Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok)
Kevin Virk
Kevin.Virk at faithlife.com
Fri Aug 10 19:28:25 CEST 2018
I did make sure to restart the server. I did fail to mention that I purged freeradius and reinstalled so I must have made a configuration error somewhere along the way.
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
Sent: Friday, August 10, 2018 1:30 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 14
Today's Topics:
1. Re: ldap module for user and mac authentication (Dave Macias)
2. Re: ldap module for user and mac authentication (Michael Ströder)
3. Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok)
4. Re: Dynamic vlan assignment (Dom Latter)
5. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Arun NP)
----------------------------------------------------------------------
Message: 1
Date: Thu, 9 Aug 2018 08:23:51 -0400
From: Dave Macias <davama at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID:
<CA+nFYV_UOg+TuMMciVwPWTHUX5B=H=rbhpUE9mv_e+rsVDvCYw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
>
> Yes, I had thought of something to the effect of (suggestions welcomed):
>
>     if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>         if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>             reject
>         }
>     }
>     update {
>         control:Auth-Type := Accept
>     }
>
> But this does not account for the scenario of openldap being dead.
> The 1st "if" statement will always be FALSE and never attempt the next
> "if" statement and therefore 'Accept'
>
I believe I misspoke here...
But interesting observations.
If I use the below code AND have multiple ldap servers configured in my
ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one
that is alive, assuming at least one is alive. If I have just one ldap
server configured in my ldap module (which is dead), then the 'if' will
FAIL and reject as it should.
    if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }
    else {
        update {
            control:Auth-Type := Accept
        }
    }
Same results as above (ldap module will use the live ldap server, not the
dead one)
    if (!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
    ...
    ...
So what did I learn?
You don't need to use the SRV record for failover, as long as you have all
the ldap servers in your ldap module.
I think it makes sense since '%{ldap:...}' is using the ldap module,
technically, but I would have thought that "ldap:///" or
"ldap://dead-ldap-server/" meant localhost/dead-ldap-server, not
"live.ldap.the-module-found".
Or maybe I'm just completely off...
Hope that makes sense.
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 00-04-F2-DD-98-C6
(1) &Calling-Station-Id := 00-04-F2-DD-98-C6
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{
rlm_ldap (ldap): Reserved connection (0)
(1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with
filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))",
scope "sub"
(1) Waiting for search result...
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) EXPAND
%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
(1) --> 0004f2dd98c6
(1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
-> FALSE
(1) else {
(1) update {
(1) control:Auth-Type := Accept
(1) } # update = noop
(1) } # else = noop
(1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) =
updated
(1) ... skipping else: Preceding "if" was taken
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = Accept
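The debug output above shows the `rewrite_calling_station_id` policy canonicalising the MAC before the `%{ldap:...}` URL's filter is built. As an added example (mine, not code from this post or from FreeRADIUS), here is that normalisation reproduced in Python, together with a filter builder that escapes the value per RFC 4515 before it is placed into `(macAddress=...)`, which is what you want for any filter built from a client-supplied attribute. The `ldap_filter_escape` and `build_mac_filter` names, and the choice to fall back to the raw (escaped) attribute when the rewrite does not match, are my own; the sample inputs are constructed.

```python
import re

# The same pattern the rewrite_calling_station_id policy applies in the debug
# output above: six hex pairs, each optionally followed by one non-hex separator.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def rewrite_calling_station_id(value):
    """Canonical FreeRADIUS form (00-04-F2-DD-98-C6), or None when the value is
    not a MAC; in that case the policy leaves the attribute untouched."""
    m = MAC_RE.match(value)
    if m is None:
        return None
    return "-".join(m.groups()).upper()


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_mac_filter(calling_station_id):
    """Hypothetical helper: the filter part of the %{ldap:...} URL above,
    (&(objectClass=ieee802Device)(macAddress=...)). If the rewrite does not
    match, the raw attribute is used, escaped, as it would reach the filter
    after the policy fell through."""
    mac = rewrite_calling_station_id(calling_station_id)
    value = mac if mac is not None else calling_station_id
    return "(&(objectClass=ieee802Device)(macAddress=%s))" % ldap_filter_escape(value)


if __name__ == "__main__":
    # Constructed sample values covering the separator styles the regex accepts,
    # one short value it rejects, and one with filter metacharacters.
    for sample in ("00:04:f2:dd:98:c6", "0004.f2dd.98c6", "0004f2dd98c6",
                   "00-04-F2-DD-98-C6", "00:04:f2:dd:98", "foo*)"):
        print("%-20s -> %s" % (sample, build_mac_filter(sample)))
```

Colon, hyphen, Cisco dotted and bare-hex forms all normalise to the same `00-04-F2-DD-98-C6` the log shows, so one `macAddress` value per device is enough in the directory; anything that does not match falls through escaped rather than unchanged.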
------------------------------
Message: 2
Date: Thu, 9 Aug 2018 14:40:04 +0200
From: Michael Ströder <michael at stroeder.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>, Dave Macias
<davama at gmail.com>
Subject: Re: ldap module for user and mac authentication
Message-ID: <7caaa8c6-5a4c-19b6-a59b-fa045992de8c at stroeder.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 8/9/18 2:23 PM, Dave Macias wrote:
> So what did i learn?
> you dont need to use the SRV record for failover, as long as you have all
> the ldap servers in your ldap module.
Yes!
In theory the advantage of SRV RRs is that you can theoretically change
what's in your pool of LDAP servers and adjust priorities based on
locations.
Besides that I don't believe anybody fully implemented that, I'm not a
fan of SRV RRs anyway because the TLS hostname check is not even defined
for that.
Ciao, Michael.
------------------------------
Message: 3
Date: Thu, 9 Aug 2018 08:46:42 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk)
Message-ID: <E22B5478-09CA-4FC5-BE41-34B0746517B7 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii
> On Aug 8, 2018, at 5:12 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
>
>
> figured it out I had not included the line require-message-authentication=no in my clients.conf. Thank you for your help Alan!
That wasn't the problem. "Invalid request authenticator" means that the shared secret is wrong. If you had set "request_message_authenticator = yes", then the message would have been "invalid message authenticator", or maybe "missing message authenticator"
What I suspect happened is that you were editing clients.conf, and then *not* restarting the server. After changing "require_message_authenticator = no" and restarting the server, it picked up the new secret.
Alan DeKok.
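To make the distinction Alan draws concrete, here is an added Python example (mine, not FreeRADIUS code) that builds an Accounting-Request as RFC 2866 defines it and then checks it the way a server would, reporting the three outcomes he names. The Request Authenticator is MD5 over the packet with the authenticator field zeroed, followed by the shared secret, so a wrong secret shows up as an invalid request authenticator; Message-Authenticator (attribute 80, RFC 3579) is an HMAC-MD5 keyed with the secret, so when it is present and the secret is wrong that check fails first, and when it is absent but required that is what gets reported. The function names, the `require_message_authenticator` parameter and the packet contents are constructed for the example; that the HMAC for a request is computed with the authenticator field and the Message-Authenticator value both zeroed is my reading of the convention FreeRADIUS uses, and is stated here as an assumption.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4            # RFC 2866 packet code
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579, 16-octet HMAC-MD5


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet):
    """Yield (type, value, offset_of_attribute) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, packet[pos + 2:pos + length], pos
        pos += length


def build_accounting_request(identifier, attrs, secret, with_message_authenticator=False):
    """Constructed sample Accounting-Request signed with `secret` (not a capture)."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body)) + bytes(16) + body
    if with_message_authenticator:
        # Assumption: for request packets the HMAC is taken over the packet with the
        # authenticator field and the Message-Authenticator value both zeroed.
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:len(packet) - 16] + mac   # it is the last attribute
    # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(packet + secret).digest()
    return packet[:4] + auth + packet[20:]


def check_accounting_request(packet, secret, require_message_authenticator=False):
    """Return 'ok' or the failure Alan describes: 'invalid message authenticator',
    'missing message authenticator' or 'invalid request authenticator'."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    zeroed_auth = packet[:4] + bytes(16) + packet[20:]
    ma = [(v, off) for t, v, off in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if ma:
        value, off = ma[0]
        if len(value) != 16:
            return "invalid message authenticator"
        to_mac = zeroed_auth[:off + 2] + bytes(16) + zeroed_auth[off + 18:]
        expected = hmac.new(secret, to_mac, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return "invalid message authenticator"
    elif require_message_authenticator:
        return "missing message authenticator"
    expected = hashlib.md5(zeroed_auth + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "invalid request authenticator"
    return "ok"


if __name__ == "__main__":
    secret = b"testing123"   # constructed; never reuse a real shared secret in examples
    attrs = [(ATTR_USER_NAME, b"kevin"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))]  # Start
    plain = build_accounting_request(7, attrs, secret)
    signed = build_accounting_request(8, attrs, secret, with_message_authenticator=True)
    print(check_accounting_request(plain, secret))                  # ok
    print(check_accounting_request(plain, b"wrong-secret"))          # invalid request authenticator
    print(check_accounting_request(plain, secret, True))             # missing message authenticator
    print(check_accounting_request(signed, b"wrong-secret", True))   # invalid message authenticator
```

The point to take from the four runs is that `require_message_authenticator` only changes which message you see; the underlying mismatch is still the secret, and editing `clients.conf` does nothing until the server re-reads it.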
------------------------------
Message: 4
Date: Thu, 9 Aug 2018 13:47:11 +0100
From: Dom Latter <freeradius-users at latter.org>
To: freeradius-users at lists.freeradius.org
Subject: Re: Dynamic vlan assignment
Message-ID: <8818bf42-d1bf-b296-112e-ada1af8e2715 at latter.org>
Content-Type: text/plain; charset=utf-8; format=flowed
On 07/08/18 18:08, Deepak Sehrawat wrote:
>
> Can we configure it via MySQL as well?
From a post I made in April. I have a long complicated query which
checks if the user has been deleted, or the user's account has been
suspended, etc. It returns a value which is then used in various ways.

    update control {
        CustomVal := "%{sql:SELECT \
            CASE \
                WHEN (cs_suspended.value = '1') THEN 5010 \
                WHEN (u.deleted != '0') THEN 5011 \
            // etc

Then the unlang code "decodes" the return value:

    if ( &control:CustomVal < 5000 ) {
        update reply {
            Filter-Id := &control:CustomVal
            Reply-Message += "Accept: MAC found."
        }
    }
    elsif (....
------------------------------
Message: 5
Date: Fri, 10 Aug 2018 13:59:48 +0530
From: Arun NP <arun85np at gmail.com>
To: freeradius-users at lists.freeradius.org
Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9
Message-ID:
<CAPLBjFVk0Uo908HJt2yA_JwBbg3_eif6HN1gXUVB2ZdffggeKg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi,
As suggested, I removed FreeRADIUS, deleted all the files and did a
fresh installation.
This time, I did only the following changes:
copied the default file in sites-available to a file "new";
edited the port numbers in new four times, two for authentication and two
for accounting;
created a soft link for new in the sites-enabled directory;
added my client IPs and secret to the clients.conf file;
started radius by "radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X".
But still I am getting the same error.
This field which you mentioned in the previous mail,

    radiusd: #### Loading Virtual Servers ####
    server { # from file /etc/raddb/radiusd.conf
    } # server

comes in the debug log. But I checked the radiusd.conf thoroughly. There
is no server block in the radiusd.conf (please find the radiusd file
contents after the debug log, below). Also, this time, the "new" file is
being included in the starting section.
Please have a look into the debug log & radiusd.conf file below & kindly
let me know what can be done to solve this.
#######debug log#####
[root at ott-cafy-vm1 raddb]# !r
radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/new
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 5.5.18.22 {
ipaddr = 5.5.18.22
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 5.5.18.20 {
ipaddr = 5.5.18.20
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330
} # server inner-tunnel
server new { # from file /etc/raddb/sites-enabled/new
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server new
radiusd: #### Opening IP addresses and Ports ####
Listening on auth address 5.1.13.70 port 2018
Listening on acct address 5.1.13.70 port 2019
Listening on proxy address * port 55766
Ready to process requests
(0) Received Access-Request Id 3 from 5.5.18.20:49922 to 5.1.13.70:2018 length 100
(0) User-Name = "test"
(0) NAS-IP-Address = 5.5.18.20
(0) NAS-IPv6-Address = ::
(0) NAS-Port = 130
(0) NAS-Port-Type = Virtual
(0) Service-Type = Login-User
(0) Calling-Station-Id = "5.255.252.5"
(0) User-Password = "tets"
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 3 from 5.1.13.70:2018 to 5.5.18.20:49922 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 3 with timestamp +15
Ready to process requests
#################radiusd.conf##########
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.13
##
## http://www.freeradius.org/
## $Id: c62f4ffed53a073a885f243b728129f5c482fad7 $
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# The "unlang" policy language can be used to create complex
# if / else policies. See "man unlang" for details.
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#
# name of the running server. See also the "-n" command-line option.
name = radiusd
# Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib64/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#
# correct_escapes: use correct backslash escaping
#
# Prior to version 3.0.5, the handling of backslashes was a little
# awkward, i.e. "wrong". In some cases, to get one backslash into
# a regex, you had to put 4 in the config files.
#
# Version 3.0.5 fixes that. However, for backwards compatibility,
# the new method of escaping is DISABLED BY DEFAULT. This means
# that upgrading to 3.0.5 won't break your configuration.
#
# If you don't have double backslashes (i.e. \\) in your configuration,
# this won't matter to you. If you do have them, fix that to use only
# one backslash, and then set "correct_escapes = true".
#
# You can check for this by doing:
#
# $ grep '\\\\' $(find raddb -type f -print)
#
correct_escapes = true
# panic_action: Command to execute if the server dies unexpectedly.
#
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
# AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
#
# THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE.
# PTRACE_ATTACH CAN BE USED AS AN ATTACK VECTOR.
#
# The panic action is a command which will be executed if the server
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
# SIGABRT or SIGFPE.
#
# This can be used to start an interactive debugging session so
# that information regarding the current state of the server can
# be acquired.
#
# The following string substitutions are available:
# - %e The currently executing program e.g. /sbin/radiusd
# - %p The PID of the currently executing program e.g. 12345
#
# Standard ${} substitutions are also allowed.
#
# An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
# Again, don't use that on a production system.
#
# An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
# That command can be used on a production system.
#
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 16384
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below).
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files
#
# Highlight important messages sent to stderr and stdout.
#
# Option will be ignored (disabled) if TERM is not
# an xterm or output is not to a TTY.
#
colourise = yes
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY use
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do things like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
# The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking the server. This
# section holds the configuration items which minimize the impact
# of those attacks.
#
security {
# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting
# the server. After the chroot has been performed it
# switches to the "user" listed below (which MUST be
# specified). If "group" is specified, it switches to that
# group, too. Any other groups listed for the specified
# "user" in "/etc/group" are also added as part of this
# process.
#
# The current working directory (chdir / cd) is left
# *outside* of the chroot until all of the modules have been
# initialized. This allows the "raddb" directory to be left
# outside of the chroot. Once the modules have been
# initialized, it does a "chdir" to ${logdir}. This means
# that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this
# use of chdir, then simply ensure that the "raddb" directory
# is inside of the chroot, and be sure to do "cd raddb"
# BEFORE starting the server.
#
# If the server is statically linked, then the only files
# that have to exist in the chroot are ${run_dir} and
# ${logdir}. If you do the "cd raddb" as discussed above,
# then the "raddb" directory has to be inside of the chroot
# directory, too.
#
# chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the
# user/group that started it. In order to change to a
# different user/group, you MUST be root ( or have root
# privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
# permissions as possible. That is, if you're not using
# shadow passwords, the user and group items below should be
# set to 'radius'.
#
# NOTE that some kernels refuse to setgid(group) when the
# value of (unsigned)group is above 60000; don't use group
# "nobody" on these systems!
#
# On systems with shadow passwords, you might have to set
# 'group = shadow' for the server to be able to read the
# shadow password file. If you can authenticate users while
# in debug mode, but not in daemon mode, it may be that the
# debugging mode server is running as a user that can read
# the shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read
# /etc/groups. It will join all groups where "user" is a
# member. This can allow for some finer-grained access
# controls.
#
user = radiusd
group = radiusd
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a user's password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# As of Version 3.0.5, "reject_delay" has sub-second resolution.
# e.g. "reject_delay = 1.4" seconds is possible.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# When the server receives a packet, it places it onto an
# internal queue, where the worker threads (configured above)
# pick it up for processing. The maximum size of that queue
# is given here.
#
# When the queue is full, any new packets will be silently
# discarded.
#
# The most common cause of the queue being full is that the
# server is dependent on a slow database, and it has received
# a large "spike" of traffic. When that happens, there is
# very little you can do other than make sure the server
# receives less traffic, or make sure that the database can
# handle the load.
#
# max_queue_size = 65536
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
# Automatically limit the number of accounting requests.
# This configuration item tracks how many requests per second
# the server can handle. It does this by tracking the
# packets/s received by the server for processing, and
# comparing that to the packets/s handled by the child
# threads.
#
# If the received PPS is larger than the processed PPS, *and*
# the queue is more than half full, then new accounting
# requests are probabilistically discarded. This lowers the
# number of packets that the server needs to process. Over
# time, the server will "catch up" with the traffic.
#
# Throwing away accounting packets is usually safe and low
# impact. The NAS will retransmit them in a few seconds, or
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
# to see how accounting packets should be retransmitted. Using
# any other method is likely to cause network meltdowns.
#
auto_limit_acct = no
}
######################################################################
#
# SNMP notifications. Uncomment the following line to enable
# snmptraps. Note that you MUST also configure the full path
# to the "snmptrap" command in the "trigger.conf" file.
#
#$INCLUDE trigger.conf
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
# section, such as authorize, authenticate, accounting,
# pre/post-proxy, etc.
#
$INCLUDE mods-enabled/
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
# After the modules listed here have been loaded, all of the modules
# in the "mods-enabled" directory will be loaded. Loading the
# "mods-enabled" directory means that unlike Version 2, you usually
# don't need to list modules here.
#
instantiate {
#
# We list the counter module here so that it registers
# the check_name attribute before any module which sets
# it
# daily
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
# The "virtual" module defined here can also be used with
# dynamic expansions, under a few conditions:
#
# * The section is "redundant", or "load-balance", or
# "redundant-load-balance"
# * The section contains modules ONLY, and no sub-sections
# * all modules in the section are using the same rlm_
# driver, e.g. They are all sql, or all ldap, etc.
#
# When those conditions are satisfied, the server will
# automatically register a dynamic expansion, using the
# name of the "virtual" module. In the example below,
# it will be "redundant_sql". You can then use this expansion
# just like any other:
#
# update reply {
# Filter-Id := "%{redundant_sql: ... }"
# }
#
# In this example, the expansion is done via module "sql1",
# and if that expansion fails, using module "sql2".
#
# For best results, configure the "pool" subsection of the
# module so that "retry_delay" is non-zero. That will allow
# the redundant block to quickly ignore all "down" SQL
# databases. If instead we have "retry_delay = 0", then
# every time the redundant block is used, the server will try
# to open a connection to every "down" database, causing
# problems.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies are virtual modules, similar to those defined in the
# "instantiate" section above.
#
# Defining a policy in one of the policy.d files means that it can be
# referenced in multiple places as a *name*, rather than as a series of
# conditions to match, and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
$INCLUDE policy.d/
}
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# file:
#
# raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
# raddb/sites-available/README
#
######################################################################
Thanks,
Arun
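The radiusd.conf pasted above documents several settings whose own comments warn about the unsafe value (allow_core_dumps, user/group, max_attributes, reject_delay, auth_goodpass/auth_badpass). As an added example that is not part of this thread or of FreeRADIUS, the Python below parses that nested brace syntax, expands ${var} references the way the file uses them, and reports which of those settings a configuration leaves at the value the comments warn against; both sample configurations are constructed for the example, not Arun's file.

```python
"""Parse a FreeRADIUS 3.0 radiusd.conf and flag settings its own comments warn about.
Added example, not part of the thread or of FreeRADIUS itself. It handles only the syntax
seen in the pasted file: 'key = value', 'name [instance] {' ... '}' blocks, ${var}
references to top-level keys, and '$INCLUDE' lines (recorded, not followed)."""
import re

BLOCK_OPEN = re.compile(r'^([\w.-]+(?:\s+[\w.-]+)?)\s*\{$')
ASSIGN = re.compile(r'^([\w.-]+)\s*=\s*(.*)$')
VAR_REF = re.compile(r'\$\{([\w.-]+)\}')


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        out.append(ch)
    return ''.join(out).strip()


def parse_radiusd_conf(text):
    """Return a nested dict: scalars are str, sub-blocks are dicts, and the files
    named by $INCLUDE lines are listed under the '$INCLUDE' key of their block."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line == '}':
            current = stack.pop()          # IndexError here means a stray '}'
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append(current)
            current = current.setdefault(m.group(1), {})
            continue
        if line.startswith('$INCLUDE'):
            current.setdefault('$INCLUDE', []).append(line.split(None, 1)[1])
            continue
        m = ASSIGN.match(line)
        if m:
            value = m.group(2).strip().strip('"')
            # Expand ${var} against top-level keys seen so far, as the server does
            value = VAR_REF.sub(lambda v: str(root.get(v.group(1), v.group(0))), value)
            current[m.group(1)] = value
    if stack:
        raise ValueError('unbalanced braces in configuration')
    return root


def hardening_findings(conf):
    """Each finding mirrors a warning written in the radiusd.conf comments."""
    findings = []
    sec, log = conf.get('security', {}), conf.get('log', {})
    if sec.get('allow_core_dumps', 'no') != 'no':
        findings.append('security.allow_core_dumps should be "no" outside of debugging')
    if not sec.get('user') or not sec.get('group'):
        findings.append('security.user/group unset: radiusd keeps the privileges it started with')
    if sec.get('max_attributes') == '0':
        findings.append('security.max_attributes = 0 removes the per-packet attribute cap')
    if float(sec.get('reject_delay', '0')) <= 0:
        findings.append('security.reject_delay = 0 sends Access-Reject with no delay')
    for key in ('auth_goodpass', 'auth_badpass'):
        if log.get(key, 'no') != 'no':
            findings.append(f'log.{key} = yes writes user passwords to the log file')
    return findings


# Constructed sample mirroring the settings in the radiusd.conf pasted above.
SAMPLE_OK = """\
localstatedir = /var
logdir = ${localstatedir}/log/radius
run_dir = ${localstatedir}/run/radiusd
pidfile = ${run_dir}/radiusd.pid
log {
    file = ${logdir}/radius.log
    auth_goodpass = no
}
security {
    user = radiusd
    group = radiusd
    allow_core_dumps = no    # only 'yes' while debugging a crash
    max_attributes = 200
    reject_delay = 1
}
$INCLUDE clients.conf
thread pool {
    max_servers = 32
}
"""

# Constructed weaker variant: the values the file's own comments warn against.
SAMPLE_WEAK = (SAMPLE_OK.replace('allow_core_dumps = no', 'allow_core_dumps = yes')
               .replace('auth_goodpass = no', 'auth_goodpass = yes')
               .replace('max_attributes = 200', 'max_attributes = 0')
               .replace('reject_delay = 1', 'reject_delay = 0'))

if __name__ == '__main__':
    for label, sample in (('page-like', SAMPLE_OK), ('weak', SAMPLE_WEAK)):
        print(label, hardening_findings(parse_radiusd_conf(sample)) or ['no findings'])
```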
On Tue, Aug 7, 2018 at 9:21 PM <freeradius-users-request at lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Dynamic vlan assignment (aseem kaushal)
> 2. Re: Freeradius-Users Digest, Vol 160, Issue 4 (Alan DeKok)
> 3. Re: Dynamic vlan assignment (Elias Pereira)
> 4. Re: radiusd -X (Mohd Yusuf Siddiqui)
> 5. FreeRADIUS fails when home server is marked as dead (matt.southward at gmail.com)
> 6. Re: FreeRADIUS fails when home server is marked as dead (Alan DeKok)
> 7. ldap module for user and mac authentication (Dave Macias)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 7 Aug 2018 16:35:38 +0530
> From: aseem kaushal <aseemkaushal91 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Dynamic vlan assignment
> Message-ID: <CAPTC-T2iNa0p9co4zOBavHODp_1+-FiANKkOBW5f1hEYHPmD+g at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I need to configure freeradius for dynamic vlan assignment. What could be the
> various methods for the above?
> Thanks in advance.
>
>
> Regards
> -Aseem Kaushal
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 7 Aug 2018 07:29:10 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius-Users Digest, Vol 160, Issue 4
> Message-ID: <830FC253-553E-48A5-8470-D0505ECD2BBC at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 7, 2018, at 12:30 AM, Arun NP <arun85np at gmail.com> wrote:
> > I tried what you mentioned (creating a copy of the default file in
> > sites-available , changing the server name & ports and soft linking
> > sites-enabled/new to sites-available/new).
>
> That's not what you did. The debug log shows that you did something
> else.
>
> > including files in directory /etc/raddb/sites-enabled/
> > including configuration file /etc/raddb/sites-enabled/control-socket
> > including configuration file /etc/raddb/sites-enabled/default
> > including configuration file /etc/raddb/sites-enabled/inner-tunnel
>
> And there's no "sites-enabled/new" file.
>
> > ...
> > radiusd: #### Loading Virtual Servers ####
> > server { # from file /etc/raddb/radiusd.conf
> > } # server
>
> There is an EMPTY "server" section there. That's causing the problem.
>
> The default config DOES NOT have a "server" block in radiusd.conf. So
> you've edited the default configuration and broken it.
>
> Don't do that.
>
> > server default { # from file /etc/raddb/sites-enabled/default
> > # Loading authenticate {...}
>
> See? That virtual server isn't empty.
>
> > server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> > # Loading authenticate {...}
>
> And neither is that one.
>
> > ...
> > radiusd: #### Opening IP addresses and Ports ####
> > Listening on auth address 5.1.13.70 port 2018
>
> And it doesn't load any file called "sites-available/new".
>
> So you might have edited *some* file. But whatever it is, it's not the
> file that the server is reading.
>
> Start with the default config. By this I mean DELETE EVERYTHING YOU
> DID. Delete ALL OF THE FILES.
>
> Then, uninstall the server. And re-install it from RPM / deb / whatever.
>
> The server WILL WORK. Then, make small changes. Test each change.
>
> What's happened here is that you've made a bunch of changes without
> really understanding what they are, or even what impact they have. Then,
> you haven't looked at the debug output to see if it's loading the files
> that you created.
>
> This isn't difficult. Follow the documentation. READ the debug
> output. All of this is extensively documented:
>
> http://wiki.freeradius.org/radius-X
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 7 Aug 2018 08:49:49 -0300
> From: Elias Pereira <empbilly at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Dynamic vlan assignment
> Message-ID:
> <
> CAHdxDAFECM1v1JVQ3cg_NddaBLS2XhS1rC_mY8+P9m+Q0+fzDA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> You can configure it in the post-auth section of the sites-enabled/default
> configuration file.
>
> E.g:
>
> ...
> ldap
> if (Ldap-Group == "CN=ADM,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "51"
>     }
> }
> elsif (Ldap-Group == "CN=ALUNOS,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "40"
>     }
> }
> elsif ...
> ...
>
> On Tue, Aug 7, 2018 at 8:05 AM aseem kaushal <aseemkaushal91 at gmail.com>
> wrote:
>
> > I need to configure freeradius for dynamic vlan assignment. What could be
> > the various methods for the above?
> > Thanks in advance.
> >
> >
> > Regards
> > -Aseem Kaushal
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
>
> --
> Elias Pereira
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 7 Aug 2018 18:05:18 +0530
> From: Mohd Yusuf Siddiqui <joseph490 at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: radiusd -X
> Message-ID:
> <
> CACx-Ti018oAqXPuSUpnQUtuHTe2UirN7+8VAgWKCnzc_6XPL_A at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> If you have sent a Kill Signal, it won't show, as the prima facie suggests.
>
> Regards
> Yusuf
>
> On 11-Jul-2018 1:44 pm, "Md Montjeer" <montjeer at fransinfotech.com> wrote:
>
> Dear Team,
>
> I am running the server in debugging mode, but the web console is showing
> the radius service as disabled. Please help me as soon as possible.
>
> Regards,
> Mohammad
> Network Engineer
>
> FRANS GLOBAL INFOTECH (P) LTD
> C 159, IInd Floor, Okhla Industrial Area,
> Phase-I, New Delhi - 110020
> Mobile : +91-8851550738
> E-Mail : montjeer at fransinfotech.com
> Web : www.fransglobel.com
> New Delhi | NCR | Rajasthan | J & K | Singapore
> AN ISO 27001:2013 | ISO 9001:2008 | ISO 20000 Certified Company
> WIRELESS | NETWORK SECURITY | ROUTING | SWITCHING | DC BUILD | SMART CLASS
> ROOMS | IP SURVEILLANCE | FMS
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 7 Aug 2018 10:08:24 -0400
> From: "matt.southward at gmail.com" <matt.southward at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRADIUS fails when home server is marked as dead
> Message-ID:
> <CACyAg3m8kBFkibjRH1uZrqTWHPMLHX57EtFyoR4=-
> s4acH4a9Q at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I am proxying accounting to a 3rd party. This works fine until the 3rd
> party stops sending accounting responses. The following is logged when this
> occurs:
>
> Mon Aug 6 17:38:28 2018 : Proxy: Marking home server xxx.xxx.xxx.xxx port
> 1813 as zombie (it has not responded in 30.000000 seconds).
>
> Mon Aug 6 17:38:28 2018 : ERROR: (29383) ERROR: Failing proxied request,
> due to lack of any response from home server xxx.xxx.xxx.xxx port 1813
>
> Mon Aug 6 17:38:58 2018 : Proxy: Marking home server xxx.xxx.xxx.xxx port
> 1813 as dead.
>
> Mon Aug 6 17:38:58 2018 : Info: SOFT ASSERT FAILED src/lib/event.c[161]:
> *(ev->parent) == ev
>
> Mon Aug 6 17:38:58 2018 : Info: SOFT ASSERT FAILED src/lib/event.c[167]:
> ret == 1
>
>
> At this point the server stops responding to everything, including access
> requests.
>
>
> I don't care if I get a response back from this server as I'm also storing
> accounting data locally in an SQL database. How do I configure FreeRADIUS
> to continue working even if the server I'm proxying accounting to doesn't
> respond.
>
>
> My apologies ahead of time as I'm betting this is somewhere in the
> documentation...I'm just not seeing it or not understanding what I'm
> reading.
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 7 Aug 2018 10:35:40 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRADIUS fails when home server is marked as dead
> Message-ID: <C95B2E8A-5605-428D-959A-8A799A780C25 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 7, 2018, at 10:08 AM, matt.southward at gmail.com wrote:
> >
> > I am proxying accounting to a 3rd party. This works fine until the 3rd
> > party stops sending accounting responses. The following is logged when
> this
> > occurs:
> >
> > Mon Aug 6 17:38:28 2018 : Proxy: Marking home server xxx.xxx.xxx.xxx
> port
> > 1813 as zombie (it has not responded in 30.000000 seconds).
> >
> > Mon Aug 6 17:38:28 2018 : ERROR: (29383) ERROR: Failing proxied request,
> > due to lack of any response from home server xxx.xxx.xxx.xxx port 1813
> >
> > Mon Aug 6 17:38:58 2018 : Proxy: Marking home server xxx.xxx.xxx.xxx
> port
> > 1813 as dead.
> >
> > Mon Aug 6 17:38:58 2018 : Info: SOFT ASSERT FAILED src/lib/event.c[161]:
> > *(ev->parent) == ev
>
> Upgrade to 3.0.17.
>
> > Mon Aug 6 17:38:58 2018 : Info: SOFT ASSERT FAILED src/lib/event.c[167]:
> > ret == 1
> >
> >
> > At this point the server stops responding to everything, including access
> > requests.
>
> Because it's down.
>
> >
> > I don't care if I get a response back from this server as I'm also
> storing
> > accounting data locally in an SQL database. How do I configure FreeRADIUS
> > to continue working even if the server I'm proxying accounting to doesn't
> > respond.
>
> Use a recent version of the server.
>
> > My apologies ahead of time as I'm betting this is somewhere in the
> > documentation...I'm just not seeing it or not understanding what I'm
> > reading.
>
> Crashes aren't documented. Just upgrade to the latest release, and
> 99.99% of the time they'll be fixed.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 7 Aug 2018 11:50:05 -0400
> From: Dave Macias <davama at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: ldap module for user and mac authentication
> Message-ID:
> <CA+nFYV9D3rNd7dYjj0Y__=
> HYTai6tUWTKLY+0GnzyDiZh-YRLQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> So background of environment i am testing:
>
> master (freeradius and openldap) server - which auths users and provides
> other services
> slave (freeradius and openldap) server - which replicates based off of
> master and *only* auths macs
>
> On the SLAVE, I am able to use the ldap module to auth a mac address
> On the MASTER, i am also able to auth a mac but by doing something like the
> links below:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2015-April/076948.html
>
> http://lists.freeradius.org/pipermail/freeradius-users/2018-August/092319.html
>
> Is there a way on the MASTER to use the ldap module to also auth macs? I
> like the ability to add several ldap servers in conjunction with the
> "do_not_respond" control policy.
>
> Here are the changes I did on the ldap module to make it work for the SLAVE:
> ldap {
>     server = 'localhost'
>     server = 'master-server'
>     base_dn = 'dc=myorg,dc=net'
>     user {
>         base_dn = "ou=%{config:local.BRN},ou=macs,${..base_dn}"
>         filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
>         ...
>     }
> }
>
> Hope this makes sense.
> Any input is appreciated.
>
> Thank you,
> dave
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 160, Issue 9
> ************************************************
>
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 160, Issue 14
*************************************************
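A complete post-auth section for the group-to-VLAN mapping that Elias Pereira sketches in the quoted digest above, written here as an added example; it is not code from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.0 unlang syntax and that the ldap module has already run in authorize so that Ldap-Group comparisons can be evaluated. The two group DNs and VLAN IDs 51 and 40 are the ones from Elias's post; the restricted VLAN 999 for users in neither group is a constructed value.

```unlang
# raddb/sites-enabled/default  (added example, not the shipped default)
#
# Dynamic VLAN assignment keyed on LDAP group membership. Runs after a
# successful authentication, so every branch below is deciding which VLAN
# an already-authenticated user lands in, never whether they authenticate.
post-auth {
    # Ldap-Group is a comparison attribute provided by rlm_ldap; it is
    # resolved against the group membership of the user just authenticated.
    if (Ldap-Group == "CN=ADM,OU=GRUPOS,DC=mycompany,DC=intra") {
        update reply {
            # ':=' overwrites any Tunnel-* values an earlier module or a
            # proxied reply may have left, so exactly one set reaches the NAS.
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "51"
        }
    }
    elsif (Ldap-Group == "CN=ALUNOS,OU=GRUPOS,DC=mycompany,DC=intra") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "40"
        }
    }
    else {
        # User is in no mapped group. Pin the port to a restricted VLAN
        # (999 is a constructed placeholder) rather than sending an
        # Access-Accept with no Tunnel-* attributes, which would leave the
        # switch to apply whatever static VLAN is configured on the port.
        # Replace the update block with 'reject' if such users should not
        # get network access at all.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "999"
        }
    }

    # Post-Auth-Type REJECT is unchanged from the shipped default and is
    # not repeated here.
}
```

The else branch is the part the quoted snippet leaves out. An Access-Accept without Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id is still an accept, so a user who is in none of the mapped groups is not denied; the switch simply falls back to its port default, which is often the most permissive VLAN on the access layer. Making that case explicit, either as a restricted VLAN or as a reject, keeps the policy readable in `radiusd -X` output and avoids depending on per-switch defaults. Tunnel-Private-Group-Id is a string attribute in the RADIUS dictionary, which is why the VLAN numbers are quoted.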