Evaluate Ldap-Group and SSID for WiFi authorization
Adam Cage
adamcage27 at gmail.com
Wed Sep 6 15:40:33 CEST 2017
Dear Alan, I've followed your advice (or wath I think you want to tell me)
bu I fail again, I obtain the error WARNING: Unknown module "sql" in string
expansion "%". I will describe briefly what I did, in order you can guide
me again please:
1) radiusd.conf --> I uncomment $INCLUDE sql.conf
2) sql.conf --> I define mysql, IP, port, database
3) default --> just unlang SQL
authorize {
# sql (comment out)
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTROS WHERE MacAddress =
'%{Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
4)- inner-tunnel --> just unlang SQL
authorize {
# sql (comment out)
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTROS WHERE MacAddress =
'%{outer.request:Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
And finallly the debug output show me:
WARNING: Unknown module "sql" in string expansion "%"
? Evaluating ("%{sql:SELECT COUNT(MacAddress) FROM FILTROS WHERE MacAddress
= '%{Calling-Station-Id}'}" > 0) -> FALSE
Thanks again!!!
ADAM
2017-09-05 13:53 GMT-03:00 Alan Buxey <alan.buxey at gmail.com>:
> Hi
>
> You've enabled the SQL module but that then activates the default
> conditional modules, you want to comment out the SQL (well, -sql) in the
> authorize etc sections and only use your unlang SQL
>
> This may mean that you need to add SQL to the instantiate section of the
> radiusd.conf main file
>
> alan
>
> On 5 Sep 2017 5:29 pm, "Adam Cage" <adamcage27 at gmail.com> wrote:
>
> Dear Alan and people, I tell you again I succeeded in authorize with LDAP
> and authenticate against AD. But when I add the SQL authorization check to
> the existing LDAP check, I fail. I've followed Alan's suggestion, and I did
> these settings:
>
> 1- Installed the freeradius-mysql Debian package
> 2- Edited /etc/freeradius/sql.conf with the remote DB MySQL parameters (IP,
> user, pass, DB name, port). When I start Freeradius, and I execute tcpdump,
> I can see traffic to the remote DB on port 3306)
> 3- Uncommented $INCLUDE sql.conf in /etc/freeradius/radiusd.conf
> 4- Edited /etc/freeradius/sites-available/default file in this manner:
> authorize {
> if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
> "%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
> '%{Calling-Station-Id}'}" > 0) {
> update reply {
> Reply-Message = "Access enabled to WiFi"
> }
> ok
> }
> else {
> reject
> }
> }
> 5- Edited /etc/freeradius/sites-available/inner-tunnel file in this
> manner:
> authorize {
> if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
> "%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
> '%{outer.request:Calling-Station-Id}'}" > 0) {
> update reply {
> Reply-Message = "Access enabled to WiFi"
> }
> ok
> }
> else {
> reject
> }
> }
>
> Finally, the debug is this....Can you help me please ??? Thanks!!!
>
> # freeradius -X
> freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built
> on Oct 24 2014 at 02:05:28
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/modules/
> including configuration file /etc/freeradius/modules/realm
> including configuration file /etc/freeradius/modules/dhcp_sqlippool
> including configuration file /etc/freeradius/modules/policy
> including configuration file /etc/freeradius/modules/ntlm_auth
> including configuration file /etc/freeradius/modules/passwd
> including configuration file /etc/freeradius/modules/cache
> including configuration file /etc/freeradius/modules/checkval
> including configuration file /etc/freeradius/modules/echo
> including configuration file /etc/freeradius/modules/detail.log
> including configuration file /etc/freeradius/modules/dynamic_clients
> including configuration file /etc/freeradius/modules/detail.example.com
> including configuration file /etc/freeradius/modules/radrelay
> including configuration file /etc/freeradius/modules/preprocess
> including configuration file /etc/freeradius/modules/linelog
> including configuration file /etc/freeradius/modules/unix
> including configuration file /etc/freeradius/modules/attr_rewrite
> including configuration file /etc/freeradius/modules/logintime
> including configuration file /etc/freeradius/modules/detail
> including configuration file /etc/freeradius/modules/sql_log
> including configuration file /etc/freeradius/modules/smbpasswd
> including configuration file /etc/freeradius/modules/expiration
> including configuration file /etc/freeradius/modules/wimax
> including configuration file /etc/freeradius/modules/smsotp
> including configuration file /etc/freeradius/modules/chap
> including configuration file /etc/freeradius/modules/pam
> including configuration file /etc/freeradius/modules/sradutmp
> including configuration file /etc/freeradius/modules/soh
> including configuration file /etc/freeradius/modules/acct_unique
> including configuration file /etc/freeradius/modules/replicate
> including configuration file /etc/freeradius/modules/otp
> including configuration file /etc/freeradius/modules/counter
> including configuration file /etc/freeradius/modules/etc_group
> including configuration file /etc/freeradius/modules/exec
> including configuration file /etc/freeradius/modules/redis
> including configuration file /etc/freeradius/modules/perl
> including configuration file /etc/freeradius/modules/ldap
> including configuration file /etc/freeradius/modules/files
> including configuration file /etc/freeradius/modules/krb5
> including configuration file
> /etc/freeradius/modules/sqlcounter_expire_on_login
> including configuration file /etc/freeradius/modules/inner-eap
> including configuration file /etc/freeradius/modules/mac2ip
> including configuration file /etc/freeradius/modules/cui
> including configuration file /etc/freeradius/modules/mac2vlan
> including configuration file /etc/freeradius/modules/digest
> including configuration file /etc/freeradius/modules/radutmp
> including configuration file /etc/freeradius/modules/rediswho
> including configuration file /etc/freeradius/modules/ippool
> including configuration file /etc/freeradius/modules/always
> including configuration file /etc/freeradius/modules/mschap
> including configuration file /etc/freeradius/modules/expr
> including configuration file /etc/freeradius/modules/attr_filter
> including configuration file /etc/freeradius/modules/pap
> including configuration file /etc/freeradius/modules/opendirectory
> including configuration file /etc/freeradius/eap.conf
> including configuration file /etc/freeradius/sql.conf
> including configuration file /etc/freeradius/policy.conf
> including files in directory /etc/freeradius/sites-enabled/
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/default
> main {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> including dictionary file /etc/freeradius/dictionary
> main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> allow_vulnerable_openssl = no
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> require_message_authenticator = yes
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "testing123"
> nastype = "other"
> }
> client 10.12.1.1 {
> require_message_authenticator = no
> secret = "xxxxx"
> shortname = "WLC"
> nastype = "cisco"
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file
> /etc/freeradius/modules/expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file
> /etc/freeradius/modules/logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
> radiusd: #### Loading Virtual Servers ####
> server { # from file ?
> modules {
> Module: Creating Auth-Type = digest
> Module: Creating Auth-Type = ntlm_auth
> Module: Creating Post-Auth-Type = REJECT
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file
> /etc/freeradius/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-COMPANY}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-
> Response:-00}"
> allow_retry = yes
> }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file
> /etc/freeradius/modules/digest
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
> unix {
> radwtmp = "/var/log/freeradius/radwtmp"
> }
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 1024
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> CA_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/server.key"
> certificate_file = "/etc/freeradius/certs/server.pem"
> CA_file = "/etc/freeradius/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/etc/freeradius/certs/dh"
> random_file = "/dev/urandom"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command = "/etc/freeradius/certs/bootstrap"
> ecdh_curve = "prime256v1"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> Module: Instantiating module "ntlm_auth" from file
> /etc/freeradius/modules/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY
> --username=%{mschap:User-Name} --password=%{User-Password}"
> input_pairs = "request"
> shell_escape = yes
> }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file
> /etc/freeradius/modules/preprocess
> preprocess {
> huntgroups = "/etc/freeradius/huntgroups"
> hints = "/etc/freeradius/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/freeradius/huntgroups
> reading pairlist file /etc/freeradius/hints
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file
> /etc/freeradius/modules/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file
> /etc/freeradius/modules/files
> files {
> usersfile = "/etc/freeradius/users"
> acctusersfile = "/etc/freeradius/acct_users"
> preproxy_usersfile = "/etc/freeradius/preproxy_users"
> compat = "no"
> }
> reading pairlist file /etc/freeradius/users
> reading pairlist file /etc/freeradius/acct_users
> reading pairlist file /etc/freeradius/preproxy_users
> Module: Linked to module rlm_sql
> Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
> sql {
> driver = "rlm_sql_mysql"
> server = "172.31.18.19"
> port = "3306"
> login = "usrFiltradoMac"
> password = "xxxx"
> radius_db = "filtromac"
> read_groups = yes
> sqltrace = no
> sqltracefile = "/var/log/freeradius/sqltrace.sql"
> readclients = no
> deletestalesessions = yes
> num_sql_socks = 32
> lifetime = 0
> max_queries = 0
> sql_user_name = ""
> default_user_profile = ""
> nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
> authorize_check_query = ""
> authorize_group_check_query = ""
> authorize_group_reply_query = ""
> accounting_onoff_query = ""
> accounting_update_query = ""
> accounting_update_query_alt = ""
> accounting_start_query = ""
> accounting_start_query_alt = ""
> accounting_stop_query = ""
> accounting_stop_query_alt = ""
> connect_failure_retry_delay = 60
> simul_count_query = ""
> simul_verify_query = ""
> postauth_query = ""
> safe-characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
> linked
> rlm_sql (sql): Attempting to connect to
> usrFiltradoMac at 172.31.28.79:3306/filtromac
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> rlm_sql (sql): starting 5
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
> rlm_sql_mysql: Starting connect to MySQL server for #5
> rlm_sql (sql): Connected new DB handle, #5
> rlm_sql (sql): starting 6
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
> rlm_sql_mysql: Starting connect to MySQL server for #6
> rlm_sql (sql): Connected new DB handle, #6
> rlm_sql (sql): starting 7
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
> rlm_sql_mysql: Starting connect to MySQL server for #7
> rlm_sql (sql): Connected new DB handle, #7
> rlm_sql (sql): starting 8
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
> rlm_sql_mysql: Starting connect to MySQL server for #8
> rlm_sql (sql): Connected new DB handle, #8
> rlm_sql (sql): starting 9
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
> rlm_sql_mysql: Starting connect to MySQL server for #9
> rlm_sql (sql): Connected new DB handle, #9
> rlm_sql (sql): starting 10
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
> rlm_sql_mysql: Starting connect to MySQL server for #10
> rlm_sql (sql): Connected new DB handle, #10
> rlm_sql (sql): starting 11
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
> rlm_sql_mysql: Starting connect to MySQL server for #11
> rlm_sql (sql): Connected new DB handle, #11
> rlm_sql (sql): starting 12
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
> rlm_sql_mysql: Starting connect to MySQL server for #12
> rlm_sql (sql): Connected new DB handle, #12
> rlm_sql (sql): starting 13
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
> rlm_sql_mysql: Starting connect to MySQL server for #13
> rlm_sql (sql): Connected new DB handle, #13
> rlm_sql (sql): starting 14
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
> rlm_sql_mysql: Starting connect to MySQL server for #14
> rlm_sql (sql): Connected new DB handle, #14
> rlm_sql (sql): starting 15
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
> rlm_sql_mysql: Starting connect to MySQL server for #15
> rlm_sql (sql): Connected new DB handle, #15
> rlm_sql (sql): starting 16
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
> rlm_sql_mysql: Starting connect to MySQL server for #16
> rlm_sql (sql): Connected new DB handle, #16
> rlm_sql (sql): starting 17
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
> rlm_sql_mysql: Starting connect to MySQL server for #17
> rlm_sql (sql): Connected new DB handle, #17
> rlm_sql (sql): starting 18
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
> rlm_sql_mysql: Starting connect to MySQL server for #18
> rlm_sql (sql): Connected new DB handle, #18
> rlm_sql (sql): starting 19
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
> rlm_sql_mysql: Starting connect to MySQL server for #19
> rlm_sql (sql): Connected new DB handle, #19
> rlm_sql (sql): starting 20
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
> rlm_sql_mysql: Starting connect to MySQL server for #20
> rlm_sql (sql): Connected new DB handle, #20
> rlm_sql (sql): starting 21
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
> rlm_sql_mysql: Starting connect to MySQL server for #21
> rlm_sql (sql): Connected new DB handle, #21
> rlm_sql (sql): starting 22
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
> rlm_sql_mysql: Starting connect to MySQL server for #22
> rlm_sql (sql): Connected new DB handle, #22
> rlm_sql (sql): starting 23
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
> rlm_sql_mysql: Starting connect to MySQL server for #23
> rlm_sql (sql): Connected new DB handle, #23
> rlm_sql (sql): starting 24
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
> rlm_sql_mysql: Starting connect to MySQL server for #24
> rlm_sql (sql): Connected new DB handle, #24
> rlm_sql (sql): starting 25
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #25
> rlm_sql_mysql: Starting connect to MySQL server for #25
> rlm_sql (sql): Connected new DB handle, #25
> rlm_sql (sql): starting 26
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #26
> rlm_sql_mysql: Starting connect to MySQL server for #26
> rlm_sql (sql): Connected new DB handle, #26
> rlm_sql (sql): starting 27
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #27
> rlm_sql_mysql: Starting connect to MySQL server for #27
> rlm_sql (sql): Connected new DB handle, #27
> rlm_sql (sql): starting 28
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
> rlm_sql_mysql: Starting connect to MySQL server for #28
> rlm_sql (sql): Connected new DB handle, #28
> rlm_sql (sql): starting 29
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #29
> rlm_sql_mysql: Starting connect to MySQL server for #29
> rlm_sql (sql): Connected new DB handle, #29
> rlm_sql (sql): starting 30
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #30
> rlm_sql_mysql: Starting connect to MySQL server for #30
> rlm_sql (sql): Connected new DB handle, #30
> rlm_sql (sql): starting 31
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #31
> rlm_sql_mysql: Starting connect to MySQL server for #31
> rlm_sql (sql): Connected new DB handle, #31
> Module: Linked to module rlm_ldap
> Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
> ldap {
> server = "ldap.company.net"
> port = 636
> password = "xxx"
> expect_password = yes
> identity = "cn=connect,ou=Company,dc=company,dc=net"
> net_timeout = 1
> timeout = 4
> timelimit = 3
> max_uses = 0
> tls_mode = no
> start_tls = no
> tls_require_cert = "allow"
> tls {
> start_tls = no
> require_cert = "allow"
> }
> basedn = "OU=Company,DC=company,DC=net"
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
> auto_header = no
> access_attr_used_for_allow = yes
> chase_referrals = yes
> rebind = yes
> groupname_attribute = "cn"
> groupmembership_filter =
> "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
> groupmembership_attribute = "memberOf"
> dictionary_mapping = "/etc/freeradius/ldap.attrmap"
> ldap_debug = 0
> ldap_connections_number = 5
> compare_check_items = no
> do_xlat = yes
> edir_account_policy_check = no
> set_auth_type = no
> keepalive {
> idle = 60
> probes = 3
> interval = 3
> }
> }
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap
> rlm_ldap: reading ldap<->radius mappings from file
> /etc/freeradius/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
> rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
> Tunnel-Private-Group-Id
> conns: 0x10e9b30
> Module: Linked to module rlm_always
> Module: Instantiating module "ok" from file /etc/freeradius/modules/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> Module: Instantiating module "reject" from file
> /etc/freeradius/modules/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file
> /etc/freeradius/modules/acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
> NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file
> /etc/freeradius/modules/detail
> detail {
> detailfile =
> "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from file
> /etc/freeradius/modules/attr_filter
> attr_filter attr_filter.accounting_response {
> attrsfile = "/etc/freeradius/attrs.accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/freeradius/attrs.accounting_response
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file
> /etc/freeradius/modules/radutmp
> radutmp {
> filename = "/var/log/freeradius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/etc/freeradius/attrs.access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/freeradius/attrs.access_reject
> } # modules
> } # server
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/
> inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> ... adding new socket proxy address * port 51567
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 10.12.1.1 port 32769, id=238,
> length=246
> User-Name = "adam"
> Calling-Station-Id = "54:27:1e:0c:0b:fc"
> Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
> NAS-Port = 13
> Cisco-AVPair = "audit-session-id=ac1f0c620000023159aecc35"
> NAS-IP-Address = 10.12.1.1
> NAS-Identifier = "WLC"
> Airespace-Wlan-Id = 2
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "5"
> EAP-Message = 0x0203000f0165616c6d6f6e61636964
> Message-Authenticator = 0x501b12ce48af68714f1030855775ae2a
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 3 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> rlm_sql (sql): Reserving sql socket id: 30
> [sql] expand: ->
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 30
> ++[sql] = fail
> +} # group authorize = fail
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> adam
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 238 to 10.12.1.1 port 32769
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 238 with timestamp +52
> Ready to process requests.
>
>
>
> 2017-09-04 10:28 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Sep 4, 2017, at 9:09 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> > >
> > > Dear Alan, thanks for your response....just two things for the moment:
> > >
> > >> You may need to install v3. Honestly, just install 3.0.15, and go
> with
> > > that.
> > >
> > > Ok, but can I use my current server with version 2.2.5 in order to test
> > the
> > > SQL authorization or the use of version 3.x is mandatory ???
> >
> > It's easier with v3.
> >
> > >> You will need to edit raddb/sites-enabled/default, and also the
> > > raddb/mods-enabled/sql
> > >
> > > Now I have edited default and inner-tunnel files, but you tell me to
> edit
> > > just default (and also sql module)...inner-tunel is not necessary???
> >
> > It may be. Some amount of thinking for yourself is useful, too.
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> >
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list