radpostauth sql logging of bad passwords
Guy Fraser
guy at incentre.net
Fri Apr 17 18:05:23 CEST 2009
On 2009-Apr-17, at 03:08, Alan DeKok wrote:
> Guy Fraser wrote:
>> I have installed :
>> "radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1,
>> built on Feb 26 2009 at 15:47:46"
>>
>> I have not been able figure out how to get it to log failed
>> authentication attempts
>> into the radpostauth sql table, like I had it working in Version 1.
>
> What do you mean by that?
>
> Q: "I tried to do stuff, but it didn't work".
> A: Huh?
>
I thought this would be enough to make it log failed authentications :
log {
destination = files
file = ${logdir}/radius.log
requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y
%m%d.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
Here is the recursive, uncommented and redacted configuration :
-------
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.3
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 1645
}
listen {
ipaddr = *
port = 1646
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y
%m%d.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
#start : proxy.conf#
proxy server {
default_fallback = no
}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1645
secret = XXXXXXX
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm LOCAL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
realm domain.net {
type = radius
authhost = LOCAL
accthost = LOCAL
}
realm customer.com {
type = radius
authhost = x.x.x.x:1645
accthost = x.x.x.x:1646
secret = XXXXXXX
nostrip
}
...
#end#
$INCLUDE clients.conf
#start : clients.conf#
client localhost {
ipaddr = 127.0.0.1
secret = XXXXXXX
require_message_authenticator = no
nastype = other
}
#end#
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
#start : modules/*#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
attr_rewrite sanecallerid {
attribute = Called-Station-Id
searchin = packet
searchfor = "[+ ]"
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 10
append = no
}
chap {
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
header = "%t"
}
detail detail.example.com {
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
suppress {
User-Password
}
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
detail pre_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
detailperm = 0600
}
detail post_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m
%d
detailperm = 0600
}
digest {
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
shell_escape = yes
}
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}
exec {
wait = no
input_pairs = request
shell_escape = yes
output = none
}
expiration {
reply-message = "Password Has Expired\r\n"
}
expr {
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
eap inner-eap {
default_eap_type = mschapv2
timer_expire = 60
max_sessions = 2048
md5 {
}
gtc {
auth_type = PAP
}
mschapv2 {
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
}
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = no
maximum-timeout = 0
}
krb5 {
keytab = /path/to/keytab
service_principal = name_of_principle
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
linelog {
filename = ${logdir}/linelog
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
Access-Request = "Requested access: %{User-Name}"
Access-Reject = "Rejected access: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
foo {
bar = "Example log. Please ignore"
}
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %
{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %
{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-
Session-Time} seconds"
Alive = ""
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
unknown = ""
}
}
logintime {
reply-message = "You are calling outside your allowed timespan\r\n"
minimum-timeout = 60
}
passwd mac2ip {
filename = ${confdir}/mac2ip
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}
passwd mac2vlan {
filename = ${confdir}/mac2vlan
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}
mschap {
}
pam {
pam_auth = radiusd
}
pap {
auto_header = no
}
perl {
module = ${confdir}/example.pl
}
policy {
filename = ${confdir}/policy.txt
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
realm IPASS {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
realm ntdomain {
format = prefix
delimiter = "\\"
}
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}
sql_log {
path = "${radacctdir}/sql-relay"
acct_table = "radacct"
postauth_table = "radpostauth"
sql_user_name = "%{%{User-Name}:-DEFAULT}"
Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '%S', '0', '0', '');"
Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
'%{Acct-Terminate-Cause}');"
Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
Post-Auth = "INSERT INTO ${postauth_table} \
(username, pass, reply, authdate) VALUES \
('%{User-Name}', '%{User-Password:-Chap-Password}', \
'%{reply:Packet-Type}', '%S');"
}
sqlcounter expire_on_login {
counter-name = Expire-After-Initial-Login
check-name = Expire-After
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
FROM radacct \
WHERE UserName='%{%k}' \
ORDER BY acctstarttime \
LIMIT 1;"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
unix {
radwtmp = ${logdir}/radwtmp
}
wimax {
}
#end#
$INCLUDE sql.conf
#start : sql.conf#
sql {
database = "postgresql"
driver = "rlm_sql_${database}"
server = "X.X.X.X"
port = 5432
login = "radius"
password = "XXXXXXXX"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = no
sqltrace = yes
sqltracefile = ${logdir}/radacct/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
readclients = yes
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
#start : sql/postgresql/dialup.conf#
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
nas_query = "SELECT id, nasname, shortname, type, secret FROM $
{nas_table}"
authorize_check_query = "SELECT ${authcheck_table}.id, $
{authcheck_table}.UserName, ${authcheck_table}.Attribute, $
{authcheck_table}.Value, ${authcheck_table}.Op \
FROM ${authcheck_table} , ${usergroup_table}\
WHERE ${authcheck_table}.Username = '%{SQL-User-Name}' \
AND ${usergroup_table}.UserName = '%{SQL-User-Name}'\
AND ${usergroup_table}.Priority != '-1'\
ORDER BY id"
authorize_reply_query = "SELECT ${authreply_table}.id, $
{authreply_table}.UserName, ${authreply_table}.Attribute, $
{authreply_table}.Value, ${authreply_table}.Op \
FROM ${authreply_table} , ${usergroup_table}\
WHERE ${authreply_table}.Username = '%{SQL-User-Name}' \
AND ${usergroup_table}.UserName = '%{SQL-User-Name}'\
AND ${usergroup_table}.Priority != '-1'\
ORDER BY id"
authorize_group_check_query = "SELECT ${groupcheck_table}.id, $
{groupcheck_table}.GroupName, ${groupcheck_table}.Attribute, $
{groupcheck_table}.Value, ${groupcheck_table}.op \
FROM ${groupcheck_table} , ${usergroup_table}\
WHERE ${groupcheck_table}.GroupName = '%{Sql-Group}' \
ORDER BY id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id, $
{groupreply_table}.GroupName, ${groupreply_table}.Attribute, $
{groupreply_table}.Value, ${groupreply_table}.op \
FROM ${groupreply_table} , ${usergroup_table}\
WHERE ${groupreply_table}.GroupName = '%{Sql-Group}' \
ORDER BY id"
accounting_onoff_query = "UPDATE ${acct_table1} \
SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-
Time}:-0}'::interval), \
AcctSessionTime = (EXTRACT(EPOCH FROM ('%S'::timestamp with time
zone - AcctStartTime::timestamp with time zone \
- '%{%{Acct-Delay-Time}:-0}'::interval)))::BIGINT, \
AcctTerminateCause = '%{Acct-Terminate-Cause}', \
AcctStopDelay = 0 \
WHERE AcctStopTime IS NULL \
AND NASIPAddress= '%{NAS-IP-Address}' \
AND AcctStartTime <= '%S'::timestamp"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
AcctSessionTime = '%{Acct-Session-Time}', \
AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32)
+ '%{%{Acct-Input-Octets}:-0}'::bigint), \
AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint <<
32) + '%{%{Acct-Output-Octets}:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-
User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
accounting_update_query_alt = "INSERT INTO ${acct_table1} \
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
NASPortId, NASPortType, AcctStartTime, \
AcctSessionTime, AcctAuthentic, AcctInputOctets, \
AcctOutputOctets, CalledStationId, CallingStationId, \
ServiceType, FramedProtocol, FramedIPAddress, XAscendSessionSvrKey) \
VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', \
%{%{NAS-Port}:-NULL}::integer, '%{NAS-Port-Type}', \
('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-
Session-Time}:-0}'::interval), \
'%{Acct-Session-Time}', '%{Acct-Authentic}', \
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-
Octets}:-0}'::bigint), \
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-
Output-Octets}:-0}'::bigint), \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
NULLIF('%{Framed-IP-Address}', '')::inet, '%{X-Ascend-Session-Svr-
Key}')"
accounting_start_query = "INSERT INTO ${acct_table1} \
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, \
FramedProtocol, FramedIPAddress, AcctStartDelay,
XAscendSessionSvrKey) \
VALUES('%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', \
NULLIF('%{Realm}', ''), \
'%{NAS-IP-Address}', \
%{%{NAS-Port}:-NULL}::integer, \
'%{NAS-Port-Type}', \
('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
'%{Acct-Authentic}', \
'%{Connect-Info}', \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'%{Service-Type}', \
'%{Framed-Protocol}', \
NULLIF('%{Framed-IP-Address}', '')::inet, \
0, \
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = "UPDATE ${acct_table1} \
SET AcctStartTime = ('%S'::timestamp - '%{%{Acct-Delay-
Time}:-0}'::interval), \
AcctStartDelay = 0, \
ConnectInfo_start = '%{Connect-Info}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' \
AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress = '%{NAS-IP-Address}' \
AND AcctStopTime IS NULL"
accounting_stop_query = "UPDATE ${acct_table2} \
SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-
Time}:-0}'::interval), \
AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \
(EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE -
AcctStartTime::TIMESTAMP WITH TIME ZONE \
- '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT ELSE '%{Acct-
Session-Time}' END, \
AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32)
+ '%{%{Acct-Input-Octets}:-0}'::bigint), \
AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint <<
32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
AcctTerminateCause = '%{Acct-Terminate-Cause}', \
AcctStopDelay = 0, \
FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
ConnectInfo_stop = '%{Connect-Info}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' \
AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress = '%{NAS-IP-Address}' \
AND AcctStopTime IS NULL"
accounting_stop_query_alt = "INSERT INTO ${acct_table2} \
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, \
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStopDelay) \
values('%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', \
NULLIF('%{Realm}', ''), \
'%{NAS-IP-Address}', \
%{%{NAS-Port}:-NULL}::integer, \
'%{NAS-Port-Type}', \
('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-
Session-Time}:-0}'::interval), \
('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
NULLIF('%{Acct-Session-Time}', '')::bigint, '%{Acct-Authentic}', \
'%{Connect-Info}', \
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-
Octets}:-0}'::bigint), \
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-
Output-Octets}:-0}'::bigint), \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'%{Acct-Terminate-Cause}', \
'%{Service-Type}', \
'%{Framed-Protocol}', \
NULLIF('%{Framed-IP-Address}', '')::inet, 0)"
group_membership_query = "SELECT GroupName FROM ${usergroup_table}
WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
postauth_query = "INSERT INTO ${postauth_table} (username, pass,
reply, authdate) \
VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%
{reply:Packet-Type}', NOW())"
#end#
}
#end#
$INCLUDE sql/postgresql/counter.conf
#start : sql/postgresql/counter.conf#
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
}
sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{%k}'"
}
#end#
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
#start : policy.conf#
policy {
forbid_eap {
if (EAP-Message) {
reject
}
}
permit_only_eap {
if (!EAP-Message) {
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
}
#end#
$INCLUDE sites-enabled/
#start : sites-enabled/default#
authorize {
preprocess
auth_log
suffix
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
daily
sql
sql_log
attr_filter.accounting_response
}
session {
sql
}
post-auth {
reply_log
sql
sql_log
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
attr_filter.pre-proxy
pre_proxy_log
}
post-proxy {
post_proxy_log
attr_filter.post-proxy
}
#end#
-------
The configuration has changed significantly since I last contributed
to this project.
--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
More information about the Freeradius-Users
mailing list