dynamic-clients setup

BuzzSaw Code buzzsaw.code at gmail.com
Mon Sep 16 18:01:31 UTC 2024


We have a long running FreeRADIUS 3.2.x install that has been working
great but I wanted to add dynamic client support to it.  We currently
have an external script that builds clients from LDAP that I'd like to
retire.

I've followed the setup for the virtual-clients server and added this
on our test server to clients.conf:

# clients.conf fragment: two named client pools (IPv4 and IPv6) whose
# unknown sources are to be defined on demand by a "dynamic clients"
# virtual server instead of the external LDAP-to-clients.conf script.
#
# NOTE(review): in the 'radiusd -X' output below every listen section is
# bound to server "default" and none carries a 'clients = ...' directive,
# so these named sections are never attached to a listener. In 3.x a named
# clients section only takes effect when a listen section references it
# (e.g. `clients = clients-ipv4` inside the matching listen {} block) —
# confirm against sites-available/dynamic-clients.
#
# NOTE(review): the virtual server the debug output actually loads is
# "server dynamic_clients" (from /etc/raddb/sites-local/dynamic-clients),
# while both sections below point at "dynamic_client_server". The names
# must match, otherwise the lookup can never be dispatched.
clients clients-ipv4 {
    # Any source in this IPv4 range is eligible for a dynamic lookup; the
    # dynamic-clients virtual server decides whether it becomes a client,
    # so keep the range as narrow as the NAS population allows.
    ipaddr = XXX.YYY.0.0/16
    # Virtual server that must add the client definition for an unknown source.
    dynamic_clients = dynamic_client_server
    # Presumably seconds a dynamically created client stays cached — verify.
    lifetime = 3600
}

clients clients-ipv6 {
    # Same handling for the IPv6 range (the rejected test client
    # MMMM:NNNN:ab:84::1425 in the log falls inside this /32).
    ipv6addr = MMMM:NNNN::/32
    # Must name the loaded virtual server (see note above on "dynamic_clients").
    dynamic_clients = dynamic_client_server
    # Presumably seconds a dynamically created client stays cached — verify.
    lifetime = 3600
}

But running the server with 'radiusd -X', it doesn't even appear to
attempt to look up the test client that is making the request - it
just rejects it outright without calling the dynamic clients server.
Is there more to setting it up than that?

# /usr/sbin/radiusd -X

FreeRADIUS Version 3.2.4

Copyright (C) 1999-2023 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/share/freeradius/dictionary

including dictionary file /usr/share/freeradius/dictionary.dhcp

including dictionary file /usr/share/freeradius/dictionary.vqp

including dictionary file /etc/raddb/dictionary

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/mods-enabled/

including configuration file /etc/raddb/mods-enabled/always

including configuration file /etc/raddb/mods-enabled/attr_filter

including configuration file /etc/raddb/mods-enabled/date

including configuration file /etc/raddb/mods-enabled/detail.log

including configuration file /etc/raddb/mods-enabled/dynamic_clients

including configuration file /etc/raddb/mods-enabled/exec

including configuration file /etc/raddb/mods-enabled/expr

including configuration file /etc/raddb/mods-enabled/linelog

including configuration file /etc/raddb/mods-enabled/mschap

including configuration file /etc/raddb/mods-enabled/pap

including configuration file /etc/raddb/mods-enabled/passwd

including configuration file /etc/raddb/mods-enabled/radutmp

including configuration file /etc/raddb/mods-enabled/replicate

including configuration file /etc/raddb/mods-enabled/sradutmp

including configuration file /etc/raddb/mods-enabled/unpack

including configuration file /etc/raddb/mods-enabled/eap

including configuration file /etc/raddb/mods-enabled/dren_ldap

including configuration file /etc/raddb/mods-enabled/dren_realm

including configuration file /etc/raddb/mods-enabled/detail

including configuration file /etc/raddb/mods-enabled/radius_2fa

including configuration file /etc/raddb/mods-enabled/chap

including configuration file /etc/raddb/mods-enabled/digest

including configuration file /etc/raddb/mods-enabled/echo

including configuration file /etc/raddb/mods-enabled/expiration

including configuration file /etc/raddb/mods-enabled/files

including configuration file /etc/raddb/mods-enabled/logintime

including configuration file /etc/raddb/mods-enabled/ntlm_auth

including configuration file /etc/raddb/mods-enabled/preprocess

including configuration file /etc/raddb/mods-enabled/realm

including configuration file /etc/raddb/mods-enabled/soh

including configuration file /etc/raddb/mods-enabled/totp

including configuration file /etc/raddb/mods-enabled/unix

including configuration file /etc/raddb/mods-enabled/utf8

including files in directory /etc/raddb/policy.d/

including configuration file /etc/raddb/policy.d/abfab-tr

including configuration file /etc/raddb/policy.d/accounting

including configuration file /etc/raddb/policy.d/canonicalization

including configuration file /etc/raddb/policy.d/control

including configuration file /etc/raddb/policy.d/cui

including configuration file /etc/raddb/policy.d/debug

including configuration file /etc/raddb/policy.d/dhcp

including configuration file /etc/raddb/policy.d/eap

including configuration file /etc/raddb/policy.d/filter

including configuration file /etc/raddb/policy.d/moonshot-targeted-ids

including configuration file /etc/raddb/policy.d/operator-name

including configuration file /etc/raddb/policy.d/rfc7542

including configuration file /etc/raddb/policy.d/dren_policy

including files in directory /etc/raddb/sites-local/

including configuration file /etc/raddb/sites-local/dynamic-clients

including configuration file /etc/raddb/sites-local/dren_macauth

including configuration file /etc/raddb/sites-local/dren_pki

including configuration file /etc/raddb/sites-local/dren_user

including configuration file /etc/raddb/sites-local/dren_default

main {

 security {

  user = "radiusd"

  group = "radiusd"

  allow_core_dumps = no

 }

name = "radiusd"

prefix = "/usr"

localstatedir = "/var"

logdir = "/var/log/radius"

run_dir = "/var/run/radiusd"

}

main {

name = "radiusd"

prefix = "/usr"

localstatedir = "/var"

sbindir = "/usr/sbin"

logdir = "/var/log/radius"

run_dir = "/var/run/radiusd"

libdir = "/usr/lib"

radacctdir = "/var/log/radius/radacct"

hostname_lookups = no

max_request_time = 30

proxy_dedup_window = 1

cleanup_delay = 5

max_requests = 16384

max_fds = 512

postauth_client_lost = no

pidfile = "/var/run/radiusd/radiusd.pid"

checkrad = "/usr/sbin/checkrad"

debug_level = 0

proxy_requests = yes

 log {

  stripped_names = no

  auth = yes

  auth_badpass = no

  auth_goodpass = no

  colourise = yes

  msg_denied = "You are already logged in - access denied"

 }

 resources {

 }

 security {

  max_attributes = 0

  reject_delay = 0.000000

  status_server = yes

  allow_vulnerable_openssl = "no"

 }

}

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

  retry_delay = 5

  retry_count = 3

  default_fallback = no

  dead_time = 120

  wake_all_if_all_dead = no

 }

 home_server localhost {

  nonblock = no

  ipaddr = 127.0.0.1

  port = 1812

  type = "auth"

  secret = <<< secret >>>

  response_window = 20.000000

  response_timeouts = 1

  max_outstanding = 65536

  zombie_period = 40

  status_check = "status-server"

  ping_interval = 30

  check_interval = 30

  check_timeout = 4

  num_answers_to_alive = 3

  revive_interval = 120

  limit {

  max_connections = 16

  max_requests = 0

  lifetime = 0

  idle_timeout = 0

  }

  coa {

  irt = 2

  mrt = 16

  mrc = 5

  mrd = 30

  }

 }

 home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

 }

 realm example.com {

auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Loading Clients ####

Debugger not attached

systemd watchdog is disabled

 # Creating Auth-Type = MACAUTH

 # Creating Auth-Type = eap

 # Creating Post-Auth-Type = ACCEPT

radiusd: #### Instantiating modules ####

 modules {

  # Loaded module rlm_always

  # Loading module "reject" from file /etc/raddb/mods-enabled/always

  always reject {

  rcode = "reject"

  simulcount = 0

  mpp = no

  }

  # Loading module "fail" from file /etc/raddb/mods-enabled/always

  always fail {

  rcode = "fail"

  simulcount = 0

  mpp = no

  }

  # Loading module "ok" from file /etc/raddb/mods-enabled/always

  always ok {

  rcode = "ok"

  simulcount = 0

  mpp = no

  }

  # Loading module "handled" from file /etc/raddb/mods-enabled/always

  always handled {

  rcode = "handled"

  simulcount = 0

  mpp = no

  }

  # Loading module "invalid" from file /etc/raddb/mods-enabled/always

  always invalid {

  rcode = "invalid"

  simulcount = 0

  mpp = no

  }

  # Loading module "userlock" from file /etc/raddb/mods-enabled/always

  always userlock {

  rcode = "userlock"

  simulcount = 0

  mpp = no

  }

  # Loading module "notfound" from file /etc/raddb/mods-enabled/always

  always notfound {

  rcode = "notfound"

  simulcount = 0

  mpp = no

  }

  # Loading module "noop" from file /etc/raddb/mods-enabled/always

  always noop {

  rcode = "noop"

  simulcount = 0

  mpp = no

  }

  # Loading module "updated" from file /etc/raddb/mods-enabled/always

  always updated {

  rcode = "updated"

  simulcount = 0

  mpp = no

  }

  # Loaded module rlm_attr_filter

  # Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.post-proxy {

  filename = "/etc/raddb/mods-config/attr_filter/post-proxy"

  key = "%{Realm}"

  relaxed = no

  }

  # Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.pre-proxy {

  filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"

  key = "%{Realm}"

  relaxed = no

  }

  # Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_reject {

  filename = "/etc/raddb/mods-config/attr_filter/access_reject"

  key = "%{User-Name}"

  relaxed = no

  }

  # Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_challenge {

  filename = "/etc/raddb/mods-config/attr_filter/access_challenge"

  key = "%{User-Name}"

  relaxed = no

  }

  # Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.accounting_response {

  filename = "/etc/raddb/mods-config/attr_filter/accounting_response"

  key = "%{User-Name}"

  relaxed = no

  }

  # Loading module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.coa {

  filename = "/etc/raddb/mods-config/attr_filter/coa"

  key = "%{User-Name}"

  relaxed = no

  }

  # Loaded module rlm_date

  # Loading module "date" from file /etc/raddb/mods-enabled/date

  date {

  format = "%b %e %Y %H:%M:%S %Z"

  utc = no

  }

  # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date

  date wispr2date {

  format = "%Y-%m-%dT%H:%M:%S"

  utc = no

  }

  # Loaded module rlm_detail

  # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log

  detail auth_log {

  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"

  header = "%t"

  permissions = 384

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log

  detail reply_log {

  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"

  header = "%t"

  permissions = 384

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  detail pre_proxy_log {

  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"

  header = "%t"

  permissions = 384

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  detail post_proxy_log {

  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"

  header = "%t"

  permissions = 384

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loaded module rlm_dynamic_clients

  # Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients

  # Loaded module rlm_exec

  # Loading module "exec" from file /etc/raddb/mods-enabled/exec

  exec {

  wait = no

  input_pairs = "request"

  shell_escape = yes

  timeout = 10

  }

  # Loaded module rlm_expr

  # Loading module "expr" from file /etc/raddb/mods-enabled/expr

  expr {

  safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

  }

  # Loaded module rlm_linelog

  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog

  linelog {

  filename = "/var/log/radius/linelog"

  escape_filenames = no

  syslog_severity = "info"

  permissions = 384

  format = "This is a log message for %{User-Name}"

  reference = "messages.%{%{reply:Packet-Type}:-default}"

  }

  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog

  linelog log_accounting {

  filename = "/var/log/radius/linelog-accounting"

  escape_filenames = no

  syslog_severity = "info"

  permissions = 384

  format = ""

  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

  }

  # Loaded module rlm_mschap

  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap

  mschap {

  use_mppe = yes

  require_encryption = no

  require_strong = no

  with_ntdomain_hack = yes

   passchange {

   }

  allow_retry = yes

  winbind_retry_with_normalised_username = no

  }

  # Loaded module rlm_pap

  # Loading module "pap" from file /etc/raddb/mods-enabled/pap

  pap {

  normalise = yes

  }

  # Loaded module rlm_passwd

  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd

  passwd etc_passwd {

  filename = "/etc/passwd"

  format = "*User-Name:Crypt-Password:"

  delimiter = ":"

  ignore_nislike = no

  ignore_empty = yes

  allow_multiple_keys = no

  hash_size = 100

  }

  # Loaded module rlm_radutmp

  # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp

  radutmp {

  filename = "/var/log/radius/radutmp"

  username = "%{User-Name}"

  case_sensitive = yes

  check_with_nas = yes

  permissions = 384

  caller_id = yes

  }

  # Loaded module rlm_replicate

  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate

  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp

  radutmp sradutmp {

  filename = "/var/log/radius/sradutmp"

  username = "%{User-Name}"

  case_sensitive = yes

  check_with_nas = yes

  permissions = 420

  caller_id = no

  }

  # Loaded module rlm_unpack

  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack

  # Loaded module rlm_eap

  # Loading module "eap" from file /etc/raddb/mods-enabled/eap

  eap {

  default_eap_type = "tls"

  timer_expire = 120

  max_eap_type = 52

  ignore_unknown_eap_types = no

  cisco_accounting_username_bug = no

  max_sessions = 16384

  dedup_key = ""

  }

  # Loaded module rlm_ldap

  # Loading module "dren_ldap" from file /etc/raddb/mods-enabled/dren_ldap

  ldap dren_ldap {

  server = "ldap-west.dren.mil"

  port = 636

   sasl {

   }

   user {

   scope = "sub"

   access_positive = yes

    sasl {

    }

   }

   group {

   filter = "(objectClass=posixGroup)"

   scope = "sub"

   name_attribute = "cn"

   membership_filter = "(&(memberuid=%{User-Name}))"

   cacheable_name = yes

   cacheable_dn = yes

   cache_attribute = "LDAP-Cached-Membership"

   allow_dangling_group_ref = no

   }

   client {

   scope = "sub"

   base_dn = ""

   }

   profile {

   }

   options {

   ldap_debug = 0

   rebind = yes

   net_timeout = 10

   res_timeout = 10

   srv_timelimit = 10

   idle = 60

   probes = 3

   interval = 3

   }

   tls {

   check_crl = no

   start_tls = no

   }

  }

Creating attribute dren_ldap-LDAP-Group

  # Loaded module rlm_realm

  # Loading module "MACAUTH" from file /etc/raddb/mods-enabled/dren_realm

  realm MACAUTH {

  format = "suffix"

  delimiter = "@"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "USERAUTH" from file /etc/raddb/mods-enabled/dren_realm

  realm USERAUTH {

  format = "suffix"

  delimiter = "@"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "PKIAUTH" from file /etc/raddb/mods-enabled/dren_realm

  realm PKIAUTH {

  format = "suffix"

  delimiter = "@"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "detail" from file /etc/raddb/mods-enabled/detail

  detail {

  filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

  header = "%t"

  permissions = 432

  group = "radiusd"

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loading module "relay_detail" from file /etc/raddb/mods-enabled/detail

  detail relay_detail {

  filename = "/var/log/radius/radacct/relay-detail"

  header = "%t"

  permissions = 432

  group = "radiusd"

  locking = no

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loading module "detail_coa" from file /etc/raddb/mods-enabled/detail

  detail detail_coa {

  filename = "/var/log/radius/radacct/detail_coa"

  header = "%t"

  permissions = 432

  locking = yes

  dates_as_integer = no

  escape_filenames = no

  log_packet_header = no

  }

  # Loaded module rlm_perl

  # Loading module "radius_2fa" from file /etc/raddb/mods-enabled/radius_2fa

  perl radius_2fa {

  filename = "/etc/raddb/mods-config/radius_2fa/radius_2fa.pl"

  func_authorize = "authorize"

  func_authenticate = "authenticate"

  func_post_auth = "post_auth"

  func_accounting = "accounting"

  func_preacct = "preacct"

  func_checksimul = "checksimul"

  func_detach = "detach"

  func_xlat = "xlat"

  func_pre_proxy = "pre_proxy"

  func_post_proxy = "post_proxy"

  func_recv_coa = "recv_coa"

  func_send_coa = "send_coa"

  }

Perl version: 5.26.0

  # Loaded module rlm_chap

  # Loading module "chap" from file /etc/raddb/mods-enabled/chap

  # Loaded module rlm_digest

  # Loading module "digest" from file /etc/raddb/mods-enabled/digest

  # Loading module "echo" from file /etc/raddb/mods-enabled/echo

  exec echo {

  wait = yes

  program = "/bin/echo %{User-Name}"

  input_pairs = "request"

  output_pairs = "reply"

  shell_escape = yes

  }

  # Loaded module rlm_expiration

  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration

  # Loaded module rlm_files

  # Loading module "files" from file /etc/raddb/mods-enabled/files

  files {

  filename = "/etc/raddb/mods-config/files/authorize"

  acctusersfile = "/etc/raddb/mods-config/files/accounting"

  preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"

  }

  # Loaded module rlm_logintime

  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime

  logintime {

  minimum_timeout = 60

  }

  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth

  exec ntlm_auth {

  wait = yes

  program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"

  shell_escape = yes

  }

  # Loaded module rlm_preprocess

  # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess

  preprocess {

  huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"

  hints = "/etc/raddb/mods-config/preprocess/hints"

  with_ascend_hack = no

  ascend_channels_per_line = 23

  with_ntdomain_hack = no

  with_specialix_jetstream_hack = no

  with_cisco_vsa_hack = no

  with_alvarion_vsa_hack = no

  }

  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm

  realm IPASS {

  format = "prefix"

  delimiter = "/"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm

  realm suffix {

  format = "suffix"

  delimiter = "@"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm

  realm bangpath {

  format = "prefix"

  delimiter = "!"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm

  realm realmpercent {

  format = "suffix"

  delimiter = "%"

  ignore_default = no

  ignore_null = no

  }

  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm

  realm ntdomain {

  format = "prefix"

  delimiter = "\"

  ignore_default = no

  ignore_null = no

  }

  # Loaded module rlm_soh

  # Loading module "soh" from file /etc/raddb/mods-enabled/soh

  soh {

  dhcp = yes

  }

  # Loaded module rlm_totp

  # Loading module "totp" from file /etc/raddb/mods-enabled/totp

  totp {

  time_step = 30

  otp_length = 8

  lookback_steps = 1

  lookback_interval = 30

  lookforward_steps = 0

  }

  # Loaded module rlm_unix

  # Loading module "unix" from file /etc/raddb/mods-enabled/unix

  unix {

  radwtmp = "/var/log/radius/radwtmp"

  }

Creating attribute Unix-Group

  # Loaded module rlm_utf8

  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8

  instantiate {

  # Instantiating module "dren_ldap" from file /etc/raddb/mods-enabled/dren_ldap

rlm_ldap: libldap vendor: OpenLDAP, version: 20446

rlm_ldap (dren_ldap): Couldn't find configuration for accounting, will
return NOOP for calls from this section

rlm_ldap (dren_ldap): Couldn't find configuration for post-auth, will
return NOOP for calls from this section

rlm_ldap (dren_ldap): Initialising connection pool

   pool {

   start = 0

   min = 5

   max = 10

   spare = 3

   uses = 0

   lifetime = 0

   cleanup_interval = 30

   idle_timeout = 60

   retry_delay = 1

   max_retries = 5

   spread = no

   }

  }

  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always

  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always

  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always

  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always

  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always

  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always

  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always

  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always

  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always

  # Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy

  # Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy

  # Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject

  # Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge

  # Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response

  # Instantiating module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/coa

  # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output

  # Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log

  # Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

  # Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

  # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog

  # Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog

  # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

  # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap

  # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

  # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap

   # Linked to sub-module rlm_eap_md5

   # Linked to sub-module rlm_eap_tls

   tls {

   tls = "tls-common"

   }

   tls-config tls-common {

   verify_depth = 0

   pem_file_type = yes

   private_key_file = "/etc/pki/tls/private/server.key"

   certificate_file = "/etc/pki/tls/certs/server.pem"

   ca_file = "/etc/pki/tls/certs/radiusroots.pem"

   fragment_size = 1024

   include_length = yes

   auto_chain = yes

   check_crl = no

   check_all_crl = no

   ca_path_reload_interval = 0

   cipher_list = "HIGH"

   cipher_server_preference = no

   reject_unknown_intermediate_ca = no

   ecdh_curve = ""

   tls_max_version = "1.2"

   tls_min_version = "1.2"

    cache {

    enable = no

    lifetime = 24

    max_entries = 255

    }

    verify {

    skip_if_ocsp_ok = no

    }

    ocsp {

    enable = yes

    override_cert_url = yes

    url = "http://ocsp.dren.mil/"

    use_nonce = yes

    timeout = 0

    softfail = yes

    }

   }

tls: Ignoring user-selected DH parameters in FIPS mode. Using defaults.

   # Linked to sub-module rlm_eap_ttls

   ttls {

   tls = "tls-pap"

   default_eap_type = "pap"

   copy_request_to_tunnel = yes

   use_tunneled_reply = no

   virtual_server = "user-auth"

   include_length = yes

   require_client_cert = no

   }

   tls-config tls-pap {

   verify_depth = 0

   pem_file_type = yes

   private_key_file = "/etc/pki/tls/private/server.key"

   certificate_file = "/etc/pki/tls/certs/server.pem"

   ca_file = "/etc/pki/tls/certs/dodroots.pem"

   fragment_size = 1024

   include_length = yes

   auto_chain = yes

   check_crl = no

   check_all_crl = no

   ca_path_reload_interval = 0

   cipher_list = "HIGH"

   cipher_server_preference = no

   reject_unknown_intermediate_ca = no

   ecdh_curve = ""

   tls_max_version = "1.2"

   tls_min_version = "1.2"

    cache {

    enable = no

    lifetime = 24

    max_entries = 255

    }

    verify {

    skip_if_ocsp_ok = no

    }

    ocsp {

    enable = yes

    override_cert_url = yes

    url = "http://ocsp.dren.mil/"

    use_nonce = yes

    timeout = 0

    softfail = yes

    }

   }

tls: Ignoring user-selected DH parameters in FIPS mode. Using defaults.

  # Instantiating module "MACAUTH" from file /etc/raddb/mods-enabled/dren_realm

  # Instantiating module "USERAUTH" from file /etc/raddb/mods-enabled/dren_realm

  # Instantiating module "PKIAUTH" from file /etc/raddb/mods-enabled/dren_realm

  # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail

  # Instantiating module "relay_detail" from file /etc/raddb/mods-enabled/detail

  # Instantiating module "detail_coa" from file /etc/raddb/mods-enabled/detail

  # Instantiating module "radius_2fa" from file
/etc/raddb/mods-enabled/radius_2fa

  # Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration

  # Instantiating module "files" from file /etc/raddb/mods-enabled/files

reading pairlist file /etc/raddb/mods-config/files/authorize

reading pairlist file /etc/raddb/mods-config/files/accounting

reading pairlist file /etc/raddb/mods-config/files/pre-proxy

  # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime

  # Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess

reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups

reading pairlist file /etc/raddb/mods-config/preprocess/hints

  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "totp" from file /etc/raddb/mods-enabled/totp

 } # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /etc/raddb/radiusd.conf

} # server

server dynamic_clients { # from file /etc/raddb/sites-local/dynamic-clients

 # Loading authorize {...}

} # server dynamic_clients

server mac-auth { # from file /etc/raddb/sites-local/dren_macauth

 # Loading authenticate {...}

Compiling Auth-Type MACAUTH for attr Auth-Type

 # Loading authorize {...}

 # Loading post-auth {...}

} # server mac-auth

server pki-auth { # from file /etc/raddb/sites-local/dren_pki

 # Loading authenticate {...}

Compiling Auth-Type eap for attr Auth-Type

 # Loading authorize {...}

 # Loading post-auth {...}

Compiling Post-Auth-Type REJECT for attr Post-Auth-Type

Compiling Post-Auth-Type ACCEPT for attr Post-Auth-Type

} # server pki-auth

server user-auth { # from file /etc/raddb/sites-local/dren_user

 # Loading authenticate {...}

Compiling Auth-Type eap for attr Auth-Type

 # Loading authorize {...}

 # Loading post-auth {...}

Compiling Post-Auth-Type REJECT for attr Post-Auth-Type

} # server user-auth

server default { # from file /etc/raddb/sites-local/dren_default

 # Loading authorize {...}

 # Loading accounting {...}

} # server default

radiusd: #### Opening IP addresses and Ports ####

listen {

  type = "auth"

  ipaddr = *

  port = 1812

}

listen {

  type = "acct"

  ipaddr = *

  port = 1813

}

listen {

  type = "auth"

  ipv6addr = ::

  port = 1812

}

listen {

  type = "acct"

  ipv6addr = ::
  port = 1813

}

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 52712
Listening on proxy address :: port 36653
Ready to process requests
Ignoring request to auth address :: port 1812 bound to server default
from unknown client MMMM:NNNN:ab:84::1425 port 60921 proto udp
Ready to process requests

