safe_characters issue
Fabrice Durand
fdurand at inverse.ca
Wed Jun 17 14:55:07 CEST 2020
Hello all,
I am trying to set safe_characters in a sql configuration and it looks like the safe characters are not working anymore (at least the extra ones I add).
I have the following configuration:
```
sql sql_degraded {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "127.0.0.1"
    port = 3306
    login = "pf"
    password = "inverse"
    radius_db = "pf"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "password"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    delete_stale_sessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    sql_user_name = "%{User-Name}"
    postauth_query = ""
    group_membership_query = ""
    pool = sql
    client_table = "radius_nas"
    # Read database-specific queries
    $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
    safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
}
```
I added (),' as extra characters.
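As an added illustration (not code from this post or from FreeRADIUS itself), here is the escaping rule rlm_sql applies to expansions such as %{Calling-Station-Id} when auto_escape = no: every character outside safe_characters is replaced by "=" followed by its two-digit hex code, so the only difference between the two lists above is whether (),' are copied through verbatim or come out as =28=29=2C=27. It assumes ASCII input; the module's handling of multi-byte UTF-8 is not modelled.

```python
# Added example: re-implementation of rlm_sql's safe_characters escaping
# (assumption: ASCII input only; real rlm_sql also has UTF-8 handling).

# The stock list seen in the 3.0.21 trace for the other sql instances.
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
# The list from the sql_degraded instance in the post: (),' added.
EXTENDED_SAFE = DEFAULT_SAFE + "(),'"

# Characters that change the meaning of a single-quoted SQL literal.
SQL_METACHARS = frozenset("'\"\\;")


def rlm_sql_escape(value: str, safe_characters: str = DEFAULT_SAFE) -> str:
    """Escape `value` the way rlm_sql does with auto_escape = no.

    Characters present in safe_characters are copied through unchanged;
    anything else becomes "=XX" with XX the upper-case hex of the byte.
    """
    safe = set(safe_characters)
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x80 and ch in safe:
            out.append(ch)
        else:
            # Constructed to match rlm_sql's "=%02X" substitution for ASCII.
            out.append("=%02X" % code)
    return "".join(out)


def surviving_metachars(safe_characters: str) -> set:
    """SQL metacharacters that this safe_characters list lets through verbatim.

    An empty set means every quote/backslash/semicolon in an attribute value
    is neutralised before it is spliced into a query string.
    """
    return set(SQL_METACHARS) & set(safe_characters)


def same_after_escape(value: str, safe_characters: str) -> bool:
    """True when `value` would reach the query unchanged (what the post expects
    for (),' with the extended list on 3.0.13)."""
    return rlm_sql_escape(value, safe_characters) == value


if __name__ == "__main__":
    # Constructed sample value mixing the extra characters from the post.
    sample = "O'Brien (lab), room 12"
    print("default :", rlm_sql_escape(sample, DEFAULT_SAFE))
    print("extended:", rlm_sql_escape(sample, EXTENDED_SAFE))
    print("metachars passed through by extended list:",
          surviving_metachars(EXTENDED_SAFE))
```

The second function is the check worth running before widening the list: with ' in safe_characters and auto_escape = no, a quote inside an attribute lands verbatim inside the quoted literal of authorize_reply_query, so either keep ' out of the list or let the driver escape (auto_escape = yes).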
Following is the trace from freeradius 3.0.21 (doesn't work) and from freeradius-3.0.13 (works) for exactly the same radius request and exactly the same configuration:
```
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file /usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence.orig
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file /usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
security {
user = "pf"
group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
max_requests = 20000
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 20.000000", forcing to "response_window = 10.000000"
home_server pf.remote {
ipaddr = 172.20.135.10
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.4"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server degraded {
virtual_server = "pf.degraded"
port = 0
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 30.000000", forcing to "response_window = 10.000000"
home_server pf0.cluster {
ipaddr = 172.20.135.4
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server pf0.cli.cluster {
ipaddr = 172.20.135.4
port = 1815
type = "auth"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm bob {
}
realm bibi {
}
realm inverse.inc {
}
realm eduroam.default {
}
realm eduroam.local {
}
realm eduroam.null {
}
realm eduroam.bob {
}
realm eduroam.bibi {
}
realm eduroam.inverse.inc {
}
home_server_pool pf_auth_pool {
type = fail-over
home_server = pf.remote
home_server = degraded
}
home_server_pool pf_acct_pool {
type = fail-over
home_server = pf.remote
}
realm remote {
auth_pool = pf_auth_pool
acct_pool = pf_acct_pool
}
home_server_pool pf_pool.cluster {
type = keyed-balance
home_server = pf0.cluster
}
home_server_pool pfacct_pool.cluster {
type = load-balance
home_server = pf0.cluster
}
realm packetfence {
auth_pool = pf_pool.cluster
acct_pool = pfacct_pool.cluster
}
home_server_pool pfcli_pool.cluster {
type = keyed-balance
home_server = pf0.cli.cluster
}
realm packetfence-cli {
auth_pool = pfcli_pool.cluster
}
auth: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.4 {
ipaddr = 172.20.135.4
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.5 {
ipaddr = 172.20.135.5
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.11 {
ipaddr = 172.20.135.11
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.12 {
ipaddr = 172.20.135.12
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.13 {
ipaddr = 172.20.135.13
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap-degraded
# Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
modules {
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/pf/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /usr/local/pf/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/pf/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_perl
# Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
perl {
filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence" from file /usr/local/pf/raddb/mods-enabled/perl
perl packetfence {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence-multi-domain" from file /usr/local/pf/raddb/mods-enabled/perl
perl packetfence-multi-domain {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "reply_in_db" from file /usr/local/pf/raddb/mods-enabled/perl
perl reply_in_db {
filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/pf/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/pf/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/pf/logs/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_raw
# Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
raw {
name = "raw"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/pf/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
# Loading module "realmpercent" from file /usr/local/pf/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/pf/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_redis
# Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
redis {
server = "127.0.0.1"
port = 6379
database = 0
query_timeout = 5
}
rlm_redis: libhiredis version: 0.12.1
# Loading module "redis_ntlm" from file /usr/local/pf/raddb/mods-enabled/redis
redis redis_ntlm {
server = "127.0.0.1"
port = 6383
database = 0
query_timeout = 5
}
rlm_redis: libhiredis version: 0.12.1
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/pf/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/pf/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/pf/logs/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/pf/logs/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/pf/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loading module "eap-degraded" from file /usr/local/pf/raddb/mods-enabled/eap
eap eap-degraded {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
rest {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loading module "rest-cli" from file /usr/local/pf/raddb/mods-enabled/rest
rest rest-cli {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
interim-update {
query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
}
stop {
query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
}
}
post-auth {
reference = "type.accept.query"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfguest {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute pfguest-SQL-Group
# Loading module "pfsponsor" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfsponsor {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute pfsponsor-SQL-Group
# Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfsms {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute pfsms-SQL-Group
# Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
sql pflocal {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
group_membership_query = "select 1"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute pflocal-SQL-Group
# Loading module "sql_reject" from file /usr/local/pf/raddb/mods-enabled/sql
sql sql_reject {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute sql_reject-SQL-Group
# Loading module "sql_degraded" from file /usr/local/pf/raddb/mods-enabled/sql
sql sql_degraded {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
auto_escape = no
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute sql_degraded-SQL-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/pf/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap" from file /usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_local {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_post_auth {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
key = "%{User-Name}"
relaxed = yes
}
# Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_pre_proxy {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
key = "%{User-Name}"
relaxed = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
cache cache_ntlm {
driver = "rlm_cache_rbtree"
key = "%{User-Name}%{Calling-Station-Id}"
ttl = 300
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache cache_password {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache userprincipalname {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache PacketFence-NTCacheHash {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
# Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
files {
filename = "/usr/local/pf/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog {
filename = "syslog"
escape_filenames = no
syslog_facility = "local1"
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "syslog"
escape_filenames = no
syslog_facility = "local2"
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
instantiate {
# Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
preacct {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = "http://127.0.0.1:7070//radius/rest/accounting"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
pre-proxy {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-proxy {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = "http://127.0.0.1:7070//radius/rest/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
}
# Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
# Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-degraded-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-degraded-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest (rest-cli): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
# Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfguest): Attempting to connect to database "pf"
# Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfsponsor): Attempting to connect to database "pf"
# Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pfsms): Attempting to connect to database "pf"
# Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (pflocal): Attempting to connect to database "pf"
# Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty. Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty. Please delete it
from the configuration
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql_reject): Attempting to connect to database "pf"
# Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty. Please delete it from
the configuration
mysql {
tls {
tls_required = no
}
warnings = "auto"
}
rlm_sql (sql_degraded): Attempting to connect to database "pf"
# Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
# Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
# Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
# Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
} # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
# Loading authenticate {...}
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
# Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading post-proxy {...}
} # server pfcli.cluster
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
type = "status"
virtual_server = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
virtual_server = "pf-remote"
ipaddr = 172.20.135.4
port = 0
}
listen {
type = "auth+acct"
virtual_server = "packetfence"
ipaddr = 172.20.135.4
port = 2083
proto = "tcp"
tls {
verify_depth = 0
ca_path = "/usr/local/pf/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/pf/raddb/certs/server.key"
certificate_file = "/usr/local/pf/raddb/certs/server.crt"
ca_file = "/usr/local/pf/raddb/certs/ca.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 8192
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "control"
listen {
socket = "/usr/local/pf/var/run/radiusd.sock"
mode = "rw"
peercred = yes
}
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 63313
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 3 waiting to be assigned a request
Thread 3 got semaphore
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 3 handling request 0, (1 handled so far)
(0) Received Access-Request Id 187 from 172.20.135.5:65296 to
172.20.135.4:1812 length 243
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0) Proxy-State = 0x323338
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update control {
(0) EXPAND %{Calling-Station-Id}
(0) --> 64:76:ba:89:71:4c
(0) Load-Balance-Key := 64:76:ba:89:71:4c
(0) Proxy-To-Realm := "remote"
(0) } # update control = noop
(0) if (!NAS-IP-Address){
(0) if (!NAS-IP-Address) -> FALSE
(0) } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) server pf-remote {
(0) }
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
(0) Sent Access-Request Id 211 from 172.20.135.4:41039 to
172.20.135.10:1812 length 248
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0) Proxy-State = 0x323338
(0) Proxy-State = 0x313837
Thread 3 waiting to be assigned a request
Listening on proxy address 172.20.135.4 port 41039
Waking up in 0.3 seconds.
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 211 from 172.20.135.10:1812 to 172.20.135.4:41039 length 47
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Proxy-State = 0x323338
(0) Proxy-State = 0x313837
(0) server pf-remote {
(0) # Executing section post-proxy from file /usr/local/pf/raddb/sites-enabled/packetfence
(0) post-proxy {
(0) update control {
(0) EXPAND %{home_server:ipaddr}
(0) --> 172.20.135.10
(0) PacketFence-Proxied-To := 172.20.135.10
(0) } # update control = noop
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND &proxy-reply:Packet-Type
(0) --> Access-Accept
(0) if (&proxy-reply:Packet-Type == Access-Accept) -> TRUE
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP, server version 10.1.21-MariaDB, protocol version 10
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0) Executing query: DELETE FROM radreply where username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql_degraded:DELETE FROM radreply where username="%{Calling-Station-Id}"}
(0) --> 3
(0) reply_in_db: $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323338'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db: $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x313837'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323338'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323338'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x313837'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323338'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x313837'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x313837'
(0) [reply_in_db] = ok
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (2)
(0) Executing query: INSERT into radreply =28username=2C attribute=2C value=29 values =28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Medium-Type:0=27=2C=27IEEE-802=27=29=2C =28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Private-Group-Id:0=27=2C=27135=27=29=2C =28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Type:0=27=2C=27VLAN=27=29
(0) ERROR: rlm_sql_mysql: ERROR 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=28username=2C attribute=2C value=29 values =28=2764:76:ba:89:71:4c=27=2C=27Tunn' at line 1): 42000
(0) ERROR: SQL query failed: server error
rlm_sql (sql): Released connection (2)
(0) EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0) -->
(0) } # if (&proxy-reply:Packet-Type == Access-Accept) = ok
(0) ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) } # post-proxy = updated
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli 64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 187 from 172.20.135.4:1812 to 172.20.135.5:65296 length 0
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Type:0 = VLAN
(0) Proxy-State = 0x323338
(0) Finished request
Thread 2 waiting to be assigned a request
Waking up in 4.6 seconds.
```
```
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file /usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file /usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
security {
user = "pf"
group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
max_requests = 20000
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
WARNING: Ignoring "response_window = 20.000000", forcing to "response_window = 10.000000"
home_server pf.remote {
ipaddr = 172.20.135.10
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.4"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server degraded {
virtual_server = "pf.degraded"
port = 0
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
WARNING: Ignoring "response_window = 30.000000", forcing to "response_window = 10.000000"
home_server pf0.cluster {
ipaddr = 172.20.135.4
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server pf0.cli.cluster {
ipaddr = 172.20.135.4
port = 1815
type = "auth"
secret = <<< secret >>>
src_ipaddr = "172.20.135.5"
response_window = 6.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm bob {
}
realm bibi {
}
realm inverse.inc {
}
realm eduroam.default {
}
realm eduroam.local {
}
realm eduroam.null {
}
realm eduroam.bob {
}
realm eduroam.bibi {
}
realm eduroam.inverse.inc {
}
home_server_pool pf_auth_pool {
type = fail-over
home_server = pf.remote
home_server = degraded
}
home_server_pool pf_acct_pool {
type = fail-over
home_server = pf.remote
}
realm remote {
auth_pool = pf_auth_pool
acct_pool = pf_acct_pool
}
home_server_pool pf_pool.cluster {
type = keyed-balance
home_server = pf0.cluster
}
home_server_pool pfacct_pool.cluster {
type = load-balance
home_server = pf0.cluster
}
realm packetfence {
auth_pool = pf_pool.cluster
acct_pool = pfacct_pool.cluster
}
home_server_pool pfcli_pool.cluster {
type = keyed-balance
home_server = pf0.cli.cluster
}
realm packetfence-cli {
auth_pool = pfcli_pool.cluster
}
auth: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.4 {
ipaddr = 172.20.135.4
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.20.135.5 {
ipaddr = 172.20.135.5
require_message_authenticator = no
secret = <<< secret >>>
shortname = "pf"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap-degraded
# Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
modules {
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/pf/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /usr/local/pf/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/pf/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_perl
# Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
perl {
filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence" from file /usr/local/pf/raddb/mods-enabled/perl
perl packetfence {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "packetfence-multi-domain" from file /usr/local/pf/raddb/mods-enabled/perl
perl packetfence-multi-domain {
filename = "/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loading module "reply_in_db" from file /usr/local/pf/raddb/mods-enabled/perl
perl reply_in_db {
filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/pf/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/pf/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/pf/logs/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_raw
# Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
raw {
name = "raw"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/pf/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
# Loading module "realmpercent" from file /usr/local/pf/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/pf/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_redis
# Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
redis {
server = "127.0.0.1"
port = 6379
database = 0
}
rlm_redis: libhiredis version: 0.12.1
# Loading module "redis_ntlm" from file /usr/local/pf/raddb/mods-enabled/redis
redis redis_ntlm {
server = "127.0.0.1"
port = 6383
database = 0
}
rlm_redis: libhiredis version: 0.12.1
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/pf/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/pf/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/pf/logs/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/pf/logs/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/pf/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loading module "eap-degraded" from file /usr/local/pf/raddb/mods-enabled/eap
eap eap-degraded {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 20000
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
rest {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loading module "rest-cli" from file /usr/local/pf/raddb/mods-enabled/rest
rest rest-cli {
connect_uri = "http://127.0.0.1:7070/"
connect_timeout = 4.000000
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
interim-update {
query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
}
stop {
query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
}
}
}
post-auth {
reference = "type.accept.query"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfguest {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfguest-SQL-Group
# Loading module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
sql pfsponsor {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfsponsor-SQL-Group
# Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
sql pfsms {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute pfsms-SQL-Group
# Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
sql pflocal {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
group_membership_query = "select 1"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pflocal-SQL-Group
# Loading module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_reject {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute sql_reject-SQL-Group
# Loading module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
sql sql_degraded {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
port = 3306
login = "pf"
password = <<< secret >>>
radius_db = "pf"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
group_membership_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = "type.reject.query"
}
}
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute sql_degraded-SQL-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap chrooted_mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 -- --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_machine {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --
--request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
ntlm_auth_timeout = 3
passchange {
}
allow_retry = no
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
mschap mschap_local {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_post_auth {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
key = "%{User-Name}"
relaxed = yes
}
# Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
attr_filter attr_filter.packetfence_pre_proxy {
filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
key = "%{User-Name}"
relaxed = yes
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
cache cache_ntlm {
driver = "rlm_cache_rbtree"
key = "%{User-Name}%{Calling-Station-Id}"
ttl = 300
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache cache_password {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache userprincipalname {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
cache PacketFence-NTCacheHash {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
# Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
files {
filename = "/usr/local/pf/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog {
filename = "syslog"
escape_filenames = no
syslog_facility = "local1"
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "syslog"
escape_filenames = no
syslog_facility = "local2"
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
instantiate {
# Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = "http://127.0.0.1:7070//radius/rest/filter"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = "http://127.0.0.1:7070//radius/rest/accounting"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = "http://127.0.0.1:7070//radius/rest/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
}
# Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
# Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
# Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
# Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
# Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-degraded-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "packetfence-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "packetfence-degraded-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
authorize {
uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
method = "post"
body = "json"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
authenticate {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
accounting {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
post-auth {
uri = ""
method = "GET"
body = "none"
auth = "none"
require_auth = no
timeout = 4.000000
chunk = 0
tls {
check_cert = yes
check_cert_cn = yes
}
}
rlm_rest (rest-cli): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
# Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
pool {
start = 0
min = 3
max = 64
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
# Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfguest): Attempting to connect to database "pf"
# Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfsponsor): Attempting to connect to database "pf"
# Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pfsms): Attempting to connect to database "pf"
# Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (pflocal): Attempting to connect to database "pf"
# Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty. Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty. Please delete it
from the configuration
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql_reject): Attempting to connect to database "pf"
# Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty. Please delete it from
the configuration
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql_degraded): Attempting to connect to database "pf"
# Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
# Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
# Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
# Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
# Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
# Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
} # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
# Loading authenticate {...}
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
# Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading accounting {...}
# Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
# Loading authorize {...}
# Loading post-proxy {...}
} # server pfcli.cluster
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
type = "status"
virtual_server = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
virtual_server = "pf-remote"
ipaddr = 172.20.135.4
port = 0
}
listen {
type = "auth+acct"
virtual_server = "packetfence"
ipaddr = 172.20.135.4
port = 2083
proto = "tcp"
tls {
verify_depth = 0
ca_path = "/usr/local/pf/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/pf/raddb/certs/server.key"
certificate_file = "/usr/local/pf/raddb/certs/server.crt"
ca_file = "/usr/local/pf/raddb/certs/ca.pem"
dh_file = "/usr/local/pf/raddb/certs/dh"
fragment_size = 8192
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "control"
listen {
socket = "/usr/local/pf/var/run/radiusd.sock"
mode = "rw"
peercred = yes
}
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 51771
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 1 waiting to be assigned a request
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Thread 3 waiting to be assigned a request
(0) Received Access-Request Id 19 from 172.20.135.5:57221 to
172.20.135.4:1812 length 243
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0) Proxy-State = 0x323531
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update control {
(0) EXPAND %{Calling-Station-Id}
(0) --> 64:76:ba:89:71:4c
(0) Load-Balance-Key := 64:76:ba:89:71:4c
(0) Proxy-To-Realm := "remote"
(0) } # update control = noop
(0) if (!NAS-IP-Address){
(0) if (!NAS-IP-Address) -> FALSE
(0) } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
Listening on proxy address 172.20.135.4 port 46328
Waking up in 0.3 seconds.
(0) Sent Access-Request Id 189 from 172.20.135.4:46328 to
172.20.135.10:1812 length 247
(0) User-Name = "64-76-ba-89-71-4c"
(0) User-Password = "64-76-ba-89-71-4c"
(0) NAS-IP-Address = 172.20.110.250
(0) NAS-Port = 0
(0) Service-Type = Call-Check
(0) Called-Station-Id = "00:1a:1e:01:68:f8"
(0) Calling-Station-Id = "64:76:ba:89:71:4c"
(0) NAS-Port-Type = Wireless-802.11
(0) Aruba-Essid-Name = "CPS-District"
(0) Aruba-Location-Id = "MS-A181"
(0) Aruba-AP-Group = "MS"
(0) PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0) Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0) Proxy-State = 0x323531
(0) Proxy-State = 0x3139
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 189 from 172.20.135.10:1812 to
172.20.135.4:46328 length 46
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Proxy-State = 0x323531
(0) Proxy-State = 0x3139
(0) # Executing section post-proxy from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) post-proxy {
(0) update control {
(0) EXPAND %{home_server:ipaddr}
(0) --> 172.20.135.10
(0) PacketFence-Proxied-To := 172.20.135.10
(0) } # update control = noop
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND &proxy-reply:Packet-Type
(0) --> Access-Accept
(0) if (&proxy-reply:Packet-Type == Access-Accept) -> TRUE
(0) if (&proxy-reply:Packet-Type == Access-Accept) {
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (0)
(0) Executing query: DELETE FROM radreply where
username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
(0) EXPAND %{sql_degraded:DELETE FROM radreply where
username="%{Calling-Station-Id}"}
(0) --> 3
(0) reply_in_db: $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323531'
(0) reply_in_db: $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db: $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db: $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x3139'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323531'
(0) reply_in_db: $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db: $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db: $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323531'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x3139'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323531'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x3139'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x3139'
(0) [reply_in_db] = ok
(0) EXPAND %{User-Name}
(0) --> 64-76-ba-89-71-4c
(0) SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0) Executing query: INSERT into radreply (username, attribute,
value) values ('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')
rlm_sql_mysql: Records: 3 Duplicates: 0 Warnings: 0
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0) --> 3
(0) } # if (&proxy-reply:Packet-Type == Access-Accept) = ok
(0) ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) } # post-proxy = updated
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli
64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 19 from 172.20.135.4:1812 to
172.20.135.5:57221 length 0
(0) Tunnel-Private-Group-Id:0 = "135"
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Type:0 = VLAN
(0) Proxy-State = 0x323531
(0) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.6 seconds.
```
--
Fabrice Durand
fdurand at inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)