-Time = 12 Acct-Delay-Time = 0 Calling-Station-Id = "158.251.211.7" Called-Station-Id = "158.251.4.193" Acct-Unique-Session-Id = "7a2d24188796cc40" Timestamp = 1433787161
Is that packet stored in a DB (radutmp, sql, etc.)
Yes, the packet is stored in radutmp, but only the last connection. Thats mean that appears only one input.
When the user logs in a second time, do they get Simultaneous-Use set for them?
No, doesn't work. User can connected multiple times. In debug mode doesn't appear any related with Simultaneous-Use or something like that.
Does the server discover that the user is already logged in?
We think no, because doesn't work.
What happens then?
We don't know for what reason does not work.
The debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The debug doesn't show any error or warning. Thank in advance for your help. We really appreciate it. Kind regards Felipe López P.
On Jun 8, 2015, at 2:26 PM, Felipe Lopez Placencio <felipe.lopez@pucv.cl> wrote:
Yes, all users can log in 3 times, as we configured in the WLC Cisco, but we want to restrict one group in 2 connections.
You've already said that.
After the user logs in, does the client send an accounting "start" packet?
We suppose. The log detail shows:
<sigh> The debug output is useful. The detail log isn't useful. Why? Because the debug output shows EVERYTHING.
Is that packet stored in a DB (radutmp, sql, etc.)
Yes, the packet is stored in radutmp, but only the last connection. Thats mean that appears only one input.
That's the problem, then. The AP is telling FreeRADIUS that the user is logging in once. And then again, from the same connection. So the user *isn't* logging in twice, from two different connections. He's logging in twice from the SAME connection. This isn't magic. FreeRADIUS can't magically know your intent. It can't know that even though the NAS *claims* the two logins are the same... that you think they're actually different. So... are the requests the same? You clearly don't know. Because you haven't looked at the debug log. Or if you did look there, you didn't notice the *important* pieces.
Does the server discover that the user is already logged in?
We think no, because doesn't work.
"It doesn't work" is almost always a bad answer.
What happens then?
We don't know for what reason does not work.
Yes, you do. See above.
The debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The debug doesn't show any error or warning.
<sigh> You can't get it to work. I ask for the debug log, and you say "it doesn't show anything". Really? You're asking for help, and when I tell you I need the debug output, your response is essentially "No, you don't". That's rude. I've never understood why some people ask for help, and then fight against every attempt to help them. Alan DeKok.
Hi everybody. Actually I didn't carefully read your config, but there are a lot of to configure to make it work. Did you configured checkrad script itself? - There is wrong SNMP OID for Cisco WLC. You need to set up SNMP community on controller also. Did you get something like this when you run checkrad? :~$ sudo checkrad -d cisco A.B.C.D 161 Username Username snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'checkrad' A.B.C.D .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.161 user at port S161: No snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'checkrad' A.B.C.D 1.3.6.1.4.1.14179.2.1.4.1.3 I was not successful when I wanted restrict User for 2 simultaneous logins. Only one login. With 2 it doesn't work. Понедельник, 8 июня 2015, 14:39 -04:00 от Alan DeKok <aland@deployingradius.com>:
On Jun 8, 2015, at 2:26 PM, Felipe Lopez Placencio < felipe.lopez@pucv.cl > wrote:
Yes, all users can log in 3 times, as we configured in the WLC Cisco, but we want to restrict one group in 2 connections.
You've already said that.
After the user logs in, does the client send an accounting "start" packet?
We suppose. The log detail shows:
<sigh> The debug output is useful. The detail log isn't useful.
Why? Because the debug output shows EVERYTHING.
Is that packet stored in a DB (radutmp, sql, etc.)
Yes, the packet is stored in radutmp, but only the last connection. Thats mean that appears only one input.
That's the problem, then. The AP is telling FreeRADIUS that the user is logging in once. And then again, from the same connection.
So the user *isn't* logging in twice, from two different connections. He's logging in twice from the SAME connection.
This isn't magic. FreeRADIUS can't magically know your intent. It can't know that even though the NAS *claims* the two logins are the same... that you think they're actually different.
So... are the requests the same? You clearly don't know. Because you haven't looked at the debug log. Or if you did look there, you didn't notice the *important* pieces.
Does the server discover that the user is already logged in?
We think no, because doesn't work.
"It doesn't work" is almost always a bad answer.
What happens then?
We don't know for what reason does not work.
Yes, you do. See above.
The debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The debug doesn't show any error or warning.
<sigh> You can't get it to work. I ask for the debug log, and you say "it doesn't show anything".
Really? You're asking for help, and when I tell you I need the debug output, your response is essentially "No, you don't".
That's rude. I've never understood why some people ask for help, and then fight against every attempt to help them.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09-06-15 08:32, Alan Buxey wrote:
'There is wrong SNMP OID for Cisco WLC'
Info please. We can get that fixed.
The current OID in the method cisco_snmp is only used for ISDN [1]. The Cisco WLC uses the Aierspace vendor, with a different OID to find the active users [2] (the one that was already given in the mail). I guess the best way to fix this is to add a new NAS type to the checkrad script, called cisco_wlc or airespace, that uses the OID from the second link. [1] http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Trans... [2] http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Trans... -- Herwin Weststrate
Hello SNMP OID 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3 It is true for Cisco WLC 5508 and I think for all 5500 series controllers https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-u... Вторник, 9 июня 2015, 7:32 +01:00 от Alan Buxey <A.L.M.Buxey@lboro.ac.uk>:
'There is wrong SNMP OID for Cisco WLC'
Info please. We can get that fixed.
alan
Dear Олег, We changed the checkrad file as you said, especially this part: sub find_l2tp_login { my($host, $community, $port_num) = @_; my $l2tp_oid = '.*1.3.6.1.4.1.14179.2.1.4.1.3*'; my $port_oid = '.iso.org.dod.internet.private.enterprises.9.10.51.1.2.1.1.2.2'; After that, we run the command: $ *checkrad -d cisco 158.251.4.193 29 13634337 13634337* snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'public' 158.251.4.193 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.29 user at port S29: No snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 158.251.4.193 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3 Returning 0 (login ok) The change of the OID number does not reflect in the checkrad command. We restarted the service, but as you see, in the response still appears *.iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.29.* What do we need to do to command work properly? Thank in advance! *Note*: We did: 1- Edited /usr/sbin/checkrad 2- We tested. Kind regards Felipe López P. 2015-06-09 5:31 GMT-03:00 Олег Кобелев <na_krul@mail.ru>:
Hello SNMP OID 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3#sthash.2HYMZ57W.dpuf 1.3.6.1.4.1.14179.2.1.4.1.3 It is true for Cisco WLC 5508 and I think for all 5500 series controllers
https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-u...
: 'There is wrong SNMP OID for Cisco WLC'
Info please. We can get that fixed.
alan
Вторник, 9 июня 2015, 7:32 +01:00 от Alan Buxey <A.L.M.Buxey@lboro.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Alan, First of all, we apologize for the missunderstanding. We are sorry for our bad English skills. We really appreciate your help and we understand the discomfort of our poor response. In no case our intention was not share the debug output, only that initially we did not understand correctly your ask. Sorry once again... Here is the output of the debug: [root@radius3 ~]# radiusd -X FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Jan 9 2013 at 05:02:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket main { user = "radiusd" group = "radiusd" allow_core_dumps = yes } Core dumps are enabled. including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 158.251.4.193 { require_message_authenticator = no secret = "testing123" shortname = "LAB-DSIC-PUCV" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = LDAP Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "ldapDS01" from file /etc/raddb/modules/ldap ldap ldapDS01 { server = "158.251.4.163" port = 389 password = "radius" identity = "uid=radius,dc=pucv,dc=mundo" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "dc=pucv,dc=mundo" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{User-Name},ou=logins,ou=cuentas,dc=pucv,dc=mundo))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldapDS01-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldapDS01-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldapDS01 rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x9340890 Module: Instantiating module "ldapDS02" from file /etc/raddb/modules/ldap ldap ldapDS02 { server = "158.251.4.164" port = 389 password = "radius" identity = "uid=radius,dc=pucv,dc=mundo" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "dc=pucv,dc=mundo" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=uid=%{User-Name},ou=logins,ou=cuentas,dc=pucv,dc=mundo))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldapDS02-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldapDS02-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldapDS02 rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x9341ef8 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NOT NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NOT NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log detail reply_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } ... adding new socket proxy address * port 50229 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 158.251.4.193 port 32768, id=172, length=144 User-Name = "13634337" User-Password = "arvb4722" Service-Type = Login-User NAS-IP-Address = 158.251.4.193 NAS-Port = 29 NAS-Identifier = "wlc.ucv.cl" NAS-Port-Type = Wireless-802.11 Airespace-Wlan-Id = 4 Calling-Station-Id = "158.251.211.5" Called-Station-Id = "158.251.4.193" Message-Authenticator = 0x0bc7803d74769da77c9faf215b133a36 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] expand: %t -> Tue Jun 9 09:44:13 2015 ++[auth_log] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '13634337' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '13634337' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User 13634337 not found ++[sql] returns notfound ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS01] performing user authorization for 13634337 [ldapDS01] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldapDS01] ... expanding second conditional [ldapDS01] expand: %{User-Name} -> 13634337 [ldapDS01] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=13634337) [ldapDS01] expand: dc=pucv,dc=mundo -> dc=pucv,dc=mundo [ldapDS01] ldap_get_conn: Checking Id: 0 [ldapDS01] ldap_get_conn: Got Id: 0 [ldapDS01] attempting LDAP reconnection [ldapDS01] (re)connect to 158.251.4.163:389, authentication 0 [ldapDS01] bind as uid=radius,dc=pucv,dc=mundo/radius to 158.251.4.163:389 [ldapDS01] waiting for bind result ... [ldapDS01] Bind was successful [ldapDS01] performing search in dc=pucv,dc=mundo, with filter (uid=13634337) [ldapDS01] Added User-Password = {SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g= in check items [ldapDS01] looking for check items in directory... [ldapDS01] userPassword -> Password-With-Header == "{SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g=" [ldapDS01] looking for reply items in directory... [ldapDS01] user 13634337 authorized to use remote access [ldapDS01] ldap_release_conn: Release Id: 0 ++++[ldapDS01] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = LDAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS01] login attempt by "13634337" with password "arvb4722" [ldapDS01] user DN: uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo [ldapDS01] (re)connect to 158.251.4.163:389, authentication 1 [ldapDS01] bind as uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo/arvb4722 to 158.251.4.163:389 [ldapDS01] waiting for bind result ... [ldapDS01] Bind was successful [ldapDS01] user 13634337 authenticated succesfully ++++[ldapDS01] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok # Executing section session from file /etc/raddb/sites-enabled/default +- entering group session {...} [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok Login OK: [13634337] (from client LAB-DSIC-PUCV port 29 cli 158.251.211.5) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] expand: %t -> Tue Jun 9 09:44:13 2015 ++[reply_log] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{User-Password} -> arvb4722 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:13') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:13') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 172 to 158.251.4.193 port 32768 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 158.251.4.193 port 32768, id=168, length=164 User-Name = "13634337" NAS-Port = 29 NAS-IP-Address = 158.251.4.193 Framed-IP-Address = 158.251.211.5 NAS-Identifier = "wlc.ucv.cl" Airespace-Wlan-Id = 4 Acct-Session-Id = "5576dfd8/ac:81:12:4e:67:36/1314" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "226" Acct-Status-Type = Start Calling-Station-Id = "158.251.211.5" Called-Station-Id = "158.251.4.193" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'Client-IP-Address = 158.251.4.193,NAS-IP-Address = 158.251.4.193,Acct-Session-Id = "5576dfd8/ac:81:12:4e:67:36/1314",User-Name = "13634337"' [acct_unique] Acct-Unique-Session-ID = "11f2f471b08abf69". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 158.251.4.193 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] expand: %t -> Tue Jun 9 09:44:13 2015 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{Acct-Delay-Time} -> [sql] ... expanding second conditional [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> 13634337 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 168 to 158.251.4.193 port 32768 Finished request 1. Cleaning up request 1 ID 168 with timestamp +24 Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 172 with timestamp +24 Ready to process requests. rad_recv: Access-Request packet from host 158.251.4.193 port 32768, id=173, length=144 User-Name = "13634337" User-Password = "arvb4722" Service-Type = Login-User NAS-IP-Address = 158.251.4.193 NAS-Port = 29 NAS-Identifier = "wlc.ucv.cl" NAS-Port-Type = Wireless-802.11 Airespace-Wlan-Id = 4 Calling-Station-Id = "158.251.211.7" Called-Station-Id = "158.251.4.193" Message-Authenticator = 0xb457475766bc95674dd09ad72406f35c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] expand: %t -> Tue Jun 9 09:44:34 2015 ++[auth_log] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '13634337' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '13634337' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User 13634337 not found ++[sql] returns notfound ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS01] performing user authorization for 13634337 [ldapDS01] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldapDS01] ... expanding second conditional [ldapDS01] expand: %{User-Name} -> 13634337 [ldapDS01] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=13634337) [ldapDS01] expand: dc=pucv,dc=mundo -> dc=pucv,dc=mundo [ldapDS01] ldap_get_conn: Checking Id: 0 [ldapDS01] ldap_get_conn: Got Id: 0 [ldapDS01] performing search in dc=pucv,dc=mundo, with filter (uid=13634337) [ldapDS01] Added User-Password = {SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g= in check items [ldapDS01] looking for check items in directory... [ldapDS01] userPassword -> Password-With-Header == "{SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g=" [ldapDS01] looking for reply items in directory... [ldapDS01] user 13634337 authorized to use remote access [ldapDS01] ldap_release_conn: Release Id: 0 ++++[ldapDS01] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = LDAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS02] login attempt by "13634337" with password "arvb4722" [ldapDS02] user DN: uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo [ldapDS02] (re)connect to 158.251.4.164:389, authentication 1 [ldapDS02] bind as uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo/arvb4722 to 158.251.4.164:389 [ldapDS02] waiting for bind result ... [ldapDS02] Bind was successful [ldapDS02] user 13634337 authenticated succesfully ++++[ldapDS02] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok # Executing section session from file /etc/raddb/sites-enabled/default +- entering group session {...} [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok Login OK: [13634337] (from client LAB-DSIC-PUCV port 29 cli 158.251.211.7) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] expand: %t -> Tue Jun 9 09:44:34 2015 ++[reply_log] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{User-Password} -> arvb4722 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:34') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:34') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 173 to 158.251.4.193 port 32768 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 158.251.4.193 port 32768, id=169, length=164 User-Name = "13634337" NAS-Port = 29 NAS-IP-Address = 158.251.4.193 Framed-IP-Address = 158.251.211.7 NAS-Identifier = "wlc.ucv.cl" Airespace-Wlan-Id = 4 Acct-Session-Id = "5576dfec/00:17:9a:b0:26:ae/1315" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "226" Acct-Status-Type = Start Calling-Station-Id = "158.251.211.7" Called-Station-Id = "158.251.4.193" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'Client-IP-Address = 158.251.4.193,NAS-IP-Address = 158.251.4.193,Acct-Session-Id = "5576dfec/00:17:9a:b0:26:ae/1315",User-Name = "13634337"' [acct_unique] Acct-Unique-Session-ID = "9fc9da1901097859". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 158.251.4.193 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] expand: %t -> Tue Jun 9 09:44:34 2015 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{Acct-Delay-Time} -> [sql] ... expanding second conditional [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> 13634337 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 169 to 158.251.4.193 port 32768 Finished request 3. Cleaning up request 3 ID 169 with timestamp +45 Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 173 with timestamp +45 Ready to process requests. rad_recv: Access-Request packet from host 158.251.4.193 port 32768, id=174, length=144 User-Name = "13634337" User-Password = "arvb4722" Service-Type = Login-User NAS-IP-Address = 158.251.4.193 NAS-Port = 29 NAS-Identifier = "wlc.ucv.cl" NAS-Port-Type = Wireless-802.11 Airespace-Wlan-Id = 4 Calling-Station-Id = "158.251.211.6" Called-Station-Id = "158.251.4.193" Message-Authenticator = 0x0d36f761168a50e3577db9be13dbc447 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/auth-detail-20150609 [auth_log] expand: %t -> Tue Jun 9 09:44:41 2015 ++[auth_log] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '13634337' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '13634337' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User 13634337 not found ++[sql] returns notfound ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS02] performing user authorization for 13634337 [ldapDS02] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldapDS02] ... expanding second conditional [ldapDS02] expand: %{User-Name} -> 13634337 [ldapDS02] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=13634337) [ldapDS02] expand: dc=pucv,dc=mundo -> dc=pucv,dc=mundo [ldapDS02] ldap_get_conn: Checking Id: 0 [ldapDS02] ldap_get_conn: Got Id: 0 [ldapDS02] attempting LDAP reconnection [ldapDS02] (re)connect to 158.251.4.164:389, authentication 0 [ldapDS02] bind as uid=radius,dc=pucv,dc=mundo/radius to 158.251.4.164:389 [ldapDS02] waiting for bind result ... [ldapDS02] Bind was successful [ldapDS02] performing search in dc=pucv,dc=mundo, with filter (uid=13634337) [ldapDS02] Added User-Password = {SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g= in check items [ldapDS02] looking for check items in directory... [ldapDS02] userPassword -> Password-With-Header == "{SHA}zb4+Y9Lt4KJxSZyKG88Dy8S9j9g=" [ldapDS02] looking for reply items in directory... [ldapDS02] user 13634337 authorized to use remote access [ldapDS02] ldap_release_conn: Release Id: 0 ++++[ldapDS02] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = LDAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} ++- entering load-balance group load-balance {...} +++- entering policy redundant {...} [ldapDS02] login attempt by "13634337" with password "arvb4722" [ldapDS02] user DN: uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo [ldapDS02] (re)connect to 158.251.4.164:389, authentication 1 [ldapDS02] bind as uid=13634337,ou=Logins,ou=Cuentas,dc=pucv,dc=mundo/arvb4722 to 158.251.4.164:389 [ldapDS02] waiting for bind result ... [ldapDS02] Bind was successful [ldapDS02] user 13634337 authenticated succesfully ++++[ldapDS02] returns ok +++- policy redundant returns ok ++- load-balance group load-balance returns ok # Executing section session from file /etc/raddb/sites-enabled/default +- entering group session {...} [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok Login OK: [13634337] (from client LAB-DSIC-PUCV port 29 cli 158.251.211.6) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/reply-detail-20150609 [reply_log] expand: %t -> Tue Jun 9 09:44:41 2015 ++[reply_log] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{User-Password} -> arvb4722 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:41') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '13634337', 'arvb4722', 'Access-Accept', '2015-06-09 09:44:41') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 174 to 158.251.4.193 port 32768 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 158.251.4.193 port 32768, id=170, length=164 User-Name = "13634337" NAS-Port = 29 NAS-IP-Address = 158.251.4.193 Framed-IP-Address = 158.251.211.6 NAS-Identifier = "wlc.ucv.cl" Airespace-Wlan-Id = 4 Acct-Session-Id = "5576dff3/c8:f7:33:d4:e5:90/1316" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "226" Acct-Status-Type = Start Calling-Station-Id = "158.251.211.6" Called-Station-Id = "158.251.4.193" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'Client-IP-Address = 158.251.4.193,NAS-IP-Address = 158.251.4.193,Acct-Session-Id = "5576dff3/c8:f7:33:d4:e5:90/1316",User-Name = "13634337"' [acct_unique] Acct-Unique-Session-ID = "b503f9f062ba51cf". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "13634337", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 158.251.4.193 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/158.251.4.193/detail-20150609 [detail] expand: %t -> Tue Jun 9 09:44:41 2015 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 13634337 ++[radutmp] returns ok [sql] expand: %{User-Name} -> 13634337 [sql] sql_set_user escaped user --> '13634337' [sql] expand: %{Acct-Delay-Time} -> [sql] ... expanding second conditional [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> 13634337 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 170 to 158.251.4.193 port 32768 Finished request 5. Cleaning up request 5 ID 170 with timestamp +52 Going to the next request Waking up in 4.9 seconds. Cleaning up request 4 ID 174 with timestamp +52 Ready to process requests. ################################################################################ If you have any request, feel free of asking us. Thanks in advance once again. Finally, I would like to thanks to Олег Кобелев. We will also try what he said. Kind regards Felipe López P. 2015-06-08 15:39 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 8, 2015, at 2:26 PM, Felipe Lopez Placencio <felipe.lopez@pucv.cl> wrote:
Yes, all users can log in 3 times, as we configured in the WLC Cisco, but we want to restrict one group in 2 connections.
You've already said that.
After the user logs in, does the client send an accounting "start" packet?
We suppose. The log detail shows:
<sigh> The debug output is useful. The detail log isn't useful.
Why? Because the debug output shows EVERYTHING.
Is that packet stored in a DB (radutmp, sql, etc.)
Yes, the packet is stored in radutmp, but only the last connection. Thats mean that appears only one input.
That's the problem, then. The AP is telling FreeRADIUS that the user is logging in once. And then again, from the same connection.
So the user *isn't* logging in twice, from two different connections. He's logging in twice from the SAME connection.
This isn't magic. FreeRADIUS can't magically know your intent. It can't know that even though the NAS *claims* the two logins are the same... that you think they're actually different.
So... are the requests the same? You clearly don't know. Because you haven't looked at the debug log. Or if you did look there, you didn't notice the *important* pieces.
Does the server discover that the user is already logged in?
We think no, because doesn't work.
"It doesn't work" is almost always a bad answer.
What happens then?
We don't know for what reason does not work.
Yes, you do. See above.
The debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The debug doesn't show any error or warning.
<sigh> You can't get it to work. I ask for the debug log, and you say "it doesn't show anything".
Really? You're asking for help, and when I tell you I need the debug output, your response is essentially "No, you don't".
That's rude. I've never understood why some people ask for help, and then fight against every attempt to help them.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 9, 2015, at 9:17 AM, Felipe Lopez Placencio <felipe.lopez@pucv.cl> wrote:
In no case our intention was not share the debug output, only that initially we did not understand correctly your ask. Sorry once again...
Here is the output of the debug:
Which shows that the NAS is sending *almost* exactly the same information for the two logins. The only difference is the Calling-Station-Id. So if you want to check for Simultaneous-Use, log the Calling-Station-Id to a database, and ensure that there are only a few unique ones. You should be able to update the simultaneous-use checks in the SQL module. And I'd suggest using that instead of radutmp for Simultaneous-Use checks. But... the packets are weird. How does the client have an IP address, if it isn't on the network? And why is the NAS sending an *IP address* inside of Calling-Station-Id? It's supposed to be a MAC address. That's just bad practice on the part of the vendor. Alan DeKok.
Hello, "And why is the NAS sending an *IP address* inside of Calling-Station-Id? It's supposed to be a MAC address." Thats default behavior for Cisco WLC. Configure WLC as follows: config radius callStationIdType macaddr to receive MAC address instead of IP.
Finally we solve it! :) In the ldap.attrmap file, we commented the next line of LDAP attribute: #checkItem Simultaneous-Use radiusSimultaneousUse After that, the Simultaneous-Use started to work fine. Thanks a lot for all the answers and helps that you sent us. Have a good day! Kind regards Felipe López P. 2015-06-10 1:59 GMT-03:00 Олег Кобелев <na_krul@mail.ru>:
Hello,
"And why is the NAS sending an *IP address* inside of Calling-Station-Id? It's supposed to be a MAC address."
Thats default behavior for Cisco WLC. Configure WLC as follows: config radius callStationIdType macaddr to receive MAC address instead of IP.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 10, 2015, at 10:08 AM, Felipe Lopez Placencio <felipe.lopez@pucv.cl> wrote:
Finally we solve it! :)
In the ldap.attrmap file, we commented the next line of LDAP attribute:
#checkItem Simultaneous-Use radiusSimultaneousUse
After that, the Simultaneous-Use started to work fine.
Which means you were never setting Simultaneous-Use before. Alan DeKok.
Hi Felipe, are you using sql for simultaneous-user ? I have configured sql+freeradius for simualtaneous-use, it works all good for individual WAP for WAP are under WLC it does not work at all. just wanted to know your implementation K On 06/10/2015 02:08 PM, Felipe Lopez Placencio wrote: > Finally we solve it! :) > > In the ldap.attrmap file, we commented the next line of LDAP attribute: > > #checkItem Simultaneous-Use radiusSimultaneousUse > > After that, the Simultaneous-Use started to work fine. > > Thanks a lot for all the answers and helps that you sent us. > > Have a good day! > > Kind regards > Felipe López P. > > 2015-06-10 1:59 GMT-03:00 Олег Кобелев <na_krul@mail.ru>: > >> Hello, >> >> "And why is the NAS sending an *IP address* inside of Calling-Station-Id? >> It's supposed to be a MAC address." >> >> Thats default behavior for Cisco WLC. >> Configure WLC as follows: >> config radius callStationIdType macaddr to receive MAC address instead of >> IP. >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
Alan Buxey -
Alan DeKok -
Felipe Lopez Placencio -
Herwin Weststrate -
Khapare Joshi -
Олег Кобелев