Simultaneous-Use, Session section not executing
Erdal Emlik
erdalemlik at icloud.com
Sat Jan 11 23:20:06 UTC 2025
Hi, I’m trying to implement Simultaneous-Use with PostgreSQL. I added Simultaneous-Use for every group in radgroupcheck, uncommented the simultaneous-use checking queries in queries.conf, and uncommented sql in the session section of default and inner-tunnel. I’m trying to simulate Simultaneous-Use from a proxy. I know the NAS is sending Accounting-Request. I’m sending a manual Access-Request, and I sent an Accounting-Response before that, and I see in my radacct table that I have an accounting record where acctstoptime is null. So at the end of the day, I have an Access-Request and I have an accounting record in the radacct table where acctstoptime is null. I expect that when I send an Access-Request, RADIUS should return Access-Reject because the user already has a session where acctstoptime is null. Here is my RADIUS debug output, and I’m not seeing the session section being executed in it.
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/python3
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/postgresql/queries.conf
including configuration file /etc/freeradius/mods-config/sql/main/postgresql/queries.conf
including configuration file /etc/freeradius/mods-enabled/sqlcounter
including configuration file /etc/freeradius/mods-config/sql/counter/postgresql/dailycounter.conf
including configuration file /etc/freeradius/mods-config/sql/counter/postgresql/monthlycounter.conf
including configuration file /etc/freeradius/mods-config/sql/counter/postgresql/noresetcounter.conf
including configuration file /etc/freeradius/mods-config/sql/counter/postgresql/expire_on_login.conf
including configuration file /etc/freeradius/mods-enabled/sqlippool
including configuration file /etc/freeradius/mods-config/sql/ippool/postgresql/queries.conf
including configuration file /etc/freeradius/mods-config/sql/ippool/postgresql/ippoolv6DelegatedQuery.conf
including configuration file /etc/freeradius/mods-config/sql/ippool/postgresql/ippoolv6FramedQuery.conf
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/totp
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/cache
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/date
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/passwd
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/rfc7542
including configuration file /etc/freeradius/policy.d/reject_attributes
including configuration file /etc/freeradius/policy.d/accounting.dpkg-old
including configuration file /etc/freeradius/policy.d/eap.dpkg-old
including configuration file /etc/freeradius/policy.d/bng_forwarding_attributes
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/status
including configuration file /etc/freeradius/sites-enabled/monitor-socket
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/coa
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm turk.net {
}
realm netoneadsl {
}
realm netonesdsl {
}
radiusd: #### Loading Clients ####
client local {
ipaddr = 10.2.105.0/0
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
lifetime = 3600
}
client local {
ipaddr = 10.2.134.249/32
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
lifetime = 3600
}
Debugger not attached
systemd watchdog is disabled
# Creating Autz-Type = Status-Server
# Creating Auth-Type = PAP
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loaded module rlm_python3
# Loading module "python3" from file /etc/freeradius/mods-enabled/python3
python3 {
mod_instantiate = "example"
func_instantiate = "instantiate"
mod_authenticate = "example"
func_authenticate = "authenticate"
mod_accounting = "example"
func_accounting = "accounting"
mod_detach = "example"
func_detach = "detach"
python_path = "/etc/freeradius/mods-config/python3"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sqlrw" from file /etc/freeradius/mods-enabled/sql
sql sqlrw {
driver = "rlm_sql_postgresql"
server = "10.2.134.251"
port = 5432
login = "au_freeradius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT A.id, A.nasname, CONCAT(shortname, '|', groupname, '|', servicepolicyenabled) as shortname, type, secret, server FROM nas A JOIN radhuntgroup B ON B.nasipaddress = A.nasname"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') and ((isservicepolicyenabled = 1 and '%{&Huntgroup-Name}' = 'CGNAT' and iscgnat = 1 and '%{&Customer-Static-IP}' != 1 ) or (iscgnat =0) or (isservicepolicyenabled=2)) and not ( '%{&User-Group-Name}' in ('Suspend','Freeze') and Attribute in ('Framed-IP-Address','Framed-Ipv6-Prefix','Framed-Route')) ORDER BY id"
authorize_group_check_query = " SELECT id, GroupName, Attribute, case when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) and '%{&Customer-Static-IP}' = 1 then REPLACE(Value,'Dinamic','Static') when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) then Value when Attribute='Pool-Name' and '%{&Huntgroup-Name}' = 'CGNAT' then REPLACE(Value,'internet','cgnat') ELSE Value END as Value , op FROM radgroupcheck WHERE GroupName = '%{&User-Group-Name}' and ( '%{&Customer-Static-IPv6}' = 1 or ('%{&Customer-Static-IPv6}' = 0 and not ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6'))) ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute, case when '%{&Customer-Static-IP}' = 1 and GroupName like 'Secure%%' THEN REPLACE(Value,'INTERNET_','STATIC_') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNAT' THEN REPLACE(Value,'CGNAT','INTERNET') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNATIPV6' THEN REPLACE(Value,'CGNAT','INTERNET') ELSE Value End as Value, op FROM radgroupreply WHERE GroupName = '%{&User-Group-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') ORDER BY id"
group_membership_query = " SELECT '' as GroupName "
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
type {
accounting-on {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
accounting-off {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
start {
query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress, portbegin, portend, realipaddress, acctid, iscgnat, tunneltype, tunnelclientid, tunnelserver, tunnelclient, tunnelserverid, tunnellastid, actual_data_rate_upstream, actual_data_rate_downstream, minimum_data_rate_upstream, minimum_data_rate_downstream, maximum_data_rate_upstream, maximum_data_rate_downstream, attainable_data_rate_upstream, attainable_data_rate_downstream, framedipv6prefix, delegatedipv6prefix, modemmacaddress, acctinputoctetsipv6, acctoutputoctetsipv6 ) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, %{Port-Begin}, %{Port-End}, NULLIF('%{Real-IpAddress}', ''), isnumeric(%{Account-Id}), %{Is-CgNat}, '%{Tunnel-Type}', '%{Tunnel-Server-Auth-Id}', '%{Tunnel-Server-Endpoint}', '%{Tunnel-Client-Endpoint}', '%{Tunnel-Assignment-Id}', '%{Tunnel-Client-Auth-Id}', isnumeric(%{actual-data-rate-upstream}), isnumeric(%{actual-data-rate-downstream}), isnumeric(%{minimum-data-rate-upstream}), isnumeric(%{minimum-data-rate-downstream}), isnumeric(%{maximum-data-rate-upstream}), isnumeric(%{maximum-data-rate-downstream}), isnumeric(%{attainable-data-rate-upstream}), isnumeric(%{attainable-data-rate-downstream}), NULLIF('%{Framed-IPv6-Prefix}','')::inet, 
NULLIF('%{Delegated-IPv6-Prefix}','')::inet, '%{client-mac-address}', 0, 0)"
}
interim-update {
query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctInputOctetsIpV6 = (('%{%{Acct-Input-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets-IPv6}:-0}'::bigint), AcctOutputOctetsIpV6 = (('%{%{Acct-Output-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets-IPv6}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
stop {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}', AcctInputOctetsIpV6 = (('%{%{Acct-Input-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets-IPv6}:-0}'::bigint), AcctOutputOctetsIpV6 = (('%{%{Acct-Output-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets-IPv6}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Calling-Station-Id}', NOW())"
}
}
rlm_sql (sqlrw): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Creating attribute sqlrw-SQL-Group
# Loading module "sqlro" from file /etc/freeradius/mods-enabled/sql
sql sqlro {
driver = "rlm_sql_postgresql"
server = "10.2.134.251"
port = 5432
login = "au_freeradius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT A.id, A.nasname, CONCAT(shortname, '|', groupname, '|', servicepolicyenabled) as shortname, type, secret, server FROM nas A JOIN radhuntgroup B ON B.nasipaddress = A.nasname"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') and ((isservicepolicyenabled = 1 and '%{&Huntgroup-Name}' = 'CGNAT' and iscgnat = 1 and '%{&Customer-Static-IP}' != 1 ) or (iscgnat =0) or (isservicepolicyenabled=2)) and not ( '%{&User-Group-Name}' in ('Suspend','Freeze') and Attribute in ('Framed-IP-Address','Framed-Ipv6-Prefix','Framed-Route')) ORDER BY id"
authorize_group_check_query = " SELECT id, GroupName, Attribute, case when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) and '%{&Customer-Static-IP}' = 1 then REPLACE(Value,'Dinamic','Static') when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) then Value when Attribute='Pool-Name' and '%{&Huntgroup-Name}' = 'CGNAT' then REPLACE(Value,'internet','cgnat') ELSE Value END as Value , op FROM radgroupcheck WHERE GroupName = '%{&User-Group-Name}' and ( '%{&Customer-Static-IPv6}' = 1 or ('%{&Customer-Static-IPv6}' = 0 and not ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6'))) ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute, case when '%{&Customer-Static-IP}' = 1 and GroupName like 'Secure%%' THEN REPLACE(Value,'INTERNET_','STATIC_') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNAT' THEN REPLACE(Value,'CGNAT','INTERNET') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNATIPV6' THEN REPLACE(Value,'CGNAT','INTERNET') ELSE Value End as Value, op FROM radgroupreply WHERE GroupName = '%{&User-Group-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') ORDER BY id"
group_membership_query = " SELECT '' as GroupName "
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
type {
accounting-on {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
accounting-off {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
start {
query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress, portbegin, portend, realipaddress, acctid, iscgnat, tunneltype, tunnelclientid, tunnelserver, tunnelclient, tunnelserverid, tunnellastid, actual_data_rate_upstream, actual_data_rate_downstream, minimum_data_rate_upstream, minimum_data_rate_downstream, maximum_data_rate_upstream, maximum_data_rate_downstream, attainable_data_rate_upstream, attainable_data_rate_downstream, framedipv6prefix, delegatedipv6prefix, modemmacaddress, acctinputoctetsipv6, acctoutputoctetsipv6 ) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, %{Port-Begin}, %{Port-End}, NULLIF('%{Real-IpAddress}', ''), isnumeric(%{Account-Id}), %{Is-CgNat}, '%{Tunnel-Type}', '%{Tunnel-Server-Auth-Id}', '%{Tunnel-Server-Endpoint}', '%{Tunnel-Client-Endpoint}', '%{Tunnel-Assignment-Id}', '%{Tunnel-Client-Auth-Id}', isnumeric(%{actual-data-rate-upstream}), isnumeric(%{actual-data-rate-downstream}), isnumeric(%{minimum-data-rate-upstream}), isnumeric(%{minimum-data-rate-downstream}), isnumeric(%{maximum-data-rate-upstream}), isnumeric(%{maximum-data-rate-downstream}), isnumeric(%{attainable-data-rate-upstream}), isnumeric(%{attainable-data-rate-downstream}), NULLIF('%{Framed-IPv6-Prefix}','')::inet, 
NULLIF('%{Delegated-IPv6-Prefix}','')::inet, '%{client-mac-address}', 0, 0)"
}
interim-update {
query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctInputOctetsIpV6 = (('%{%{Acct-Input-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets-IPv6}:-0}'::bigint), AcctOutputOctetsIpV6 = (('%{%{Acct-Output-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets-IPv6}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
stop {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}', AcctInputOctetsIpV6 = (('%{%{Acct-Input-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets-IPv6}:-0}'::bigint), AcctOutputOctetsIpV6 = (('%{%{Acct-Output-Gigawords-IPv6}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets-IPv6}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Calling-Station-Id}', NOW())"
}
}
rlm_sql (sqlro): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Creating attribute sqlro-SQL-Group
# Loaded module rlm_sqlcounter
# Loading module "dailycounter" from file /etc/freeradius/mods-enabled/sqlcounter
sqlcounter dailycounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(AcctSessionTime - GREATER((%%b - AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%%b'"
reset = "daily"
reset_day = 1
counter_name = "Daily-Session-Time"
check_name = "Max-Daily-Session"
reply_name = "Session-Timeout"
}
# Loading module "monthlycounter" from file /etc/freeradius/mods-enabled/sqlcounter
sqlcounter monthlycounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(AcctSessionTime - GREATER((%%b - AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%%b'"
reset = "monthly"
reset_day = 1
counter_name = "Monthly-Session-Time"
check_name = "Max-Monthly-Session"
reply_name = "Session-Timeout"
}
# Loading module "noresetcounter" from file /etc/freeradius/mods-enabled/sqlcounter
sqlcounter noresetcounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}'"
reset = "never"
reset_day = 1
counter_name = "Max-All-Session-Time"
check_name = "Max-All-Session"
reply_name = "Session-Timeout"
}
# Loading module "expire_on_login" from file /etc/freeradius/mods-enabled/sqlcounter
sqlcounter expire_on_login {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT EXTRACT(EPOCH FROM (NOW() - acctstarttime)) FROM radacct WHERE UserName='%{User-Name}' ORDER BY acctstarttime LIMIT 1;"
reset = "never"
reset_day = 1
counter_name = "Expire-After-Initial-Login"
check_name = "Expire-After"
reply_name = "Session-Timeout"
}
# Loaded module rlm_sqlippool
# Loading module "ippoolv4" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool ippoolv4 {
sql_module_instance = "sqlrw"
lease_duration = 28800
pool_name = "Pool-Name"
default_pool = "main_pool"
attribute_name = "Framed-IP-Address"
allocate_begin = ""
allocate_clear = ""
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT fr_allocate_previous_or_new_framedipaddress( '%{control:Pool-Name}', '%{User-Name}', '%{NAS-IP-Address}', 28800 )"
allocate_update = ""
allocate_commit = ""
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = 'now'::timestamp(0) + '28800 second'::interval, acctsessionid = '%{Acct-Unique-Session-Id}' WHERE framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = 'now'::timestamp(0) + '28800 seconds'::interval WHERE framedipaddress = case when '%{Framed-IP-Address}' = '' then '1.1.1.1'::inet else '%{Framed-IP-Address}'::inet end"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET callingstationid = '', username = '', expiry_time = 'now'::timestamp(0) + '5 minute'::interval, acctsessionid = '' WHERE framedipaddress = case when '%{Framed-IP-Address}' = '' then '1.1.1.1'::inet else '%{Framed-IP-Address}'::inet end and acctsessionid = '%{Acct-Unique-Session-Id}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET username = '' , callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET username = '', callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP Framed-IP-Address (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loading module "ippoolv6Delegated" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool ippoolv6Delegated {
sql_module_instance = "sqlrw"
lease_duration = 14400
pool_name = "Pool-Name"
default_pool = "main_pool"
attribute_name = "Delegated-IPv6-Prefix"
allocate_begin = ""
allocate_clear = ""
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT fr_allocate_previous_or_new_framedipV6address( '%{control:Pool-Name-DelegatedIPV6}', '%{User-Name}', '%{NAS-IP-Address}', 14400 )"
allocate_update = ""
allocate_commit = ""
pool_check = "SELECT id FROM radipv6pool WHERE pool_name='%{control:Pool-Name-DelegatedIPV6}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radipv6pool SET expiry_time = 'now'::timestamp(0) + '14400 second'::interval WHERE framedipaddress = '%{Delegated-IPv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radipv6pool SET expiry_time = 'now'::timestamp(0) + '14400 seconds'::interval WHERE framedipaddress = '%{Delegated-IPv6-Prefix}' "
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radipv6pool SET username = '', expiry_time = 'now'::timestamp(0) + '1 minute'::interval WHERE username = '%{SQL-User-Name}'"
stop_commit = ""
on_begin = ""
on_clear = ""
on_commit = ""
off_begin = ""
off_clear = ""
off_commit = ""
messages {
exists = "Existing IP: %{reply:Delegated-IPv6-Prefix} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Delegated-IPv6-Prefix} from %{control:Pool-Name-DelegatedIPV6} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP Delegated-IPv6-Prefix (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name-DelegatedIPV6} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name-DelegatedIPV6 defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loading module "ippoolv6Framed" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool ippoolv6Framed {
sql_module_instance = "sqlrw"
lease_duration = 14400
pool_name = "Pool-Name"
default_pool = "main_pool"
attribute_name = "Framed-Ipv6-Prefix"
allocate_begin = ""
allocate_clear = ""
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT fr_allocate_previous_or_new_framedipV6address( '%{control:Pool-Name-FramedIPV6}', '%{User-Name}', '%{NAS-IP-Address}', 14400 )"
allocate_update = ""
allocate_commit = ""
pool_check = "SELECT id FROM radipv6pool WHERE pool_name='%{control:Pool-Name-FramedIPV6}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radipv6pool SET expiry_time = 'now'::timestamp(0) + '14400 second'::interval WHERE framedipaddress = '%{Framed-Ipv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radipv6pool SET expiry_time = 'now'::timestamp(0) + '14400 seconds'::interval WHERE framedipaddress = '%{Framed-Ipv6-Prefix}' "
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radipv6pool SET username = '', expiry_time = 'now'::timestamp(0) + '1 minute'::interval WHERE username = '%{SQL-User-Name}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radipv6pool SET username = '' , expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radipv6pool SET username = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-Ipv6-Prefix} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-Ipv6-Prefix} from %{control:Pool-Name-FramedIPV6} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP Framed-Ipv6-Prefix (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name-FramedIPV6} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name-FramedIPV6 defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/freeradius/mods-enabled/totp
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache" from file /etc/freeradius/mods-enabled/cache
cache {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
instantiate {
# Instantiating module "sqlro" from file /etc/freeradius/mods-enabled/sql
postgresql {
send_application_name = no
}
rlm_sql (sqlro): Attempting to connect to database "radius"
rlm_sql (sqlro): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465472
# Instantiating module "sqlrw" from file /etc/freeradius/mods-enabled/sql
postgresql {
send_application_name = no
}
rlm_sql (sqlrw): Attempting to connect to database "radius"
rlm_sql (sqlrw): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sqlrw): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465473
rlm_sql (sqlrw): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465474
rlm_sql (sqlrw): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465475
rlm_sql (sqlrw): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465476
rlm_sql (sqlrw): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465477
}
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "python3" from file /etc/freeradius/mods-enabled/python3
Python version: 3.8.10 (default, Nov 7 2024, 13:10:47) [GCC 9.4.0]
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "dailycounter" from file /etc/freeradius/mods-enabled/sqlcounter
rlm_sqlcounter: Current Time: 1736607085 [2025-01-11 17:51:25], Prev reset 1736542800 [2025-01-11 00:00:00]
# Instantiating module "monthlycounter" from file /etc/freeradius/mods-enabled/sqlcounter
rlm_sqlcounter: Current Time: 1736607085 [2025-01-11 17:51:25], Prev reset 1735678800 [2025-01-01 00:00:00], Reset day [1]
# Instantiating module "noresetcounter" from file /etc/freeradius/mods-enabled/sqlcounter
rlm_sqlcounter: Current Time: 1736607085 [2025-01-11 17:51:25], Prev reset 0 [2025-01-11 17:00:00]
# Instantiating module "expire_on_login" from file /etc/freeradius/mods-enabled/sqlcounter
rlm_sqlcounter: Current Time: 1736607085 [2025-01-11 17:51:25], Prev reset 0 [2025-01-11 17:00:00]
# Instantiating module "ippoolv4" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "ippoolv6Delegated" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "ippoolv6Framed" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1'
tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1_1'
tls: Setting DH parameters from /etc/freeradius/certs/dh - this is no longer necessary.
tls: You should comment out the 'dh_file' configuration item.
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "cache" from file /etc/freeradius/mods-enabled/cache
rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server status { # from file /etc/freeradius/sites-enabled/status
# Loading authorize {...}
Compiling Autz-Type Status-Server for attr Autz-Type
} # server status
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
# Loading authorize {...}
Compiling Autz-Type Status-Server for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server default
server coa { # from file /etc/freeradius/sites-enabled/coa
# Loading recv-coa {...}
# Loading send-coa {...}
} # server coa
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/freeradius/monitor/monitor.sock"
uid = "freerad"
gid = "freerad"
mode = "rw"
peercred = yes
}
}
listen {
type = "coa"
virtual_server = "coa"
ipaddr = *
port = 3799
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on command file /var/run/freeradius/monitor/monitor.sock
Listening on coa address * port 3799 bound to server coa
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 123 from 10.2.134.249:51420 to 10.2.134.250:1812 length 136
(0) Framed-Protocol = PPP
(0) User-Name = "2518932data at turk.net"
(0) User-Password = "f89cedf00c"
(0) Connect-Info = "4294967295/0"
(0) NAS-Port-Type = Virtual
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 193.192.126.219
(0) NAS-Identifier = "CISCO|CGNAT|0"
(0) Message-Authenticator = 0x5617c937f3b28aba37ca5298db078ae5
(0) Proxy-State = 0x323134
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) update request {
(0) Customer-Static-IP := 0
(0) Customer-Static-IPv6 := 0
(0) } # update request = noop
(0) if ("%{NAS-Identifier}" =~ /^([^|]+)\|([^|]+)\|([^|]+)$/) {
(0) EXPAND %{NAS-Identifier}
(0) --> CISCO|CGNAT|0
(0) if ("%{NAS-Identifier}" =~ /^([^|]+)\|([^|]+)\|([^|]+)$/) -> TRUE
(0) if ("%{NAS-Identifier}" =~ /^([^|]+)\|([^|]+)\|([^|]+)$/) {
(0) update request {
(0) EXPAND %{1}
(0) --> CISCO
(0) &Bng-Model := CISCO
(0) EXPAND %{2}
(0) --> CGNAT
(0) &Huntgroup-Name := CGNAT
(0) EXPAND %{3}
(0) --> 0
(0) &Service-Policy-Enabled := 0
rlm_sql (sqlro): Reserved connection (1)
rlm_sql (sqlro): Released connection (1)
Need more connections to reach 10 spares
rlm_sql (sqlro): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465480
rlm_sql (sqlro): Reserved connection (2)
rlm_sql (sqlro): Released connection (2)
rlm_sql (sqlro): Reserved connection (3)
rlm_sql (sqlro): Released connection (3)
rlm_sql (sqlro): Reserved connection (4)
rlm_sql (sqlro): Released connection (4)
(0) EXPAND %{User-Name}
(0) --> 2518932data at turk.net
(0) SQL-User-Name set to '2518932data at turk.net'
rlm_sql (sqlro): Reserved connection (0)
(0) Executing select query: SELECT CASE WHEN GroupName = 'Internet' THEN 'CGNAT' WHEN GroupName ='ServicePolicy' and 'CGNAT'= 'CGNAT' THEN 'ServicePolicyCgnat' WHEN GroupName = 'InternetIPV6' THEN 'CGNAT'||'IPV6' ELSE GroupName END FROM radusergroup WHERE UserName='2518932data at turk.net' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqlro): Released connection (0)
(0) EXPAND %{sqlro:SELECT CASE WHEN GroupName = 'Internet' THEN '%{Huntgroup-Name}' WHEN GroupName ='ServicePolicy' and '%{Huntgroup-Name}'= 'CGNAT' THEN 'ServicePolicyCgnat' WHEN GroupName = 'InternetIPV6' THEN '%{Huntgroup-Name}'||'IPV6' ELSE GroupName END FROM radusergroup WHERE UserName='%{User-Name}' ORDER BY priority}
(0) --> CGNAT
(0) User-Group-Name := CGNAT
(0) } # update request = noop
(0) } # if ("%{NAS-Identifier}" =~ /^([^|]+)\|([^|]+)\|([^|]+)$/) = noop
(0) if (&Huntgroup-Name == "CGNAT") {
(0) if (&Huntgroup-Name == "CGNAT") -> TRUE
(0) if (&Huntgroup-Name == "CGNAT") {
(0) update request {
rlm_sql (sqlro): Reserved connection (5)
rlm_sql (sqlro): Released connection (5)
(0) EXPAND %{User-Name}
(0) --> 2518932data at turk.net
(0) SQL-User-Name set to '2518932data at turk.net'
rlm_sql (sqlro): Reserved connection (1)
(0) Executing select query: SELECT COUNT(id) FROM radreply WHERE username='2518932data at turk.net' and attribute='Framed-IP-Address' limit 1
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqlro): Released connection (1)
(0) EXPAND %{sqlro:SELECT COUNT(id) FROM radreply WHERE username='%{User-Name}' and attribute='Framed-IP-Address' limit 1}
(0) --> 0
(0) Customer-Static-IP := 0
(0) } # update request = noop
(0) update request {
rlm_sql (sqlro): Reserved connection (6)
rlm_sql (sqlro): Released connection (6)
(0) EXPAND %{User-Name}
(0) --> 2518932data at turk.net
(0) SQL-User-Name set to '2518932data at turk.net'
rlm_sql (sqlro): Reserved connection (2)
(0) Executing select query: SELECT case when ( isautomaticassignmentipv6 = true ) then 1 else 0 end FROM tcxdsl WHERE usernamewithrealm='2518932data at turk.net' limit 1
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqlro): Released connection (2)
(0) EXPAND %{sqlro:SELECT case when ( isautomaticassignmentipv6 = true ) then 1 else 0 end FROM tcxdsl WHERE usernamewithrealm='%{User-Name}' limit 1}
(0) --> 0
(0) Customer-Static-IPv6 := 0
(0) } # update request = noop
(0) } # if (&Huntgroup-Name == "CGNAT") = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "turk.net" for User-Name = "2518932data at turk.net"
(0) suffix: Found realm "turk.net"
(0) suffix: Adding Stripped-User-Name = "2518932data"
(0) suffix: Adding Realm = "turk.net"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) sqlrw: EXPAND %{User-Name}
(0) sqlrw: --> 2518932data at turk.net
(0) sqlrw: SQL-User-Name set to '2518932data at turk.net'
rlm_sql (sqlrw): Reserved connection (0)
(0) sqlrw: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(0) sqlrw: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '2518932data at turk.net' ORDER BY id
(0) sqlrw: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '2518932data at turk.net' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(0) sqlrw: User found in radcheck table
(0) sqlrw: Conditional check items matched, merging assignment check items
(0) sqlrw: Cleartext-Password := "f89cedf00c"
(0) sqlrw: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') and ((isservicepolicyenabled = 1 and '%{&Huntgroup-Name}' = 'CGNAT' and iscgnat = 1 and '%{&Customer-Static-IP}' != 1 ) or (iscgnat =0) or (isservicepolicyenabled=2)) and not ( '%{&User-Group-Name}' in ('Suspend','Freeze') and Attribute in ('Framed-IP-Address','Framed-Ipv6-Prefix','Framed-Route')) ORDER BY id
(0) sqlrw: --> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '2518932data at turk.net' and devicetype IN ( 'CISCO','OTHER') and ((isservicepolicyenabled = 1 and 'CGNAT' = 'CGNAT' and iscgnat = 1 and '0' != 1 ) or (iscgnat =0) or (isservicepolicyenabled=2)) and not ( 'CGNAT' in ('Suspend','Freeze') and Attribute in ('Framed-IP-Address','Framed-Ipv6-Prefix','Framed-Route')) ORDER BY id
(0) sqlrw: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '2518932data at turk.net' and devicetype IN ( 'CISCO','OTHER') and ((isservicepolicyenabled = 1 and 'CGNAT' = 'CGNAT' and iscgnat = 1 and '0' != 1 ) or (iscgnat =0) or (isservicepolicyenabled=2)) and not ( 'CGNAT' in ('Suspend','Freeze') and Attribute in ('Framed-IP-Address','Framed-Ipv6-Prefix','Framed-Route')) ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
(0) sqlrw: User found in radreply table, merging reply items
(0) sqlrw: Cisco-AVPair := "ip:ip-unnumbered=Loopback 10"
(0) sqlrw: Cisco-AVPair := "ip:dns-servers=193.192.98.8 212.154.100.18"
(0) sqlrw: Cisco-Account-Info := "AINTERNET"
(0) sqlrw: EXPAND SELECT '' as GroupName
(0) sqlrw: --> SELECT '' as GroupName
(0) sqlrw: Executing select query: SELECT '' as GroupName
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
(0) sqlrw: User found in the group table
(0) sqlrw: EXPAND SELECT id, GroupName, Attribute, case when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) and '%{&Customer-Static-IP}' = 1 then REPLACE(Value,'Dinamic','Static') when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) then Value when Attribute='Pool-Name' and '%{&Huntgroup-Name}' = 'CGNAT' then REPLACE(Value,'internet','cgnat') ELSE Value END as Value , op FROM radgroupcheck WHERE GroupName = '%{&User-Group-Name}' and ( '%{&Customer-Static-IPv6}' = 1 or ('%{&Customer-Static-IPv6}' = 0 and not ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6'))) ORDER BY id
(0) sqlrw: --> SELECT id, GroupName, Attribute, case when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) and '0' = 1 then REPLACE(Value,'Dinamic','Static') when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) then Value when Attribute='Pool-Name' and 'CGNAT' = 'CGNAT' then REPLACE(Value,'internet','cgnat') ELSE Value END as Value , op FROM radgroupcheck WHERE GroupName = 'CGNAT' and ( '0' = 1 or ('0' = 0 and not ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6'))) ORDER BY id
(0) sqlrw: Executing select query: SELECT id, GroupName, Attribute, case when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) and '0' = 1 then REPLACE(Value,'Dinamic','Static') when ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6' ) then Value when Attribute='Pool-Name' and 'CGNAT' = 'CGNAT' then REPLACE(Value,'internet','cgnat') ELSE Value END as Value , op FROM radgroupcheck WHERE GroupName = 'CGNAT' and ( '0' = 1 or ('0' = 0 and not ( Attribute= 'Pool-Name-DelegatedIPV6' or Attribute= 'Pool-Name-FramedIPV6'))) ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
(0) sqlrw: Group "": Conditional check items matched
(0) sqlrw: Group "": Merging assignment check items
(0) sqlrw: Simultaneous-Use := 1
(0) sqlrw: Pool-Name := "cgnat_pool"
(0) sqlrw: EXPAND SELECT id, GroupName, Attribute, case when '%{&Customer-Static-IP}' = 1 and GroupName like 'Secure%%' THEN REPLACE(Value,'INTERNET_','STATIC_') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNAT' THEN REPLACE(Value,'CGNAT','INTERNET') when '%{&Customer-Static-IP}' = 1 and GroupName ='CGNATIPV6' THEN REPLACE(Value,'CGNAT','INTERNET') ELSE Value End as Value, op FROM radgroupreply WHERE GroupName = '%{&User-Group-Name}' and devicetype IN ( '%{&Bng-Model}','OTHER') ORDER BY id
(0) sqlrw: --> SELECT id, GroupName, Attribute, case when '0' = 1 and GroupName like 'Secure%' THEN REPLACE(Value,'INTERNET_','STATIC_') when '0' = 1 and GroupName ='CGNAT' THEN REPLACE(Value,'CGNAT','INTERNET') when '0' = 1 and GroupName ='CGNATIPV6' THEN REPLACE(Value,'CGNAT','INTERNET') ELSE Value End as Value, op FROM radgroupreply WHERE GroupName = 'CGNAT' and devicetype IN ( 'CISCO','OTHER') ORDER BY id
(0) sqlrw: Executing select query: SELECT id, GroupName, Attribute, case when '0' = 1 and GroupName like 'Secure%' THEN REPLACE(Value,'INTERNET_','STATIC_') when '0' = 1 and GroupName ='CGNAT' THEN REPLACE(Value,'CGNAT','INTERNET') when '0' = 1 and GroupName ='CGNATIPV6' THEN REPLACE(Value,'CGNAT','INTERNET') ELSE Value End as Value, op FROM radgroupreply WHERE GroupName = 'CGNAT' and devicetype IN ( 'CISCO','OTHER') ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 6 , fields = 5
(0) sqlrw: Group "": Merging reply items
(0) sqlrw: Service-Type := Framed-User
(0) sqlrw: Framed-Protocol := PPP
(0) sqlrw: Cisco-AVPair := "ip:dns-servers=193.192.98.8 212.154.100.18"
(0) sqlrw: Cisco-AVPair := "ip:vrf-id=CGNAT"
(0) sqlrw: Cisco-AVPair := "ip:ip-unnumbered=Loopback 10"
(0) sqlrw: Cisco-AVPair := "ipv6-dns-servers-addr=2A02:FF0:2:327:193:192:98:30"
rlm_sql (sqlrw): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sqlrw): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='10.2.134.251' port=5432 user='au_freeradius' password='Patates5'
Connected to database 'radius' on '10.2.134.251' server version 120012, protocol version 3, backend PID 3465481
(0) [sqlrw] = ok
(0) if (notfound) {
(0) if (notfound) -> FALSE
(0) if (reject) {
(0) if (reject) -> FALSE
(0) update control {
(0) Auth-Type := PAP
(0) } # update control = noop
(0) if (&User-Group-Name == "BngForwarding" ) {
(0) if (&User-Group-Name == "BngForwarding" ) -> FALSE
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) if (noop) {
(0) if (noop) -> FALSE
(0) if (reject) {
(0) if (reject) -> FALSE
(0) if (fail) {
(0) if (fail) -> FALSE
(0) update request {
rlm_sql (sqlro): Reserved connection (3)
rlm_sql (sqlro): Released connection (3)
(0) EXPAND %{User-Name}
(0) --> 2518932data at turk.net
(0) SQL-User-Name set to '2518932data at turk.net'
rlm_sql (sqlro): Reserved connection (4)
(0) Executing select query: SELECT VALUE FROM RADCHECK WHERE USERNAME = '2518932data at turk.net' AND ATTRIBUTE IN ('Calling-Station-Id', 'NAS-Port-Id') ORDER BY ATTRIBUTE DESC LIMIT 1
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(0) SQL query returned no results
rlm_sql (sqlro): Released connection (4)
(0) EXPAND %{sqlro:SELECT VALUE FROM RADCHECK WHERE USERNAME = '%{User-Name}' AND ATTRIBUTE IN ('Calling-Station-Id', 'NAS-Port-Id') ORDER BY ATTRIBUTE DESC LIMIT 1}
(0) -->
(0) InventoryPortInfo :=
(0) } # update request = noop
(0) [python3] = ok
(0) if (reject){
(0) if (reject) -> FALSE
(0) policy accept {
(0) update control {
(0) &Response-Packet-Type = Access-Accept
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy accept = handled
(0) } # Auth-Type PAP = handled
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) if (&Customer-Static-IP == 1 && (&User-Group-Name == "Closed" || &User-Group-Name == "Freeze")){
(0) if (&Customer-Static-IP == 1 && (&User-Group-Name == "Closed" || &User-Group-Name == "Freeze")) -> FALSE
rlm_sql (sqlrw): Reserved connection (1)
(0) ippoolv4: EXPAND %{User-Name}
(0) ippoolv4: --> 2518932data at turk.net
(0) ippoolv4: SQL-User-Name set to '2518932data at turk.net'
(0) ippoolv4: EXPAND SELECT fr_allocate_previous_or_new_framedipaddress( '%{control:Pool-Name}', '%{User-Name}', '%{NAS-IP-Address}', 28800 )
(0) ippoolv4: --> SELECT fr_allocate_previous_or_new_framedipaddress( 'cgnat_pool', '2518932data at turk.net', '193.192.126.219', 28800 )
(0) ippoolv4: Executing select query: SELECT fr_allocate_previous_or_new_framedipaddress( 'cgnat_pool', '2518932data at turk.net', '193.192.126.219', 28800 )
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
(0) ippoolv4: Allocated IP 100.101.163.110
rlm_sql (sqlrw): Released connection (1)
(0) ippoolv4: EXPAND Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
(0) ippoolv4: --> Allocated IP: 100.101.163.110 from cgnat_pool (did cli port user 2518932data at turk.net)
(0) [ippoolv4] = ok
(0) if ( &Customer-Static-IPv6 == 1 && &User-Group-Name != "Suspend" && &User-Group-Name != "Closed" && &User-Group-Name != "Freeze" ) {
(0) if ( &Customer-Static-IPv6 == 1 && &User-Group-Name != "Suspend" && &User-Group-Name != "Closed" && &User-Group-Name != "Freeze" ) -> FALSE
(0) sqlrw: EXPAND .query
(0) sqlrw: --> .query
(0) sqlrw: Using query template 'query'
rlm_sql (sqlrw): Reserved connection (2)
(0) sqlrw: EXPAND %{User-Name}
(0) sqlrw: --> 2518932data at turk.net
(0) sqlrw: SQL-User-Name set to '2518932data at turk.net'
(0) sqlrw: EXPAND INSERT INTO radpostauth (username, pass, reply, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Calling-Station-Id}', NOW())
(0) sqlrw: --> INSERT INTO radpostauth (username, pass, reply, callingstationid, authdate) VALUES('2518932data at turk.net', 'f89cedf00c', 'Access-Accept', '', NOW())
(0) sqlrw: Executing query: INSERT INTO radpostauth (username, pass, reply, callingstationid, authdate) VALUES('2518932data at turk.net', 'f89cedf00c', 'Access-Accept', '', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(0) sqlrw: SQL query returned: success
(0) sqlrw: 1 record(s) updated
rlm_sql (sqlrw): Released connection (2)
(0) [sqlrw] = ok
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Login OK: [2518932data at turk.net/f89cedf00c] (from client local port 0)
(0) Sent Access-Accept Id 123 from 10.2.134.250:1812 to 10.2.134.249:51420 length 227
(0) Cisco-AVPair = "ip:dns-servers=193.192.98.8 212.154.100.18"
(0) Cisco-AVPair = "ip:vrf-id=CGNAT"
(0) Cisco-Account-Info = "AINTERNET"
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Cisco-AVPair = "ip:ip-unnumbered=Loopback 10"
(0) Cisco-AVPair = "ipv6-dns-servers-addr=2A02:FF0:2:327:193:192:98:30"
(0) Proxy-State = 0x323134
(0) Framed-IP-Address = 100.101.163.110
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 123 with timestamp +3 due to cleanup_delay was reached
Ready to process requests
Best Regards,