Authenticating users on LDAP based on Group name
Jose Torres-Berrocal
jetsystemservices at gmail.com
Wed Apr 22 05:31:10 CEST 2015
Debug output using group options:
radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built
on Sep 29 2014 at 22:08:50
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/wimax
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/always
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/cache
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/checkval
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/
detail.example.com
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail.log
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/digest
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/etc_group
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/expiration
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/files
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/ippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/linelog
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/logintime
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mschap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/passwd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/policy
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/radrelay
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/redis
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/rediswho
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/replicate
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/smsotp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sql_log
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql.conf
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf
including files in directory
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
main {
allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/pbi/freeradius-i386"
localstatedir = "/var"
sbindir = "/usr/pbi/freeradius-i386/sbin"
logdir = "/var/log"
run_dir = "/var/run"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
msg_badpass = ""
msg_goodpass = ""
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client squid {
ipaddr = 192.168.56.1
require_message_authenticator = no
secret = "squid4030"
shortname = "squid"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/expr
Module: Linked to module rlm_counter
Module: Instantiating module "daily" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter daily {
filename = "/var/log/radacct/timecounter/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset
1429675200 [2015-04-22 00:00:00]
Module: Instantiating module "weekly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter weekly {
filename = "/var/log/radacct/timecounter/db.weekly"
key = "User-Name"
reset = "weekly"
count-attribute = "Acct-Session-Time"
counter-name = "Weekly-Session-Time"
check-name = "Max-Weekly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Weekly-Session-Time is number 11275
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset
1430020800 [2015-04-26 00:00:00]
Module: Instantiating module "monthly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter monthly {
filename = "/var/log/radacct/timecounter/db.monthly"
key = "User-Name"
reset = "monthly"
count-attribute = "Acct-Session-Time"
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Monthly-Session-Time is number 11277
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset
1430452800 [2015-05-01 00:00:00]
Module: Instantiating module "forever" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter forever {
filename = "/var/log/radacct/timecounter/db.forever"
key = "User-Name"
reset = "never"
count-attribute = "Acct-Session-Time"
counter-name = "Forever-Session-Time"
check-name = "Max-Forever-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Forever-Session-Time is number 11279
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 0
[2015-04-21 23:00:00]
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?�(rlm_logintime
modules {
Module: Creating Auth-Type = MOTP
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = LDAP
Module: Creating Autz-Type = Status-Server
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Instantiating module "motp" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/motp
exec motp {
wait = yes
program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh
%{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret}
%{reply:MOTP-PIN} %{reply:MOTP-Offset}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap
ldap {
server = "jetsms-srv2003.jetdom.local"
port = 389
password = "Tramontane10520"
expect_password = yes
identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem"
cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/"
certfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt"
keyfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key"
randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
require_cert = "never"
}
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x28516580
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/usr/pbi/freeradius-i386/etc/raddb/eap.conf
eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs"
pem_file_type = yes
private_key_file =
"/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem"
certificate_file =
"/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem"
CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem"
private_key_password = "whatever"
dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh"
random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups"
hints = "/usr/pbi/freeradius-i386/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Instantiating module "ntdomain" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/files
files {
usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users"
acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users"
preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file
/usr/pbi/freeradius-i386/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "lamp.jetdom.local"
port = "3306"
login = "radius"
password = "radpass"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime
<= '%S'"
accounting_update_query = " UPDATE radacct SET
framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}', acctinputoctets
= '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username = '%{SQL-User-Name}'
AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctsessiontime, acctauthentic,
connectinfo_start, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',
INTERVAL (%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET
acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}'
AND username = '%{SQL-User-Name}' AND nasipaddress
= '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}'
AND username = '%{SQL-User-Name}' AND
nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm, nasipaddress,
nasportid, nasporttype, acctstarttime, acctstoptime,
acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause,
servicetype, framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0})
SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{Connect-Info}',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,
callingstationid, framedprotocol
FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at lamp.jetdom.local:3306/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Module: Linked to module rlm_checkval
Module: Instantiating module "checkval" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "datacounterdaily" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterdaily {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} daily %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterweekly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterweekly {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} weekly %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacountermonthly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacountermonthly {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} monthly %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterforever" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterforever {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} forever %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.post-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.56.1
port = 1812
}
listen {
type = "acct"
ipaddr = 192.168.56.1
port = 1813
}
Listening on authentication address 192.168.56.1 port 1812
Listening on accounting address 192.168.56.1 port 1813
Listening on proxy address 192.168.56.1 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 5829, id=1,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
[ldap] performing search in
CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter
(cn=InternetAccess)
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'administrator' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'administrator' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
expand: ->
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group post-auth {
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
[sql] expand: %{User-Password} -> jet10520b
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
+++[sql] = ok
++} # policy redundant = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 1 to 192.168.56.1 port 5829
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +71
Ready to process requests.
On Tue, Apr 21, 2015 at 9:44 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 21, 2015, at 12:07 AM, Jose Torres-Berrocal <
> jetsystemservices at gmail.com> wrote:
> > I noticed that my problem is that when using group options I get
> authorized
> > successfully but does not get authenticated (Using Compare Check Items =
> No
> > results in Access-Accept). When not using group options I get authorized
> > and authenticated successfully.
>
> So... what does the debug output say? You posted the configuration
> files, which aren't necessary, and don't help.
>
> > Is there a way to do a two pass process? If I could run the first pass
> > without group options and the second pass if authenticated run with group
> > options, I will get my desired result.
>
> The correct solution is to fix your policies. They're wrong now. It's
> best to understand *why* they're wrong, and fix the problem.
>
> > By the way I found how to run in debug mode in pfsense and do some
> custome
> > changes in the Users.conf file.
>
> Then post the debug output here.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list