dynamic vlan assign and LDAP authentication

Siddhartha Mishra siddhartha0111 at gmail.com
Sun Aug 12 08:08:35 CEST 2018


Dear All,

Please help me with configuring dynamic VLAN assignment on user authentication via
LDAP.
User authentication via LDAP is working,
but when we enable the files module in the inner-tunnel and default files,
it does not work.

Because we added the LDAP group detail in the users file.

Please help to resolve this.
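
An added example of the kind of configuration the question above asks for (editorial illustration, not part of the original message and not the FreeRADIUS project's own shipped files): LDAP group membership is resolved in the inner tunnel, then a VLAN is returned from the users file. The ldap instance layout, group DNs, VLAN IDs and the Reply-Message text are assumed values; `Ldap-Group`, the `group { }` cacheable options, `use_tunneled_reply` and the Tunnel-* attributes are the standard FreeRADIUS 3.0.x names.

```text
# --- mods-enabled/ldap, group subsection (assumed base_dn/filter/attribute) ---
# Resolve the user's groups once per request and cache them as DNs, so the
# "Ldap-Group ==" check in the users file compares against cached values
# instead of issuing a second directory search.
ldap {
        ...
        group {
                base_dn = "ou=groups,dc=example,dc=com"
                filter = "(objectClass=groupOfNames)"
                membership_attribute = "memberOf"
                cacheable_name = no
                cacheable_dn = yes
        }
}

# --- sites-enabled/inner-tunnel, authorize section ---
# With PEAP/EAP-TTLS the real User-Name is only visible inside the tunnel,
# so the group lookup and the VLAN decision belong here, and "ldap" must run
# before "files" or the Ldap-Group check has nothing to compare against.
authorize {
        ...
        ldap
        files
        ...
}

# --- mods-config/files/authorize (the "users" file read by the files module) ---
# First matching entry wins. Group DNs and VLAN IDs are example values.
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

DEFAULT Ldap-Group == "cn=guests,ou=groups,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Authenticated but in no mapped group: reject rather than let the switch
# fall back to its default (often trusted) VLAN.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of any VLAN group"

# --- mods-enabled/eap, inside both the peap { } and ttls { } sections ---
# Copy the inner-tunnel reply (the Tunnel-* triple) into the outer
# Access-Accept that the switch actually receives.
use_tunneled_reply = yes
```

What usually breaks the users-file approach is ordering and scope: `ldap` has to run before `files` in the inner-tunnel authorize section, and the reply has to be copied out of the tunnel, otherwise the Tunnel-* triple never reaches the switch. Running `radiusd -X` shows whether the `Ldap-Group` comparison matched and which virtual server produced the reply. The closing DEFAULT entry is deliberate: a user who authenticates but matches no group gets a reject instead of whatever VLAN the switch uses as its fallback.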

On Fri 10 Aug, 2018, 10:59 PM , <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Alan DeKok)
>    2. Re: Filtering out Proxy-State in COA to fix broken Cisco NAS
>       (Alan DeKok)
>    3. FOREACH error message? (Stefan Paetow)
>    4. Re: FOREACH error message? (Stefan Paetow)
>    5. Re:Re: Accounting-Request packet shared secret fail (Alan
>       DeKok) (Kevin Virk) (Alan DeKok) (Kevin Virk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 10 Aug 2018 07:21:24 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9
> Message-ID: <3BC2D945-4A1F-4E2C-8328-61997A3A0A98 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 10, 2018, at 4:29 AM, Arun NP <arun85np at gmail.com> wrote:
> > As suggested . I removed free radius  & deleted all the files and did a
> > fresh installation.
> > This time , I did only the following changes :
>
>   OK.
>
> > copied default file in sites-available to a file "new" .
> > Edited the port numbers in new four times ,two for authentication and two
> > for accounting
> > created a soft link for new in the sites-enabled directory
>
>   Did you edit the name?  "server NEW { " ?
>
> > added my client IPs and secret to the clients.conf file
> > started radius by "radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X
> >
> > But , still I am getting the same error.
>
>   I'm running v3.0.x head (mostly 3.0.17) and it works for me.
>
> > radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X
> > FreeRADIUS Version 3.0.13
>
>   Upgrade.
>
>   We're not going to track down & fix bugs which were already found and
> fixed years ago.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 10 Aug 2018 08:12:35 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Filtering out Proxy-State in COA to fix broken Cisco NAS
> Message-ID: <E01CB6A4-EDD9-4A23-BA0E-D50941E442E3 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser at frizianz.com> wrote:
> >
> > Trying to get COA proxying working with a Cisco NAS. Unfortunately they
> have a broken implementation where if Proxy-State is in the request it
> drops it.
>
>   That's based on a naive reading of RFC 5176.  Happily, my new draft
> clarifies this.  It should be an RFC this year:
>
> https://tools.ietf.org/html/draft-ietf-radext-coa-proxy-03
>
> > I dug and found this old thread
> http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060456.html
> implying that we can filter out Proxy-State in attr_filter, however i've
> had some issues getting this working. Although this was relevant to
> freeradius 2x, i'm running 3.0.16.
> >
> > Any other ways to achieve this? Hoping someone can point me in the right
> direction.
>
>   You can delete the Proxy-State attribute in the "pre-proxy" section:
>
> pre-proxy {
>         ...
>         update proxy-request {
>                 Proxy-State !* ANY
>         }
>         ...
> }
>
>   Hope that helps.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 10 Aug 2018 14:01:31 +0000
> From: Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: FOREACH error message?
> Message-ID: <C77025A2-BE73-4732-8924-996CBE33C547 at jisc.ac.uk>
> Content-Type: text/plain; charset=UTF-8
>
> Alan, Arran et al,
>
> I'm getting this message:
>
> /etc/raddb/policy.d/moonshot-assertion[46]: MUST use attribute or list
> reference in 'foreach'
> /etc/raddb/policy.d/moonshot-assertion[46]: Failed to parse "foreach"
> subsection.
> /etc/raddb/policy.d/moonshot-assertion[38]: Failed to parse "if"
> subsection.
> /etc/raddb/policy.d/moonshot-assertion[105]: Failed to parse
> "saml_add_affiliation" entry.
>
> The policy in question is this (I've marked line 46 with '46>'):
>
> #  This policy adds the eduPersonAffiliation if it exists
> saml_add_affiliation.post-auth {
>         #  Only try to add the Affiliation when the attribute exists
>         if (&reply:Reply-eduPersonAffiliation) {
>                 update control {
>                         SAML-Attribute-Value !* ANY
>                         SAML-Attribute-Value += "%{explode:&reply:Reply-eduPersonAffiliation ,}"
>                 }
>                 update reply {
>                         SAML-AAA-Assertion += '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
>                 }
> 46>                foreach &control:SAML-Attribute-Value {
>                         update reply {
>                                 SAML-AAA-Assertion += '<saml:AttributeValue xsi:type="xs:string">'
>                                 SAML-AAA-Assertion += "%{Foreach-Variable-0}"
>                                 SAML-AAA-Assertion += '</saml:AttributeValue>'
>                         }
>                 }
>                 update reply {
>                         SAML-AAA-Assertion += '</saml:Attribute>'
>                 }
>         }
> }
>
> I can't see where I'm going wrong here... It's probably something *very*
> obvious that I can't see. I'm using FreeRADIUS 3.0.15 (I know, I know...
> It's not the newest).
>
> Can someone point out the obvious mistake? :-/
>
> Thank you :-)
>
> Stefan Paetow
> Consultant, Trust and Identity
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by
> guarantee which is registered in England under Company No. 5747339, VAT No.
> GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
> Bristol, BS2 0JA. T 0203 697 5800.
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 10 Aug 2018 14:18:52 +0000
> From: Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: FOREACH error message?
> Message-ID: <198BEB54-C708-4E9A-8A18-012E2C3B4131 at jisc.ac.uk>
> Content-Type: text/plain; charset=UTF-8
>
> And I've figured it out...
>
> It would help to update the dictionary with the custom values! *headdesk*
>
> *eyeroll*
>
> Stefan Paetow
> Consultant, Trust and Identity
>
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 10 Aug 2018 17:28:25 +0000
> From: Kevin Virk <Kevin.Virk at faithlife.com>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: Re:Re: Accounting-Request packet shared secret fail (Alan
>         DeKok) (Kevin Virk) (Alan DeKok)
> Message-ID: <1533922105253.29587 at faithlife.com>
> Content-Type: text/plain; charset=WINDOWS-1252
>
>
> I did make sure to restart the server. I did fail to mention that I purged
> freeradius and reinstalled so I must have made a configuration error
> somewhere along the way.
>
>
> From: Freeradius-Users <freeradius-users-bounces+kevin.virk=
> faithlife.com at lists.freeradius.org> on behalf of
> freeradius-users-request at lists.freeradius.org  <
> freeradius-users-request at lists.freeradius.org>
> Sent: Friday, August 10, 2018 1:30 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 160, Issue 14
>
>
> Today's Topics:
>
> 1. Re: ldap module for user and mac authentication (Dave Macias)
> 2. Re: ldap module for user and mac authentication (Michael Ströder)
> 3. Re: Accounting-Request packet shared secret fail (Alan DeKok)
> (Kevin Virk) (Alan DeKok)
> 4. Re: Dynamic vlan assignment (Dom Latter)
> 5. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Arun NP)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Aug 2018 08:23:51 -0400
> From: Dave Macias <davama at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: ldap module for user and mac authentication
> Message-ID:
> <CA+nFYV_UOg+TuMMciVwPWTHUX5B=H=rbhpUE9mv_e+rsVDvCYw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> >
> > Yes, I had thought of something to the effect of (suggestions welcomed) :
> >
> > if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> >         if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> >                 reject
> >         }
> > }
> > update {
> >         control:Auth-Type := Accept
> > }
> >
> > But this does not account for the scenario of openldap being dead.
> > The 1st "if" statement will be always be FALSE and never attempt the next
> > "if" statement and therefore 'Accept'
> >
>
> I believe I misspoke here...
> But interesting observations.
>
> If I use the below code AND have multiple ldap servers configured in my
> ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one
> that is alive, assuming at least one is alive. IF I have just one ldap
> server configured in my ldap module (which is dead), then the 'if' will
> FAIL and reject as it should.
>
> if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>         reject
> }
> else {
>         update {
>                 control:Auth-Type := Accept
>         }
> }
>
> Same results as above (ldap module will use the live ldap server, not the
> dead one):
>
> if (!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
> ...
> ...
>
> So what did I learn?
> You don't need to use the SRV record for failover, as long as you have all
> the ldap servers in your ldap module.
>
> I think it makes sense since '%{ldap:...}' is using the ldap module,
> technically, but I would have thought that "ldap:///" or
> "ldap://dead-ldap-server/" meant localhost/dead-ldap-server, not
> "live.ldap.the-module-found".
>
> Or maybe I'm just completely off...
> Hope that makes sense.
>
> (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
> (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE
> (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
> (1) policy rewrite_calling_station_id {
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> -> TRUE
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
> (1) update request {
> (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (1) --> 00-04-F2-DD-98-C6
> (1) &Calling-Station-Id := 00-04-F2-DD-98-C6
> (1) } # update request = noop
> (1) [updated] = updated
> (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> = updated
> (1) ... skipping else: Preceding "if" was taken
> (1) } # policy rewrite_calling_station_id = updated
> (1) if
>
> (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
> {
> rlm_ldap (ldap): Reserved connection (0)
> (1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with
> filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))",
> scope "sub"
> (1) Waiting for search result...
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
> present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1) EXPAND
>
> %{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
> (1) --> 0004f2dd98c6
> (1) if
>
> (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
> -> FALSE
> (1) else {
> (1) update {
> (1) control:Auth-Type := Accept
> (1) } # update = noop
> (1) } # else = noop
> (1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) =
> updated
> (1) ... skipping else: Preceding "if" was taken
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = Accept
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 9 Aug 2018 14:40:04 +0200
> From: Michael Ströder <michael at stroeder.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>, Dave Macias
> <davama at gmail.com>
> Subject: Re: ldap module for user and mac authentication
> Message-ID: <7caaa8c6-5a4c-19b6-a59b-fa045992de8c at stroeder.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> On 8/9/18 2:23 PM, Dave Macias wrote:
> > So what did i learn?
> > you dont need to use the SRV record for failover, as long as you have all
> > the ldap servers in your ldap module.
>
> Yes!
>
> In theory the advantage of SRV RRs are that you can theoretically change
> what's in your pool of LDAP servers and adjust priorities based on
> locations.
>
> Besides that I don't believe anybody fully implemented that, I'm not a
> fan of SRV RRs anyway because the TLS hostname check is not even defined
> for that.
>
> Ciao, Michael.
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 3829 bytes
> Desc: S/MIME Cryptographic Signature
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180809/a8fa42d1/attachment-0001.bin
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 9 Aug 2018 08:46:42 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Accounting-Request packet shared secret fail (Alan DeKok)
> (Kevin Virk)
> Message-ID: <E22B5478-09CA-4FC5-BE41-34B0746517B7 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> > On Aug 8, 2018, at 5:12 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
> >
> >
> > figured it out I had not included the line
> require-message-authentication=no in my clients.conf. Thank you for your
> help Alan!
>
> That wasn't the problem. "Invalid request authenticator" means that the
> shared secret is wrong. If you had set "request_message_authenticator =
> yes", then the message would have been "invalid message authenticator", or
> maybe "missing message authenticator"
>
> What I suspect happened is that you were editing clients.conf, and then
> *not* restarting the server. After changing "require_message_authenticator
> = no" and restarting the server, it picked up the new secret.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 9 Aug 2018 13:47:11 +0100
> From: Dom Latter <freeradius-users at latter.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Dynamic vlan assignment
> Message-ID: <8818bf42-d1bf-b296-112e-ada1af8e2715 at latter.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
>
> On 07/08/18 18:08, Deepak Sehrawat wrote:
> >
> > Can we configure it via MySQL as well?
>
> From a post I made in April. I have a long complicated query which
> checks if the user has been deleted, or the user's account has been
> suspended, etc. It returns a value which is then used in various ways.
>
> update control {
>         CustomVal := "%{sql:SELECT \
>                 CASE \
>                 WHEN (cs_suspended.value = '1') THEN 5010 \
>                 WHEN (u.deleted != '0') THEN 5011 \
>                 // etc
>
> Then the unlang code "decodes" the return value:
>
> if ( &control:CustomVal < 5000 ) {
>         update reply {
>                 Filter-Id := &control:CustomVal
>                 Reply-Message += "Accept: MAC found."
>         }
> }
> elsif (....
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 10 Aug 2018 13:59:48 +0530
> From: Arun NP <arun85np at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9
> Message-ID:
> <CAPLBjFVk0Uo908HJt2yA_JwBbg3_eif6HN1gXUVB2ZdffggeKg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
>
> As suggested, I removed FreeRADIUS & deleted all the files and did a
> fresh installation.
> This time, I did only the following changes:
>
> copied the default file in sites-available to a file "new".
> Edited the port numbers in new four times, two for authentication and two
> for accounting
> created a soft link for new in the sites-enabled directory
> added my client IPs and secret to the clients.conf file
> started radius by "radiusd -d /etc/raddb -i  5.1.13.70 -p 2018 -X"
>
> But, still I am getting the same error.
> This field which you mentioned in the previous mail, >>>radiusd: ####
> Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server>>> comes in the debug log. But I checked the radiusd.conf
> thoroughly. There is no server block in the radiusd.conf (please find the
> radiusd file contents after the debug log, below). Also, this time, the
> "new" file is being included in the starting section.
> Please have a look into the debug log & radiusd.conf file below & kindly
> let me know what can be done to solve this.
> #######debug log#####
> [root at ott-cafy-vm1 raddb]# !r
> radiusd -d /etc/raddb -i  5.1.13.70 -p 2018 -X
> FreeRADIUS Version 3.0.13
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/raddb/dictionary
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/mods-enabled/
> including configuration file /etc/raddb/mods-enabled/always
> including configuration file /etc/raddb/mods-enabled/attr_filter
> including configuration file /etc/raddb/mods-enabled/cache_eap
> including configuration file /etc/raddb/mods-enabled/chap
> including configuration file /etc/raddb/mods-enabled/date
> including configuration file /etc/raddb/mods-enabled/detail
> including configuration file /etc/raddb/mods-enabled/detail.log
> including configuration file /etc/raddb/mods-enabled/dhcp
> including configuration file /etc/raddb/mods-enabled/digest
> including configuration file /etc/raddb/mods-enabled/dynamic_clients
> including configuration file /etc/raddb/mods-enabled/eap
> including configuration file /etc/raddb/mods-enabled/echo
> including configuration file /etc/raddb/mods-enabled/exec
> including configuration file /etc/raddb/mods-enabled/expiration
> including configuration file /etc/raddb/mods-enabled/expr
> including configuration file /etc/raddb/mods-enabled/files
> including configuration file /etc/raddb/mods-enabled/linelog
> including configuration file /etc/raddb/mods-enabled/logintime
> including configuration file /etc/raddb/mods-enabled/mschap
> including configuration file /etc/raddb/mods-enabled/ntlm_auth
> including configuration file /etc/raddb/mods-enabled/pap
> including configuration file /etc/raddb/mods-enabled/passwd
> including configuration file /etc/raddb/mods-enabled/preprocess
> including configuration file /etc/raddb/mods-enabled/radutmp
> including configuration file /etc/raddb/mods-enabled/realm
> including configuration file /etc/raddb/mods-enabled/replicate
> including configuration file /etc/raddb/mods-enabled/soh
> including configuration file /etc/raddb/mods-enabled/sradutmp
> including configuration file /etc/raddb/mods-enabled/unix
> including configuration file /etc/raddb/mods-enabled/unpack
> including configuration file /etc/raddb/mods-enabled/utf8
> including files in directory /etc/raddb/policy.d/
> including configuration file /etc/raddb/policy.d/accounting
> including configuration file /etc/raddb/policy.d/canonicalization
> including configuration file /etc/raddb/policy.d/control
> including configuration file /etc/raddb/policy.d/cui
> including configuration file /etc/raddb/policy.d/debug
> including configuration file /etc/raddb/policy.d/dhcp
> including configuration file /etc/raddb/policy.d/eap
> including configuration file /etc/raddb/policy.d/filter
> including configuration file /etc/raddb/policy.d/operator-name
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/new
> main {
> security {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr =  127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm  example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr =  127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client  5.5.18.22 {
> ipaddr =  5.5.18.22
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client  5.5.18.20 {
> ipaddr =  5.5.18.20
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> # Creating Auth-Type = mschap
> # Creating Auth-Type = digest
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_cache
> # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> driver = "rlm_cache_rbtree"
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 0
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_chap
> # Loading module "chap" from file /etc/raddb/mods-enabled/chap
> # Loaded module rlm_date
> # Loading module "date" from file /etc/raddb/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> }
> # Loaded module rlm_detail
> # Loading module "detail" from file /etc/raddb/mods-enabled/detail
> detail {
> filename =
>
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
> detail auth_log {
> filename =
>
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
> detail reply_log {
> filename =
>
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename =
>
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename =
>
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_dhcp
> # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> # Loaded module rlm_digest
> # Loading module "digest" from file /etc/raddb/mods-enabled/digest
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file
> /etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_eap
> # Loading module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 16384
> }
> # Loaded module rlm_exec
> # Loading module "echo" from file /etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loading module "exec" from file /etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
> # Loaded module rlm_expr
> # Loading module "expr" from file /etc/raddb/mods-enabled/expr
> expr {
> safe_characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
> /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
> }
> # Loaded module rlm_files
> # Loading module "files" from file /etc/raddb/mods-enabled/files
> files {
> filename = "/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
> linelog {
> filename = "/var/log/radius/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file
> /etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radius/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_logintime
> # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_radutmp
> # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
> # Loaded module rlm_soh
> # Loading module "soh" from file /etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_unix
> # Loading module "unix" from file /etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
> instantiate {
> }
> # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
> # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
> # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
> # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
> # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/mods-enabled/attr_filter
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/raddb/mods-enabled/attr_filter
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /etc/raddb/mods-config/attr_filter/accounting_response
> # Instantiating module "cache_eap" from file
> /etc/raddb/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> loaded and linked
> # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> # Instantiating module "auth_log" from file
> /etc/raddb/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/raddb/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/server.pem"
> certificate_file = "/etc/raddb/certs/server.pem"
> ca_file = "/etc/raddb/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "DEFAULT"
> cipher_server_preference = no
> ecdh_curve = "prime256v1"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "expiration" from file
> /etc/raddb/mods-enabled/expiration
> # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> reading pairlist file /etc/raddb/mods-config/files/authorize
> reading pairlist file /etc/raddb/mods-config/files/accounting
> reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
> # Instantiating module "log_accounting" from file
> /etc/raddb/mods-enabled/linelog
> # Instantiating module "logintime" from file
> /etc/raddb/mods-enabled/logintime
> # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> # Instantiating module "etc_passwd" from file
> /etc/raddb/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "preprocess" from file
> /etc/raddb/mods-enabled/preprocess
> reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/raddb/mods-config/preprocess/hints
> # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> # Instantiating module "realmpercent" from file
> /etc/raddb/mods-enabled/realm
> # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server
> server default { # from file /etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> # Skipping contents of 'if' as it is always 'false' --
> /etc/raddb/sites-enabled/inner-tunnel:330
> } # server inner-tunnel
> server new { # from file /etc/raddb/sites-enabled/new
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server new
> radiusd: #### Opening IP addresses and Ports ####
> Listening on auth address  5.1.13.70 port 2018
> Listening on acct address  5.1.13.70 port 2019
> Listening on proxy address * port 55766
> Ready to process requests
> (0) Received Access-Request Id 3 from  5.5.18.20:49922 to  5.1.13.70:2018
> length 100
> (0) User-Name = "test"
> (0) NAS-IP-Address =  5.5.18.20
> (0) NAS-IPv6-Address = ::
> (0) NAS-Port = 130
> (0) NAS-Port-Type = Virtual
> (0) Service-Type = Login-User
> (0) Calling-Station-Id = "5.255.252.5"
> (0) User-Password = "tets"
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 3 from  5.1.13.70:2018 to  5.5.18.20:49922
> length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 3 with timestamp +15
> Ready to process requests
> #################radiusd.conf##########
> # -*- text -*-
> ##
> ## radiusd.conf -- FreeRADIUS server configuration file - 3.0.13
> ##
> ##  http://www.freeradius.org/
> ## $Id: c62f4ffed53a073a885f243b728129f5c482fad7 $
> ##
>
> ######################################################################
> #
> # Read "man radiusd" before editing this file. See the section
> # titled DEBUGGING. It outlines a method where you can quickly
> # obtain the configuration you want, without running into
> # trouble.
> #
> # Run the server in debugging mode, and READ the output.
> #
> # $ radiusd -X
> #
> # We cannot emphasize this point strongly enough. The vast
> # majority of problems can be solved by carefully reading the
> # debugging output, which includes warnings about common issues,
> # and suggestions for how they may be fixed.
> #
> # There may be a lot of output, but look carefully for words like:
> # "warning", "error", "reject", or "failure". The messages there
> # will usually be enough to guide you to a solution.
> #
> # If you are going to ask a question on the mailing list, then
> # explain what you are trying to do, and include the output from
> # debugging mode (radiusd -X). Failure to do so means that all
> # of the responses to your question will be people telling you
> # to "post the output of radiusd -X".
>
> ######################################################################
> #
> # The location of other config files and logfiles are declared
> # in this file.
> #
> # Also general configuration for modules can be done in this
> # file, it is exported through the API to modules that ask for
> # it.
> #
> # See "man radiusd.conf" for documentation on the format of this
> # file. Note that the individual configuration items are NOT
> # documented in that "man" page. They are only documented here,
> # in the comments.
> #
> # The "unlang" policy language can be used to create complex
> # if / else policies. See "man unlang" for details.
> #
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> #
> # name of the running server. See also the "-n" command-line option.
> name = radiusd
>
> # Location of config and logfiles.
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
>
> db_dir = ${localstatedir}/lib/radiusd
>
> #
> # libdir: Where to find the rlm_* modules.
> #
> # This should be automatically set at configuration time.
> #
> # If the server builds and installs, but fails at execution time
> # with an 'undefined symbol' error, then you can use the libdir
> # directive to work around the problem.
> #
> # The cause is usually that a library has been installed on your
> # system in a place where the dynamic linker CANNOT find it. When
> # executing as root (or another user), your personal environment MAY
> # be set up to allow the dynamic linker to find the library. When
> # executing as a daemon, FreeRADIUS MAY NOT have the same
> # personalized configuration.
> #
> # To work around the problem, find out which library contains that symbol,
> # and add the directory containing that library to the end of 'libdir',
> # with a colon separating the directory names. NO spaces are allowed.
> #
> # e.g. libdir = /usr/local/lib:/opt/package/lib
> #
> # You can also try setting the LD_LIBRARY_PATH environment variable
> # in a script which starts the server.
> #
> # If that does not work, then you can re-configure and re-build the
> # server to NOT use shared libraries, via:
> #
> # ./configure --disable-shared
> # make
> # make install
> #
> libdir = /usr/lib64/freeradius
>
> # pidfile: Where to place the PID of the RADIUS server.
> #
> # The server may be signalled while it's running by using this
> # file.
> #
> # This file is written when ONLY running in daemon mode.
> #
> # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
> #
> pidfile = ${run_dir}/${name}.pid
>
> #
> # correct_escapes: use correct backslash escaping
> #
> # Prior to version 3.0.5, the handling of backslashes was a little
> # awkward, i.e. "wrong". In some cases, to get one backslash into
> # a regex, you had to put 4 in the config files.
> #
> # Version 3.0.5 fixes that. However, for backwards compatibility,
> # the new method of escaping is DISABLED BY DEFAULT. This means
> # that upgrading to 3.0.5 won't break your configuration.
> #
> # If you don't have double backslashes (i.e. \\) in your configuration,
> # this won't matter to you. If you do have them, fix that to use only
> # one backslash, and then set "correct_escapes = true".
> #
> # You can check for this by doing:
> #
> # $ grep '\\\\' $(find raddb -type f -print)
> #
> correct_escapes = true
>
> # panic_action: Command to execute if the server dies unexpectedly.
> #
> # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
> # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
> # AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
> #
> # THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE
> # PATTACH CAN BE USED AS AN ATTACK VECTOR.
> #
> # The panic action is a command which will be executed if the server
> # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
> # SIGABRT or SIGFPE.
> #
> # This can be used to start an interactive debugging session so
> # that information regarding the current state of the server can
> # be acquired.
> #
> # The following string substitutions are available:
> # - %e The currently executing program e.g. /sbin/radiusd
> # - %p The PID of the currently executing program e.g. 12345
> #
> # Standard ${} substitutions are also allowed.
> #
> # An example panic action for opening an interactive session in GDB would be:
> #
> #panic_action = "gdb %e %p"
> #
> # Again, don't use that on a production system.
> #
> # An example panic action for opening an automated session in GDB would be:
> #
> #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
> #
> # That command can be used on a production system.
> #
>
> # max_request_time: The maximum time (in seconds) to handle a request.
> #
> # Requests which take more time than this to process may be killed, and
> # a REJECT message is returned.
> #
> # WARNING: If you notice that requests take a long time to be handled,
> # then this MAY INDICATE a bug in the server, in one of the modules
> # used to handle a request, OR in your local configuration.
> #
> # This problem is most often seen when using an SQL database. If it takes
> # more than a second or two to receive an answer from the SQL database,
> # then it probably means that you haven't indexed the database. See your
> # SQL server documentation for more information.
> #
> # Useful range of values: 5 to 120
> #
> max_request_time = 30
>
> # cleanup_delay: The time to wait (in seconds) before cleaning up
> # a reply which was sent to the NAS.
> #
> # The RADIUS request is normally cached internally for a short period
> # of time, after the reply is sent to the NAS. The reply packet may be
> # lost in the network, and the NAS will not see it. The NAS will then
> # re-send the request, and the server will respond quickly with the
> # cached reply.
> #
> # If this value is set too low, then duplicate requests from the NAS
> # MAY NOT be detected, and will instead be handled as separate requests.
> #
> # If this value is set too high, then the server will cache too many
> # requests, and some new requests may get blocked. (See 'max_requests'.)
> #
> # Useful range of values: 2 to 10
> #
> cleanup_delay = 5
>
> # max_requests: The maximum number of requests which the server keeps
> # track of. This should be 256 multiplied by the number of clients.
> # e.g. With 4 clients, this number should be 1024.
> #
> # If this number is too low, then when the server becomes busy,
> # it will not respond to any new requests, until the 'cleanup_delay'
> # time has passed, and it has removed the old requests.
> #
> # If this number is set too high, then the server will use a bit more
> # memory for no real benefit.
> #
> # If you aren't sure what it should be set to, it's better to set it
> # too high than too low. Setting it to 1000 per client is probably
> # the highest it should be.
> #
> # Useful range of values: 256 to infinity
> #
> max_requests = 16384
>
> # hostname_lookups: Log the names of clients or just their IP addresses
> # e.g.,  www.freeradius.org (on) or  206.47.27.232 (off).
> #
> # The default is 'off' because it would be overall better for the net
> # if people had to knowingly turn this feature on, since enabling it
> # means that each client request will result in AT LEAST one lookup
> # request to the nameserver. Enabling hostname_lookups will also
> # mean that your server may stop randomly for 30 seconds from time
> # to time, if the DNS requests take too long.
> #
> # Turning hostname lookups off also means that the server won't block
> # for 30 seconds, if it sees an IP address which has no name associated
> # with it.
> #
> # allowed values: {no, yes}
> #
> hostname_lookups = no
>
> #
> # Logging section. The various "log_*" configuration items
> # will eventually be moved here.
> #
> log {
> #
> # Destination for log messages. This can be one of:
> #
> # files - log to "file", as defined below.
> # syslog - to syslog (see also the "syslog_facility", below).
> # stdout - standard output
> # stderr - standard error.
> #
> # The command-line option "-X" over-rides this option, and forces
> # logging to go to stdout.
> #
> destination = files
>
> #
> # Highlight important messages sent to stderr and stdout.
> #
> # Option will be ignored (disabled) if TERM is not an xterm or
> # output is not to a TTY.
> #
> colourise = yes
>
> #
> # The logging messages for the server are appended to the
> # tail of this file if destination == "files"
> #
> # If the server is running in debugging mode, this file is
> # NOT used.
> #
> file = ${logdir}/radius.log
>
> #
> # If this configuration parameter is set, then log messages for
> # a *request* go to this file, rather than to radius.log.
> #
> # i.e. This is a log file per request, once the server has accepted
> # the request as being from a valid client. Messages that are
> # not associated with a request still go to radius.log.
> #
> # Not all log messages in the server core have been updated to use
> # this new internal API. As a result, some messages will still
> # go to radius.log. Please submit patches to fix this behavior.
> #
> # The file name is expanded dynamically. You should ONLY use
> # server-side attributes for the filename (e.g. things you control).
> # Using this feature MAY also slow down the server substantially,
> # especially if you do things like SQL calls as part of the
> # expansion of the filename.
> #
> # The name of the log file should use attributes that don't change
> # over the lifetime of a request, such as User-Name,
> # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
> # messages will be distributed over multiple files.
> #
> # Logging can be enabled for an individual request by a special
> # dynamic expansion macro: %{debug: 1}, where the debug level
> # for this request is set to '1' (or 2, 3, etc.). e.g.
> #
> # ...
> # update control {
> # Tmp-String-0 = "%{debug:1}"
> # }
> # ...
> #
> # The attribute that the value is assigned to is unimportant,
> # and should be a "throw-away" attribute with no side effects.
> #
> #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
>
> #
> # Which syslog facility to use, if ${destination} == "syslog"
> #
> # The exact values permitted here are OS-dependent. You probably
> # don't want to change this.
> #
> syslog_facility = daemon
>
> # Log the full User-Name attribute, as it was found in the request.
> #
> # allowed values: {no, yes}
> #
> stripped_names = no
>
> # Log authentication requests to the log file.
> #
> # allowed values: {no, yes}
> #
> auth = no
>
> # Log passwords with the authentication requests.
> # auth_badpass - logs password if it's rejected
> # auth_goodpass - logs password if it's correct
> #
> # allowed values: {no, yes}
> #
> auth_badpass = no
> auth_goodpass = no
>
> # Log additional text at the end of the "Login OK" messages.
> # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
> # configurations above have to be set to "yes".
> #
> # The strings below are dynamically expanded, which means that
> # you can put anything you want in them. However, note that
> # this expansion can be slow, and can negatively impact server
> # performance.
> #
> # msg_goodpass = ""
> # msg_badpass = ""
>
> # The message when the user exceeds the Simultaneous-Use limit.
> #
> msg_denied = "You are already logged in - access denied"
> }
>
> # The program to execute to do concurrency checks.
> checkrad = ${sbindir}/checkrad
>
> # SECURITY CONFIGURATION
> #
> # There may be multiple methods of attacking the server. This
> # section holds the configuration items which minimize the impact
> # of those attacks.
> #
> security {
> # chroot: directory where the server does "chroot".
> #
> # The chroot is done very early in the process of starting
> # the server. After the chroot has been performed it
> # switches to the "user" listed below (which MUST be
> # specified). If "group" is specified, it switches to that
> # group, too. Any other groups listed for the specified
> # "user" in "/etc/group" are also added as part of this
> # process.
> #
> # The current working directory (chdir / cd) is left
> # *outside* of the chroot until all of the modules have been
> # initialized. This allows the "raddb" directory to be left
> # outside of the chroot. Once the modules have been
> # initialized, it does a "chdir" to ${logdir}. This means
> # that it should be impossible to break out of the chroot.
> #
> # If you are worried about security issues related to this
> # use of chdir, then simply ensure that the "raddb" directory
> # is inside of the chroot, and be sure to do "cd raddb"
> # BEFORE starting the server.
> #
> # If the server is statically linked, then the only files
> # that have to exist in the chroot are ${run_dir} and
> # ${logdir}. If you do the "cd raddb" as discussed above,
> # then the "raddb" directory has to be inside of the chroot
> # directory, too.
> #
> # chroot = /path/to/chroot/directory
>
> # user/group: The name (or #number) of the user/group to run radiusd as.
> #
> # If these are commented out, the server will run as the
> # user/group that started it. In order to change to a
> # different user/group, you MUST be root ( or have root
> # privileges ) to start the server.
> #
> # We STRONGLY recommend that you run the server with as few
> # permissions as possible. That is, if you're not using
> # shadow passwords, the user and group items below should be
> # set to 'radius'.
> #
> # NOTE that some kernels refuse to setgid(group) when the
> # value of (unsigned)group is above 60000; don't use group
> # "nobody" on these systems!
> #
> # On systems with shadow passwords, you might have to set
> # 'group = shadow' for the server to be able to read the
> # shadow password file. If you can authenticate users while
> # in debug mode, but not in daemon mode, it may be that the
> # debugging mode server is running as a user that can read
> # the shadow info, and the user listed below can not.
> #
> # The server will also try to use "initgroups" to read
> # /etc/groups. It will join all groups where "user" is a
> # member. This can allow for some finer-grained access
> # controls.
> #
> user = radiusd
> group = radiusd
>
> # Core dumps are a bad thing. This should only be set to
> # 'yes' if you're debugging a problem with the server.
> #
> # allowed values: {no, yes}
> #
> allow_core_dumps = no
>
> #
> # max_attributes: The maximum number of attributes
> # permitted in a RADIUS packet. Packets which have MORE
> # than this number of attributes in them will be dropped.
> #
> # If this number is set too low, then no RADIUS packets
> # will be accepted.
> #
> # If this number is set too high, then an attacker may be
> # able to send a small number of packets which will cause
> # the server to use all available memory on the machine.
> #
> # Setting this number to 0 means "allow any number of attributes"
> max_attributes = 200
>
> #
> # reject_delay: When sending an Access-Reject, it can be
> # delayed for a few seconds. This may help slow down a DoS
> # attack. It also helps to slow down people trying to brute-force
> # crack a users password.
> #
> # Setting this number to 0 means "send rejects immediately"
> #
> # If this number is set higher than 'cleanup_delay', then the
> # rejects will be sent at 'cleanup_delay' time, when the request
> # is deleted from the internal cache of requests.
> #
> # As of Version 3.0.5, "reject_delay" has sub-second resolution.
> # e.g. "reject_delay = 1.4" seconds is possible.
> #
> # Useful ranges: 1 to 5
> reject_delay = 1
>
> #
> # status_server: Whether or not the server will respond
> # to Status-Server requests.
> #
> # When sent a Status-Server message, the server responds with
> # an Access-Accept or Accounting-Response packet.
> #
> # This is mainly useful for administrators who want to "ping"
> # the server, without adding test users, or creating fake
> # accounting packets.
> #
> # It's also useful when a NAS marks a RADIUS server "dead".
> # The NAS can periodically "ping" the server with a Status-Server
> # packet. If the server responds, it must be alive, and the
> # NAS can start using it for real requests.
> #
> # See also raddb/sites-available/status
> #
> status_server = yes
>
>
> }
>
> # PROXY CONFIGURATION
> #
> # proxy_requests: Turns proxying of RADIUS requests on or off.
> #
> # The server has proxying turned on by default. If your system is NOT
> # set up to proxy requests to another server, then you can turn proxying
> # off here. This will save a small amount of resources on the server.
> #
> # If you have proxying turned off, and your configuration files say
> # to proxy a request, then an error message will be logged.
> #
> # To disable proxying, change the "yes" to "no", and comment the
> # $INCLUDE line.
> #
> # allowed values: {no, yes}
> #
> proxy_requests = yes
> $INCLUDE proxy.conf
>
>
> # CLIENTS CONFIGURATION
> #
> # Client configuration is defined in "clients.conf".
> #
>
> # The 'clients.conf' file contains all of the information from the old
> # 'clients' and 'naslist' configuration files. We recommend that you
> # do NOT use 'clients' or 'naslist', although they are still
> # supported.
> #
> # Anything listed in 'clients.conf' will take precedence over the
> # information from the old-style configuration files.
> #
> $INCLUDE clients.conf
>
>
> # THREAD POOL CONFIGURATION
> #
> # The thread pool is a long-lived group of threads which
> # take turns (round-robin) handling any incoming requests.
> #
> # You probably want to have a few spare threads around,
> # so that high-load situations can be handled immediately. If you
> # don't have any spare threads, then the request handling will
> # be delayed while a new thread is created, and added to the pool.
> #
> # You probably don't want too many spare threads around,
> # otherwise they'll be sitting there taking up resources, and
> # not doing anything productive.
> #
> # The numbers given below should be adequate for most situations.
> #
> thread pool {
> # Number of servers to start initially --- should be a reasonable
> # ballpark figure.
> start_servers = 5
>
> # Limit on the total number of servers running.
> #
> # If this limit is ever reached, clients will be LOCKED OUT, so it
> # should NOT BE SET TOO LOW. It is intended mainly as a brake to
> # keep a runaway server from taking the system with it as it spirals
> # down...
> #
> # You may find that the server is regularly reaching the
> # 'max_servers' number of threads, and that increasing
> # 'max_servers' doesn't seem to make much difference.
> #
> # If this is the case, then the problem is MOST LIKELY that
> # your back-end databases are taking too long to respond, and
> # are preventing the server from responding in a timely manner.
> #
> # The solution is NOT to keep increasing the 'max_servers'
> # value, but instead to fix the underlying cause of the
> # problem: slow database, or 'hostname_lookups=yes'.
> #
> # For more information, see 'max_request_time', above.
> #
> max_servers = 32
>
> # Server-pool size regulation. Rather than making you guess
> # how many servers you need, FreeRADIUS dynamically adapts to
> # the load it sees, that is, it tries to maintain enough
> # servers to handle the current load, plus a few spare
> # servers to handle transient load spikes.
> #
> # It does this by periodically checking how many servers are
> # waiting for a request. If there are fewer than
> # min_spare_servers, it creates a new spare. If there are
> # more than max_spare_servers, some of the spares die off.
> # The default values are probably OK for most sites.
> #
> min_spare_servers = 3
> max_spare_servers = 10
>
> # When the server receives a packet, it places it onto an
> # internal queue, where the worker threads (configured above)
> # pick it up for processing. The maximum size of that queue
> # is given here.
> #
> # When the queue is full, any new packets will be silently
> # discarded.
> #
> # The most common cause of the queue being full is that the
> # server is dependent on a slow database, and it has received
> # a large "spike" of traffic. When that happens, there is
> # very little you can do other than make sure the server
> # receives less traffic, or make sure that the database can
> # handle the load.
> #
> # max_queue_size = 65536
>
> # There may be memory leaks or resource allocation problems with
> # the server. If so, set this value to 300 or so, so that the
> # resources will be cleaned up periodically.
> #
> # This should only be necessary if there are serious bugs in the
> # server which have not yet been fixed.
> #
> # '0' is a special value meaning 'infinity', or 'the servers never
> # exit'
> max_requests_per_server = 0
>
> # Automatically limit the number of accounting requests.
> # This configuration item tracks how many requests per second
> # the server can handle. It does this by tracking the
> # packets/s received by the server for processing, and
> # comparing that to the packets/s handled by the child
> # threads.
> #
>
> # If the received PPS is larger than the processed PPS, *and*
> # the queue is more than half full, then new accounting
> # requests are probabilistically discarded. This lowers the
> # number of packets that the server needs to process. Over
> # time, the server will "catch up" with the traffic.
> #
> # Throwing away accounting packets is usually safe and low
> # impact. The NAS will retransmit them in a few seconds, or
> # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
> # to see how accounting packets should be retransmitted. Using
> # any other method is likely to cause network meltdowns.
> #
> auto_limit_acct = no
> }
>
> ######################################################################
> #
> # SNMP notifications. Uncomment the following line to enable
> # snmptraps. Note that you MUST also configure the full path
> # to the "snmptrap" command in the "trigger.conf" file.
> #
> #$INCLUDE trigger.conf
>
> # MODULE CONFIGURATION
> #
> # The names and configuration of each module is located in this section.
> #
> # After the modules are defined here, they may be referred to by name,
> # in other sections of this configuration file.
> #
> modules {
> #
> # Each module has a configuration as follows:
> #
> # name [ instance ] {
> # config_item = value
> # ...
> # }
> #
> # The 'name' is used to load the 'rlm_name' library
> # which implements the functionality of the module.
> #
> # The 'instance' is optional. To have two different instances
> # of a module, it first must be referred to by 'name'.
> # The different copies of the module are then created by
> # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
> #
> # The instance names can then be used in later configuration
> # INSTEAD of the original 'name'. See the 'radutmp' configuration
> # for an example.
> #
>
> #
> # As of 3.0, modules are in mods-enabled/. Files matching
> # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
> # initialized ONLY if they are referenced in a processing
> # section, such as authorize, authenticate, accounting,
> # pre/post-proxy, etc.
> #
> $INCLUDE mods-enabled/
> }
>
> # Instantiation
> #
> # This section orders the loading of the modules. Modules
> # listed here will get loaded BEFORE the later sections like
> # authorize, authenticate, etc. get examined.
> #
> # This section is not strictly needed. When a section like
> # authorize refers to a module, it's automatically loaded and
> # initialized. However, some modules may not be listed in any
> # of the following sections, so they can be listed here.
> #
> # Also, listing modules here ensures that you have control over
> # the order in which they are initialized. If one module needs
> # something defined by another module, you can list them in order
> # here, and ensure that the configuration will be OK.
> #
> # After the modules listed here have been loaded, all of the modules
> # in the "mods-enabled" directory will be loaded. Loading the
> # "mods-enabled" directory means that unlike Version 2, you usually
> # don't need to list modules here.
> #
> instantiate {
> #
> # We list the counter module here so that it registers
> # the check_name attribute before any module which sets
> # it
> # daily
>
> # subsections here can be thought of as "virtual" modules.
> #
> # e.g. If you have two redundant SQL servers, and you want to
> # use them in the authorize and accounting sections, you could
> # place a "redundant" block in each section, containing the
> # exact same text. Or, you could uncomment the following
> # lines, and list "redundant_sql" in the authorize and
> # accounting sections.
> #
> # The "virtual" module defined here can also be used with
> # dynamic expansions, under a few conditions:
> #
> # * The section is "redundant", or "load-balance", or
> # "redundant-load-balance"
> # * The section contains modules ONLY, and no sub-sections
> # * all modules in the section are using the same rlm_
> # driver, e.g. They are all sql, or all ldap, etc.
> #
> # When those conditions are satisfied, the server will
> # automatically register a dynamic expansion, using the
> # name of the "virtual" module. In the example below,
> # it will be "redundant_sql". You can then use this expansion
> # just like any other:
> #
> # update reply {
> # Filter-Id := "%{redundant_sql: ... }"
> # }
> #
> # In this example, the expansion is done via module "sql1",
> # and if that expansion fails, using module "sql2".
> #
> # For best results, configure the "pool" subsection of the
> # module so that "retry_delay" is non-zero. That will allow
> # the redundant block to quickly ignore all "down" SQL
> # databases. If instead we have "retry_delay = 0", then
> # every time the redundant block is used, the server will try
> # to open a connection to every "down" database, causing
> # problems.
> #
> #redundant redundant_sql {
> # sql1
> # sql2
> #}
> }
>
> ######################################################################
> #
> # Policies are virtual modules, similar to those defined in the
> # "instantiate" section above.
> #
> # Defining a policy in one of the policy.d files means that it can be
> # referenced in multiple places as a *name*, rather than as a series of
> # conditions to match, and actions to take.
> #
> # Policies are something like subroutines in a normal language, but
> # they cannot be called recursively. They MUST be defined in order.
> # If policy A calls policy B, then B MUST be defined before A.
> #
> ######################################################################
> policy {
> $INCLUDE policy.d/
> }
>
> ######################################################################
> #
> # Load virtual servers.
> #
> # This next $INCLUDE line loads files in the directory that
> # match the regular expression: /[a-zA-Z0-9_.]+/
> #
> # It allows you to define new virtual servers simply by placing
> # a file into the raddb/sites-enabled/ directory.
> #
> $INCLUDE sites-enabled/
>
> ######################################################################
> #
> # All of the other configuration sections like "authorize {}",
> # "authenticate {}", "accounting {}", have been moved to
> # the file:
> #
> # raddb/sites-available/default
> #
> # This is the "default" virtual server that has the same
> # configuration as in version 1.0.x and 1.1.x. The default
> # installation enables this virtual server. You should
> # edit it to create policies for your local site.
> #
> # For more documentation on virtual servers, see:
> #
> # raddb/sites-available/README
> #
> ######################################################################
> Thanks,
> Arun
>
>
> On Tue, Aug 7, 2018 at 9:21 PM <
> freeradius-users-request at lists.freeradius.org> wrote:
>
> > Send Freeradius-Users mailing list submissions to
> > freeradius-users at lists.freeradius.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >  http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > or, via email, send a message with subject or body 'help' to
> > freeradius-users-request at lists.freeradius.org
> >
> > You can reach the person managing the list at
> > freeradius-users-owner at lists.freeradius.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeradius-Users digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Dynamic vlan assignment (aseem kaushal)
> > 2. Re: Freeradius-Users Digest, Vol 160, Issue 4 (Alan DeKok)
> > 3. Re: Dynamic vlan assignment (Elias Pereira)
> > 4. Re: radiusd -X (Mohd Yusuf Siddiqui)
> > 5. FreeRADIUS fails when home server is marked as dead
> > (matt.southward at gmail.com)
> > 6. Re: FreeRADIUS fails when home server is marked as dead
> > (Alan DeKok)
> > 7. ldap module for user and mac authentication (Dave Macias)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 7 Aug 2018 16:35:38 +0530
> > From: aseem kaushal <aseemkaushal91 at gmail.com>
> > To: freeradius-users at lists.freeradius.org
> > Subject: Dynamic vlan assignment
> > Message-ID:
> > <
> > CAPTC-T2iNa0p9co4zOBavHODp_1+-FiANKkOBW5f1hEYHPmD+g at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Need to configure freeradius for dynamic vlan assignment. What could be
> the
> > various methods for the above.
> > Thanks in advance.
> >
> >
> > Regards
> > -Aseem Kaushal
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 7 Aug 2018 07:29:10 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: Freeradius-Users Digest, Vol 160, Issue 4
> > Message-ID: <830FC253-553E-48A5-8470-D0505ECD2BBC at deployingradius.com>
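The max_attributes item in the quoted radiusd.conf explains why a packet carrying too many attributes is dropped rather than parsed: each attribute costs memory, so an unbounded count lets a few packets exhaust the server. As an added example that is not part of the quoted configuration or of FreeRADIUS itself, here is a small Python parser that walks the RADIUS attribute TLVs and applies that limit with the same semantics (0 means "any number"); the packet bytes are constructed for the example.

```python
"""Added example: count RADIUS attributes and enforce max_attributes.
Not FreeRADIUS code; the packets built below are constructed for testing."""
import struct

RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_ATTRIBUTES = 200    # same value as "max_attributes = 200" in the quoted config


def count_attributes(packet: bytes) -> int:
    """Walk the (type, length, value) attributes after the 20-byte header.
    Raises ValueError when the framing is inconsistent (bad length fields)."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("header length field inconsistent with packet size")
    offset, count = RADIUS_HEADER_LEN, 0
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated attribute header")
        attr_len = packet[offset + 1]
        # RFC 2865 attribute length includes the 2-byte type/length prefix
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("attribute length out of bounds")
        count += 1
        offset += attr_len
    return count


def accept_packet(packet: bytes, max_attributes: int = MAX_ATTRIBUTES) -> bool:
    """Mirror the config semantics: drop packets with MORE than max_attributes
    attributes or with broken framing; a limit of 0 disables the count check."""
    try:
        n = count_attributes(packet)
    except ValueError:
        return False
    return max_attributes == 0 or n <= max_attributes


def build_packet(attrs, code=1, ident=0) -> bytes:
    """Constructed Access-Request-shaped packet (authenticator zeroed) for tests."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    length = RADIUS_HEADER_LEN + len(body)
    return struct.pack("!BBH", code, ident, length) + b"\x00" * 16 + body


if __name__ == "__main__":
    normal = build_packet([(1, b"alice"), (4, bytes([10, 0, 0, 1]))])
    oversized = build_packet([(26, b"x")] * 201)
    print(accept_packet(normal), accept_packet(oversized))
```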