Freeradius-Users Digest, Vol 160, Issue 16

Arun NP arun85np at gmail.com
Mon Aug 13 06:22:03 CEST 2018


Hi ,
I am doing a yum install, and it is supposed to bring the latest version, right?
Please let me know how I can get the version which you are using (3.0.17).
I am using CentOS 7; does the version which you mentioned exist for the
same? Please inform me.

Thanks,
Arun

On Sun, Aug 12, 2018 at 11:39 AM <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: dynamic vlan assign and LDAP authentication
>       (Siddhartha Mishra)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 12 Aug 2018 11:38:35 +0530
> From: Siddhartha Mishra <siddhartha0111 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: dynamic vlan assign and LDAP authentication
> Message-ID:
>         <
> CAGb7Tj4XhTvHza8fd5Fk3d-rRtzi94wKBaMZXTWYPpF5aehqMg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Dear All,
>
> Please help me with configuring dynamic VLAN on user authentication via
> LDAP.
> User authentication via LDAP is working,
> but when we go to enable the files module in inner-tunnel and default, it
> does not work.
>
> Because we add group LDAP detail in the users file.
>
> Please help to resolve this.
>
> On Fri 10 Aug, 2018, 10:59 PM , <
> freeradius-users-request at lists.freeradius.org> wrote:
>
> >
> >
> > Today's Topics:
> >
> >    1. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Alan DeKok)
> >    2. Re: Filtering out Proxy-State in COA to fix broken Cisco NAS
> >       (Alan DeKok)
> >    3. FOREACH error message? (Stefan Paetow)
> >    4. Re: FOREACH error message? (Stefan Paetow)
> >    5. Re:Re: Accounting-Request packet shared secret fail (Alan
> >       DeKok) (Kevin Virk) (Alan DeKok) (Kevin Virk)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 10 Aug 2018 07:21:24 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9
> > Message-ID: <3BC2D945-4A1F-4E2C-8328-61997A3A0A98 at deployingradius.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Aug 10, 2018, at 4:29 AM, Arun NP <arun85np at gmail.com> wrote:
> > > As suggested, I removed FreeRADIUS and deleted all the files and did a
> > > fresh installation.
> > > This time, I did only the following changes:
> >
> >   OK.
> >
> > > copied the default file in sites-available to a file "new".
> > > Edited the port numbers in "new" four times, two for authentication and two
> > > for accounting
> > > created a soft link for "new" in the sites-enabled directory
> >
> >   Did you edit the name?  "server NEW { " ?
> >
> > > added my client IPs and secret to the clients.conf file
> > > started radius by "radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X"
> > >
> > > But , still I am getting the same error.
> >
> >   I'm running v3.0.x head (mostly 3.0.17) and it works for me.
> >
> > > radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X
> > > FreeRADIUS Version 3.0.13
> >
> >   Upgrade.
> >
> >   We're not going to track down & fix bugs which were already found and
> > fixed years ago.
> >
> >   Alan DeKok.
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Fri, 10 Aug 2018 08:12:35 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Re: Filtering out Proxy-State in COA to fix broken Cisco NAS
> > Message-ID: <E01CB6A4-EDD9-4A23-BA0E-D50941E442E3 at deployingradius.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser at frizianz.com> wrote:
> > >
> > > Trying to get COA proxying working with a Cisco NAS. Unfortunately they
> > have a broken implementation where if Proxy-State is in the request it
> > drops it.
> >
> >   That's based on a naive reading of RFC 5176.  Happily, my new draft
> > clarifies this.  It should be an RFC this year:
> >
> > https://tools.ietf.org/html/draft-ietf-radext-coa-proxy-03
> >
> > > I dug and found this old thread
> > > http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060456.html
> > > implying that we can filter out Proxy-State in attr_filter, however I've
> > > had some issues getting this working. Although this was relevant to
> > > FreeRADIUS 2.x, I'm running 3.0.16.
> > >
> > > Any other ways to achieve this? Hoping someone can point me in the right
> > > direction.
> >
> >   You can delete the Proxy-State attribute in the "pre-proxy" section:
> >
> > pre-proxy {
> >         ...
> >         update proxy-request {
> >                 Proxy-State !* ANY
> >         }
> >         ...
> > }
> >
> >   Hope that helps.
> >
> >   Alan DeKok.
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Fri, 10 Aug 2018 14:01:31 +0000
> > From: Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
> > To: "freeradius-users at lists.freeradius.org"
> >         <freeradius-users at lists.freeradius.org>
> > Subject: FOREACH error message?
> > Message-ID: <C77025A2-BE73-4732-8924-996CBE33C547 at jisc.ac.uk>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Alan, Arran et al,
> >
> > I'm getting this message:
> >
> > /etc/raddb/policy.d/moonshot-assertion[46]: MUST use attribute or list
> > reference in 'foreach'
> > /etc/raddb/policy.d/moonshot-assertion[46]: Failed to parse "foreach"
> > subsection.
> > /etc/raddb/policy.d/moonshot-assertion[38]: Failed to parse "if"
> > subsection.
> > /etc/raddb/policy.d/moonshot-assertion[105]: Failed to parse
> > "saml_add_affiliation" entry.
> >
> > The policy in question is this (I've marked line 46 with '46>'):
> >
> > #  This policy adds the eduPersonAffiliation if it exists
> > saml_add_affiliation.post-auth {
> >         #  Only try to add the Affiliation when the attribute exists
> >         if (&reply:Reply-eduPersonAffiliation) {
> >                 update control {
> >                         SAML-Attribute-Value !* ANY
> >                         SAML-Attribute-Value +=
> > "%{explode:&reply:Reply-eduPersonAffiliation ,}"
> >                 }
> >                 update reply {
> >                         SAML-AAA-Assertion += '<saml:Attribute
> > Name="urn:oid:0.9.2342.19200300.100.1.1"
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
> >                 }
> > 46>                foreach &control:SAML-Attribute-Value {
> >                         update reply {
> >                                 SAML-AAA-Assertion +=
> > '<saml:AttributeValue xsi:type="xs:string">'
> >                                 SAML-AAA-Assertion +=
> > "%{Foreach-Variable-0}"
> >                                 SAML-AAA-Assertion +=
> > '</saml:AttributeValue>'
> >                         }
> >                 }
> >                 update reply {
> >                         SAML-AAA-Assertion += '</saml:Attribute>'
> >                 }
> >         }
> > }
> >
> > I can't see where I'm going wrong here... It's probably something *very*
> > obvious that I can't see. I'm using FreeRADIUS 3.0.15 (I know, I know...
> > It's not the newest).
> >
> > Can someone point out the obvious mistake? :-/
> >
> > Thank you :-)
> >
> > Stefan Paetow
> > Consultant, Trust and Identity
> >
> > t: +44 (0)1235 822 125
> > gpg: 0x3FCE5142
> > xmpp: stefanp at jabber.dev.ja.net
> > skype: stefan.paetow.janet
> >
> > jisc.ac.uk
> >
> > Jisc is a registered charity (number 1149740) and a company limited by
> > guarantee which is registered in England under Company No. 5747339, VAT
> No.
> > GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
> > Bristol, BS2 0JA. T 0203 697 5800.
> >
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Fri, 10 Aug 2018 14:18:52 +0000
> > From: Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
> > To: FreeRadius users mailing list
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Re: FOREACH error message?
> > Message-ID: <198BEB54-C708-4E9A-8A18-012E2C3B4131 at jisc.ac.uk>
> > Content-Type: text/plain; charset=UTF-8
> >
> > And I've figured it out...
> >
> > It would help to update the dictionary with the custom values! *headdesk*
> >
> > *eyeroll*
> >
> > Stefan Paetow
> > Consultant, Trust and Identity
> >
> > t: +44 (0)1235 822 125
> > gpg: 0x3FCE5142
> > xmpp: stefanp at jabber.dev.ja.net
> > skype: stefan.paetow.janet
> >
> > jisc.ac.uk
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Fri, 10 Aug 2018 17:28:25 +0000
> > From: Kevin Virk <Kevin.Virk at faithlife.com>
> > To: "freeradius-users at lists.freeradius.org"
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Re:Re: Accounting-Request packet shared secret fail (Alan
> >         DeKok) (Kevin Virk) (Alan DeKok)
> > Message-ID: <1533922105253.29587 at faithlife.com>
> > Content-Type: text/plain; charset=WINDOWS-1252
> >
> >
> > I did make sure to restart the server. I did fail to mention that I purged
> > freeradius and reinstalled so I must have made a configuration error
> > somewhere along the way.
> >
> >
> > From: Freeradius-Users <freeradius-users-bounces+kevin.virk=
> > faithlife.com at lists.freeradius.org> on behalf of
> > freeradius-users-request at lists.freeradius.org  <
> > freeradius-users-request at lists.freeradius.org>
> > Sent: Friday, August 10, 2018 1:30 AM
> > To: freeradius-users at lists.freeradius.org
> > Subject: Freeradius-Users Digest, Vol 160, Issue 14
> >
> >
> > Today's Topics:
> >
> > 1. Re: ldap module for user and mac authentication (Dave Macias)
> > 2. Re: ldap module for user and mac authentication (Michael Ströder)
> > 3. Re: Accounting-Request packet shared secret fail (Alan DeKok)
> > (Kevin Virk) (Alan DeKok)
> > 4. Re: Dynamic vlan assignment (Dom Latter)
> > 5. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Arun NP)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 9 Aug 2018 08:23:51 -0400
> > From: Dave Macias <davama at gmail.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: ldap module for user and mac authentication
> > Message-ID:
> > <CA+nFYV_UOg+TuMMciVwPWTHUX5B=H=rbhpUE9mv_e+rsVDvCYw at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > >
> > > Yes, I had thought of something to the effect of (suggestions welcomed):
> > >
> > > if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> > >         if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> > >                 reject
> > >         }
> > > }
> > > update {
> > >         control:Auth-Type := Accept
> > > }
> > >
> > > But this does not account for the scenario of openldap being dead.
> > > The 1st "if" statement will always be FALSE and never attempt the next
> > > "if" statement and therefore 'Accept'
> > >
> >
> > I believe I misspoke here...
> > But interesting observations.
> >
> > If I use the below code AND have multiple ldap servers configured in my
> > ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one
> > that is alive; assuming one is at least alive. IF I have just one ldap
> > server configured in my ldap module, (which is dead), then the 'if' will
> > FAIL and reject as it should.
> >
> > if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> >         reject
> > }
> > else {
> >         update {
> >                 control:Auth-Type := Accept
> >         }
> > }
> >
> > Same results as above (ldap module will use the live ldap server, not the
> > dead one)
> >
> > if (!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
> > ...
> > ...
> >
> > So what did I learn?
> > You don't need to use the SRV record for failover, as long as you have all
> > the ldap servers in your ldap module.
> >
> > I think it makes sense since '%{ldap:...}' is using the ldap module,
> > technically, but I would have thought that "ldap:///" or
> > "ldap://dead-ldap-server/" meant localhost/dead-ldap-server not
> > "live.ldap.the-module-found"
> >
> > Or maybe I'm just completely off...
> > Hope that makes sense.
> >
> > (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
> > (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE
> > (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
> > (1) policy rewrite_calling_station_id {
> > (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> > (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
> > (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> > (1) update request {
> > (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> > (1) --> 00-04-F2-DD-98-C6
> > (1) &Calling-Station-Id := 00-04-F2-DD-98-C6
> > (1) } # update request = noop
> > (1) [updated] = updated
> > (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
> > (1) ... skipping else: Preceding "if" was taken
> > (1) } # policy rewrite_calling_station_id = updated
> > (1) if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
> > rlm_ldap (ldap): Reserved connection (0)
> > (1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))", scope "sub"
> > (1) Waiting for search result...
> > rlm_ldap (ldap): Released connection (0)
> > Need 5 more connections to reach 10 spares
> > rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389
> > TLSMC: MozNSS compatibility interception begins.
> > tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> > tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> > TLSMC: MozNSS compatibility interception ends.
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (1) EXPAND %{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
> > (1) --> 0004f2dd98c6
> > (1) if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE
> > (1) else {
> > (1) update {
> > (1) control:Auth-Type := Accept
> > (1) } # update = noop
> > (1) } # else = noop
> > (1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) = updated
> > (1) ... skipping else: Preceding "if" was taken
> > (1) [expiration] = noop
> > (1) [logintime] = noop
> > (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> > (1) [pap] = noop
> > (1) } # authorize = updated
> > (1) Found Auth-Type = Accept
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 9 Aug 2018 14:40:04 +0200
> > From: Michael Ströder <michael at stroeder.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>, Dave Macias
> > <davama at gmail.com>
> > Subject: Re: ldap module for user and mac authentication
> > Message-ID: <7caaa8c6-5a4c-19b6-a59b-fa045992de8c at stroeder.com>
> > Content-Type: text/plain; charset="utf-8"; Format="flowed"
> >
> > On 8/9/18 2:23 PM, Dave Macias wrote:
> > > So what did I learn?
> > > You don't need to use the SRV record for failover, as long as you have all
> > > the ldap servers in your ldap module.
> >
> > Yes!
> >
> > In theory the advantage of SRV RRs is that you can theoretically change
> > what's in your pool of LDAP servers and adjust priorities based on
> > locations.
> >
> > Besides that, I don't believe anybody fully implemented that. I'm not a
> > fan of SRV RRs anyway, because the TLS hostname check is not even defined
> > for that.
> >
> > Ciao, Michael.
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 9 Aug 2018 08:46:42 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: Accounting-Request packet shared secret fail (Alan DeKok)
> > (Kevin Virk)
> > Message-ID: <E22B5478-09CA-4FC5-BE41-34B0746517B7 at deployingradius.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> >
> > > On Aug 8, 2018, at 5:12 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
> > >
> > >
> > > figured it out I had not included the line
> > > require-message-authentication=no in my clients.conf. Thank you for your
> > > help Alan!
> >
> > That wasn't the problem. "Invalid request authenticator" means that the
> > shared secret is wrong. If you had set "request_message_authenticator =
> > yes", then the message would have been "invalid message authenticator", or
> > maybe "missing message authenticator"
> >
> > What I suspect happened is that you were editing clients.conf, and then
> > *not* restarting the server. After changing "require_message_authenticator
> > = no" and restarting the server, it picked up the new secret.
> >
> > Alan DeKok.
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 9 Aug 2018 13:47:11 +0100
> > From: Dom Latter <freeradius-users at latter.org>
> > To: freeradius-users at lists.freeradius.org
> > Subject: Re: Dynamic vlan assignment
> > Message-ID: <8818bf42-d1bf-b296-112e-ada1af8e2715 at latter.org>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> >
> >
> > On 07/08/18 18:08, Deepak Sehrawat wrote:
> > >
> > > Can we configure it via MySQL as well?
> >
> > From a post I made in April. I have a long complicated query which
> > checks if the user has been deleted, or the user's account has been
> > suspended, etc. It returns a value which is then used in various ways.
> >
> > update control {
> >         CustomVal := "%{sql:SELECT \
> >                 CASE \
> >                         WHEN (cs_suspended.value = '1') THEN 5010 \
> >                         WHEN (u.deleted != '0') THEN 5011 \
> >                         // etc
> >
> > Then the unlang code "decodes" the return value:
> >
> > if ( &control:CustomVal < 5000 ) {
> >         update reply {
> >                 Filter-Id := &control:CustomVal
> >                 Reply-Message += "Accept: MAC found."
> >         }
> > }
> > elsif (....
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Fri, 10 Aug 2018 13:59:48 +0530
> > From: Arun NP <arun85np at gmail.com>
> > To: freeradius-users at lists.freeradius.org
> > Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9
> > Message-ID:
> > <CAPLBjFVk0Uo908HJt2yA_JwBbg3_eif6HN1gXUVB2ZdffggeKg at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Hi,
> >
> > As suggested, I removed FreeRADIUS and deleted all the files and did a
> > fresh installation.
> > This time, I did only the following changes:
> >
> > copied the default file in sites-available to a file "new".
> > Edited the port numbers in "new" four times, two for authentication and two
> > for accounting
> > created a soft link for "new" in the sites-enabled directory
> > added my client IPs and secret to the clients.conf file
> > started radius by "radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X"
> >
> > But, still I am getting the same error.
> > This field which you mentioned in the previous mail,
> >
> >     radiusd: #### Loading Virtual Servers ####
> >     server { # from file /etc/raddb/radiusd.conf
> >     } # server
> >
> > comes in the debug log. But I checked the radiusd.conf thoroughly. There is
> > no server block in the radiusd.conf (Please find the radiusd file contents
> > after the debug log, below). Also, this time, the "new" file is being
> > included in the starting section.
> > Please have a look into the debug log & radiusd.conf file below & kindly
> > let me know what can be done to solve this
> > #######debug log#####
> > [root at ott-cafy-vm1 raddb]# !r
> > radiusd -d /etc/raddb -i  5.1.13.70 -p 2018 -X
> > FreeRADIUS Version 3.0.13
> > Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> > PARTICULAR PURPOSE
> > You may redistribute copies of FreeRADIUS under the terms of the
> > GNU General Public License
> > For more information about these matters, see the file named COPYRIGHT
> > Starting - reading configuration files ...
> > including dictionary file /usr/share/freeradius/dictionary
> > including dictionary file /usr/share/freeradius/dictionary.dhcp
> > including dictionary file /usr/share/freeradius/dictionary.vqp
> > including dictionary file /etc/raddb/dictionary
> > including configuration file /etc/raddb/radiusd.conf
> > including configuration file /etc/raddb/proxy.conf
> > including configuration file /etc/raddb/clients.conf
> > including files in directory /etc/raddb/mods-enabled/
> > including configuration file /etc/raddb/mods-enabled/always
> > including configuration file /etc/raddb/mods-enabled/attr_filter
> > including configuration file /etc/raddb/mods-enabled/cache_eap
> > including configuration file /etc/raddb/mods-enabled/chap
> > including configuration file /etc/raddb/mods-enabled/date
> > including configuration file /etc/raddb/mods-enabled/detail
> > including configuration file /etc/raddb/mods-enabled/detail.log
> > including configuration file /etc/raddb/mods-enabled/dhcp
> > including configuration file /etc/raddb/mods-enabled/digest
> > including configuration file /etc/raddb/mods-enabled/dynamic_clients
> > including configuration file /etc/raddb/mods-enabled/eap
> > including configuration file /etc/raddb/mods-enabled/echo
> > including configuration file /etc/raddb/mods-enabled/exec
> > including configuration file /etc/raddb/mods-enabled/expiration
> > including configuration file /etc/raddb/mods-enabled/expr
> > including configuration file /etc/raddb/mods-enabled/files
> > including configuration file /etc/raddb/mods-enabled/linelog
> > including configuration file /etc/raddb/mods-enabled/logintime
> > including configuration file /etc/raddb/mods-enabled/mschap
> > including configuration file /etc/raddb/mods-enabled/ntlm_auth
> > including configuration file /etc/raddb/mods-enabled/pap
> > including configuration file /etc/raddb/mods-enabled/passwd
> > including configuration file /etc/raddb/mods-enabled/preprocess
> > including configuration file /etc/raddb/mods-enabled/radutmp
> > including configuration file /etc/raddb/mods-enabled/realm
> > including configuration file /etc/raddb/mods-enabled/replicate
> > including configuration file /etc/raddb/mods-enabled/soh
> > including configuration file /etc/raddb/mods-enabled/sradutmp
> > including configuration file /etc/raddb/mods-enabled/unix
> > including configuration file /etc/raddb/mods-enabled/unpack
> > including configuration file /etc/raddb/mods-enabled/utf8
> > including files in directory /etc/raddb/policy.d/
> > including configuration file /etc/raddb/policy.d/accounting
> > including configuration file /etc/raddb/policy.d/canonicalization
> > including configuration file /etc/raddb/policy.d/control
> > including configuration file /etc/raddb/policy.d/cui
> > including configuration file /etc/raddb/policy.d/debug
> > including configuration file /etc/raddb/policy.d/dhcp
> > including configuration file /etc/raddb/policy.d/eap
> > including configuration file /etc/raddb/policy.d/filter
> > including configuration file /etc/raddb/policy.d/operator-name
> > including files in directory /etc/raddb/sites-enabled/
> > including configuration file /etc/raddb/sites-enabled/default
> > including configuration file /etc/raddb/sites-enabled/inner-tunnel
> > including configuration file /etc/raddb/sites-enabled/new
> > main {
> > security {
> > user = "radiusd"
> > group = "radiusd"
> > allow_core_dumps = no
> > }
> > name = "radiusd"
> > prefix = "/usr"
> > localstatedir = "/var"
> > logdir = "/var/log/radius"
> > run_dir = "/var/run/radiusd"
> > }
> > main {
> > name = "radiusd"
> > prefix = "/usr"
> > localstatedir = "/var"
> > sbindir = "/usr/sbin"
> > logdir = "/var/log/radius"
> > run_dir = "/var/run/radiusd"
> > libdir = "/usr/lib64/freeradius"
> > radacctdir = "/var/log/radius/radacct"
> > hostname_lookups = no
> > max_request_time = 30
> > cleanup_delay = 5
> > max_requests = 16384
> > pidfile = "/var/run/radiusd/radiusd.pid"
> > checkrad = "/usr/sbin/checkrad"
> > debug_level = 0
> > proxy_requests = yes
> > log {
> > stripped_names = no
> > auth = no
> > auth_badpass = no
> > auth_goodpass = no
> > colourise = yes
> > msg_denied = "You are already logged in - access denied"
> > }
> > resources {
> > }
> > security {
> > max_attributes = 200
> > reject_delay = 1.000000
> > status_server = yes
> > }
> > }
> > radiusd: #### Loading Realms and Home Servers ####
> > proxy server {
> > retry_delay = 5
> > retry_count = 3
> > default_fallback = no
> > dead_time = 120
> > wake_all_if_all_dead = no
> > }
> > home_server localhost {
> > ipaddr =  127.0.0.1
> > port = 1812
> > type = "auth"
> > secret = <<< secret >>>
> > response_window = 20.000000
> > response_timeouts = 1
> > max_outstanding = 65536
> > zombie_period = 40
> > status_check = "status-server"
> > ping_interval = 30
> > check_interval = 30
> > check_timeout = 4
> > num_answers_to_alive = 3
> > revive_interval = 120
> > limit {
> > max_connections = 16
> > max_requests = 0
> > lifetime = 0
> > idle_timeout = 0
> > }
> > coa {
> > irt = 2
> > mrt = 16
> > mrc = 5
> > mrd = 30
> > }
> > }
> > home_server_pool my_auth_failover {
> > type = fail-over
> > home_server = localhost
> > }
> > realm  example.com {
> > auth_pool = my_auth_failover
> > }
> > realm LOCAL {
> > }
> > radiusd: #### Loading Clients ####
> > client localhost {
> > ipaddr =  127.0.0.1
> > require_message_authenticator = no
> > secret = <<< secret >>>
> > nas_type = "other"
> > proto = "*"
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> > client localhost_ipv6 {
> > ipv6addr = ::1
> > require_message_authenticator = no
> > secret = <<< secret >>>
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> > client  5.5.18.22 {
> > ipaddr =  5.5.18.22
> > require_message_authenticator = no
> > secret = <<< secret >>>
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> > client  5.5.18.20 {
> > ipaddr =  5.5.18.20
> > require_message_authenticator = no
> > secret = <<< secret >>>
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> > Debugger not attached
> > # Creating Auth-Type = mschap
> > # Creating Auth-Type = digest
> > # Creating Auth-Type = eap
> > # Creating Auth-Type = PAP
> > # Creating Auth-Type = CHAP
> > # Creating Auth-Type = MS-CHAP
> > radiusd: #### Instantiating modules ####
> > modules {
> > # Loaded module rlm_always
> > # Loading module "reject" from file /etc/raddb/mods-enabled/always
> > always reject {
> > rcode = "reject"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "fail" from file /etc/raddb/mods-enabled/always
> > always fail {
> > rcode = "fail"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "ok" from file /etc/raddb/mods-enabled/always
> > always ok {
> > rcode = "ok"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "handled" from file /etc/raddb/mods-enabled/always
> > always handled {
> > rcode = "handled"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "invalid" from file /etc/raddb/mods-enabled/always
> > always invalid {
> > rcode = "invalid"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "userlock" from file /etc/raddb/mods-enabled/always
> > always userlock {
> > rcode = "userlock"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "notfound" from file /etc/raddb/mods-enabled/always
> > always notfound {
> > rcode = "notfound"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "noop" from file /etc/raddb/mods-enabled/always
> > always noop {
> > rcode = "noop"
> > simulcount = 0
> > mpp = no
> > }
> > # Loading module "updated" from file /etc/raddb/mods-enabled/always
> > always updated {
> > rcode = "updated"
> > simulcount = 0
> > mpp = no
> > }
> > # Loaded module rlm_attr_filter
> > # Loading module "attr_filter.post-proxy" from file
> > /etc/raddb/mods-enabled/attr_filter
> > attr_filter attr_filter.post-proxy {
> > filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> > key = "%{Realm}"
> > relaxed = no
> > }
> > # Loading module "attr_filter.pre-proxy" from file
> > /etc/raddb/mods-enabled/attr_filter
> > attr_filter attr_filter.pre-proxy {
> > filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> > key = "%{Realm}"
> > relaxed = no
> > }
> > # Loading module "attr_filter.access_reject" from file
> > /etc/raddb/mods-enabled/attr_filter
> > attr_filter attr_filter.access_reject {
> > filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> > key = "%{User-Name}"
> > relaxed = no
> > }
> > # Loading module "attr_filter.access_challenge" from file
> > /etc/raddb/mods-enabled/attr_filter
> > attr_filter attr_filter.access_challenge {
> > filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> > key = "%{User-Name}"
> > relaxed = no
> > }
> > # Loading module "attr_filter.accounting_response" from file
> > /etc/raddb/mods-enabled/attr_filter
> > attr_filter attr_filter.accounting_response {
> > filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
> > key = "%{User-Name}"
> > relaxed = no
> > }
> > # Loaded module rlm_cache
> > # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
> > cache cache_eap {
> > driver = "rlm_cache_rbtree"
> > key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> > ttl = 15
> > max_entries = 0
> > epoch = 0
> > add_stats = no
> > }
> > # Loaded module rlm_chap
> > # Loading module "chap" from file /etc/raddb/mods-enabled/chap
> > # Loaded module rlm_date
> > # Loading module "date" from file /etc/raddb/mods-enabled/date
> > date {
> > format = "%b %e %Y %H:%M:%S %Z"
> > }
> > # Loaded module rlm_detail
> > # Loading module "detail" from file /etc/raddb/mods-enabled/detail
> > detail {
> > filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> > header = "%t"
> > permissions = 384
> > locking = no
> > escape_filenames = no
> > log_packet_header = no
> > }
> > # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
> > detail auth_log {
> > filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> > header = "%t"
> > permissions = 384
> > locking = no
> > escape_filenames = no
> > log_packet_header = no
> > }
> > # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
> > detail reply_log {
> > filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> > header = "%t"
> > permissions = 384
> > locking = no
> > escape_filenames = no
> > log_packet_header = no
> > }
> > # Loading module "pre_proxy_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > detail pre_proxy_log {
> > filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> > header = "%t"
> > permissions = 384
> > locking = no
> > escape_filenames = no
> > log_packet_header = no
> > }
> > # Loading module "post_proxy_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > detail post_proxy_log {
> > filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> > header = "%t"
> > permissions = 384
> > locking = no
> > escape_filenames = no
> > log_packet_header = no
> > }
> > # Loaded module rlm_dhcp
> > # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> > # Loaded module rlm_digest
> > # Loading module "digest" from file /etc/raddb/mods-enabled/digest
> > # Loaded module rlm_dynamic_clients
> > # Loading module "dynamic_clients" from file
> > /etc/raddb/mods-enabled/dynamic_clients
> > # Loaded module rlm_eap
> > # Loading module "eap" from file /etc/raddb/mods-enabled/eap
> > eap {
> > default_eap_type = "md5"
> > timer_expire = 60
> > ignore_unknown_eap_types = no
> > cisco_accounting_username_bug = no
> > max_sessions = 16384
> > }
> > # Loaded module rlm_exec
> > # Loading module "echo" from file /etc/raddb/mods-enabled/echo
> > exec echo {
> > wait = yes
> > program = "/bin/echo %{User-Name}"
> > input_pairs = "request"
> > output_pairs = "reply"
> > shell_escape = yes
> > }
> > # Loading module "exec" from file /etc/raddb/mods-enabled/exec
> > exec {
> > wait = no
> > input_pairs = "request"
> > shell_escape = yes
> > timeout = 10
> > }
> > # Loaded module rlm_expiration
> > # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
> > # Loaded module rlm_expr
> > # Loading module "expr" from file /etc/raddb/mods-enabled/expr
> > expr {
> > safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
> > }
> > # Loaded module rlm_files
> > # Loading module "files" from file /etc/raddb/mods-enabled/files
> > files {
> > filename = "/etc/raddb/mods-config/files/authorize"
> > acctusersfile = "/etc/raddb/mods-config/files/accounting"
> > preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> > }
> > # Loaded module rlm_linelog
> > # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
> > linelog {
> > filename = "/var/log/radius/linelog"
> > escape_filenames = no
> > syslog_severity = "info"
> > permissions = 384
> > format = "This is a log message for %{User-Name}"
> > reference = "messages.%{%{reply:Packet-Type}:-default}"
> > }
> > # Loading module "log_accounting" from file
> > /etc/raddb/mods-enabled/linelog
> > linelog log_accounting {
> > filename = "/var/log/radius/linelog-accounting"
> > escape_filenames = no
> > syslog_severity = "info"
> > permissions = 384
> > format = ""
> > reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> > }
> > # Loaded module rlm_logintime
> > # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
> > logintime {
> > minimum_timeout = 60
> > }
> > # Loaded module rlm_mschap
> > # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
> > mschap {
> > use_mppe = yes
> > require_encryption = no
> > require_strong = no
> > with_ntdomain_hack = yes
> > passchange {
> > }
> > allow_retry = yes
> > winbind_retry_with_normalised_username = no
> > }
> > # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
> > exec ntlm_auth {
> > wait = yes
> > program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> > shell_escape = yes
> > }
> > # Loaded module rlm_pap
> > # Loading module "pap" from file /etc/raddb/mods-enabled/pap
> > pap {
> > normalise = yes
> > }
> > # Loaded module rlm_passwd
> > # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
> > passwd etc_passwd {
> > filename = "/etc/passwd"
> > format = "*User-Name:Crypt-Password:"
> > delimiter = ":"
> > ignore_nislike = no
> > ignore_empty = yes
> > allow_multiple_keys = no
> > hash_size = 100
> > }
> > # Loaded module rlm_preprocess
> > # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
> > preprocess {
> > huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> > hints = "/etc/raddb/mods-config/preprocess/hints"
> > with_ascend_hack = no
> > ascend_channels_per_line = 23
> > with_ntdomain_hack = no
> > with_specialix_jetstream_hack = no
> > with_cisco_vsa_hack = no
> > with_alvarion_vsa_hack = no
> > }
> > # Loaded module rlm_radutmp
> > # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
> > radutmp {
> > filename = "/var/log/radius/radutmp"
> > username = "%{User-Name}"
> > case_sensitive = yes
> > check_with_nas = yes
> > permissions = 384
> > caller_id = yes
> > }
> > # Loaded module rlm_realm
> > # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
> > realm IPASS {
> > format = "prefix"
> > delimiter = "/"
> > ignore_default = no
> > ignore_null = no
> > }
> > # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
> > realm suffix {
> > format = "suffix"
> > delimiter = "@"
> > ignore_default = no
> > ignore_null = no
> > }
> > # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
> > realm realmpercent {
> > format = "suffix"
> > delimiter = "%"
> > ignore_default = no
> > ignore_null = no
> > }
> > # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
> > realm ntdomain {
> > format = "prefix"
> > delimiter = "\\"
> > ignore_default = no
> > ignore_null = no
> > }
> > # Loaded module rlm_replicate
> > # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
> > # Loaded module rlm_soh
> > # Loading module "soh" from file /etc/raddb/mods-enabled/soh
> > soh {
> > dhcp = yes
> > }
> > # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
> > radutmp sradutmp {
> > filename = "/var/log/radius/sradutmp"
> > username = "%{User-Name}"
> > case_sensitive = yes
> > check_with_nas = yes
> > permissions = 420
> > caller_id = no
> > }
> > # Loaded module rlm_unix
> > # Loading module "unix" from file /etc/raddb/mods-enabled/unix
> > unix {
> > radwtmp = "/var/log/radius/radwtmp"
> > }
> > Creating attribute Unix-Group
> > # Loaded module rlm_unpack
> > # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
> > # Loaded module rlm_utf8
> > # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
> > instantiate {
> > }
> > # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
> > # Instantiating module "attr_filter.post-proxy" from file
> > /etc/raddb/mods-enabled/attr_filter
> > reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> > # Instantiating module "attr_filter.pre-proxy" from file
> > /etc/raddb/mods-enabled/attr_filter
> > reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> > # Instantiating module "attr_filter.access_reject" from file
> > /etc/raddb/mods-enabled/attr_filter
> > reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> > [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> > "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> > [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> > "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> > "DEFAULT".
> > # Instantiating module "attr_filter.access_challenge" from file
> > /etc/raddb/mods-enabled/attr_filter
> > reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> > # Instantiating module "attr_filter.accounting_response" from file
> > /etc/raddb/mods-enabled/attr_filter
> > reading pairlist file
> > /etc/raddb/mods-config/attr_filter/accounting_response
> > # Instantiating module "cache_eap" from file
> > /etc/raddb/mods-enabled/cache_eap
> > rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> > loaded and linked
> > # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> > # Instantiating module "auth_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> > detail output
> > # Instantiating module "reply_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > # Instantiating module "pre_proxy_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > # Instantiating module "post_proxy_log" from file
> > /etc/raddb/mods-enabled/detail.log
> > # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> > # Linked to sub-module rlm_eap_md5
> > # Linked to sub-module rlm_eap_leap
> > # Linked to sub-module rlm_eap_gtc
> > gtc {
> > challenge = "Password: "
> > auth_type = "PAP"
> > }
> > # Linked to sub-module rlm_eap_tls
> > tls {
> > tls = "tls-common"
> > }
> > tls-config tls-common {
> > verify_depth = 0
> > ca_path = "/etc/raddb/certs"
> > pem_file_type = yes
> > private_key_file = "/etc/raddb/certs/server.pem"
> > certificate_file = "/etc/raddb/certs/server.pem"
> > ca_file = "/etc/raddb/certs/ca.pem"
> > private_key_password = <<< secret >>>
> > dh_file = "/etc/raddb/certs/dh"
> > fragment_size = 1024
> > include_length = yes
> > auto_chain = yes
> > check_crl = no
> > check_all_crl = no
> > cipher_list = "DEFAULT"
> > cipher_server_preference = no
> > ecdh_curve = "prime256v1"
> > cache {
> > enable = no
> > lifetime = 24
> > max_entries = 255
> > }
> > verify {
> > skip_if_ocsp_ok = no
> > }
> > ocsp {
> > enable = no
> > override_cert_url = yes
> > url = "http://127.0.0.1/ocsp/"
> > use_nonce = yes
> > timeout = 0
> > softfail = no
> > }
> > }
> > # Linked to sub-module rlm_eap_ttls
> > ttls {
> > tls = "tls-common"
> > default_eap_type = "md5"
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > virtual_server = "inner-tunnel"
> > include_length = yes
> > require_client_cert = no
> > }
> > tls: Using cached TLS configuration from previous invocation
> > # Linked to sub-module rlm_eap_peap
> > peap {
> > tls = "tls-common"
> > default_eap_type = "mschapv2"
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > proxy_tunneled_request_as_eap = yes
> > virtual_server = "inner-tunnel"
> > soh = no
> > require_client_cert = no
> > }
> > tls: Using cached TLS configuration from previous invocation
> > # Linked to sub-module rlm_eap_mschapv2
> > mschapv2 {
> > with_ntdomain_hack = no
> > send_error = no
> > }
> > # Instantiating module "expiration" from file
> > /etc/raddb/mods-enabled/expiration
> > # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> > reading pairlist file /etc/raddb/mods-config/files/authorize
> > reading pairlist file /etc/raddb/mods-config/files/accounting
> > reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> > # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
> > # Instantiating module "log_accounting" from file
> > /etc/raddb/mods-enabled/linelog
> > # Instantiating module "logintime" from file
> > /etc/raddb/mods-enabled/logintime
> > # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> > rlm_mschap (mschap): using internal authentication
> > # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> > # Instantiating module "etc_passwd" from file
> > /etc/raddb/mods-enabled/passwd
> > rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> > # Instantiating module "preprocess" from file
> > /etc/raddb/mods-enabled/preprocess
> > reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> > reading pairlist file /etc/raddb/mods-config/preprocess/hints
> > # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> > # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> > # Instantiating module "realmpercent" from file
> > /etc/raddb/mods-enabled/realm
> > # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
> > } # modules
> > radiusd: #### Loading Virtual Servers ####
> > server { # from file /etc/raddb/radiusd.conf
> > } # server
> > server default { # from file /etc/raddb/sites-enabled/default
> > # Loading authenticate {...}
> > # Loading authorize {...}
> > Ignoring "sql" (see raddb/mods-available/README.rst)
> > Ignoring "ldap" (see raddb/mods-available/README.rst)
> > # Loading preacct {...}
> > # Loading accounting {...}
> > # Loading post-proxy {...}
> > # Loading post-auth {...}
> > } # server default
> > server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> > # Loading authenticate {...}
> > # Loading authorize {...}
> > # Loading session {...}
> > # Loading post-proxy {...}
> > # Loading post-auth {...}
> > # Skipping contents of 'if' as it is always 'false' --
> > /etc/raddb/sites-enabled/inner-tunnel:330
> > } # server inner-tunnel
> > server new { # from file /etc/raddb/sites-enabled/new
> > # Loading authenticate {...}
> > # Loading authorize {...}
> > # Loading preacct {...}
> > # Loading accounting {...}
> > # Loading post-proxy {...}
> > # Loading post-auth {...}
> > } # server new
> > radiusd: #### Opening IP addresses and Ports ####
> > Listening on auth address  5.1.13.70 port 2018
> > Listening on acct address  5.1.13.70 port 2019
> > Listening on proxy address * port 55766
> > Ready to process requests
> > (0) Received Access-Request Id 3 from 5.5.18.20:49922 to 5.1.13.70:2018 length 100
> > (0) User-Name = "test"
> > (0) NAS-IP-Address =  5.5.18.20
> > (0) NAS-IPv6-Address = ::
> > (0) NAS-Port = 130
> > (0) NAS-Port-Type = Virtual
> > (0) Service-Type = Login-User
> > (0) Calling-Station-Id = "5.255.252.5"
> > (0) User-Password = "tets"
> > (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> > Reject
> > (0) Failed to authenticate the user
> > (0) Using Post-Auth-Type Reject
> > (0) Post-Auth-Type sub-section not found. Ignoring.
> > (0) Delaying response for 1.000000 seconds
> > Waking up in 0.3 seconds.
> > Waking up in 0.6 seconds.
> > (0) Sending delayed response
> > (0) Sent Access-Reject Id 3 from  5.1.13.70:2018 to  5.5.18.20:49922
> > length 20
> > Waking up in 3.9 seconds.
> > (0) Cleaning up request packet ID 3 with timestamp +15
> > Ready to process requests
> > #################radiusd.conf##########
> > # -*- text -*-
> > ##
> > ## radiusd.conf -- FreeRADIUS server configuration file - 3.0.13
> > ##
> > ##  http://www.freeradius.org/
> > ## $Id: c62f4ffed53a073a885f243b728129f5c482fad7 $
> > ##
> >
> > ######################################################################
> > #
> > # Read "man radiusd" before editing this file. See the section
> > # titled DEBUGGING. It outlines a method where you can quickly
> > # obtain the configuration you want, without running into
> > # trouble.
> > #
> > # Run the server in debugging mode, and READ the output.
> > #
> > # $ radiusd -X
> > #
> > # We cannot emphasize this point strongly enough. The vast
> > # majority of problems can be solved by carefully reading the
> > # debugging output, which includes warnings about common issues,
> > # and suggestions for how they may be fixed.
> > #
> > # There may be a lot of output, but look carefully for words like:
> > # "warning", "error", "reject", or "failure". The messages there
> > # will usually be enough to guide you to a solution.
> > #
> > # If you are going to ask a question on the mailing list, then
> > # explain what you are trying to do, and include the output from
> > # debugging mode (radiusd -X). Failure to do so means that all
> > # of the responses to your question will be people telling you
> > # to "post the output of radiusd -X".
> >
> > ######################################################################
> > #
> > # The location of other config files and logfiles are declared
> > # in this file.
> > #
> > # Also general configuration for modules can be done in this
> > # file, it is exported through the API to modules that ask for
> > # it.
> > #
> > # See "man radiusd.conf" for documentation on the format of this
> > # file. Note that the individual configuration items are NOT
> > # documented in that "man" page. They are only documented here,
> > # in the comments.
> > #
> > # The "unlang" policy language can be used to create complex
> > # if / else policies. See "man unlang" for details.
> > #
> >
> > prefix = /usr
> > exec_prefix = /usr
> > sysconfdir = /etc
> > localstatedir = /var
> > sbindir = /usr/sbin
> > logdir = ${localstatedir}/log/radius
> > raddbdir = ${sysconfdir}/raddb
> > radacctdir = ${logdir}/radacct
> >
> > #
> > # name of the running server. See also the "-n" command-line option.
> > name = radiusd
> >
> > # Location of config and logfiles.
> > confdir = ${raddbdir}
> > modconfdir = ${confdir}/mods-config
> > certdir = ${confdir}/certs
> > cadir = ${confdir}/certs
> > run_dir = ${localstatedir}/run/${name}
> >
> > db_dir = ${localstatedir}/lib/radiusd
> >
> > #
> > # libdir: Where to find the rlm_* modules.
> > #
> > # This should be automatically set at configuration time.
> > #
> > # If the server builds and installs, but fails at execution time
> > # with an 'undefined symbol' error, then you can use the libdir
> > # directive to work around the problem.
> > #
> > # The cause is usually that a library has been installed on your
> > # system in a place where the dynamic linker CANNOT find it. When
> > # executing as root (or another user), your personal environment MAY
> > # be set up to allow the dynamic linker to find the library. When
> > # executing as a daemon, FreeRADIUS MAY NOT have the same
> > # personalized configuration.
> > #
> > # To work around the problem, find out which library contains that symbol,
> > # and add the directory containing that library to the end of 'libdir',
> > # with a colon separating the directory names. NO spaces are allowed.
> > #
> > # e.g. libdir = /usr/local/lib:/opt/package/lib
> > #
> > # You can also try setting the LD_LIBRARY_PATH environment variable
> > # in a script which starts the server.
> > #
> > # If that does not work, then you can re-configure and re-build the
> > # server to NOT use shared libraries, via:
> > #
> > # ./configure --disable-shared
> > # make
> > # make install
> > #
> > libdir = /usr/lib64/freeradius
> >
> > # pidfile: Where to place the PID of the RADIUS server.
> > #
> > # The server may be signalled while it's running by using this
> > # file.
> > #
> > # This file is written when ONLY running in daemon mode.
> > #
> > # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
> > #
> > pidfile = ${run_dir}/${name}.pid
> >
> > #
> > # correct_escapes: use correct backslash escaping
> > #
> > # Prior to version 3.0.5, the handling of backslashes was a little
> > # awkward, i.e. "wrong". In some cases, to get one backslash into
> > # a regex, you had to put 4 in the config files.
> > #
> > # Version 3.0.5 fixes that. However, for backwards compatibility,
> > # the new method of escaping is DISABLED BY DEFAULT. This means
> > # that upgrading to 3.0.5 won't break your configuration.
> > #
> > # If you don't have double backslashes (i.e. \\) in your configuration,
> > # this won't matter to you. If you do have them, fix that to use only
> > # one backslash, and then set "correct_escapes = true".
> > #
> > # You can check for this by doing:
> > #
> > # $ grep '\\\\' $(find raddb -type f -print)
> > #
> > correct_escapes = true
> >
> > # panic_action: Command to execute if the server dies unexpectedly.
> > #
> > # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
> > # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
> > # AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
> > #
> > # THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE
> > # PATTACH CAN BE USED AS AN ATTACK VECTOR.
> > #
> > # The panic action is a command which will be executed if the server
> > # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
> > # SIGABRT or SIGFPE.
> > #
> > # This can be used to start an interactive debugging session so
> > # that information regarding the current state of the server can
> > # be acquired.
> > #
> > # The following string substitutions are available:
> > # - %e The currently executing program e.g. /sbin/radiusd
> > # - %p The PID of the currently executing program e.g. 12345
> > #
> > # Standard ${} substitutions are also allowed.
> > #
> > # An example panic action for opening an interactive session in GDB would be:
> > #
> > #panic_action = "gdb %e %p"
> > #
> > # Again, don't use that on a production system.
> > #
> > # An example panic action for opening an automated session in GDB would be:
> > #
> > #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
> > #
> > # That command can be used on a production system.
> > #
> >
> > # max_request_time: The maximum time (in seconds) to handle a request.
> > #
> > # Requests which take more time than this to process may be killed, and
> > # a REJECT message is returned.
> > #
> > # WARNING: If you notice that requests take a long time to be handled,
> > # then this MAY INDICATE a bug in the server, in one of the modules
> > # used to handle a request, OR in your local configuration.
> > #
> > # This problem is most often seen when using an SQL database. If it takes
> > # more than a second or two to receive an answer from the SQL database,
> > # then it probably means that you haven't indexed the database. See your
> > # SQL server documentation for more information.
> > #
> > # Useful range of values: 5 to 120
> > #
> > max_request_time = 30
> >
> > # cleanup_delay: The time to wait (in seconds) before cleaning up
> > # a reply which was sent to the NAS.
> > #
> > # The RADIUS request is normally cached internally for a short period
> > # of time, after the reply is sent to the NAS. The reply packet may be
> > # lost in the network, and the NAS will not see it. The NAS will then
> > # re-send the request, and the server will respond quickly with the
> > # cached reply.
> > #
> > # If this value is set too low, then duplicate requests from the NAS
> > # MAY NOT be detected, and will instead be handled as separate requests.
> > #
> > # If this value is set too high, then the server will cache too many
> > # requests, and some new requests may get blocked. (See 'max_requests'.)
> > #
> > # Useful range of values: 2 to 10
> > #
> > cleanup_delay = 5
> >
> > # max_requests: The maximum number of requests which the server keeps
> > # track of. This should be 256 multiplied by the number of clients.
> > # e.g. With 4 clients, this number should be 1024.
> > #
> > # If this number is too low, then when the server becomes busy,
> > # it will not respond to any new requests, until the 'cleanup_delay'
> > # time has passed, and it has removed the old requests.
> > #
> > # If this number is set too high, then the server will use a bit more
> > # memory for no real benefit.
> > #
> > # If you aren't sure what it should be set to, it's better to set it
> > # too high than too low. Setting it to 1000 per client is probably
> > # the highest it should be.
> > #
> > # Useful range of values: 256 to infinity
> > #
> > max_requests = 16384
> >
> > # hostname_lookups: Log the names of clients or just their IP addresses
> > # e.g.,  www.freeradius.org (on) or  206.47.27.232 (off).
> > #
> > # The default is 'off' because it would be overall better for the net
> > # if people had to knowingly turn this feature on, since enabling it
> > # means that each client request will result in AT LEAST one lookup
> > # request to the nameserver. Enabling hostname_lookups will also
> > # mean that your server may stop randomly for 30 seconds from time
> > # to time, if the DNS requests take too long.
> > #
> > # Turning hostname lookups off also means that the server won't block
> > # for 30 seconds, if it sees an IP address which has no name associated
> > # with it.
> > #
> > # allowed values: {no, yes}
> > #
> > hostname_lookups = no
> >
> > #
> > # Logging section. The various "log_*" configuration items
> > # will eventually be moved here.
> > #
> > log {
> > #
> > # Destination for log messages. This can be one of:
> > #
> > # files - log to "file", as defined below.
> > # syslog - to syslog (see also the "syslog_facility", below).
> > # stdout - standard output
> > # stderr - standard error.
> > #
> > # The command-line option "-X" over-rides this option, and forces
> > # logging to go to stdout.
> > #
> > destination = files
> >
> > #
> > # Highlight important messages sent to stderr and stdout.
> > #
> > # Option will be ignored (disabled) if TERM is not
> > # an xterm or output is not to a TTY.
> > #
> > colourise = yes
> >
> > #
> > # The logging messages for the server are appended to the
> > # tail of this file if destination == "files"
> > #
> > # If the server is running in debugging mode, this file is
> > # NOT used.
> > #
> > file = ${logdir}/radius.log
> >
> > #
> > # If this configuration parameter is set, then log messages for
> > # a *request* go to this file, rather than to radius.log.
> > #
> > # i.e. This is a log file per request, once the server has accepted
> > # the request as being from a valid client. Messages that are
> > # not associated with a request still go to radius.log.
> > #
> > # Not all log messages in the server core have been updated to use
> > # this new internal API. As a result, some messages will still
> > # go to radius.log. Please submit patches to fix this behavior.
> > #
> > # The file name is expanded dynamically. You should ONLY use
> > # server-side attributes for the filename (e.g. things you control).
> > # Using this feature MAY also slow down the server substantially,
> > # especially if you do things like SQL calls as part of the
> > # expansion of the filename.
> > #
> > # The name of the log file should use attributes that don't change
> > # over the lifetime of a request, such as User-Name,
> > # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
> > # messages will be distributed over multiple files.
> > #
> > # Logging can be enabled for an individual request by a special
> > # dynamic expansion macro: %{debug: 1}, where the debug level
> > # for this request is set to '1' (or 2, 3, etc.). e.g.
> > #
> > # ...
> > # update control {
> > # Tmp-String-0 = "%{debug:1}"
> > # }
> > # ...
> > #
> > # The attribute that the value is assigned to is unimportant,
> > # and should be a "throw-away" attribute with no side effects.
> > #
> > #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
> >
> > #
> > # Which syslog facility to use, if ${destination} == "syslog"
> > #
> > # The exact values permitted here are OS-dependent. You probably
> > # don't want to change this.
> > #
> > syslog_facility = daemon
> >
> > # Log the full User-Name attribute, as it was found in the request.
> > #
> > # allowed values: {no, yes}
> > #
> > stripped_names = no
> >
> > # Log authentication requests to the log file.
> > #
> > # allowed values: {no, yes}
> > #
> > auth = no
> >
> > # Log passwords with the authentication requests.
> > # auth_badpass - logs password if it's rejected
> > # auth_goodpass - logs password if it's correct
> > #
> > # allowed values: {no, yes}
> > #
> > auth_badpass = no
> > auth_goodpass = no
> >
> > # Log additional text at the end of the "Login OK" messages.
> > # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
> > # configurations above have to be set to "yes".
> > #
> > # The strings below are dynamically expanded, which means that
> > # you can put anything you want in them. However, note that
> > # this expansion can be slow, and can negatively impact server
> > # performance.
> > #
> > # msg_goodpass = ""
> > # msg_badpass = ""
> >
> > # The message when the user exceeds the Simultaneous-Use limit.
> > #
> > msg_denied = "You are already logged in - access denied"
> > }
> >
> > # The program to execute to do concurrency checks.
> > checkrad = ${sbindir}/checkrad
> >
> > # SECURITY CONFIGURATION
> > #
> > # There may be multiple methods of attacking the server. This
> > # section holds the configuration items which minimize the impact
> > # of those attacks
> > #
> > security {
> > # chroot: directory where the server does "chroot".
> > #
> > # The chroot is done very early in the process of starting
> > # the server. After the chroot has been performed it
> > # switches to the "user" listed below (which MUST be
> > # specified). If "group" is specified, it switches to that
> > # group, too. Any other groups listed for the specified
> > # "user" in "/etc/group" are also added as part of this
> > # process.
> > #
> > # The current working directory (chdir / cd) is left
> > # *outside* of the chroot until all of the modules have been
> > # initialized. This allows the "raddb" directory to be left
> > # outside of the chroot. Once the modules have been
> > # initialized, it does a "chdir" to ${logdir}. This means
> > # that it should be impossible to break out of the chroot.
> > #
> > # If you are worried about security issues related to this
> > # use of chdir, then simply ensure that the "raddb" directory
> > # is inside of the chroot, and be sure to do "cd raddb"
> > # BEFORE starting the server.
> > #
> > # If the server is statically linked, then the only files
> > # that have to exist in the chroot are ${run_dir} and
> > # ${logdir}. If you do the "cd raddb" as discussed above,
> > # then the "raddb" directory has to be inside of the chroot
> > # directory, too.
> > #
> > # chroot = /path/to/chroot/directory
> >
> > # user/group: The name (or #number) of the user/group to run radiusd as.
> > #
> > # If these are commented out, the server will run as the
> > # user/group that started it. In order to change to a
> > # different user/group, you MUST be root ( or have root
> > # privileges ) to start the server.
> > #
> > # We STRONGLY recommend that you run the server with as few
> > # permissions as possible. That is, if you're not using
> > # shadow passwords, the user and group items below should be
> > # set to 'radius'.
> > #
> > # NOTE that some kernels refuse to setgid(group) when the
> > # value of (unsigned)group is above 60000; don't use group
> > # "nobody" on these systems!
> > #
> > # On systems with shadow passwords, you might have to set
> > # 'group = shadow' for the server to be able to read the
> > # shadow password file. If you can authenticate users while
> > # in debug mode, but not in daemon mode, it may be that the
> > # debugging mode server is running as a user that can read
> > # the shadow info, and the user listed below can not.
> > #
> > # The server will also try to use "initgroups" to read
> > # /etc/groups. It will join all groups where "user" is a
> > # member. This can allow for some finer-grained access
> > # controls.
> > #
> > user = radiusd
> > group = radiusd
> >
> > # Core dumps are a bad thing. This should only be set to
> > # 'yes' if you're debugging a problem with the server.
> > #
> > # allowed values: {no, yes}
> > #
> > allow_core_dumps = no
> >
> > #
> > # max_attributes: The maximum number of attributes
> > # permitted in a RADIUS packet. Packets which have MORE
> > # than this number of attributes in them will be dropped.
> > #
> > # If this number is set too low, then no RADIUS packets
> > # will be accepted.
> > #
> > # If this number is set too high, then an attacker may be
> > # able to send a small number of packets which will cause
> > # the server to use all available memory on the machine.
> > #
> > # Setting this number to 0 means "allow any number of attributes"
> > max_attributes = 200
> >
> > #
> > # reject_delay: When sending an Access-Reject, it can be
> > # delayed for a few seconds. This may help slow down a DoS
> > # attack. It also helps to slow down people trying to brute-force
> > # crack a user's password.
> > #
> > # Setting this number to 0 means "send rejects immediately"
> > #
> > # If this number is set higher than 'cleanup_delay', then the
> > # rejects will be sent at 'cleanup_delay' time, when the request
> > # is deleted from the internal cache of requests.
> > #
> > # As of Version 3.0.5, "reject_delay" has sub-second resolution.
> > # e.g. "reject_delay = 1.4" seconds is possible.
> > #
> > # Useful ranges: 1 to 5
> > reject_delay = 1
> >
> > #
> > # status_server: Whether or not the server will respond
> > # to Status-Server requests.
> > #
> > # When sent a Status-Server message, the server responds with
> > # an Access-Accept or Accounting-Response packet.
> > #
> > # This is mainly useful for administrators who want to "ping"
> > # the server, without adding test users, or creating fake
> > # accounting packets.
> > #
> > # It's also useful when a NAS marks a RADIUS server "dead".
> > # The NAS can periodically "ping" the server with a Status-Server
> > # packet. If the server responds, it must be alive, and the
> > # NAS can start using it for real requests.
> > #
> > # See also raddb/sites-available/status
> > #
> > status_server = yes
> >
> >
> > }
> >
> > # PROXY CONFIGURATION
> > #
> > # proxy_requests: Turns proxying of RADIUS requests on or off.
> > #
> > # The server has proxying turned on by default. If your system is NOT
> > # set up to proxy requests to another server, then you can turn proxying
> > # off here. This will save a small amount of resources on the server.
> > #
> > # If you have proxying turned off, and your configuration files say
> > # to proxy a request, then an error message will be logged.
> > #
> > # To disable proxying, change the "yes" to "no", and comment the
> > # $INCLUDE line.
> > #
> > # allowed values: {no, yes}
> > #
> > proxy_requests = yes
> > $INCLUDE proxy.conf
> >
> >
> > # CLIENTS CONFIGURATION
> > #
> > # Client configuration is defined in "clients.conf".
> > #
> >
> > # The 'clients.conf' file contains all of the information from the old
> > # 'clients' and 'naslist' configuration files. We recommend that you
> > # do NOT use 'clients' or 'naslist', although they are still
> > # supported.
> > #
> > # Anything listed in 'clients.conf' will take precedence over the
> > # information from the old-style configuration files.
> > #
> > $INCLUDE clients.conf
> >
> >
> > # THREAD POOL CONFIGURATION
> > #
> > # The thread pool is a long-lived group of threads which
> > # take turns (round-robin) handling any incoming requests.
> > #
> > # You probably want to have a few spare threads around,
> > # so that high-load situations can be handled immediately. If you
> > # don't have any spare threads, then the request handling will
> > # be delayed while a new thread is created, and added to the pool.
> > #
> > # You probably don't want too many spare threads around,
> > # otherwise they'll be sitting there taking up resources, and
> > # not doing anything productive.
> > #
> > # The numbers given below should be adequate for most situations.
> > #
> > thread pool {
> > # Number of servers to start initially --- should be a reasonable
> > # ballpark figure.
> > start_servers = 5
> >
> > # Limit on the total number of servers running.
> > #
> > # If this limit is ever reached, clients will be LOCKED OUT, so it
> > # should NOT BE SET TOO LOW. It is intended mainly as a brake to
> > # keep a runaway server from taking the system with it as it spirals
> > # down...
> > #
> > # You


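The radiusd.conf comments quoted above describe several settings whose "wrong" value weakens the server (hostname_lookups, auth_goodpass/auth_badpass, allow_core_dumps, max_attributes = 0, reject_delay = 0, a missing user/group). As an added example that is not part of this thread or of the FreeRADIUS project, the script below parses that brace-style config format and flags those values; the sample config and the WEAK table are constructed from the quoted comments.

```python
# Constructed sample: a deliberately weakened subset of the settings quoted above.
SAMPLE_CONF = """
hostname_lookups = yes
log {
    auth = yes
    auth_badpass = no
    auth_goodpass = yes
}
security {
    # user = radiusd
    allow_core_dumps = yes
    max_attributes = 0
    reject_delay = 0
}
"""

def parse_conf(text):
    """Flatten brace-style 'section { key = value }' config into {'section.key': value}."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("$INCLUDE"):  # includes are not followed here
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())           # also handles "thread pool {"
        elif line == "}":
            path.pop()
        else:
            key, _, value = line.partition("=")
            settings[".".join(path + [key.strip()])] = value.strip().strip('"')
    return settings

# (dotted key, value that is weak, reason taken from the radiusd.conf comments)
WEAK = [
    ("hostname_lookups", "yes", "each request triggers a DNS lookup; server may stall"),
    ("log.auth_goodpass", "yes", "correct passwords are written to the log"),
    ("log.auth_badpass", "yes", "rejected passwords are written to the log"),
    ("security.allow_core_dumps", "yes", "core dumps can contain secrets"),
    ("security.max_attributes", "0", "unbounded attributes: memory exhaustion risk"),
    ("security.reject_delay", "0", "rejects sent immediately; brute force not slowed"),
]

def audit(settings):
    """Return (key, reason) for each weak value found, plus missing user/group."""
    findings = [(k, why) for k, bad, why in WEAK if settings.get(k) == bad]
    for k in ("security.user", "security.group"):
        if k not in settings:
            findings.append((k, "not set: server keeps the privileges it was started with"))
    return findings
```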