Checkval weird issue with LDAP backend and PAM authentication
marco
marco at marcolinux.it
Tue Nov 23 01:19:42 CET 2010
Hi,
I'm facing this issue in configuring radius: I'm developing a GPLv3 script that will easily set up a whole Linux server with lots of useful services (NTP, DHCP, DNS with DDNS update to DHCP, MIT-Kerberos, OpenLDAP (Kerberized), FreeRadius, MySQL, Apache, ProFTP, SQUID, Samba (Kerberized), Appletalk File Protocol, Postfix and Dovecot (also with public and shared folders), roundcube webmail, LDAP Addressbook, PPTP and L2TP over IPSec VPNs, Egroupware). And it works with SELinux enabled. The script is quite mature (it is named ECK - you can download it from sourceforge if you want to). It can install almost everything mentioned above, and they could even work ;O) - I've started the development of a GTKmm-based GUI that will easily administer almost everything (although I have not published the GUI yet - the app is stable, but I've just finished the user manager, so I have a lot more work to do before I have something to publish).
And now the trouble with freeradius: I'd like to have most of the services with Radius-based authentication - I think this will let me have a better logging system, especially to trace sessions. As for authentication, everything works fine.
But I also want to do authorization: I mean that I want to allow the services FTP, VPN, Apache userdirs, Squid proxy, etc. on a per-user basis. I started with proftpd with mod_radius:
the idea is to use the checkval module to catch the NAS-Identifier parameter that the proftpd module sets to "ftp".
here is an example request:
rad_recv: Access-Request packet from host 127.0.0.1:9409, id=74, length=93
User-Name = "testuser"
User-Password = "test1Test"
NAS-Identifier = "ftp"
NAS-Port = 21
NAS-Port-Type = Virtual
Calling-Station-Id = "::ffff:127.0.0.1"
Service-Type = 0x0000000100000000
I inserted the following lines in my radiusd.conf:
checkval NAS{
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject=yes
}
and added "NAS" in the authorize section
authorize {
...
NAS
...
}
I also updated ldap.attrmap inserting the following line
checkItem NAS-Identifier eckAllowedServices
and obviously extended the LDAP schema (eck.schema)
attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices))
The script creates 2 users: Administrator - that is actually an administrator, and testuser. In my test environment I added 2 eckAllowedServices attributes to testuser (ftp and httpproxy) and left Administrator without the eckAllowedServices attribute.
And now the weird issue: checkval is able to realize that testuser has the ftp attribute
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'DC=marcolinux,DC=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local/wRtEYnd3sGkEa.Y4 to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=marcolinux,DC=local, with filter (uid=testuser)
rlm_ldap: checking if remote access for testuser is allowed by dialupAccess
rlm_ldap: Added password AB39C1761CF4947661DAB7AF9849A61E in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value ftp & op=21
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value httpProxy & op=21
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value AB39C1761CF4947661DAB7AF9849A61E & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value pam & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding FTPQuotaFilesTransferred as ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, value 50 & op=11
rlm_ldap: Adding FTPQuotaBytesTransferred as ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, value 200 & op=11
rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, value FALSE & op=11
rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value soft & op=11
rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Value Name: NAS-Identifier, Value: ftp
  modcall[authorize]: module "NAS" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string for pam.conf lookup
pam_pass: authentication succeeded for <testuser>
  modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
and that Administrator doesn't
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
  modcall[authorize]: module "NAS" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password: Found Auth-Type pam
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
pam_pass: using pamauth string for pam.conf lookup
pam_pass: authentication succeeded for <Administrator>
  modcall[authenticate]: module "pam" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
  Processing the post-auth section of radiusd.conf
but I always get both of them authorized. How is it possible? What did I do wrong? Why does freeradius go on to the authenticate section although the checkval module "NAS" returned notfound? I'm sure I made some kind of mistake, but I really am not able to find it. For days now I've been googling around and getting quite crazy - I hope that someone of you may help me. Thank you very much
Marco Carcano
Configuration files
########################RADIUSD.CONF###############################
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
$INCLUDE ${confdir}/eap.conf
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
}
ldap {
server = "127.0.0.1"
identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local"
password = wRtEYnd3sGkEa.Y4
basedn = "DC=marcolinux,DC=local"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = sambaNTPassword
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\"
ignore_default = no
ignore_null = no
}
checkval NAS{
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject=yes
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.150
range-stop = 192.168.1.199
netmask = 255.255.255.0
cache-size = 800
session-db = ${localstatedir}/lib/raddb/db.ippool
ip-index = ${localstatedir}/lib/raddb/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
ldap
NAS
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
pam
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
radutmp
main_pool
sql
}
session {
radutmp
}
post-auth {
main_pool
}
pre-proxy {
}
post-proxy {
eap
}
##########################USERS################################
DEFAULT Auth-Type = pam
Fall-Through = 1
DEFAULT Service-Type == Framed-User
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
DEFAULT Pool-Name := main_pool
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
##################radiusd -X -f output ##############
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
ldap: server = "127.0.0.1"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "wRtEYnd3sGkEa.Y4"
ldap: basedn = "DC=marcolinux,DC=local"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "sambaNTPassword"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP eckAllowedServices mapped to RADIUS NAS-Identifier
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP uidNumber mapped to RADIUS ArticaECK-FTP-UID
rlm_ldap: LDAP gidNumber mapped to RADIUS ArticaECK-FTP-GID
rlm_ldap: LDAP homeDirectory mapped to RADIUS ArticaECK-FTP-Home
rlm_ldap: LDAP loginShell mapped to RADIUS ArticaECK-FTP-Shell
rlm_ldap: LDAP FTPQuotaLimitType mapped to RADIUS ArticaECK-FTP-Quota-Limit-Type
rlm_ldap: LDAP FTPQuotaIsPerSession mapped to RADIUS ArticaECK-FTP-Quota-Is-Per-Session
rlm_ldap: LDAP FTPQuotaBytesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Incoming
rlm_ldap: LDAP FTPQuotaBytesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Outgoing
rlm_ldap: LDAP FTPQuotaBytesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Transferred
rlm_ldap: LDAP FTPQuotaFilesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Files-Incoming
rlm_ldap: LDAP FTPQuotaFilesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Files-Outgoing
rlm_ldap: LDAP FTPQuotaFilesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Files-Transferred
conns: 0x2afd23ec69b0
Module: Instantiated ldap (ldap)
Module: Loaded checkval
checkval: item-name = "NAS-Identifier"
checkval: check-name = "NAS-Identifier"
checkval: data-type = "string"
checkval: notfound-reject = yes
rlm_checkval: Registered name NAS-Identifier for attribute 32
Module: Instantiated checkval (NAS)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded IPPOOL
ippool: session-db = "/var/lib/raddb/db.ippool"
ippool: ip-index = "/var/lib/raddb/db.ipindex"
ippool: range-start = 192.168.1.150 IP address [192.168.1.150]
ippool: range-stop = 192.168.1.199 IP address [192.168.1.199]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 800
ippool: override = no
ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "FreeRADIUS"
sql: password = "wRtEYnd3sGkEa.Y4"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/var/log/radius/sqltrace.sql"
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to FreeRADIUS at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
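An added illustration, not part of Marco's post and not FreeRADIUS code: a small Python model of what the two debug traces above show, i.e. rlm_ldap copying eckAllowedServices into check pairs named NAS-Identifier, the checkval "NAS" instance comparing the request's NAS-Identifier against them, and the authorize group combining the module results. It assumes that checkval returns ok on a match, reject on a mismatch and notfound when no check pair of the configured name exists (the last is what the Administrator trace shows), and that a plain authorize group keeps the highest-priority result using the default priorities (notfound=1, noop=2, ok=3, updated=4) while reject-class codes leave the group at once; the directory entries are constructed to mirror the post.

```python
"""Model of the authorize-section behaviour seen in the debug output above.

Added illustration, not FreeRADIUS code. Assumptions (labelled): checkval
returns ok / reject / notfound as described in the lead-in, and a plain
authorize group keeps the highest-priority module result.
"""
from dataclasses import dataclass, field

# Assumed default priorities of a plain authorize group: the highest result
# seen so far wins, and reject-class results leave the group immediately.
PRIORITY = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4}
RETURN_NOW = {"reject", "fail", "handled", "invalid", "userlock"}

# Constructed directory entries mirroring the post: testuser carries two
# eckAllowedServices values, Administrator carries none.
DIRECTORY = {
    "testuser": {"eckAllowedServices": ["ftp", "httpProxy"]},
    "Administrator": {},
}


@dataclass
class Request:
    attrs: dict                                   # Access-Request attributes
    check: list = field(default_factory=list)     # check pairs (name, value)


def ldap_authorize(req, directory=DIRECTORY):
    """Model of rlm_ldap: copy eckAllowedServices into check pairs under the
    mapped name NAS-Identifier, as the ldap.attrmap line on the page does."""
    entry = directory.get(req.attrs.get("User-Name"))
    if entry is None:
        return "notfound"
    for service in entry.get("eckAllowedServices", []):
        req.check.append(("NAS-Identifier", service))
    return "ok"


def checkval(req, item_name="NAS-Identifier", check_name="NAS-Identifier"):
    """Model of the checkval NAS instance: compare the request attribute
    against every check pair of the configured name."""
    item = req.attrs.get(item_name)
    if item is None:
        return "notfound"           # nothing in the request to compare
    allowed = [v for n, v in req.check if n == check_name]
    if not allowed:
        return "notfound"           # "Could not find attribute ... in check pairs"
    return "ok" if item in allowed else "reject"


def run_authorize(req, modules):
    """Model of modcall running a plain authorize { ... } group; returns the
    group result and the per-module trace."""
    trace, result, best = [], "noop", 0
    for name, module in modules:
        rc = module(req)
        trace.append((name, rc))
        if rc in RETURN_NOW:
            return rc, trace        # reject etc. stop the group at once
        if PRIORITY[rc] > best:     # notfound (1) never beats an earlier ok (3)
            result, best = rc, PRIORITY[rc]
    return result, trace


def authorize_user(username, nas_identifier="ftp", directory=DIRECTORY):
    """Run the page's authorize order (ldap, then NAS) for one request."""
    req = Request({"User-Name": username, "NAS-Identifier": nas_identifier})
    modules = [("ldap", lambda r: ldap_authorize(r, directory)),
               ("NAS", checkval)]
    return run_authorize(req, modules)


def main():
    for user, nas in (("testuser", "ftp"), ("Administrator", "ftp"),
                      ("testuser", "vpn")):
        result, trace = authorize_user(user, nas)
        steps = ", ".join(f"{n} returns {rc}" for n, rc in trace)
        print(f"{user} / NAS-Identifier={nas}: {steps} -> group returns {result}")


if __name__ == "__main__":
    main()
```

In this model only a reject from the NAS instance stops the request; a notfound after ldap's ok is absorbed and the group still returns ok, which is the sequence the Administrator trace shows.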