check MAC Adress with freeradius via openldap
Andreas Viehhauser
andreas.viehhauser at wuestenrot.at
Mon Mar 31 14:33:35 CEST 2008
hi,
i need help to configurate the MAC based authentication.
I use freeradius 1.0.1 and openldap 2.0.27-17. The config from the
HP Switch to the Radius is ok.
In the LDAP there are the MAC Adresses from all my Laptops like "macAdress".
LDAP:
ldapsearch -LL -x -H ldap://atmacldapsr01 -D
cn=Manager,o=wuestenrot,c=at -w secret -b
ou=workstation,o=wuestenrot,c=at macAddress=00:1E:37:1C:5F:D4
wueroRechnername: ATTSBGVARR40
macAddress: 00:06:1B:CA:53:64
I only want that radius check at the LDAP, if the MAC Address
exists. IF the MAC exists go to VLAN 5 else go to VLAN 10.
Have anyone an idea were my problem is??? or an good Howto??
Is it right to make this with the checkval? users File?
Have anyone an example?
Next step, I want to make checks over an extern script? Where to I
activate this feature?
Please help me.
thanks a lot
andi
RADIUS:
[root at atmacradsr01 raddb]# radiusd -Xf
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "yes"
main: lower_pass = "yes"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
ldap: server = "atmacldapsr01"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,o=wuestenrot,c=at"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "secret"
ldap: basedn = "ou=workstation,o=wuestenrot,c=at"
ldap: filter = "(macAddress=%{User-Name})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP macAddress mapped to RADIUS User-Name
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-
AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-
AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-
AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8bb05a8
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/
auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded checkval
checkval: item-name = "User-Name"
checkval: check-name = "macAddress"
checkval: data-type = "string"
checkval: notfound-reject = no
rlm_checkval: Registered name macAddress for attribute 1671
Module: Instantiated checkval (checkval)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/
detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Now I connect an Laptop on the switch and this is shown on the radius:
rad_recv: Access-Request packet from host 192.168.10.1:1024, id=241,length=183
Framed-MTU = 9178
NAS-IP-Address = 192.168.10.1
NAS-Identifier = "MAC-VAR"
User-Name = "00:06:1b:ca:53:64"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-18-fe-e6-36-ef"
Calling-Station-Id = "00-06-1b-ca-53-64"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
CHAP-Password = 0x50eec0218f3e8b36308a4c070b9eca0267
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/192.168.10.1/auth-detail-20080328'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-
detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.1/auth-
detail-20080328
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:06:1b:ca:53:64
radius_xlat: '(macAddress=00:06:1b:ca:53:64)'
radius_xlat: 'ou=workstation,o=wuestenrot,c=at'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to atmacldapsr01:389, authentication 0
rlm_ldap: bind as cn=Manager,o=wuestenrot,c=at/secret to atmacldapsr01:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=workstation,o=wuestenrot,c=at,
with filter (macAddress=00:06:1b:ca:53:64)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding macAddress as User-Name, value 00:06:1B:CA:53:64 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 00:06:1b:ca:53:64 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: User-Name, Value: 00:06:1b:ca:53:64
rlm_checkval: Could not find attribute named macAddress in check pairs
modcall[authorize]: module "checkval" returns notfound for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
Cannot use "CHAP-Password".
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [00:06:1b:ca:53:64] (from client private-network-1
port 17 cli 00-06-1b-ca-53-64)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 241 to 192.168.10.1:1024
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 47eca277
Nothing to do. Sleeping until we see a request.
This are my config Files:
cat ldap.attrmap
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem User-Name macAddress
checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password sambaLMPassword
checkItem NT-Password sambaNTPassword
checkItem SMB-Account-CTRL-TEXT sambaAcctFlags
checkItem Expiration radiusExpiration
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
file: clients.conf: only add my segment
client 192.168.10.0/24 {
secret = testing123-1
shortname = private-network-1
}
file: users: only add LDAP as Auth-Type
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = LDAP
Fall-Through = 1
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
file: radius.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
# hostname_lookups: Log the names of clients or just their IP addresses
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
# allowed values: {no, yes}
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = yes
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
usercollide = no
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
#lower_user = no
#lower_pass = no
lower_user = yes
lower_pass = yes
# nospace_user / nospace_pass:
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
security {
#
max_attributes = 200
reject_delay = 1
status_server = no
}
# PROXY CONFIGURATION
# proxy_requests: Turns proxying of RADIUS requests on or off.
# allowed values: {no, yes}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
# 'snmp' attribute to 'yes'
snmp = no
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
min_spare_servers = 3
max_spare_servers = 10
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
#auskommentiert
#pap {
# encryption_scheme = crypt
#}
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
#aukommentiert
#chap {
# authtype = CHAP
#}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
#pam {
#
#}
#
$INCLUDE ${confdir}/eap.conf
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "atmacldapsr01"
identity = "cn=Manager,o=wuestenrot,c=at"
password = secret
basedn = "ou=workstation,o=wuestenrot,c=at"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter = "(macAddress=%{User-Name})"
#filter = "(macAddress=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#aukommendiert
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username at realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# A simple value checking module
#
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
#item-name = Calling-Station-Id
item-name = User-Name
# The attribute to look for in check items. Can be multi valued
#check-name = Calling-Station-Id
check-name = macAddress
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and authorization.
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th
parentheses
#
# If max_matches is greater than one the backreferences will
correspond to the
# first match
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the
original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
with_ntdomain_hack = no
#
# If you're not running a Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
}
# Create a unique accounting session Id. Many NASes re-use or
# repeat values for Acct-Session-Id, causing no end of
# confusion.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-
Address, NAS-Port"
}
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
#
case_sensitive = yes
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# counter module:
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# The "ALways" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# Execute external programs
#
exec {
wait = yes
programm = "/bin/echo %{User-Name}"
input_pairs = request
}
execok {
rcode = ok
}
#
# This is a more general example of the execute module.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
#
output_pairs = reply
#
#
#packet_type = Access-Accept
}
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
*********
#
ippool main_pool {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a Framed-IP-Address already set
override = no
# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
#chap
#
# If the users are logging in with an MS-CHAP-Challenge
#mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# suffIx
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#auskommentiert
#eap
#
# Read the 'users' file
#auskommentiert
#files
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
##auskommentiert
checkval
}
# Authentication.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
Auth-Type LDAP {
#exec
ldap
}
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
detail
# daily
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Querie" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log
#
# After authenticating the user, do another SQL qeury.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Access-Reject packets are sent through the REJECT sub-section
# of the post-auth section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
#
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# pre_proxy_log
}
#
post-proxy {
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
#
eap
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080331/80a397a1/attachment.html>
More information about the Freeradius-Users
mailing list