Aerostg

Freeradius nanostation m2

  1. AP: Ubiquiti nanostation M2, authentification et accounting Activé
  2. Nas type: other
  3.  
  4. /etc/freeradius/3.0/mods-available/sql
  5. <code># -*- text -*-
  6. ##
  7. ## mods-available/sql -- SQL modules
  8. ##
  9. ## $Id: 7e9eee03c58bab67206ec10249db79ebbc0baa3c $
  10.  
  11. ######################################################################
  12. #
  13. # Configuration for the SQL module
  14. #
  15. # The database schemas and queries are located in subdirectories:
  16. #
  17. # sql/<DB>/main/schema.sql Schema
  18. # sql/<DB>/main/queries.conf Authorisation and Accounting queries
  19. #
  20. # Where "DB" is mysql, mssql, oracle, or postgresql.
  21. #
  22. # The name used to query SQL is sql_user_name, which is set in the file
  23. #
  24. # raddb/mods-config/sql/main/${dialect}/queries.conf
  25. #
  26. # If you are using realms, that configuration should be changed to use
  27. # the Stripped-User-Name attribute. See the comments around sql_user_name
  28. # for more information.
  29. #
  30.  
sql {
	#
	# The dialect of SQL being used.
	#
	# Allowed dialects are:
	#
	#	mssql
	#	mysql
	#	oracle
	#	postgresql
	#	sqlite
	#	mongo
	#
	dialect = "mysql"

	#
	# The driver module used to execute the queries. Since we
	# don't know which SQL drivers are being used, the default is
	# "rlm_sql_null", which just logs the queries to disk via the
	# "logfile" directive, below.
	#
	# In order to talk to a real database, delete the next line,
	# and uncomment the one after it.
	#
	# If the dialect is "mssql", then the driver should be set to
	# one of the following values, depending on your system:
	#
	#	rlm_sql_db2
	#	rlm_sql_firebird
	#	rlm_sql_freetds
	#	rlm_sql_iodbc
	#	rlm_sql_unixodbc
	#
	# NOTE(review): the paragraph above is the stock text. In this file the
	# null driver is already commented out and the real driver
	# (rlm_sql_mysql, via ${dialect}) is the one in use.
	#
	# driver = "rlm_sql_null"
	driver = "rlm_sql_${dialect}"

	#
	# Driver-specific subsections. They will only be loaded and
	# used if "driver" is something other than "rlm_sql_null".
	# When a real driver is used, the relevant driver
	# configuration section is loaded, and all other driver
	# configuration sections are ignored.
	#
	sqlite {
		# Path to the sqlite database
		filename = "/tmp/freeradius.db"

		# How long to wait for write locks on the database to be
		# released (in ms) before giving up.
		busy_timeout = 200

		# If the file above does not exist and bootstrap is set
		# a new database file will be created, and the SQL statements
		# contained within the bootstrap file will be executed.
		bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
	}

	mysql {
		# If any of the files below are set, TLS encryption is enabled
		tls {
			# ca_file = "/etc/ssl/certs/my_ca.crt"
			# ca_path = "/etc/ssl/certs/"
			# certificate_file = "/etc/ssl/certs/private/client.crt"
			# private_key_file = "/etc/ssl/certs/private/client.key"
			# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"

			# NOTE(review): no certificate files are set and all three
			# checks below are "no", so the connection to MySQL is not
			# protected by TLS. That is only acceptable while the server
			# is reached over loopback or a Unix socket (see "server"
			# below); if the database ever moves to another host, set
			# ca_file and tls_required = yes / tls_check_cert = yes first.
			tls_required = no
			tls_check_cert = no
			tls_check_cert_cn = no
		}

		# If yes, (or auto and libmysqlclient reports warnings are
		# available), will retrieve and log additional warnings from
		# the server if an error has occurred. Defaults to 'auto'
		warnings = auto
	}

	postgresql {

		# unlike MySQL, which has a tls{} connection configuration, postgresql
		# uses its connection parameters - see the radius_db option below in
		# this file

		# Send application_name to the postgres server
		# Only supported in PG 9.0 and greater. Defaults to no.
		send_application_name = yes
	}

	#
	# Configuration for Mongo.
	#
	# Note that the Mongo driver is experimental. The FreeRADIUS developers
	# are unable to help with the syntax of the Mongo queries. Please see
	# the Mongo documentation for that syntax.
	#
	# The Mongo driver supports only the following methods:
	#
	#	aggregate
	#	findAndModify
	#	findOne
	#	insert
	#
	# For examples, see the query files:
	#
	#	raddb/mods-config/sql/main/mongo/queries.conf
	#	raddb/mods-config/sql/main/ippool/queries.conf
	#
	# NOTE(review): this whole section is stock placeholder content. It is
	# only loaded when driver = rlm_sql_mongo, which is not the case here,
	# so the "password" value below is inert.
	#
	mongo {
		#
		# The application name to use.
		#
		appname = "freeradius"

		#
		# The TLS parameters here map directly to the Mongo TLS configuration
		#
		tls {
			certificate_file = /path/to/file
			certificate_password = "password"
			ca_file = /path/to/file
			ca_dir = /path/to/directory
			crl_file = /path/to/file
			weak_cert_validation = false
			allow_invalid_hostname = false
		}
	}

	# Connection info:
	#
	# NOTE(review): whether "localhost" is reached via a Unix socket or TCP
	# is decided by the MySQL client library, not by this file — confirm on
	# the host, because the tls{} block above leaves a TCP connection
	# unencrypted.
	server = "localhost"
	port = 3306
	login = "freeradius"
	# NOTE(review): this is a literal database password, and it has been
	# published together with this file. Treat it as disclosed: change it on
	# the MySQL server and here, and keep this file readable only by the
	# account radiusd runs as. Anyone holding this login can read and alter
	# the check/reply tables named below (user credentials) and, because
	# read_clients = yes further down, the RADIUS client definitions and
	# their shared secrets in the "nas" table. Grant the login only the
	# statements queries.conf actually needs.
	password = "kamini123"

	# Connection info for Mongo
	# Authentication Without SSL
	# server = "mongodb://USER:[email protected]:PORT/DATABASE?authSource=admin&ssl=false"

	# Authentication With SSL
	# server = "mongodb://USER:[email protected]:PORT/DATABASE?authSource=admin&ssl=true"

	# Authentication with Certificate
	# Use this command for retrieve Derived username:
	# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
	# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509

	# Database table configuration for everything except Oracle
	radius_db = "radius"

	# If you are using Oracle then use this instead
	# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"

	# If you're using postgresql this can also be used instead of the connection info parameters
	# radius_db = "dbname=radius host=localhost user=radius password=raddpass"

	# Postgresql doesn't take tls{} options in its module config like mysql does - if you want to
	# use SSL connections then use this form of connection info parameter
	# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"

	# If you want both stop and start records logged to the
	# same SQL table, leave this as is. If you want them in
	# different tables, put the start table in acct_table1
	# and stop table in acct_table2
	acct_table1 = "radacct"
	acct_table2 = "radacct"

	# Allow for storing data after authentication
	postauth_table = "radpostauth"

	# Tables containing 'check' items
	authcheck_table = "radcheck"
	groupcheck_table = "radgroupcheck"

	# Tables containing 'reply' items
	authreply_table = "radreply"
	groupreply_table = "radgroupreply"

	# Table to keep group info
	usergroup_table = "radusergroup"

	# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
	# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
	# read_groups = yes

	# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
	# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
	# read_profiles = yes

	# Remove stale session if checkrad does not see a double login
	delete_stale_sessions = yes

	# Write SQL queries to a logfile. This is potentially useful for tracing
	# issues with authorization queries. See also "logfile" directives in
	# mods-config/sql/main/*/queries.conf. You can enable per-section logging
	# by enabling "logfile" there, or global logging by enabling "logfile" here.
	#
	# Per-section logging can be disabled by setting "logfile = ''"
	#
	# NOTE(review): the logged queries are written with their substituted
	# values, so if this is enabled the log holds user names and whatever
	# request attributes queries.conf expands into them; protect that file
	# like this one and do not leave it on while troubleshooting is over.
	#
	# logfile = ${logdir}/sqllog.sql

	# Set the maximum query duration and connection timeout
	# for rlm_sql_mysql.
	# query_timeout = 5

	# As of version 3.0, the "pool" section has replaced the
	# following configuration items:
	#
	#	num_sql_socks
	#	connect_failure_retry_delay
	#	lifetime
	#	max_queries

	#
	# The connection pool is new for 3.0, and will be used in many
	# modules, for all kinds of connection-related activity.
	#
	# When the server is not threaded, the connection pool
	# limits are ignored, and only one connection is used.
	#
	# If you want to have multiple SQL modules re-use the same
	# connection pool, use "pool = name" instead of a "pool"
	# section. e.g.
	#
	#	sql sql1 {
	#		...
	#		pool {
	#			...
	#		}
	#	}
	#
	#	# sql2 will use the connection pool from sql1
	#	sql sql2 {
	#		...
	#		pool = sql1
	#	}
	#
	pool {
		# Connections to create during module instantiation.
		# If the server cannot create specified number of
		# connections during instantiation it will exit.
		# Set to 0 to allow the server to start without the
		# database being available.
		start = ${thread[pool].start_servers}

		# Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		# Maximum number of connections
		#
		# If these connections are all in use and a new one
		# is requested, the request will NOT get a connection.
		#
		# Setting 'max' to LESS than the number of threads means
		# that some threads may starve, and you will see errors
		# like 'No connections available and at max connection limit'
		#
		# Setting 'max' to MORE than the number of threads means
		# that there are more connections than necessary.
		max = ${thread[pool].max_servers}

		# Spare connections to be left idle
		#
		# NOTE: Idle connections WILL be closed if "idle_timeout"
		# is set. This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		# Number of uses before the connection is closed
		#
		# 0 means "infinite"
		uses = 0

		# The number of seconds to wait after the server tries
		# to open a connection, and fails. During this time,
		# no new connections will be opened.
		retry_delay = 30

		# The lifetime (in seconds) of the connection
		lifetime = 0

		# idle timeout (in seconds). A connection which is
		# unused for this length of time will be closed.
		idle_timeout = 60

		# NOTE: All configuration settings are enforced. If a
		# connection is closed because of "idle_timeout",
		# "uses", or "lifetime", then the total number of
		# connections MAY fall below "min". When that
		# happens, it will open a new connection. It will
		# also log a WARNING message.
		#
		# The solution is to either lower the "min" connections,
		# or increase lifetime/idle_timeout.
	}

	# Set to 'yes' to read radius clients from the database ('nas' table)
	# Clients will ONLY be read on server startup.
	#
	# NOTE(review): with this enabled, the "nas" table is the list of devices
	# allowed to talk RADIUS to this server. Anyone who can INSERT into it can
	# register a new client (with a secret of their choosing) that becomes
	# live at the next restart, so write access to that table deserves the
	# same care as this file. Changes are not picked up without a restart.
	read_clients = yes

	# Table to keep radius client info
	client_table = "nas"

	#
	# The group attribute specific to this instance of rlm_sql
	#

	# This entry should be used for additional instances (sql foo {})
	# of the SQL module.
	# group_attribute = "${.:instance}-SQL-Group"

	# This entry should be used for the default instance (sql {})
	# of the SQL module.
	group_attribute = "SQL-Group"

	# Read database-specific queries
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
  346. </code>
  347.  
  348. /etc/freeradius/3.0/sites-available/default
  349. <code>######################################################################
  350. #
  351. # As of 2.0.0, FreeRADIUS supports virtual hosts using the
  352. # "server" section, and configuration directives.
  353. #
  354. # Virtual hosts should be put into the "sites-available"
  355. # directory. Soft links should be created in the "sites-enabled"
  356. # directory to these files. This is done in a normal installation.
  357. #
  358. # If you are using 802.1X (EAP) authentication, please see also
  359. # the "inner-tunnel" virtual server. You will likely have to edit
  360. # that, too, for authentication to work.
  361. #
  362. # $Id: c60c0ba4c8728fac10b190dbb3b752f9df317c07 $
  363. #
  364. ######################################################################
  365. #
  366. # Read "man radiusd" before editing this file. See the section
  367. # titled DEBUGGING. It outlines a method where you can quickly
  368. # obtain the configuration you want, without running into
  369. # trouble. See also "man unlang", which documents the format
  370. # of this file.
  371. #
  372. # This configuration is designed to work in the widest possible
  373. # set of circumstances, with the widest possible number of
  374. # authentication methods. This means that in general, you should
  375. # need to make very few changes to this file.
  376. #
  377. # The best way to configure the server for your local system
  378. # is to CAREFULLY edit this file. Most attempts to make large
  379. # edits to this file will BREAK THE SERVER. Any edits should
  380. # be small, and tested by running the server with "radiusd -X".
  381. # Once the edits have been verified to work, save a copy of these
  382. # configuration files somewhere. (e.g. as a "tar" file). Then,
  383. # make more edits, and test, as above.
  384. #
  385. # There are many "commented out" references to modules such
  386. # as ldap, sql, etc. These references serve as place-holders.
  387. # If you need the functionality of that module, then configure
  388. # it in radiusd.conf, and un-comment the references to it in
  389. # this file. In most cases, those small changes will result
  390. # in the server being able to connect to the DB, and to
  391. # authenticate users.
  392. #
  393. ######################################################################
  394.  
  395. server default {
  396. #
  397. # If you want the server to listen on additional addresses, or on
  398. # additional ports, you can use multiple "listen" sections.
  399. #
  400. # Each section make the server listen for only one type of packet,
  401. # therefore authentication and accounting have to be configured in
  402. # different sections.
  403. #
  404. # The server ignore all "listen" section if you are using '-i' and '-p'
  405. # on the command line.
  406. #
listen {
	# Type of packets to listen for.
	# Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file. For examples, see
	#		raddb/sites-available/copy-acct-to-home-server
	#	status  listen for Status-Server packets. For examples,
	#		see raddb/sites-available/status
	#	coa     listen for CoA-Request and Disconnect-Request
	#		packets. For examples, see the file
	#		raddb/sites-available/coa
	#
	type = auth

	# Note: "type = proxy" lets you control the source IP used for
	# proxying packets, with some limitations:
	#
	# * A proxy listener CANNOT be used in a virtual server section.
	# * You should probably set "port = 0".
	# * Any "clients" configuration will be ignored.
	#
	# See also proxy.conf, and the "src_ipaddr" configuration entry
	# in the sample "home_server" section. When you specify the
	# source IP address for packets sent to a home server, the
	# proxy listeners are automatically created.

	# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
	# If multiple ones are listed, only the first one will
	# be used, and the others will be ignored.
	#
	# The configuration options accept the following syntax:
	#
	# ipv4addr - IPv4 address (e.g.192.0.2.3)
	#	   - wildcard (i.e. *)
	#	   - hostname (radius.example.com)
	#	     Only the A record for the host name is used.
	#	     If there is no A record, an error is returned,
	#	     and the server fails to start.
	#
	# ipv6addr - IPv6 address (e.g. 2001:db8::1)
	#	   - wildcard (i.e. *)
	#	   - hostname (radius.example.com)
	#	     Only the AAAA record for the host name is used.
	#	     If there is no AAAA record, an error is returned,
	#	     and the server fails to start.
	#
	# ipaddr   - IPv4 address as above
	#	   - IPv6 address as above
	#	   - wildcard (i.e. *), which means IPv4 wildcard.
	#	   - hostname
	#	     If there is only one A or AAAA record returned
	#	     for the host name, it is used.
	#	     If multiple A or AAAA records are returned
	#	     for the host name, only the first one is used.
	#	     If both A and AAAA records are returned
	#	     for the host name, only the A record is used.
	#
	# NOTE(review): "*" binds every IPv4 address on the host (a matching
	# IPv6 wildcard listener follows further down). Which devices may
	# actually send requests is then decided only by the client list
	# (clients.conf and, via the sql module, the "nas" table). If the
	# access points sit on one management network, pinning this to that
	# address, or using "interface", keeps the socket off other networks.
	#
	# ipv4addr = *
	# ipv6addr = *
	ipaddr = *

	# Port on which to listen.
	# Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	# Some systems support binding to an interface, in addition
	# to the IP address. This feature isn't strictly necessary,
	# but for sites with many IP addresses on one interface,
	# it's useful to say "listen on all addresses for eth0".
	#
	# If your system does not support this feature, you will
	# get an error if you try to use it.
	#
	# interface = eth0

	# Per-socket lists of clients. This is a very useful feature.
	#
	# The name here is a reference to a section elsewhere in
	# radiusd.conf, or clients.conf. Having the name as
	# a reference allows multiple sockets to use the same
	# set of clients.
	#
	# If this configuration is used, then the global list of clients
	# is IGNORED for this "listen" section. Take care configuring
	# this feature, to ensure you don't accidentally disable a
	# client you need.
	#
	# See clients.conf for the configuration of "per_socket_clients".
	#
	# clients = per_socket_clients

	#
	# Set the default UDP receive buffer size. In most cases,
	# the default values set by the kernel are fine. However, in
	# some cases the NASes will send large packets, and many of
	# them at a time. It is then possible to overflow the
	# buffer, causing the kernel to drop packets before they
	# reach FreeRADIUS. Increasing the size of the buffer will
	# avoid these packet drops.
	#
	# recv_buff = 65536

	#
	# Connection limiting for sockets with "proto = tcp".
	#
	# This section is ignored for other kinds of sockets.
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections to the socket
		#
		# The default is 16.
		# Setting this to 0 means "no limit"
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever".
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout.
		#
		idle_timeout = 30
	}
}
  547.  
  548. #
  549. # This second "listen" section is for listening on the accounting
  550. # port, too.
  551. #
listen {
	# Accounting listener: IPv4 wildcard, port from /etc/services
	# (normally 1813). Which devices may send accounting records is
	# decided by the client list, not by this section.
	ipaddr = *
	# ipv6addr = ::
	port = 0
	type = acct
	# interface = eth0
	# clients = per_socket_clients

	limit {
		# The number of packets received can be rate limited via the
		# "max_pps" configuration item. When it is set, the server
		# tracks the total number of packets received in the previous
		# second. If the count is greater than "max_pps", then the
		# new packet is silently discarded. This helps the server
		# deal with overload situations.
		#
		# The packets/s counter is tracked in a sliding window. This
		# means that the pps calculation is done for the second
		# before the current packet was received. NOT for the current
		# wall-clock second, and NOT for the previous wall-clock second.
		#
		# Useful values are 0 (no limit), or 100 to 10000.
		# Values lower than 100 will likely cause the server to ignore
		# normal traffic. Few systems are capable of handling more than
		# 10K packets/s.
		#
		# It is most useful for accounting systems. Set it to 50%
		# more than the normal accounting load, and you can be sure that
		# the server will never get overloaded
		#
		# NOTE(review): left at the default (no limit). Every accepted
		# accounting packet here ends in an SQL write through the sql
		# module's connection pool, so a flood from one client can tie
		# up the database; a max_pps sized to the real load is the
		# cheapest protection.
		#
		# max_pps = 0

		# Only for "proto = tcp". These are ignored for "udp" sockets.
		#
		# idle_timeout = 0
		# lifetime = 0
		# max_connections = 0
	}
}
  591.  
  592. # IPv6 versions of the above - read their full config to understand options
listen {
	# IPv6 counterpart of the authentication listener above; same
	# TCP connection limits. Remove or pin it if IPv6 is not used by
	# any client, so no unexpected socket is open.
	type = auth
	ipv6addr = ::	# any.  ::1 == localhost
	port = 0
	# interface = eth0
	# clients = per_socket_clients
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}
  605.  
listen {
	# IPv6 counterpart of the accounting listener above. All limit
	# options are left at their defaults (no rate limit; TCP limits
	# are irrelevant for the default UDP transport).
	ipv6addr = ::
	port = 0
	type = acct
	# interface = eth0
	# clients = per_socket_clients

	limit {
		# max_pps = 0
		# idle_timeout = 0
		# lifetime = 0
		# max_connections = 0
	}
}
  620.  
  621. # Authorization. First preprocess (hints and huntgroups files),
  622. # then realms, and finally look in the "users" file.
  623. #
  624. # Any changes made here should also be made to the "inner-tunnel"
  625. # virtual server.
  626. #
  627. # The order of the realm modules will determine the order that
  628. # we try to find a matching realm.
  629. #
  630. # Make *sure* that 'preprocess' comes before any realm if you
  631. # need to setup hints for the remote radius server
authorize {
	#
	# Take a User-Name, and perform some checks on it, for spaces and other
	# invalid characters. If the User-Name appears invalid, reject the
	# request.
	#
	# See policy.d/filter for the definition of the filter_username policy.
	#
	filter_username

	#
	# Some broken equipment sends passwords with embedded zeros.
	# i.e. the debug output will show
	#
	#	User-Password = "password\000\000"
	#
	# This policy will fix it to just be "password".
	#
	# filter_password

	#
	# The preprocess module takes care of sanitizing some bizarre
	# attributes in the request, and turning them into attributes
	# which are more standard.
	#
	# It takes care of processing the 'raddb/mods-config/preprocess/hints'
	# and the 'raddb/mods-config/preprocess/huntgroups' files.
	preprocess

	# If you intend to use CUI and you require that the Operator-Name
	# be set for CUI generation and you want to generate CUI also
	# for your local clients then uncomment the operator-name
	# below and set the operator-name for your clients in clients.conf
	# operator-name

	#
	# If you want to generate CUI for some clients that do not
	# send proper CUI requests, then uncomment the
	# cui below and set "add_cui = yes" for these clients in clients.conf
	# cui

	#
	# If you want to have a log of authentication requests,
	# un-comment the following line.
	# auth_log

	#
	# The chap module will set 'Auth-Type := CHAP' if we are
	# handling a CHAP request and Auth-Type has not already been set
	#
	# NOTE(review): the comment above describes the "chap" module, but the
	# entry here is "pap", which is listed again at the end of this section.
	# As written, nothing in this section sets Auth-Type := CHAP, so a CHAP
	# request will never reach the "Auth-Type CHAP" block in "authenticate".
	# If CHAP logins are expected from the access point, this line should
	# read "chap"; if only PAP/MS-CHAP/EAP are used, it is merely redundant.
	pap

	#
	# If the users are logging in with an MS-CHAP-Challenge
	# attribute for authentication, the mschap module will find
	# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	# to the request, which will cause the server to then use
	# the mschap module for authentication.
	mschap

	#
	# If you have a Cisco SIP server authenticating against
	# FreeRADIUS, uncomment the following line, and the 'digest'
	# line in the 'authenticate' section.
	#
	# NOTE(review): enabled here, although the comment ties it to a Cisco
	# SIP use case. If no SIP clients exist it can be commented out again,
	# together with its counterpart in "authenticate".
	digest

	#
	# The WiMAX specification says that the Calling-Station-Id
	# is 6 octets of the MAC. This definition conflicts with
	# RFC 3580, and all common RADIUS practices. Un-commenting
	# the "wimax" module here means that it will fix the
	# Calling-Station-Id attribute to the normal format as
	# specified in RFC 3580 Section 3.21
	# wimax

	#
	# Look for IPASS style 'realm/', and if not found, look for
	# '@realm', and decide whether or not to proxy, based on
	# that.
	# IPASS

	#
	# Look for realms in user@domain format
	suffix
	# ntdomain

	#
	# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	# authentication.
	#
	# It also sets the EAP-Type attribute in the request
	# attribute list to the EAP type from the packet.
	#
	# The EAP module returns "ok" or "updated" if it is not yet ready
	# to authenticate the user. The configuration below checks for
	# "ok", and stops processing the "authorize" section if so.
	#
	# Any LDAP and/or SQL servers will not be queried for the
	# initial set of packets that go back and forth to set up
	# TTLS or PEAP.
	#
	# The "updated" check is commented out for compatibility with
	# previous versions of this configuration, but you may wish to
	# uncomment it as well; this will further reduce the number of
	# LDAP and/or SQL queries for TTLS or PEAP.
	#
	eap {
		ok = return
		# updated = return
	}

	#
	# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	# using the system API's to get the password. If you want
	# to read /etc/passwd or /etc/shadow directly, see the
	# mods-available/passwd module.
	#
	# unix

	#
	# Read the 'users' file. In v3, this is located in
	# raddb/mods-config/files/authorize
	files

	#
	# Look in an SQL database. The schema of the database
	# is meant to mirror the "users" file.
	#
	# See "Authorization Queries" in mods-available/sql
	#
	# NOTE(review): the leading "-" makes this reference optional: if the
	# sql module is not enabled, the server still starts and this section
	# simply continues without it, so authorization would silently rely on
	# "files" and the other sources listed here. Once SQL is the intended
	# user store, dropping the "-" turns a missing module into a startup
	# error instead of a quiet fallback.
	-sql

	#
	# If you are using /etc/smbpasswd, and are also doing
	# mschap authentication, the un-comment this line, and
	# configure the 'smbpasswd' module.
	# smbpasswd

	#
	# The ldap module reads passwords from the LDAP database.
	# (Optional reference, same "-" semantics as -sql above.)
	-ldap

	#
	# Enforce daily limits on time spent logged in.
	# daily

	#
	expiration
	logintime

	#
	# If no other module has claimed responsibility for
	# authentication, then try to use PAP. This allows the
	# other modules listed above to add a "known good" password
	# to the request, and to do nothing else. The PAP module
	# will then see that password, and use it to do PAP
	# authentication.
	#
	# This module should be listed last, so that the other modules
	# get a chance to set Auth-Type for themselves.
	#
	pap

	#
	# If "status_server = yes", then Status-Server messages are passed
	# through the following section, and ONLY the following section.
	# This permits you to do DB queries, for example. If the modules
	# listed here return "fail", then NO response is sent.
	#
	# Autz-Type Status-Server {
	#
	# }
}
  803.  
  804.  
  805. # Authentication.
  806. #
  807. #
  808. # This section lists which modules are available for authentication.
  809. # Note that it does NOT mean 'try each module in order'. It means
  810. # that a module from the 'authorize' section adds a configuration
  811. # attribute 'Auth-Type := FOO'. That authentication type is then
  812. # used to pick the appropriate module from the list below.
  813. #
  814.  
  815. # In general, you SHOULD NOT set the Auth-Type attribute. The server
  816. # will figure it out on its own, and will do the right thing. The
  817. # most common side effect of erroneously setting the Auth-Type
  818. # attribute is that one authentication method will work, but the
  819. # others will not.
  820. #
  821. # The common reasons to set the Auth-Type attribute by hand
  822. # is to either forcibly reject the user (Auth-Type := Reject),
  823. # or to or forcibly accept the user (Auth-Type := Accept).
  824. #
  825. # Note that Auth-Type := Accept will NOT work with EAP.
  826. #
  827. # Please do not put "unlang" configurations into the "authenticate"
  828. # section. Put them in the "post-auth" section instead. That's what
  829. # the post-auth section is for.
  830. #
authenticate {
	#
	# PAP authentication, when a back-end database listed
	# in the 'authorize' section supplies a password. The
	# password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	# Most people want CHAP authentication
	# A back-end database listed in the 'authorize' section
	# MUST supply a CLEAR TEXT password. Encrypted passwords
	# won't work.
	#
	# NOTE(review): this block is only reached when something in
	# "authorize" sets Auth-Type := CHAP; in this file the "chap"
	# module is not listed there (the slot carries "pap"), so confirm
	# the intended login method before relying on it.
	Auth-Type CHAP {
		chap
	}

	#
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	# For old names, too.
	#
	mschap

	#
	# If you have a Cisco SIP server authenticating against
	# FreeRADIUS, uncomment the following line, and the 'digest'
	# line in the 'authorize' section.
	#
	# NOTE(review): enabled here (paired with the "digest" entry in
	# "authorize"); comment both out if there are no SIP clients.
	digest

	#
	# Pluggable Authentication Modules.
	# pam

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	#
	# We do NOT recommend using this. LDAP servers are databases.
	# They are NOT authentication servers. FreeRADIUS is an
	# authentication server, and knows what to do with authentication.
	# LDAP servers do not.
	#
	# Auth-Type LDAP {
	#	ldap
	# }

	#
	# Allow EAP authentication.
	eap

	#
	# The older configurations sent a number of attributes in
	# Access-Challenge packets, which wasn't strictly correct.
	# If you want to filter out these attributes, uncomment
	# the following lines.
	#
	# Auth-Type eap {
	#	eap {
	#		handled = 1
	#	}
	#	if (handled && (Response-Packet-Type == Access-Challenge)) {
	#		attr_filter.access_challenge.post-auth
	#		handled  # override the "updated" code from attr_filter
	#	}
	# }
}
  905.  
  906.  
  907. #
  908. # Pre-accounting. Decide which accounting type to use.
  909. #
  910. preacct {
  # Runs before "accounting": normalises the request and decides whether
  # it is proxied. Nothing here writes to the database.
  911. preprocess
  912.  
  913. #
  914. # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
  915. # into a single 64bit counter Acct-[Input|Output]-Octets64.
  916. #
  917. # acct_counters64
  918.  
  919. #
  920. # Session start times are *implied* in RADIUS.
  921. # The NAS never sends a "start time". Instead, it sends
  922. # a start packet, *possibly* with an Acct-Delay-Time.
  923. # The server is supposed to conclude that the start time
  924. # was "Acct-Delay-Time" seconds in the past.
  925. #
  926. # The code below creates an explicit start time, which can
  927. # then be used in other modules. It will be *mostly* correct.
  928. # Any errors are due to the 1-second resolution of RADIUS,
  929. # and the possibility that the time on the NAS may be off.
  930. #
  931. # The start time is: NOW - delay - session_length
  932. #
  933.  
  934. # update request {
  935. # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
  936. # }
  937.  
  938.  
  939. #
  940. # Ensure that we have a semi-unique identifier for every
  941. # request, as many NAS boxes are broken in this respect.
  # Keep this enabled: the MySQL accounting queries in queries.conf
  # (start / interim-update) key their fallback UPDATEs on
  # Acct-Unique-Session-Id, which this module computes.
  942. acct_unique
  943.  
  944. #
  945. # Look for IPASS-style 'realm/', and if not found, look for
  946. # '@realm', and decide whether or not to proxy, based on
  947. # that.
  948. #
  949. # Accounting requests are generally proxied to the same
  950. # home server as authentication requests.
  951. # IPASS
  952. suffix
  953. # ntdomain
  954.  
  955. #
  956. # Read the 'acct_users' file
  957. files
  958. }
  959.  
  960. #
  961. # Accounting. Log the accounting data.
  962. #
  963. accounting {
  # Where accounting packets are recorded. The same data ends up in the
  # detail file, radutmp and (via -sql) the radacct table.
  964. # Update accounting packet by adding the CUI attribute
  965. # recorded from the corresponding Access-Accept
  966. # use it only if your NAS boxes do not support CUI themselves
  967. # cui
  968. #
  969. # Create a 'detail'ed log of the packets.
  970. # Note that accounting requests which are proxied
  971. # are also logged in the detail file.
  972. detail
  973. # daily
  974.  
  975. # Update the wtmp file
  976. #
  977. # If you don't use "radlast", you can delete this line.
  978. unix
  979.  
  980. #
  981. # For Simultaneous-Use tracking.
  982. #
  983. # Due to packet losses in the network, the data here
  984. # may be incorrect. There is little we can do about it.
  # Note: the "session" section below checks Simultaneous-Use via sql,
  # not radutmp, so this file is maintained but is not what that check
  # reads.
  985. radutmp
  986. # sradutmp
  987.  
  988. # Return an address to the IP Pool when we see a stop record.
  989. # sqlippool
  990.  
  991. #
  992. # Log traffic to an SQL database.
  993. #
  994. # See "Accounting queries" in mods-available/sql
  # NOTE(review): the leading '-' makes this call optional, so a missing
  # mods-enabled/sql link is silently skipped instead of failing. As this
  # deployment depends on SQL accounting (also for the Simultaneous-Use
  # check in "session" below), confirm the sql module is actually enabled;
  # otherwise no accounting row is ever written and no error is logged.
  995. -sql
  996.  
  997. #
  998. # If you receive stop packets with zero session length,
  999. # they will NOT be logged in the database. The SQL module
  1000. # will print a message (only in debugging mode), and will
  1001. # return "noop".
  1002. #
  1003. # You can ignore these packets by uncommenting the following
  1004. # three lines. Otherwise, the server will not respond to the
  1005. # accounting request, and the NAS will retransmit.
  1006. #
  1007. # if (noop) {
  1008. # ok
  1009. # }
  1010.  
  1011. # Cisco VoIP specific bulk accounting
  1012. # pgsql-voip
  1013.  
  1014. # For Exec-Program and Exec-Program-Wait
  1015. exec
  1016.  
  1017. # Filter attributes from the accounting response.
  1018. attr_filter.accounting_response
  1019.  
  1020. #
  1021. # See "Autz-Type Status-Server" for how this works.
  1022. #
  1023. # Acct-Type Status-Server {
  1024. #
  1025. # }
  1026. }
  1027.  
  1028.  
  1029. # Session database, used for checking Simultaneous-Use. Either the radutmp
  1030. # or rlm_sql module can handle this.
  1031. # The rlm_sql module is *much* faster
  1032. session {
  1033. # radutmp
  1034.  
  1035. #
  1036. # See "Simultaneous Use Checking Queries" in mods-available/sql
  # The sql check counts radacct rows with acctstoptime IS NULL
  # (simul_count_query in queries.conf). A session whose Accounting-Stop
  # was lost stays "open" and keeps counting against Simultaneous-Use
  # until the NAS sends Accounting-On/Off or the row is closed by hand,
  # which can deny a legitimate user; monitor for long-open rows.
  1037. sql
  1038. }
  1039.  
  1040.  
  1041. # Post-Authentication
  1042. # Once we KNOW that the user has been authenticated, there are
  1043. # additional steps we can take.
  1044. post-auth {
  # Runs after a decision has been made; the REJECT and Challenge
  # sub-sections at the end handle the non-Accept replies.
  1045. #
  1046. # If you need to have a State attribute, you can
  1047. # add it here. e.g. for later CoA-Request with
  1048. # State, and Service-Type = Authorize-Only.
  1049. #
  1050. # if (!&reply:State) {
  1051. # update reply {
  1052. # State := "0x%{randstr:16h}"
  1053. # }
  1054. # }
  1055.  
  1056. #
  1057. # For EAP-TTLS and PEAP, add the cached attributes to the reply.
  1058. # The "session-state" attributes are automatically cached when
  1059. # an Access-Challenge is sent, and automatically retrieved
  1060. # when an Access-Request is received.
  1061. #
  1062. # The session-state attributes are automatically deleted after
  1063. # an Access-Reject or Access-Accept is sent.
  1064. #
  1065. # If both session-state and reply contain a User-Name attribute, remove
  1066. # the one in the reply if it is just a copy of the one in the request, so
  1067. # we don't end up with two User-Name attributes.
  1068.  
  1069. if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
  1070. update reply {
  1071. &User-Name !* ANY
  1072. }
  1073. }
  # Merge everything cached during the EAP exchange into the reply.
  1074. update {
  1075. &reply: += &session-state:
  1076. }
  1077.  
  1078. # Refresh leases when we see a start or alive. Return an address to
  1079. # the IP Pool when we see a stop record.
  1080. # sqlippool
  1081.  
  1082.  
  1083. # Create the CUI value and add the attribute to Access-Accept.
  1084. # Uncomment the line below if *returning* the CUI.
  1085. # cui
  1086.  
  1087. # Create empty accounting session to make simultaneous check
  1088. # more robust. See the accounting queries configuration in
  1089. # raddb/mods-config/sql/main/*/queries.conf for details.
  1090. #
  1091. # The "sql_session_start" policy is defined in
  1092. # raddb/policy.d/accounting. See that file for more details.
  1093. # sql_session_start
  1094.  
  1095. #
  1096. # If you want to have a log of authentication replies,
  1097. # un-comment the following line, and enable the
  1098. # 'detail reply_log' module.
  1099. # reply_log
  1100.  
  1101. #
  1102. # After authenticating the user, do another SQL query.
  1103. #
  1104. # See "Authentication Logging Queries" in mods-available/sql
  # NOTE(review): in stock FreeRADIUS the post-auth query writes the
  # submitted password (User-Password, or Chap-Password when present)
  # into the radpostauth table in clear text, for successful and failed
  # attempts alike -- TODO confirm in this installation's queries.conf
  # (that part is not on this page) and drop the password column from
  # the query if the database is shared, replicated or backed up.
  1105. -sql
  1106.  
  1107. #
  1108. # Un-comment the following if you want to modify the user's object
  1109. # in LDAP after a successful login.
  1110. #
  1111. # ldap
  1112.  
  1113. # For Exec-Program and Exec-Program-Wait
  1114. exec
  1115.  
  1116. #
  1117. # Calculate the various WiMAX keys. In order for this to work,
  1118. # you will need to define the WiMAX NAI, usually via
  1119. #
  1120. # update request {
  1121. # &WiMAX-MN-NAI = "%{User-Name}"
  1122. # }
  1123. #
  1124. # If you want various keys to be calculated, you will need to
  1125. # update the reply with "template" values. The module will see
  1126. # this, and replace the template values with the correct ones
  1127. # taken from the cryptographic calculations. e.g.
  1128. #
  1129. # update reply {
  1130. # &WiMAX-FA-RK-Key = 0x00
  1131. # &WiMAX-MSK = "%{reply:EAP-MSK}"
  1132. # }
  1133. #
  1134. # You may want to delete the MS-MPPE-*-Keys from the reply,
  1135. # as some WiMAX clients behave badly when those attributes
  1136. # are included. See "raddb/modules/wimax", configuration
  1137. # entry "delete_mppe_keys" for more information.
  1138. #
  1139. # wimax
  1140.  
  1141.  
  1142. # If there is a client certificate (EAP-TLS, sometimes PEAP
  1143. # and TTLS), then some attributes are filled out after the
  1144. # certificate verification has been performed. These fields
  1145. # MAY be available during the authentication, or they may be
  1146. # available only in the "post-auth" section.
  1147. #
  1148. # The first set of attributes contains information about the
  1149. # issuing certificate which is being used. The second
  1150. # contains information about the client certificate (if
  1151. # available).
  1152. #
  1153. # update reply {
  1154. # Reply-Message += "%{TLS-Cert-Serial}"
  1155. # Reply-Message += "%{TLS-Cert-Expiration}"
  1156. # Reply-Message += "%{TLS-Cert-Subject}"
  1157. # Reply-Message += "%{TLS-Cert-Issuer}"
  1158. # Reply-Message += "%{TLS-Cert-Common-Name}"
  1159. # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
  1160. #
  1161. # Reply-Message += "%{TLS-Client-Cert-Serial}"
  1162. # Reply-Message += "%{TLS-Client-Cert-Expiration}"
  1163. # Reply-Message += "%{TLS-Client-Cert-Subject}"
  1164. # Reply-Message += "%{TLS-Client-Cert-Issuer}"
  1165. # Reply-Message += "%{TLS-Client-Cert-Common-Name}"
  1166. # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
  1167. # }
  1168.  
  1169. # Insert class attribute (with unique value) into response,
  1170. # aids matching auth and acct records, and protects against duplicate
  1171. # Acct-Session-Id. Note: Only works if the NAS has implemented
  1172. # RFC 2865 behaviour for the class attribute, AND if the NAS
  1173. # supports long Class attributes. Many older or cheap NASes
  1174. # only support 16-octet Class attributes.
  1175. # insert_acct_class
  1176.  
  1177. # MacSEC requires the use of EAP-Key-Name. However, we don't
  1178. # want to send it for all EAP sessions. Therefore, the EAP
  1179. # modules put required data into the EAP-Session-Id attribute.
  1180. # This attribute is never put into a request or reply packet.
  1181. #
  1182. # Uncomment the next few lines to copy the required data into
  1183. # the EAP-Key-Name attribute
  1184. # if (&reply:EAP-Session-Id) {
  1185. # update reply {
  1186. # EAP-Key-Name := &reply:EAP-Session-Id
  1187. # }
  1188. # }
  1189.  
  1190. # Remove reply message if the response contains an EAP-Message
  1191. remove_reply_message_if_eap
  1192.  
  1193. #
  1194. # Access-Reject packets are sent through the REJECT sub-section of the
  1195. # post-auth section.
  1196. #
  1197. # Add the ldap module name (or instance) if you have set
  1198. # 'edir = yes' in the ldap module configuration
  1199. #
  1200. # The "session-state" attributes are not available here.
  1201. #
  1202. Post-Auth-Type REJECT {
  1203. # log failed authentications in SQL, too.
  # Same password-logging caveat as for the -sql call above: a failed
  # attempt often carries a near-miss of the real password, so this
  # table deserves the same protection as the credential store.
  1204. -sql
  1205. attr_filter.access_reject
  1206.  
  1207. # Insert EAP-Failure message if the request was
  1208. # rejected by policy instead of because of an
  1209. # authentication failure
  1210. eap
  1211.  
  1212. # Remove reply message if the response contains an EAP-Message
  1213. remove_reply_message_if_eap
  1214. }
  1215.  
  1216. #
  1217. # Filter access challenges.
  1218. #
  1219. Post-Auth-Type Challenge {
  1220. # remove_reply_message_if_eap
  1221. # attr_filter.access_challenge.post-auth
  1222. }
  1223.  
  1224. }
  1225.  
  1226. #
  1227. # When the server decides to proxy a request to a home server,
  1228. # the proxied request is first passed through the pre-proxy
  1229. # stage. This stage can re-write the request, or decide to
  1230. # cancel the proxy.
  1231. #
  1232. # Only a few modules currently have this method.
  1233. #
  1234. pre-proxy {
  # No module is enabled in this stage; every entry below is left
  # commented out, as shipped.
  1235. # Before proxying the request add an Operator-Name attribute identifying
  1236. # if the operator-name is found for this client.
  1237. # No need to uncomment this if you have already enabled this in
  1238. # the authorize section.
  1239. # operator-name
  1240.  
  1241. # The client requests the CUI by sending a CUI attribute
  1242. # containing one zero byte.
  1243. # Uncomment the line below if *requesting* the CUI.
  1244. # cui
  1245.  
  1246. # Uncomment the following line if you want to change attributes
  1247. # as defined in the preproxy_users file.
  1248. # files
  1249.  
  1250. # Uncomment the following line if you want to filter requests
  1251. # sent to remote servers based on the rules defined in the
  1252. # 'attrs.pre-proxy' file.
  1253. # attr_filter.pre-proxy
  1254.  
  1255. # If you want to have a log of packets proxied to a home
  1256. # server, un-comment the following line, and the
  1257. # 'detail pre_proxy_log' section, above.
  1258. # pre_proxy_log
  1259. }
  1260.  
  1261. #
  1262. # When the server receives a reply to a request it proxied
  1263. # to a home server, the request may be massaged here, in the
  1264. # post-proxy stage.
  1265. #
  1266. post-proxy {
  # Only 'eap' is active in this stage (see the LEAP/EAP note below);
  # the remaining entries are left commented out, as shipped.
  1267.  
  1268. # If you want to have a log of replies from a home server,
  1269. # un-comment the following line, and the 'detail post_proxy_log'
  1270. # section, above.
  1271. # post_proxy_log
  1272.  
  1273. # Uncomment the following line if you want to filter replies from
  1274. # remote proxies based on the rules defined in the 'attrs' file.
  1275. # attr_filter.post-proxy
  1276.  
  1277. #
  1278. # If you are proxying LEAP, you MUST configure the EAP
  1279. # module, and you MUST list it here, in the post-proxy
  1280. # stage.
  1281. #
  1282. # You MUST also use the 'nostrip' option in the 'realm'
  1283. # configuration. Otherwise, the User-Name attribute
  1284. # in the proxied request will not match the user name
  1285. # hidden inside of the EAP packet, and the end server will
  1286. # reject the EAP request.
  1287. #
  1288. eap
  1289.  
  1290. #
  1291. # If the server tries to proxy a request and fails, then the
  1292. # request is processed through the modules in this section.
  1293. #
  1294. # The main use of this section is to permit robust proxying
  1295. # of accounting packets. The server can be configured to
  1296. # proxy accounting packets as part of normal processing.
  1297. # Then, if the home server goes down, accounting packets can
  1298. # be logged to a local "detail" file, for processing with
  1299. # radrelay. When the home server comes back up, radrelay
  1300. # will read the detail file, and send the packets to the
  1301. # home server.
  1302. #
  1303. # See the "mods-available/detail.example.com" file for more
  1304. # details on writing a detail file specifically for one
  1305. # destination.
  1306. #
  1307. # See the "sites-available/robust-proxy-accounting" virtual
  1308. # server for more details on reading this "detail" file.
  1309. #
  1310. # With this configuration, the server always responds to
  1311. # Accounting-Requests from the NAS, but only writes
  1312. # accounting packets to disk if the home server is down.
  1313. #
  1314. # Post-Proxy-Type Fail-Accounting {
  1315. # detail.example.com
  1316. # }
  1317. }
  1318. }
  1319. </code>
  1320.  
  1321. /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
  1322. <code># -*- text -*-
  1323. #
  1324. # main/mysql/queries.conf-- MySQL configuration for default schema (schema.sql)
  1325. #
  1326. # $Id: 51560a71ed819a95bc0f5ccc352efe69e374f7c5 $
  1327.  
  1328. # Use the driver specific SQL escape method.
  1329. #
  1330. # If you enable this configuration item, the "safe_characters"
  1331. # configuration is ignored. FreeRADIUS then uses the MySQL escape
  1332. # functions to escape input strings. The only downside to making this
  1333. # change is that the MySQL escaping method is not the same as the one
  1334. # used by FreeRADIUS. So characters which are NOT in the
  1335. # "safe_characters" list will now be stored differently in the database.
  1336. #
  1337. #auto_escape = yes
  1338.  
  1339. # Safe characters list for sql queries. Everything else is replaced
  1340. # with its mime-encoded equivalent.
  1341. # The default list should be ok
  1342. # Using 'auto_escape' is preferred
  # Characters outside this list are mime-encoded before an expanded
  # attribute reaches a query (see above). This escaping is what keeps
  # quote characters in NAS-supplied values (User-Name, Calling-Station-Id,
  # Connect-Info, ...) out of the SQL below, so never add quote or
  # backslash characters here; prefer enabling auto_escape instead.
  1343. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  1344.  
  1345. #######################################################################
  1346. # Connection config
  1347. #######################################################################
  1348. # The character set is not configurable. The default character set of
  1349. # the mysql client library is used. To control the character set,
  1350. # create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf)
  1351. # and enter
  1352. # [client]
  1353. # default-character-set = utf8
  1354. #
  1355.  
  1356. #######################################################################
  1357. # Query config: Username
  1358. #######################################################################
  1359. # This is the username that will get substituted, escaped, and added
  1360. # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
  1361. # everywhere a username substitution is needed so you can be sure
  1362. # the username passed from the client is escaped properly.
  1363. #
  1364. # Uncomment the next line, if you want the sql_user_name to mean:
  1365. #
  1366. # Use Stripped-User-Name, if it's there.
  1367. # Else use User-Name, if it's there,
  1368. # Else use hard-coded string "DEFAULT" as the user name.
  1369. #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
  1370. #
  # The raw User-Name is used (not Stripped-User-Name), so with realms --
  # the 'suffix' module is enabled in preacct -- database rows must be
  # stored as "user@realm"; see the alternative form above.
  1371. sql_user_name = "%{User-Name}"
  1372.  
  1373. #######################################################################
  1374. # Query config: Event-Timestamp
  1375. #######################################################################
  1376. # event_timestamp_epoch is the basis for the time inserted into
  1377. # accounting records. Typically this will be the Event-Timestamp of the
  1378. # accounting request, which is usually provided by a NAS.
  1379. #
  1380. # Uncomment the next line, if you want the timestamp to be based on the
  1381. # request reception time recorded by this server, for example if you
  1382. # distrust the provided Event-Timestamp.
  1383. #event_timestamp_epoch = "%l"
  1384.  
  # Uses the NAS-supplied Event-Timestamp when present, i.e. trusts the
  # NAS clock for acctstarttime/acctstoptime/acctupdatetime. A skewed NAS
  # clock also makes the accounting-on bulk close below
  # ("acctstarttime <= event_timestamp") miss rows; switch to the "%l"
  # form above if the NAS clock is not trustworthy.
  1385. event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}"
  1386.  
  1387. # event_timestamp is the SQL snippet for converting an epoch timestamp
  1388. # to an SQL date.
  1389.  
  # MySQL expression converting the epoch above to a DATETIME; the
  # accounting queries reference it as ${....event_timestamp}.
  1390. event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})"
  1391.  
  1392. #######################################################################
  1393. # Default profile
  1394. #######################################################################
  1395. # This is the default profile. It is found in SQL by group membership.
  1396. # That means that this profile must be a member of at least one group
  1397. # which will contain the corresponding check and reply items.
  1398. # This profile will be queried in the authorize section for every user.
  1399. # The point is to assign all users a default profile without having to
  1400. # manually add each one to a group that will contain the profile.
  1401. # The SQL module will also honor the User-Profile attribute. This
  1402. # attribute can be set anywhere in the authorize section (ie the users
  1403. # file). It is found exactly as the default profile is found.
  1404. # If it is set then it will *overwrite* the default profile setting.
  1405. # The idea is to select profiles based on checks on the incoming packets,
  1406. # not on user group membership. For example:
  1407. # -- users file --
  1408. # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
  1409. # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
  1410. #
  1411. # By default the default_user_profile is not set
  1412. #
  # NOTE(review): set here although the note above says it is normally
  # left unset. "DEFAULT" is looked up through group_membership_query like
  # any username, so it must exist in ${usergroup_table}; and because the
  # queries below match case-insensitively, a real account named "default"
  # (in any case) would collide with this profile.
  1413. default_user_profile = "DEFAULT"
  1414.  
  1415. #######################################################################
  1416. # NAS Query
  1417. #######################################################################
  1418. # This query retrieves the radius clients
  1419. #
  1420. # 0. Row ID (currently unused)
  1421. # 1. Name (or IP address)
  1422. # 2. Shortname
  1423. # 3. Type
  1424. # 4. Secret
  1425. # 5. Server
  1426. #######################################################################
  1427.  
  # Loads the RADIUS clients (NAS name, type, shared secret, ...) from
  # ${client_table}; the column order is fixed (see above). The shared
  # secrets are read in clear text, so the DB account FreeRADIUS connects
  # with should be the only one with SELECT on this table, and it needs no
  # write privilege on it.
  1428. client_query = "\
  1429. SELECT id, nasname, shortname, type, secret, server \
  1430. FROM ${client_table}"
  1431.  
  1432. #######################################################################
  1433. # Authorization Queries
  1434. #######################################################################
  1435. # These queries compare the check items for the user
  1436. # in ${authcheck_table} and setup the reply items in
  1437. # ${authreply_table}. You can use any query/tables
  1438. # you want, but the return data for each row MUST
  1439. # be in the following order:
  1440. #
  1441. # 0. Row ID (currently unused)
  1442. # 1. UserName/GroupName
  1443. # 2. Item Attr Name
  1444. # 3. Item Attr Value
  1445. # 4. Item Attr Operation
  1446. #######################################################################
  1447. # Use these for case sensitive usernames.
  1448.  
  1449. #authorize_check_query = "\
  1450. # SELECT id, username, attribute, value, op \
  1451. # FROM ${authcheck_table} \
  1452. # WHERE username = BINARY '%{SQL-User-Name}' \
  1453. # ORDER BY id"
  1454.  
  1455. #authorize_reply_query = "\
  1456. # SELECT id, username, attribute, value, op \
  1457. # FROM ${authreply_table} \
  1458. # WHERE username = BINARY '%{SQL-User-Name}' \
  1459. # ORDER BY id"
  1460.  
  1461. #
  1462. # The default queries are case insensitive. (for compatibility with
  1463. # older versions of FreeRADIUS)
  1464. #
  # Check items: matches the username regardless of case (see the note
  # above). Use the BINARY variants above if account names must be
  # distinguished by case, e.g. when "Alice" and "alice" are different
  # accounts in the source directory.
  1465. authorize_check_query = "\
  1466. SELECT id, username, attribute, value, op \
  1467. FROM ${authcheck_table} \
  1468. WHERE username = '%{SQL-User-Name}' \
  1469. ORDER BY id"
  1470.  
  # Reply items for the same (case-insensitive) username match.
  1471. authorize_reply_query = "\
  1472. SELECT id, username, attribute, value, op \
  1473. FROM ${authreply_table} \
  1474. WHERE username = '%{SQL-User-Name}' \
  1475. ORDER BY id"
  1476.  
  1477. #
  1478. # Use these for case sensitive usernames.
  1479. #
  1480. #group_membership_query = "\
  1481. # SELECT groupname \
  1482. # FROM ${usergroup_table} \
  1483. # WHERE username = BINARY '%{SQL-User-Name}' \
  1484. # ORDER BY priority"
  1485.  
  # Group lookup, also case-insensitive (BINARY variant above). The
  # matched group names feed ${group_attribute}, which is defined in
  # mods-available/sql (not in this file) and is what the two group
  # queries below key on; priority decides the order groups are applied.
  1486. group_membership_query = "\
  1487. SELECT groupname \
  1488. FROM ${usergroup_table} \
  1489. WHERE username = '%{SQL-User-Name}' \
  1490. ORDER BY priority"
  1491.  
  # Check items of a matched group. "Value" here vs "value" in the reply
  # query below is only a case difference in the column name -- harmless
  # for MySQL identifiers, but worth normalising.
  1492. authorize_group_check_query = "\
  1493. SELECT id, groupname, attribute, \
  1494. Value, op \
  1495. FROM ${groupcheck_table} \
  1496. WHERE groupname = '%{${group_attribute}}' \
  1497. ORDER BY id"
  1498.  
  # Reply items of a matched group.
  1499. authorize_group_reply_query = "\
  1500. SELECT id, groupname, attribute, \
  1501. value, op \
  1502. FROM ${groupreply_table} \
  1503. WHERE groupname = '%{${group_attribute}}' \
  1504. ORDER BY id"
  1505.  
  1506. #######################################################################
  1507. # Simultaneous Use Checking Queries
  1508. #######################################################################
  1509. # simul_count_query - query for the number of current connections
  1510. # - If this is not defined, no simultaneous use checking
  1511. # - will be performed by this module instance
  1512. # simul_verify_query - query to return details of current connections
  1513. # for verification
  1514. # - Leave blank or commented out to disable verification step
  1515. # - Note that the returned field order should not be changed.
  1516. #######################################################################
  1517.  
  # Counts the user's radacct rows still open (no Accounting-Stop
  # recorded). Lost Stop packets leave rows open and count against
  # Simultaneous-Use until the NAS sends Accounting-On/Off or the row is
  # closed by hand; this is what the "session { sql }" section in the
  # virtual server above relies on.
  1518. simul_count_query = "\
  1519. SELECT COUNT(*) \
  1520. FROM ${acct_table1} \
  1521. WHERE username = '%{SQL-User-Name}' \
  1522. AND acctstoptime IS NULL"
  1523.  
  # Details of those open sessions for the verification step; the column
  # order must not change (see the note above).
  1524. simul_verify_query = "\
  1525. SELECT \
  1526. radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \
  1527. callingstationid, framedprotocol \
  1528. FROM ${acct_table1} \
  1529. WHERE username = '%{SQL-User-Name}' \
  1530. AND acctstoptime IS NULL"
  1531.  
  1532. #######################################################################
  1533. # Accounting and Post-Auth Queries
  1534. #######################################################################
  1535. # These queries insert/update accounting and authentication records.
  1536. # The query to use is determined by the value of 'reference'.
  1537. # This value is used as a configuration path and should resolve to one
  1538. # or more 'query's. If reference points to multiple queries, and a query
  1539. # fails, the next query is executed.
  1540. #
  1541. # Behaviour is identical to the old 1.x/2.x module, except we can now
  1542. # fail between N queries, and query selection can be based on any
  1543. # combination of attributes, or custom 'Acct-Status-Type' values.
  1544. #######################################################################
  1545. accounting {
  # Picks the query group below from the lower-cased Acct-Status-Type
  # (start, interim-update, accounting-on, ...), falling back to the
  # processing stage name so that the "post-auth" group is reached when
  # no Acct-Status-Type is present. The enclosing "accounting" block
  # continues past this excerpt.
  1546. reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
  1547.  
  1548. # Write SQL queries to a logfile. This is potentially useful for bulk inserts
  1549. # when used with the rlm_sql_null driver.
  1550. # logfile = ${logdir}/accounting.sql
  1551.  
  # 26 columns; every INSERT below (post-auth, start, interim-update)
  # must list its VALUES in exactly this order.
  1552. column_list = "\
  1553. acctsessionid, acctuniqueid, username, \
  1554. realm, nasipaddress, nasportid, \
  1555. nasporttype, acctstarttime, acctupdatetime, \
  1556. acctstoptime, acctsessiontime, acctauthentic, \
  1557. connectinfo_start, connectinfo_stop, acctinputoctets, \
  1558. acctoutputoctets, calledstationid, callingstationid, \
  1559. acctterminatecause, servicetype, framedprotocol, \
  1560. framedipaddress, framedipv6address, framedipv6prefix, \
  1561. framedinterfaceid, delegatedipv6prefix"
  1562.  
  1563. type {
  1564. accounting-on {
  1565. #
  1566. # Bulk terminate all sessions associated with a given NAS
  1567. #
  # NOTE(review): rows are matched on nasipaddress = NAS-IP-Address only,
  # whereas the post-auth INSERT below stores NAS-IPv6-Address when the
  # NAS sends one; sessions recorded under an IPv6 address would not be
  # closed here. Rows with acctstarttime later than the NAS-supplied
  # event_timestamp are also left open, so NAS clock skew matters.
  1568. query = "\
  1569. UPDATE ${....acct_table1} \
  1570. SET \
  1571. acctstoptime = ${....event_timestamp}, \
  1572. acctsessiontime = '${....event_timestamp_epoch}' \
  1573. - UNIX_TIMESTAMP(acctstarttime), \
  1574. acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \
  1575. WHERE acctstoptime IS NULL \
  1576. AND nasipaddress = '%{NAS-IP-Address}' \
  1577. AND acctstarttime <= ${....event_timestamp}"
  1578. }
  1579.  
  1580. accounting-off {
  # Same bulk close as accounting-on: every open session of the NAS is
  # terminated, so the caveats noted there apply here too.
  1581. query = "${..accounting-on.query}"
  1582. }
  1583.  
  1584. #
  1585. # Implement the "sql_session_start" policy.
  1586. # See raddb/policy.d/accounting for more details.
  1587. #
  1588. # You also need to fix the other queries as
  1589. # documented below. Look for "sql_session_start".
  1590. #
  1591. post-auth {
  # Reached through ${reference} when the stage name is used instead of
  # an Acct-Status-Type. The first query inserts a placeholder session
  # row at Access-Accept time; if it fails (key constraint), the next
  # query re-arms the already open row for the same user/NAS/port (see
  # the failover rule in "Accounting and Post-Auth Queries" above).
  # Intended for the sql_session_start policy described above -- TODO
  # confirm what invokes it in this deployment.
  1592. query = "\
  1593. INSERT INTO ${....acct_table1} \
  1594. (${...column_list}) \
  1595. VALUES(\
  1596. '%{Acct-Session-Id}', \
  1597. '%{Acct-Unique-Session-Id}', \
  1598. '%{SQL-User-Name}', \
  1599. '%{Realm}', \
  1600. '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \
  1601. NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \
  1602. '%{NAS-Port-Type}', \
  1603. ${....event_timestamp}, \
  1604. NULL, \
  1605. NULL, \
  1606. 0, \
  1607. '', \
  1608. '%{Connect-Info}', \
  1609. NULL, \
  1610. 0, \
  1611. 0, \
  1612. '%{Called-Station-Id}', \
  1613. '%{Calling-Station-Id}', \
  1614. '', \
  1615. '%{Service-Type}', \
  1616. NULL, \
  1617. '', \
  1618. '', \
  1619. '', \
  1620. '', \
  1621. '')"
  1622.  
  # Fallback: reuse the open row matched by user, NAS address, port and
  # port type (note this one matches on the IPv6-or-IPv4 address, unlike
  # the accounting-on query above).
  1623. query = "\
  1624. UPDATE ${....acct_table1} SET \
  1625. AcctStartTime = ${....event_timestamp}, \
  1626. AcctUpdateTime = ${....event_timestamp}, \
  1627. ConnectInfo_start = '%{Connect-Info}', \
  1628. AcctSessionId = '%{Acct-Session-Id}' \
  1629. WHERE UserName = '%{SQL-User-Name}' \
  1630. AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
  1631. AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
  1632. AND NASPortType = '%{NAS-Port-Type}' \
  1633. AND AcctStopTime IS NULL"
  1634. }
  1635.  
  1636. start {
  # Query order is failover order (see "Accounting and Post-Auth Queries"
  # above): the INSERT runs first; the "-query" UPDATE is disabled by its
  # '-' prefix (see the comment before it); the final UPDATE recovers from
  # a duplicate AcctUniqueId, which is why acct_unique must stay enabled
  # in the virtual server's preacct section.
  1637. #
  1638. # Insert a new record into the sessions table
  1639. #
  # Note: nasipaddress is stored as NAS-IP-Address here, while the
  # post-auth INSERT above prefers NAS-IPv6-Address; keep that in mind
  # when matching rows across the two.
  1640. query = "\
  1641. INSERT INTO ${....acct_table1} \
  1642. (${...column_list}) \
  1643. VALUES \
  1644. ('%{Acct-Session-Id}', \
  1645. '%{Acct-Unique-Session-Id}', \
  1646. '%{SQL-User-Name}', \
  1647. '%{Realm}', \
  1648. '%{NAS-IP-Address}', \
  1649. '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
  1650. '%{NAS-Port-Type}', \
  1651. ${....event_timestamp}, \
  1652. ${....event_timestamp}, \
  1653. NULL, \
  1654. '0', \
  1655. '%{Acct-Authentic}', \
  1656. '%{Connect-Info}', \
  1657. '', \
  1658. '0', \
  1659. '0', \
  1660. '%{Called-Station-Id}', \
  1661. '%{Calling-Station-Id}', \
  1662. '', \
  1663. '%{Service-Type}', \
  1664. '%{Framed-Protocol}', \
  1665. '%{Framed-IP-Address}', \
  1666. '%{Framed-IPv6-Address}', \
  1667. '%{Framed-IPv6-Prefix}', \
  1668. '%{Framed-Interface-Id}', \
  1669. '%{Delegated-IPv6-Prefix}')"
  1670.  
  1671. #
  1672. # When using "sql_session_start", you should comment out
  1673. # the previous query, and enable this one.
  1674. #
  1675. # Just change the previous query to "-query",
  1676. # and this one to "query". The previous one
  1677. # will be ignored, and this one will be
  1678. # enabled.
  1679. #
  1680. -query = "\
  1681. UPDATE ${....acct_table1} \
  1682. SET \
  1683. AcctSessionId = '%{Acct-Session-Id}', \
  1684. AcctUniqueId = '%{Acct-Unique-Session-Id}', \
  1685. AcctAuthentic = '%{Acct-Authentic}', \
  1686. ConnectInfo_start = '%{Connect-Info}', \
  1687. ServiceType = '%{Service-Type}', \
  1688. FramedProtocol = '%{Framed-Protocol}', \
  1689. framedipaddress = '%{Framed-IP-Address}', \
  1690. framedipv6address = '%{Framed-IPv6-Address}', \
  1691. framedipv6prefix = '%{Framed-IPv6-Prefix}', \
  1692. framedinterfaceid = '%{Framed-Interface-Id}', \
  1693. delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
  1694. AcctStartTime = ${....event_timestamp}, \
  1695. AcctUpdateTime = ${....event_timestamp} \
  1696. WHERE UserName = '%{SQL-User-Name}' \
  1697. AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
  1698. AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
  1699. AND NASPortType = '%{NAS-Port-Type}' \
  1700. AND AcctStopTime IS NULL"
  1701.  
  1702. #
  1703. # Key constraints prevented us from inserting a new session,
  1704. # use the alternate query to update an existing session.
  1705. #
  # Keyed on Acct-Unique-Session-Id alone; a retransmitted Start from the
  # NAS therefore refreshes the existing row rather than creating a
  # duplicate.
  1706. query = "\
  1707. UPDATE ${....acct_table1} SET \
  1708. acctstarttime = ${....event_timestamp}, \
  1709. acctupdatetime = ${....event_timestamp}, \
  1710. connectinfo_start = '%{Connect-Info}' \
  1711. WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  1712.  
  1713. }
  1714.  
interim-update {
#
# Update an existing session and calculate the interval
# between the last data we received for the session and this
# update. This can be used to find stale sessions.
#
# The row is selected by AcctUniqueId alone. The first two SET
# items are a MySQL user-variable idiom: the previous acctupdatetime
# is captured into @acctupdatetime_old before the column is
# overwritten, so acctinterval can be derived from it two lines
# later. That idiom, UNIX_TIMESTAMP() and FROM_UNIXTIME() are
# MySQL syntax; the only schema reproduced on this page is the
# SQLite one, so confirm that the database actually in use matches
# the module's "dialect" setting.
#
# Octet counters are rebuilt from the RADIUS 32-bit pair:
# Gigawords supplies the high 32 bits, Octets the low 32 bits, and
# a missing attribute defaults to 0 so the expression stays valid.
#
query = "\
UPDATE ${....acct_table1} \
SET \
acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \
acctupdatetime = ${....event_timestamp}, \
acctinterval = ${....event_timestamp_epoch} - \
UNIX_TIMESTAMP(@acctupdatetime_old), \
framedipaddress = '%{Framed-IP-Address}', \
framedipv6address = '%{Framed-IPv6-Address}', \
framedipv6prefix = '%{Framed-IPv6-Prefix}', \
framedinterfaceid = '%{Framed-Interface-Id}', \
delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

#
# The update condition matched no existing sessions. Use
# the values provided in the update to create a new session.
#
# Only reached when the UPDATE above changed no row. The start
# time is reconstructed as the packet's epoch time minus
# Acct-Session-Time (0 when absent). The third timestamp slot is
# NULL, presumably acctstoptime (column_list is defined outside
# this excerpt), so the recreated session is still open.
#
query = "\
INSERT INTO ${....acct_table1} \
(${...column_list}) \
VALUES \
('%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', \
'%{Realm}', \
'%{NAS-IP-Address}', \
'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
'%{NAS-Port-Type}', \
FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \
${....event_timestamp}, \
NULL, \
%{%{Acct-Session-Time}:-NULL}, \
'%{Acct-Authentic}', \
'%{Connect-Info}', \
'', \
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'', \
'%{Service-Type}', \
'%{Framed-Protocol}', \
'%{Framed-IP-Address}', \
'%{Framed-IPv6-Address}', \
'%{Framed-IPv6-Prefix}', \
'%{Framed-Interface-Id}', \
'%{Delegated-IPv6-Prefix}')"

#
# When using "sql_session_start", you should comment out
# the previous query, and enable this one.
#
# Just change the previous query to "-query",
# and this one to "query". The previous one
# will be ignored, and this one will be
# enabled.
#
# Currently disabled by the leading "-". Unlike the UPDATE at the
# top of this section it locates the open session (AcctStopTime IS
# NULL) by UserName, NAS address, port and port type rather than by
# AcctUniqueId.
#
-query = "\
UPDATE ${....acct_table1} \
SET \
AcctSessionId = '%{Acct-Session-Id}', \
AcctUniqueId = '%{Acct-Unique-Session-Id}', \
AcctAuthentic = '%{Acct-Authentic}', \
ConnectInfo_start = '%{Connect-Info}', \
ServiceType = '%{Service-Type}', \
FramedProtocol = '%{Framed-Protocol}', \
framedipaddress = '%{Framed-IP-Address}', \
framedipv6address = '%{Framed-IPv6-Address}', \
framedipv6prefix = '%{Framed-IPv6-Prefix}', \
framedinterfaceid = '%{Framed-Interface-Id}', \
delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
AcctUpdateTime = ${....event_timestamp}, \
AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \
AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE UserName = '%{SQL-User-Name}' \
AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
AND NASPortType = '%{NAS-Port-Type}' \
AND AcctStopTime IS NULL"

}
  1811.  
  1812. stop {
  1813. #
  1814. # Session has terminated, update the stop time and statistics.
  1815. #
  1816. query = "\
  1817. UPDATE ${....acct_table2} SET \
  1818. acctstoptime = ${....event_timestamp}, \
  1819. acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
  1820. acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
  1821. << 32 | '%{%{Acct-Input-Octets}:-0}', \
  1822. acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
  1823. << 32 | '%{%{Acct-Output-Octets}:-0}', \
  1824. acctterminatecause = '%{Acct-Terminate-Cause}', \
  1825. connectinfo_stop = '%{Connect-Info}' \
  1826. WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  1827.  
  1828. #
  1829. # The update condition matched no existing sessions. Use
  1830. # the values provided in the update to create a new session.
  1831. #
  1832. query = "\
  1833. INSERT INTO ${....acct_table2} \
  1834. (${...column_list}) \
  1835. VALUES \
  1836. ('%{Acct-Session-Id}', \
  1837. '%{Acct-Unique-Session-Id}', \
  1838. '%{SQL-User-Name}', \
  1839. '%{Realm}', \
  1840. '%{NAS-IP-Address}', \
  1841. '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
  1842. '%{NAS-Port-Type}', \
  1843. FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \
  1844. ${....event_timestamp}, \
  1845. ${....event_timestamp}, \
  1846. %{%{Acct-Session-Time}:-NULL}, \
  1847. '%{Acct-Authentic}', \
  1848. '', \
  1849. '%{Connect-Info}', \
  1850. '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
  1851. '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
  1852. '%{Called-Station-Id}', \
  1853. '%{Calling-Station-Id}', \
  1854. '%{Acct-Terminate-Cause}', \
  1855. '%{Service-Type}', \
  1856. '%{Framed-Protocol}', \
  1857. '%{Framed-IP-Address}', \
  1858. '%{Framed-IPv6-Address}', \
  1859. '%{Framed-IPv6-Prefix}', \
  1860. '%{Framed-Interface-Id}', \
  1861. '%{Delegated-IPv6-Prefix}')"
  1862.  
  1863. #
  1864. # When using "sql_session_start", you should comment out
  1865. # the previous query, and enable this one.
  1866. #
  1867. # Just change the previous query to "-query",
  1868. # and this one to "query". The previous one
  1869. # will be ignored, and this one will be
  1870. # enabled.
  1871. #
  1872. -query = "\
  1873. UPDATE ${....acct_table1} \
  1874. SET \
  1875. AcctSessionId = '%{Acct-Session-Id}', \
  1876. AcctUniqueId = '%{Acct-Unique-Session-Id}', \
  1877. AcctAuthentic = '%{Acct-Authentic}', \
  1878. ConnectInfo_start = '%{Connect-Info}', \
  1879. ServiceType = '%{Service-Type}', \
  1880. FramedProtocol = '%{Framed-Protocol}', \
  1881. framedipaddress = '%{Framed-IP-Address}', \
  1882. framedipv6address = '%{Framed-IPv6-Address}', \
  1883. framedipv6prefix = '%{Framed-IPv6-Prefix}', \
  1884. framedinterfaceid = '%{Framed-Interface-Id}', \
  1885. delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
  1886. AcctStopTime = ${....event_timestamp}, \
  1887. AcctUpdateTime = ${....event_timestamp}, \
  1888. AcctSessionTime = %{Acct-Session-Time}, \
  1889. AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \
  1890. << 32 | '%{%{Acct-Input-Octets}:-0}', \
  1891. AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \
  1892. << 32 | '%{%{Acct-Output-Octets}:-0}', \
  1893. AcctTerminateCause = '%{Acct-Terminate-Cause}', \
  1894. ConnectInfo_stop = '%{Connect-Info}' \
  1895. WHERE UserName = '%{SQL-User-Name}' \
  1896. AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
  1897. AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
  1898. AND NASPortType = '%{NAS-Port-Type}' \
  1899. AND AcctStopTime IS NULL"
  1900.  
  1901. }
  1902.  
  1903. #
  1904. # No Acct-Status-Type == ignore the packet
  1905. #
accounting {
# A no-op SELECT: nothing is written for a packet that carries no
# Acct-Status-Type, but the section still completes successfully.
query = "SELECT true"
}
  1909. }
  1910. }
  1911.  
  1912.  
  1913. #######################################################################
  1914. # Authentication Logging Queries
  1915. #######################################################################
  1916. # postauth_query - Insert some info after authentication
  1917. #######################################################################
  1918.  
post-auth {
# Write SQL queries to a logfile. This is potentially useful for bulk inserts
# when used with the rlm_sql_null driver.
# logfile = ${logdir}/post-auth.sql

# One row per authentication result: username, the password from the
# request, the reply packet type (e.g. Access-Accept or Access-Reject)
# and a timestamp for the authdate column.
#
# NOTE(review): the "pass" column receives the request's User-Password
# attribute verbatim (the user's password for PAP), or the CHAP
# response when there is none, for every attempt whether it succeeds
# or fails. radpostauth therefore accumulates credentials at rest.
# Unless that audit trail is explicitly required, write '' here (or
# remove pass from the column list) and keep only username, reply and
# authdate, and restrict read access to the table either way.
query = "\
INSERT INTO ${..postauth_table} \
(username, pass, reply, authdate) \
VALUES ( \
'%{SQL-User-Name}', \
'%{%{User-Password}:-%{Chap-Password}}', \
'%{reply:Packet-Type}', \
'%S.%M')"
}
  1933. </code>
  1934.  
  1935. /etc/freeradius/3.0/mods-config/sql/main/sqlite/schema.sql
  1936. <code>-----------------------------------------------------------------------------
  1937. -- $Id: 919687de64f6074868eeff31cdfbfb01b3dbeda2 $ --
  1938. -- --
  1939. -- schema.sql rlm_sql - FreeRADIUS SQLite Module --
  1940. -- --
  1941. -- Database schema for SQLite rlm_sql module --
  1942. -- --
  1943. -----------------------------------------------------------------------------
  1944.  
  1945. --
  1946. -- Table structure for table 'radacct'
  1947. --
CREATE TABLE IF NOT EXISTS radacct (
radacctid INTEGER PRIMARY KEY AUTOINCREMENT,
acctsessionid varchar(64) NOT NULL default '',
-- acctuniqueid is the key every accounting UPDATE in the queries
-- above matches on; it must stay unique (see the index below).
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
realm varchar(64) default '',
-- Sized for a dotted-quad IPv4 address; the accounting INSERTs above
-- write NAS-IP-Address only. SQLite ignores the declared length, so
-- nothing is truncated here, but other dialects may enforce it.
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(32) default NULL,
nasporttype varchar(32) default NULL,
acctstarttime datetime NULL default NULL,
acctupdatetime datetime NULL default NULL,
-- NULL while the session is open; the "sql_session_start" queries
-- above select open sessions with "AcctStopTime IS NULL".
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
acctsessiontime int(12) default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,
-- 64-bit: the queries fold Gigawords into the high 32 bits.
acctinputoctets bigint(20) default NULL,
acctoutputoctets bigint(20) default NULL,
calledstationid varchar(50) NOT NULL default '',
callingstationid varchar(50) NOT NULL default '',
acctterminatecause varchar(32) NOT NULL default '',
servicetype varchar(32) default NULL,
framedprotocol varchar(32) default NULL,
framedipaddress varchar(15) NOT NULL default '',
framedipv6address varchar(45) NOT NULL default '',
framedipv6prefix varchar(45) NOT NULL default '',
framedinterfaceid varchar(44) NOT NULL default '',
delegatedipv6prefix varchar(45) NOT NULL default ''
);

-- This unique index is the "key constraint" the accounting queries
-- rely on: a second INSERT for the same acctuniqueid fails, which is
-- what lets the start section fall through to its UPDATE alternate
-- (see the comment on that query above).
CREATE UNIQUE INDEX acctuniqueid ON radacct(acctuniqueid);
CREATE INDEX username ON radacct(username);
CREATE INDEX framedipaddress ON radacct (framedipaddress);
CREATE INDEX framedipv6address ON radacct (framedipv6address);
CREATE INDEX framedipv6prefix ON radacct (framedipv6prefix);
CREATE INDEX framedinterfaceid ON radacct (framedinterfaceid);
CREATE INDEX delegatedipv6prefix ON radacct (delegatedipv6prefix);
CREATE INDEX acctsessionid ON radacct(acctsessionid);
CREATE INDEX acctsessiontime ON radacct(acctsessiontime);
CREATE INDEX acctstarttime ON radacct(acctstarttime);
CREATE INDEX acctinterval ON radacct(acctinterval);
CREATE INDEX acctstoptime ON radacct(acctstoptime);
CREATE INDEX nasipaddress ON radacct(nasipaddress);
  1992.  
  1993. --
  1994. -- Table structure for table 'radcheck'
  1995. --
-- Per-user check items: one (attribute, op, value) triple per row,
-- looked up by username. "op" defaults to '==' here and in
-- radgroupcheck; the reply tables default to '='.
-- If password attributes are stored as values, this table holds
-- credentials: limit database access to the RADIUS server's account.
CREATE TABLE IF NOT EXISTS radcheck (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT '==',
value varchar(253) NOT NULL default ''
);
CREATE INDEX check_username ON radcheck(username);
  2004.  
  2005. --
  2006. -- Table structure for table 'radgroupcheck'
  2007. --
-- Per-group check items, same layout as radcheck but keyed by
-- groupname (users are mapped to groups via radusergroup below).
CREATE TABLE IF NOT EXISTS radgroupcheck (
id INTEGER PRIMARY KEY AUTOINCREMENT,
groupname varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT '==',
value varchar(253) NOT NULL default ''
);
CREATE INDEX check_groupname ON radgroupcheck(groupname);
  2016.  
  2017. --
  2018. -- Table structure for table 'radgroupreply'
  2019. --
-- Per-group reply items, keyed by groupname. Note the '=' default
-- for "op", as opposed to '==' in the check tables.
CREATE TABLE IF NOT EXISTS radgroupreply (
id INTEGER PRIMARY KEY AUTOINCREMENT,
groupname varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT '=',
value varchar(253) NOT NULL default ''
);
CREATE INDEX reply_groupname ON radgroupreply(groupname);
  2028.  
  2029. --
  2030. -- Table structure for table 'radreply'
  2031. --
-- Per-user reply items, keyed by username; "op" defaults to '='
-- like radgroupreply.
CREATE TABLE IF NOT EXISTS radreply (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT '=',
value varchar(253) NOT NULL default ''
);
CREATE INDEX reply_username ON radreply(username);
  2040.  
  2041. --
  2042. -- Table structure for table 'radusergroup'
  2043. --
-- Maps usernames to groups; a user may appear in several rows, with
-- "priority" (default 1) ordering them.
CREATE TABLE IF NOT EXISTS radusergroup (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
priority int(11) NOT NULL default '1'
);
CREATE INDEX usergroup_username ON radusergroup(username);
  2051.  
  2052. --
  2053. -- Table structure for table 'radpostauth'
  2054. --
-- One row per authentication result, written by the post-auth query
-- above. NOTE(review): that query fills "pass" with the request's
-- User-Password attribute (the user's password for PAP), so as
-- configured this table stores cleartext login attempts. Treat it as
-- sensitive data -- restrict read access and retention -- or change
-- the post-auth query so "pass" is no longer populated.
CREATE TABLE IF NOT EXISTS radpostauth (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username varchar(64) NOT NULL default '',
pass varchar(64) NOT NULL default '',
reply varchar(32) NOT NULL default '',
authdate timestamp NOT NULL
);
  2062.  
  2063. --
  2064. -- Table structure for table 'nas'
  2065. --
-- RADIUS clients (NAS devices) when they are read from SQL instead
-- of clients.conf.
CREATE TABLE IF NOT EXISTS nas (
id INTEGER PRIMARY KEY AUTOINCREMENT,
nasname varchar(128) NOT NULL,
shortname varchar(32),
type varchar(30) DEFAULT 'other',
ports int(5),
-- NOTE(review): a NAS row inserted without an explicit secret gets
-- the literal shared secret 'secret'. Every client row should carry
-- its own long random secret; consider removing the DEFAULT so that
-- an omitted secret is rejected by the NOT NULL constraint instead
-- of silently falling back to a guessable value.
secret varchar(60) DEFAULT 'secret' NOT NULL,
server varchar(64),
community varchar(50),
description varchar(200) DEFAULT 'RADIUS Client'
);
CREATE INDEX nasname ON nas(nasname);
  2078. </code>
  2079.  
  2080. /etc/freeradius/3.0/sites-enabled/default
  2081. <code>######################################################################
  2082. #
  2083. # As of 2.0.0, FreeRADIUS supports virtual hosts using the
  2084. # "server" section, and configuration directives.
  2085. #
  2086. # Virtual hosts should be put into the "sites-available"
  2087. # directory. Soft links should be created in the "sites-enabled"
  2088. # directory to these files. This is done in a normal installation.
  2089. #
  2090. # If you are using 802.1X (EAP) authentication, please see also
  2091. # the "inner-tunnel" virtual server. You will likely have to edit
  2092. # that, too, for authentication to work.
  2093. #
  2094. # $Id: c60c0ba4c8728fac10b190dbb3b752f9df317c07 $
  2095. #
  2096. ######################################################################
  2097. #
  2098. # Read "man radiusd" before editing this file. See the section
  2099. # titled DEBUGGING. It outlines a method where you can quickly
  2100. # obtain the configuration you want, without running into
  2101. # trouble. See also "man unlang", which documents the format
  2102. # of this file.
  2103. #
  2104. # This configuration is designed to work in the widest possible
  2105. # set of circumstances, with the widest possible number of
  2106. # authentication methods. This means that in general, you should
  2107. # need to make very few changes to this file.
  2108. #
  2109. # The best way to configure the server for your local system
  2110. # is to CAREFULLY edit this file. Most attempts to make large
  2111. # edits to this file will BREAK THE SERVER. Any edits should
  2112. # be small, and tested by running the server with "radiusd -X".
  2113. # Once the edits have been verified to work, save a copy of these
  2114. # configuration files somewhere. (e.g. as a "tar" file). Then,
  2115. # make more edits, and test, as above.
  2116. #
  2117. # There are many "commented out" references to modules such
  2118. # as ldap, sql, etc. These references serve as place-holders.
  2119. # If you need the functionality of that module, then configure
  2120. # it in radiusd.conf, and un-comment the references to it in
  2121. # this file. In most cases, those small changes will result
  2122. # in the server being able to connect to the DB, and to
  2123. # authenticate users.
  2124. #
  2125. ######################################################################
  2126.  
  2127. server default {
  2128. #
  2129. # If you want the server to listen on additional addresses, or on
  2130. # additional ports, you can use multiple "listen" sections.
  2131. #
  2132. # Each section make the server listen for only one type of packet,
  2133. # therefore authentication and accounting have to be configured in
  2134. # different sections.
  2135. #
  2136. # The server ignore all "listen" section if you are using '-i' and '-p'
  2137. # on the command line.
  2138. #
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa
#
type = auth

# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.

# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
# If multiple ones are listed, only the first one will
# be used, and the others will be ignored.
#
# The configuration options accept the following syntax:
#
# ipv4addr - IPv4 address (e.g.192.0.2.3)
# - wildcard (i.e. *)
# - hostname (radius.example.com)
# Only the A record for the host name is used.
# If there is no A record, an error is returned,
# and the server fails to start.
#
# ipv6addr - IPv6 address (e.g. 2001:db8::1)
# - wildcard (i.e. *)
# - hostname (radius.example.com)
# Only the AAAA record for the host name is used.
# If there is no AAAA record, an error is returned,
# and the server fails to start.
#
# ipaddr - IPv4 address as above
# - IPv6 address as above
# - wildcard (i.e. *), which means IPv4 wildcard.
# - hostname
# If there is only one A or AAAA record returned
# for the host name, it is used.
# If multiple A or AAAA records are returned
# for the host name, only the first one is used.
# If both A and AAAA records are returned
# for the host name, only the A record is used.
#
# ipv4addr = *
# ipv6addr = *
#
# Binds every IPv4 address on the host. "interface" and the
# per-socket "clients" list are both commented out below, so which
# NAS addresses may talk to this socket is decided solely by the
# global clients.conf list.
ipaddr = *

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0

# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0

# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients

#
# Set the default UDP receive buffer size. In most cases,
# the default values set by the kernel are fine. However, in
# some cases the NASes will send large packets, and many of
# them at a time. It is then possible to overflow the
# buffer, causing the kernel to drop packets before they
# reach FreeRADIUS. Increasing the size of the buffer will
# avoid these packet drops.
#
# recv_buff = 65536

#
# Connection limiting for sockets with "proto = tcp".
#
# This section is ignored for other kinds of sockets.
#
# No "proto = tcp" appears in this listen section, so per the
# note above the values below are not in effect for it.
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16

# The per-socket "max_requests" option does not exist.

#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0

#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
  2279.  
  2280. #
  2281. # This second "listen" section is for listening on the accounting
  2282. # port, too.
  2283. #
listen {
# Accounting socket. Like the auth socket above it binds every IPv4
# address and, with "clients" commented out, relies on the global
# client list to decide which NAS addresses are accepted.
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients

limit {
# The number of packets received can be rate limited via the
# "max_pps" configuration item. When it is set, the server
# tracks the total number of packets received in the previous
# second. If the count is greater than "max_pps", then the
# new packet is silently discarded. This helps the server
# deal with overload situations.
#
# The packets/s counter is tracked in a sliding window. This
# means that the pps calculation is done for the second
# before the current packet was received. NOT for the current
# wall-clock second, and NOT for the previous wall-clock second.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more than
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure that
# the server will never get overloaded
#
# NOTE(review): left commented out, so this accounting socket has
# no packets-per-second ceiling. Following the guidance above
# (about 50% over the normal accounting load) is the cheap way to
# keep a burst, a misbehaving NAS or a flood from exhausting the
# server and the SQL backend behind it.
#
# max_pps = 0

# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}
  2323.  
  2324. # IPv6 versions of the above - read their full config to understand options
# IPv6 authentication socket: "::" binds every IPv6 address on the
# host. The limit values mirror the IPv4 auth socket and, as there,
# only apply when "proto = tcp" is set.
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
# interface = eth0
# clients = per_socket_clients
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
  2337.  
# IPv6 accounting socket, again bound to every IPv6 address. As with
# the IPv4 accounting socket, "max_pps" is commented out, so this
# socket is not rate limited either.
listen {
ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients

limit {
# max_pps = 0
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}
  2352.  
  2353. # Authorization. First preprocess (hints and huntgroups files),
  2354. # then realms, and finally look in the "users" file.
  2355. #
  2356. # Any changes made here should also be made to the "inner-tunnel"
  2357. # virtual server.
  2358. #
  2359. # The order of the realm modules will determine the order that
  2360. # we try to find a matching realm.
  2361. #
  2362. # Make *sure* that 'preprocess' comes before any realm if you
  2363. # need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username

#
# Some broken equipment sends passwords with embedded zeros.
# i.e. the debug output will show
#
# User-Password = "password\000\000"
#
# This policy will fix it to just be "password".
#
# filter_password

#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/mods-config/preprocess/hints'
# and the 'raddb/mods-config/preprocess/huntgroups' files.
preprocess

# If you intend to use CUI and you require that the Operator-Name
# be set for CUI generation and you want to generate CUI also
# for your local clients then uncomment the operator-name
# below and set the operator-name for your clients in clients.conf
# operator-name

#
# If you want to generate CUI for some clients that do not
# send proper CUI requests, then uncomment the
# cui below and set "add_cui = yes" for these clients in clients.conf
# cui

#
# If you want to have a log of authentication requests,
# un-comment the following line.
#
# NOTE(review): still commented out here, so this section produces
# no per-request log of Access-Requests; enabling it gives a simple
# record for spotting credential-guessing against the NAS.
# auth_log

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
#
# NOTE(review): the comment above describes the chap module, but the
# directive below is "pap" (which is also listed last in this
# section). With no "chap" call here, nothing sets Auth-Type := CHAP
# for CHAP requests, so the "Auth-Type CHAP" block in the
# authenticate section is not reached for them. Confirm whether CHAP
# clients are expected and, if so, restore "chap" on this line.
pap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
#
# Enabled here although the note above scopes it to a Cisco SIP
# server; it is enabled in the authenticate section as well.
digest

#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
# wimax

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# Look for realms in user@domain format
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" or "updated" if it is not yet ready
# to authenticate the user. The configuration below checks for
# "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
# The "updated" check is commented out for compatibility with
# previous versions of this configuration, but you may wish to
# uncomment it as well; this will further reduce the number of
# LDAP and/or SQL queries for TTLS or PEAP.
#
eap {
ok = return
# updated = return
}

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix

#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in mods-available/sql
#
# The leading "-" makes this call optional: if the sql module is
# not enabled (no mods-enabled/sql) it is silently skipped and
# authorization continues with the other modules. For a SQL-backed
# deployment, confirm the module is enabled or drop the "-" so a
# missing module is reported at startup instead of ignored.
-sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'smbpasswd' module.
# smbpasswd

#
# The ldap module reads passwords from the LDAP database.
#
# Optional for the same reason as "-sql" above.
-ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
expiration
logintime

#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap

#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}
  2535.  
  2536.  
  2537. # Authentication.
  2538. #
  2539. #
  2540. # This section lists which modules are available for authentication.
  2541. # Note that it does NOT mean 'try each module in order'. It means
  2542. # that a module from the 'authorize' section adds a configuration
  2543. # attribute 'Auth-Type := FOO'. That authentication type is then
  2544. # used to pick the appropriate module from the list below.
  2545. #
  2546.  
  2547. # In general, you SHOULD NOT set the Auth-Type attribute. The server
  2548. # will figure it out on its own, and will do the right thing. The
  2549. # most common side effect of erroneously setting the Auth-Type
  2550. # attribute is that one authentication method will work, but the
  2551. # others will not.
  2552. #
  2553. # The common reasons to set the Auth-Type attribute by hand
  2554. # are either to forcibly reject the user (Auth-Type := Reject),
  2555. # or to forcibly accept the user (Auth-Type := Accept).
  2556. #
  2557. # Note that Auth-Type := Accept will NOT work with EAP.
  2558. #
  2559. # Please do not put "unlang" configurations into the "authenticate"
  2560. # section. Put them in the "post-auth" section instead. That's what
  2561. # the post-auth section is for.
  2562. #
  2563. authenticate {
  2564. #
  2565. # PAP authentication, when a back-end database listed
  2566. # in the 'authorize' section supplies a password. The
  2567. # password can be clear-text, or encrypted.
  2568. Auth-Type PAP {
  2569. pap
  2570. }
  2571.  
  2572. #
  2573. # Most people want CHAP authentication
  2574. # A back-end database listed in the 'authorize' section
  2575. # MUST supply a CLEAR TEXT password. Encrypted passwords
  2576. # won't work.
  2577. Auth-Type CHAP {
  2578. chap
  2579. }
  2580.  
  2581. #
  2582. # MSCHAP authentication.
  2583. Auth-Type MS-CHAP {
  2584. mschap
  2585. }
  2586.  
  2587. #
  2588. # For old names, too.
  2589. #
  2590. mschap
  2591.  
  2592. #
  2593. # If you have a Cisco SIP server authenticating against
  2594. # FreeRADIUS, uncomment the following line, and the 'digest'
  2595. # line in the 'authorize' section.
  2596. digest
  2597.  
  2598. #
  2599. # Pluggable Authentication Modules.
  2600. # pam
  2601.  
  2602. # Uncomment it if you want to use ldap for authentication
  2603. #
  2604. # Note that this means "check plain-text password against
  2605. # the ldap database", which means that EAP won't work,
  2606. # as it does not supply a plain-text password.
  2607. #
  2608. # We do NOT recommend using this. LDAP servers are databases.
  2609. # They are NOT authentication servers. FreeRADIUS is an
  2610. # authentication server, and knows what to do with authentication.
  2611. # LDAP servers do not.
  2612. #
  2613. # Auth-Type LDAP {
  2614. # ldap
  2615. # }
  2616.  
  2617. #
  2618. # Allow EAP authentication.
  2619. eap
  2620.  
  2621. #
  2622. # The older configurations sent a number of attributes in
  2623. # Access-Challenge packets, which wasn't strictly correct.
  2624. # If you want to filter out these attributes, uncomment
  2625. # the following lines.
  2626. #
  2627. # Auth-Type eap {
  2628. # eap {
  2629. # handled = 1
  2630. # }
  2631. # if (handled && (Response-Packet-Type == Access-Challenge)) {
  2632. # attr_filter.access_challenge.post-auth
  2633. # handled # override the "updated" code from attr_filter
  2634. # }
  2635. # }
  2636. }
  2637.  
  2638.  
  2639. #
  2640. # Pre-accounting. Decide which accounting type to use.
  2641. #
  2642. preacct {
  2643. preprocess
  2644.  
  2645. #
  2646. # Merge Acct-[Input|Output]-Gigawords and Acct-[Input|Output]-Octets
  2647. # into a single 64bit counter Acct-[Input|Output]-Octets64.
  2648. #
  2649. # acct_counters64
  2650.  
  2651. #
  2652. # Session start times are *implied* in RADIUS.
  2653. # The NAS never sends a "start time". Instead, it sends
  2654. # a start packet, *possibly* with an Acct-Delay-Time.
  2655. # The server is supposed to conclude that the start time
  2656. # was "Acct-Delay-Time" seconds in the past.
  2657. #
  2658. # The code below creates an explicit start time, which can
  2659. # then be used in other modules. It will be *mostly* correct.
  2660. # Any errors are due to the 1-second resolution of RADIUS,
  2661. # and the possibility that the time on the NAS may be off.
  2662. #
  2663. # The start time is: NOW - delay - session_length
  2664. #
  2665.  
  2666. # update request {
  2667. # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
  2668. # }
  2669.  
  2670.  
  2671. #
  2672. # Ensure that we have a semi-unique identifier for every
  2673. # request, as many NAS boxes are broken.
  2674. acct_unique
  2675.  
  2676. #
  2677. # Look for IPASS-style 'realm/', and if not found, look for
  2678. # '@realm', and decide whether or not to proxy, based on
  2679. # that.
  2680. #
  2681. # Accounting requests are generally proxied to the same
  2682. # home server as authentication requests.
  2683. # IPASS
  2684. suffix
  2685. # ntdomain
  2686.  
  2687. #
  2688. # Read the 'acct_users' file
  2689. files
  2690. }
  2691.  
  2692. #
  2693. # Accounting. Log the accounting data.
  2694. #
  2695. accounting {
  2696. # Update accounting packet by adding the CUI attribute
  2697. # recorded from the corresponding Access-Accept
  2698. # use it only if your NAS boxes do not support CUI themselves
  2699. # cui
  2700. #
  2701. # Create a 'detail'ed log of the packets.
  2702. # Note that accounting requests which are proxied
  2703. # are also logged in the detail file.
  2704. detail
  2705. # daily
  2706.  
  2707. # Update the wtmp file
  2708. #
  2709. # If you don't use "radlast", you can delete this line.
  2710. unix
  2711.  
  2712. #
  2713. # For Simultaneous-Use tracking.
  2714. #
  2715. # Due to packet losses in the network, the data here
  2716. # may be incorrect. There is little we can do about it.
  2717. radutmp
  2718. # sradutmp
  2719.  
  2720. # Return an address to the IP Pool when we see a stop record.
  2721. # sqlippool
  2722.  
  2723. #
  2724. # Log traffic to an SQL database.
  2725. #
  2726. # See "Accounting queries" in mods-available/sql
  2727. -sql
  2728.  
  2729. #
  2730. # If you receive stop packets with zero session length,
  2731. # they will NOT be logged in the database. The SQL module
  2732. # will print a message (only in debugging mode), and will
  2733. # return "noop".
  2734. #
  2735. # You can ignore these packets by uncommenting the following
  2736. # three lines. Otherwise, the server will not respond to the
  2737. # accounting request, and the NAS will retransmit.
  2738. #
  2739. # if (noop) {
  2740. # ok
  2741. # }
  2742.  
  2743. # Cisco VoIP specific bulk accounting
  2744. # pgsql-voip
  2745.  
  2746. # For Exec-Program and Exec-Program-Wait
  2747. exec
  2748.  
  2749. # Filter attributes from the accounting response.
  2750. attr_filter.accounting_response
  2751.  
  2752. #
  2753. # See "Autz-Type Status-Server" for how this works.
  2754. #
  2755. # Acct-Type Status-Server {
  2756. #
  2757. # }
  2758. }
  2759.  
  2760.  
  2761. # Session database, used for checking Simultaneous-Use. Either the radutmp
  2762. # or rlm_sql module can handle this.
  2763. # The rlm_sql module is *much* faster.
  2764. session {
  2765. # radutmp
  2766.  
  2767. #
  2768. # See "Simultaneous Use Checking Queries" in mods-available/sql
  2769. sql
  2770. }
  2771.  
  2772.  
  2773. # Post-Authentication
  2774. # Once we KNOW that the user has been authenticated, there are
  2775. # additional steps we can take.
  2776. post-auth {
  2777. #
  2778. # If you need to have a State attribute, you can
  2779. # add it here. e.g. for later CoA-Request with
  2780. # State, and Service-Type = Authorize-Only.
  2781. #
  2782. # if (!&reply:State) {
  2783. # update reply {
  2784. # State := "0x%{randstr:16h}"
  2785. # }
  2786. # }
  2787.  
  2788. #
  2789. # For EAP-TTLS and PEAP, add the cached attributes to the reply.
  2790. # The "session-state" attributes are automatically cached when
  2791. # an Access-Challenge is sent, and automatically retrieved
  2792. # when an Access-Request is received.
  2793. #
  2794. # The session-state attributes are automatically deleted after
  2795. # an Access-Reject or Access-Accept is sent.
  2796. #
  2797. # If both session-state and reply contain a User-Name attribute, remove
  2798. # the one in the reply if it is just a copy of the one in the request, so
  2799. # we don't end up with two User-Name attributes.
  2800.  
  2801. if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
  2802. update reply {
  2803. &User-Name !* ANY
  2804. }
  2805. }
  2806. update {
  2807. &reply: += &session-state:
  2808. }
  2809.  
  2810. # Refresh leases when we see a start or alive. Return an address to
  2811. # the IP Pool when we see a stop record.
  2812. # sqlippool
  2813.  
  2814.  
  2815. # Create the CUI value and add the attribute to Access-Accept.
  2816. # Uncomment the line below if *returning* the CUI.
  2817. # cui
  2818.  
  2819. # Create empty accounting session to make simultaneous check
  2820. # more robust. See the accounting queries configuration in
  2821. # raddb/mods-config/sql/main/*/queries.conf for details.
  2822. #
  2823. # The "sql_session_start" policy is defined in
  2824. # raddb/policy.d/accounting. See that file for more details.
  2825. # sql_session_start
  2826.  
  2827. #
  2828. # If you want to have a log of authentication replies,
  2829. # un-comment the following line, and enable the
  2830. # 'detail reply_log' module.
  2831. # reply_log
  2832.  
  2833. #
  2834. # After authenticating the user, do another SQL query.
  2835. #
  2836. # See "Authentication Logging Queries" in mods-available/sql
  2837. -sql
  2838.  
  2839. #
  2840. # Un-comment the following if you want to modify the user's object
  2841. # in LDAP after a successful login.
  2842. #
  2843. # ldap
  2844.  
  2845. # For Exec-Program and Exec-Program-Wait
  2846. exec
  2847.  
  2848. #
  2849. # Calculate the various WiMAX keys. In order for this to work,
  2850. # you will need to define the WiMAX NAI, usually via
  2851. #
  2852. # update request {
  2853. # &WiMAX-MN-NAI = "%{User-Name}"
  2854. # }
  2855. #
  2856. # If you want various keys to be calculated, you will need to
  2857. # update the reply with "template" values. The module will see
  2858. # this, and replace the template values with the correct ones
  2859. # taken from the cryptographic calculations. e.g.
  2860. #
  2861. # update reply {
  2862. # &WiMAX-FA-RK-Key = 0x00
  2863. # &WiMAX-MSK = "%{reply:EAP-MSK}"
  2864. # }
  2865. #
  2866. # You may want to delete the MS-MPPE-*-Keys from the reply,
  2867. # as some WiMAX clients behave badly when those attributes
  2868. # are included. See "raddb/modules/wimax", configuration
  2869. # entry "delete_mppe_keys" for more information.
  2870. #
  2871. # wimax
  2872.  
  2873.  
  2874. # If there is a client certificate (EAP-TLS, sometimes PEAP
  2875. # and TTLS), then some attributes are filled out after the
  2876. # certificate verification has been performed. These fields
  2877. # MAY be available during the authentication, or they may be
  2878. # available only in the "post-auth" section.
  2879. #
  2880. # The first set of attributes contains information about the
  2881. # issuing certificate which is being used. The second
  2882. # contains information about the client certificate (if
  2883. # available).
  2884. #
  2885. # update reply {
  2886. # Reply-Message += "%{TLS-Cert-Serial}"
  2887. # Reply-Message += "%{TLS-Cert-Expiration}"
  2888. # Reply-Message += "%{TLS-Cert-Subject}"
  2889. # Reply-Message += "%{TLS-Cert-Issuer}"
  2890. # Reply-Message += "%{TLS-Cert-Common-Name}"
  2891. # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
  2892. #
  2893. # Reply-Message += "%{TLS-Client-Cert-Serial}"
  2894. # Reply-Message += "%{TLS-Client-Cert-Expiration}"
  2895. # Reply-Message += "%{TLS-Client-Cert-Subject}"
  2896. # Reply-Message += "%{TLS-Client-Cert-Issuer}"
  2897. # Reply-Message += "%{TLS-Client-Cert-Common-Name}"
  2898. # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
  2899. # }
  2900.  
  2901. # Insert class attribute (with unique value) into response,
  2902. # aids matching auth and acct records, and protects against duplicate
  2903. # Acct-Session-Id. Note: Only works if the NAS has implemented
  2904. # RFC 2865 behaviour for the class attribute, AND if the NAS
  2905. # supports long Class attributes. Many older or cheap NASes
  2906. # only support 16-octet Class attributes.
  2907. # insert_acct_class
  2908.  
  2909. # MACsec requires the use of EAP-Key-Name. However, we don't
  2910. # want to send it for all EAP sessions. Therefore, the EAP
  2911. # modules put required data into the EAP-Session-Id attribute.
  2912. # This attribute is never put into a request or reply packet.
  2913. #
  2914. # Uncomment the next few lines to copy the required data into
  2915. # the EAP-Key-Name attribute
  2916. # if (&reply:EAP-Session-Id) {
  2917. # update reply {
  2918. # EAP-Key-Name := &reply:EAP-Session-Id
  2919. # }
  2920. # }
  2921.  
  2922. # Remove reply message if the response contains an EAP-Message
  2923. remove_reply_message_if_eap
  2924.  
  2925. #
  2926. # Access-Reject packets are sent through the REJECT sub-section of the
  2927. # post-auth section.
  2928. #
  2929. # Add the ldap module name (or instance) if you have set
  2930. # 'edir = yes' in the ldap module configuration
  2931. #
  2932. # The "session-state" attributes are not available here.
  2933. #
  2934. Post-Auth-Type REJECT {
  2935. # log failed authentications in SQL, too.
  2936. -sql
  2937. attr_filter.access_reject
  2938.  
  2939. # Insert EAP-Failure message if the request was
  2940. # rejected by policy instead of because of an
  2941. # authentication failure
  2942. eap
  2943.  
  2944. # Remove reply message if the response contains an EAP-Message
  2945. remove_reply_message_if_eap
  2946. }
  2947.  
  2948. #
  2949. # Filter access challenges.
  2950. #
  2951. Post-Auth-Type Challenge {
  2952. # remove_reply_message_if_eap
  2953. # attr_filter.access_challenge.post-auth
  2954. }
  2955.  
  2956. }
  2957.  
  2958. #
  2959. # When the server decides to proxy a request to a home server,
  2960. # the proxied request is first passed through the pre-proxy
  2961. # stage. This stage can re-write the request, or decide to
  2962. # cancel the proxy.
  2963. #
  2964. # Only a few modules currently have this method.
  2965. #
  2966. pre-proxy {
  2967. # Before proxying the request, add an Operator-Name attribute
  2968. # if an operator-name is found for this client.
  2969. # No need to uncomment this if you have already enabled this in
  2970. # the authorize section.
  2971. # operator-name
  2972.  
  2973. # The client requests the CUI by sending a CUI attribute
  2974. # containing one zero byte.
  2975. # Uncomment the line below if *requesting* the CUI.
  2976. # cui
  2977.  
  2978. # Uncomment the following line if you want to change attributes
  2979. # as defined in the preproxy_users file.
  2980. # files
  2981.  
  2982. # Uncomment the following line if you want to filter requests
  2983. # sent to remote servers based on the rules defined in the
  2984. # 'attrs.pre-proxy' file.
  2985. # attr_filter.pre-proxy
  2986.  
  2987. # If you want to have a log of packets proxied to a home
  2988. # server, un-comment the following line, and the
  2989. # 'detail pre_proxy_log' section, above.
  2990. # pre_proxy_log
  2991. }
  2992.  
  2993. #
  2994. # When the server receives a reply to a request it proxied
  2995. # to a home server, the request may be massaged here, in the
  2996. # post-proxy stage.
  2997. #
  2998. post-proxy {
  2999.  
  3000. # If you want to have a log of replies from a home server,
  3001. # un-comment the following line, and the 'detail post_proxy_log'
  3002. # section, above.
  3003. # post_proxy_log
  3004.  
  3005. # Uncomment the following line if you want to filter replies from
  3006. # remote proxies based on the rules defined in the 'attrs' file.
  3007. # attr_filter.post-proxy
  3008.  
  3009. #
  3010. # If you are proxying LEAP, you MUST configure the EAP
  3011. # module, and you MUST list it here, in the post-proxy
  3012. # stage.
  3013. #
  3014. # You MUST also use the 'nostrip' option in the 'realm'
  3015. # configuration. Otherwise, the User-Name attribute
  3016. # in the proxied request will not match the user name
  3017. # hidden inside of the EAP packet, and the end server will
  3018. # reject the EAP request.
  3019. #
  3020. eap
  3021.  
  3022. #
  3023. # If the server tries to proxy a request and fails, then the
  3024. # request is processed through the modules in this section.
  3025. #
  3026. # The main use of this section is to permit robust proxying
  3027. # of accounting packets. The server can be configured to
  3028. # proxy accounting packets as part of normal processing.
  3029. # Then, if the home server goes down, accounting packets can
  3030. # be logged to a local "detail" file, for processing with
  3031. # radrelay. When the home server comes back up, radrelay
  3032. # will read the detail file, and send the packets to the
  3033. # home server.
  3034. #
  3035. # See the "mods-available/detail.example.com" file for more
  3036. # details on writing a detail file specifically for one
  3037. # destination.
  3038. #
  3039. # See the "sites-available/robust-proxy-accounting" virtual
  3040. # server for more details on reading this "detail" file.
  3041. #
  3042. # With this configuration, the server always responds to
  3043. # Accounting-Requests from the NAS, but only writes
  3044. # accounting packets to disk if the home server is down.
  3045. #
  3046. # Post-Proxy-Type Fail-Accounting {
  3047. # detail.example.com
  3048. # }
  3049. }
  3050. }
  3051. </code>
  3052.  
  3053. freeradius -X
  3054. <code> # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  3055. # Loaded module rlm_cache
  3056. # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  3057. cache cache_eap {
  3058. driver = "rlm_cache_rbtree"
  3059. key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  3060. ttl = 15
  3061. max_entries = 0
  3062. epoch = 0
  3063. add_stats = no
  3064. }
  3065. # Loaded module rlm_preprocess
  3066. # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  3067. preprocess {
  3068. huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  3069. hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  3070. with_ascend_hack = no
  3071. ascend_channels_per_line = 23
  3072. with_ntdomain_hack = no
  3073. with_specialix_jetstream_hack = no
  3074. with_cisco_vsa_hack = no
  3075. with_alvarion_vsa_hack = no
  3076. }
  3077. # Loaded module rlm_replicate
  3078. # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  3079. # Loaded module rlm_passwd
  3080. # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  3081. passwd etc_passwd {
  3082. filename = "/etc/passwd"
  3083. format = "*User-Name:Crypt-Password:"
  3084. delimiter = ":"
  3085. ignore_nislike = no
  3086. ignore_empty = yes
  3087. allow_multiple_keys = no
  3088. hash_size = 100
  3089. }
  3090. # Loaded module rlm_expiration
  3091. # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  3092. # Loaded module rlm_files
  3093. # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  3094. files {
  3095. filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  3096. acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  3097. preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  3098. }
  3099. # Loaded module rlm_unpack
  3100. # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  3101. # Loaded module rlm_pap
  3102. # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  3103. pap {
  3104. normalise = yes
  3105. }
  3106. instantiate {
  3107. }
  3108. # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  3109. # Linked to sub-module rlm_eap_md5
  3110. # Linked to sub-module rlm_eap_leap
  3111. # Linked to sub-module rlm_eap_gtc
  3112. gtc {
  3113. challenge = "Password: "
  3114. auth_type = "PAP"
  3115. }
  3116. # Linked to sub-module rlm_eap_tls
  3117. tls {
  3118. tls = "tls-common"
  3119. }
  3120. tls-config tls-common {
  3121. verify_depth = 0
  3122. ca_path = "/etc/freeradius/3.0/certs"
  3123. pem_file_type = yes
  3124. private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
  3125. certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
  3126. ca_file = "/etc/ssl/certs/ca-certificates.crt"
  3127. private_key_password = <<< secret >>>
  3128. dh_file = "/etc/freeradius/3.0/certs/dh"
  3129. fragment_size = 1024
  3130. include_length = yes
  3131. auto_chain = yes
  3132. check_crl = no
  3133. check_all_crl = no
  3134. cipher_list = "DEFAULT"
  3135. cipher_server_preference = no
  3136. ecdh_curve = "prime256v1"
  3137. disable_tlsv1 = yes
  3138. disable_tlsv1_1 = yes
  3139. tls_max_version = "1.2"
  3140. tls_min_version = "1.2"
  3141. cache {
  3142. enable = no
  3143. lifetime = 24
  3144. max_entries = 255
  3145. }
  3146. verify {
  3147. skip_if_ocsp_ok = no
  3148. }
  3149. ocsp {
  3150. enable = no
  3151. override_cert_url = yes
  3152. url = "http://127.0.0.1/ocsp/"
  3153. use_nonce = yes
  3154. timeout = 0
  3155. softfail = no
  3156. }
  3157. }
  3158. Please use tls_min_version and tls_max_version instead of disable_tlsv1
  3159. Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
  3160. # Linked to sub-module rlm_eap_ttls
  3161. ttls {
  3162. tls = "tls-common"
  3163. default_eap_type = "md5"
  3164. copy_request_to_tunnel = no
  3165. use_tunneled_reply = no
  3166. virtual_server = "inner-tunnel"
  3167. include_length = yes
  3168. require_client_cert = no
  3169. }
  3170. tls: Using cached TLS configuration from previous invocation
  3171. # Linked to sub-module rlm_eap_peap
  3172. peap {
  3173. tls = "tls-common"
  3174. default_eap_type = "mschapv2"
  3175. copy_request_to_tunnel = no
  3176. use_tunneled_reply = no
  3177. proxy_tunneled_request_as_eap = yes
  3178. virtual_server = "inner-tunnel"
  3179. soh = no
  3180. require_client_cert = no
  3181. }
  3182. tls: Using cached TLS configuration from previous invocation
  3183. # Linked to sub-module rlm_eap_mschapv2
  3184. mschapv2 {
  3185. with_ntdomain_hack = no
  3186. send_error = no
  3187. }
  3188. # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  3189. rlm_mschap (mschap): using internal authentication
  3190. # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  3191. # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  3192. # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  3193. # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  3194. # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  3195. # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  3196. # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  3197. # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  3198. # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  3199. # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  3200. # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  3201. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  3202. # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  3203. # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  3204. # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  3205. # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  3206. # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  3207. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  3208. # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  3209. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  3210. # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  3211. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
  3212. # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  3213. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  3214. # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  3215. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  3216. # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  3217. # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  3218. # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  3219. rlm_sql_mysql: libmysql version: 8.0.25
  3220. mysql {
  3221. tls {
  3222. tls_required = no
  3223. check_cert = no
  3224. check_cert_cn = no
  3225. }
  3226. warnings = "auto"
  3227. }
  3228. rlm_sql (sql): Attempting to connect to database "radius"
  3229. rlm_sql (sql): Initialising connection pool
  3230. pool {
  3231. start = 5
  3232. min = 3
  3233. max = 32
  3234. spare = 10
  3235. uses = 0
  3236. lifetime = 0
  3237. cleanup_interval = 30
  3238. idle_timeout = 60
  3239. retry_delay = 30
  3240. spread = no
  3241. }
  3242. rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
  3243. rlm_sql_mysql: Starting connect to MySQL server
  3244. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3245. rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
  3246. rlm_sql_mysql: Starting connect to MySQL server
  3247. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3248. rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
  3249. rlm_sql_mysql: Starting connect to MySQL server
  3250. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3251. rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
  3252. rlm_sql_mysql: Starting connect to MySQL server
  3253. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3254. rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
  3255. rlm_sql_mysql: Starting connect to MySQL server
  3256. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3257. rlm_sql (sql): Processing generate_sql_clients
  3258. rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
  3259. rlm_sql (sql): Reserved connection (0)
  3260. rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
  3261. rlm_sql (sql): Adding client 192.168.1.250 (M2) to global clients list
  3262. rlm_sql (192.168.1.250): Client "M2" (sql) added
  3263. rlm_sql (sql): Adding client 192.168.1.66 (Pc) to global clients list
  3264. rlm_sql (192.168.1.66): Client "Pc" (sql) added
  3265. rlm_sql (sql): Released connection (0)
  3266. Need 5 more connections to reach 10 spares
  3267. rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
  3268. rlm_sql_mysql: Starting connect to MySQL server
  3269. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3270. # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  3271. # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  3272. # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  3273. # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  3274. # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  3275. # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  3276. rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  3277. # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  3278. reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
  3279. reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  3280. # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  3281. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  3282. # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  3283. # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
  3284. reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
  3285. reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
  3286. reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  3287. # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  3288. } # modules
  3289. radiusd: #### Loading Virtual Servers ####
  3290. server { # from file /etc/freeradius/3.0/radiusd.conf
  3291. } # server
  3292. server default { # from file /etc/freeradius/3.0/sites-enabled/default
  3293. # Loading authenticate {...}
  3294. # Loading authorize {...}
  3295. Ignoring "ldap" (see raddb/mods-available/README.rst)
  3296. # Loading preacct {...}
  3297. # Loading accounting {...}
  3298. # Loading session {...}
  3299. # Loading post-proxy {...}
  3300. # Loading post-auth {...}
  3301. } # server default
  3302. server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  3303. # Loading authenticate {...}
  3304. # Loading authorize {...}
  3305. # Loading session {...}
  3306. # Loading post-proxy {...}
  3307. # Loading post-auth {...}
  3308. # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
  3309. } # server inner-tunnel
  3310. radiusd: #### Opening IP addresses and Ports ####
  3311. listen {
  3312. type = "auth"
  3313. ipaddr = *
  3314. port = 0
  3315. limit {
  3316. max_connections = 16
  3317. lifetime = 0
  3318. idle_timeout = 30
  3319. }
  3320. }
  3321. listen {
  3322. type = "acct"
  3323. ipaddr = *
  3324. port = 0
  3325. limit {
  3326. max_connections = 16
  3327. lifetime = 0
  3328. idle_timeout = 30
  3329. }
  3330. }
  3331. listen {
  3332. type = "auth"
  3333. ipv6addr = ::
  3334. port = 0
  3335. limit {
  3336. max_connections = 16
  3337. lifetime = 0
  3338. idle_timeout = 30
  3339. }
  3340. }
  3341. listen {
  3342. type = "acct"
  3343. ipv6addr = ::
  3344. port = 0
  3345. limit {
  3346. max_connections = 16
  3347. lifetime = 0
  3348. idle_timeout = 30
  3349. }
  3350. }
  3351. listen {
  3352. type = "auth"
  3353. ipaddr = 127.0.0.1
  3354. port = 18120
  3355. }
  3356. Listening on auth address * port 1812 bound to server default
  3357. Listening on acct address * port 1813 bound to server default
  3358. Listening on auth address :: port 1812 bound to server default
  3359. Listening on acct address :: port 1813 bound to server default
  3360. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  3361. Listening on proxy address * port 56862
  3362. Listening on proxy address :: port 47912
  3363. Ready to process requests
  3364. (0) Received Accounting-Request Id 0 from 192.168.1.250:33371 to 192.168.1.77:1813 length 91
  3365. (0) Acct-Status-Type = Accounting-On
  3366. (0) Acct-Authentic = RADIUS
  3367. (0) NAS-Identifier = "NanoStation M2"
  3368. (0) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3369. (0) NAS-Port-Type = Wireless-802.11
  3370. (0) Acct-Terminate-Cause = NAS-Reboot
  3371. (0) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
  3372. (0) preacct {
  3373. (0) [preprocess] = ok
  3374. (0) policy acct_unique {
  3375. (0) update request {
  3376. (0) &Tmp-String-9 := "ai:"
  3377. (0) } # update request = noop
  3378. (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
  3379. (0) EXPAND %{hex:&Class}
  3380. (0) -->
  3381. (0) EXPAND ^%{hex:&Tmp-String-9}
  3382. (0) --> ^61693a
  3383. (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
  3384. (0) else {
  3385. (0) update request {
  3386. (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
  3387. (0) --> e7ab440349e59649733a04748cea8efd
  3388. (0) &Acct-Unique-Session-Id := e7ab440349e59649733a04748cea8efd
  3389. (0) } # update request = noop
  3390. (0) } # else = noop
  3391. (0) } # policy acct_unique = noop
  3392. (0) [suffix] = noop
  3393. (0) [files] = noop
  3394. (0) } # preacct = ok
  3395. (0) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
  3396. (0) accounting {
  3397. (0) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
  3398. (0) detail: --> /var/log/freeradius/radacct/192.168.1.250/detail-20210710
  3399. (0) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.250/detail-20210710
  3400. (0) detail: EXPAND %t
  3401. (0) detail: --> Sat Jul 10 05:53:28 2021
  3402. (0) [detail] = ok
  3403. (0) [unix] = noop
  3404. (0) radutmp: EXPAND /var/log/freeradius/radutmp
  3405. (0) radutmp: --> /var/log/freeradius/radutmp
  3406. (0) radutmp: NAS M2 restarted (Accounting-On packet seen)
  3407. (0) radutmp: ERROR: Error accessing file /var/log/freeradius/radutmp: No such file or directory
  3408. (0) [radutmp] = fail
  3409. (0) } # accounting = fail
  3410. (0) Not sending reply to client.
  3411. (0) Finished request
  3412. (0) Cleaning up request packet ID 0 with timestamp +225
  3413. Ready to process requests
  3414. (1) Received Access-Request Id 1 from 192.168.1.250:39211 to 192.168.1.77:1812 length 177
  3415. (1) User-Name = "tt"
  3416. (1) NAS-Identifier = "NanoStation M2"
  3417. (1) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3418. (1) NAS-Port-Type = Wireless-802.11
  3419. (1) NAS-Port = 0
  3420. (1) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3421. (1) Connect-Info = "CONNECT 0Mbps 802.11b"
  3422. (1) Acct-Session-Id = "60E9357A-00000000"
  3423. (1) Framed-MTU = 1400
  3424. (1) EAP-Message = 0x02690007017474
  3425. (1) Message-Authenticator = 0xcb54df109b0a9ce2e84f32176614693e
  3426. (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3427. (1) authorize {
  3428. (1) policy filter_username {
  3429. (1) if (&User-Name) {
  3430. (1) if (&User-Name) -> TRUE
  3431. (1) if (&User-Name) {
  3432. (1) if (&User-Name =~ / /) {
  3433. (1) if (&User-Name =~ / /) -> FALSE
  3434. (1) if (&User-Name =~ /@[^@]*@/ ) {
  3435. (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3436. (1) if (&User-Name =~ /\.\./ ) {
  3437. (1) if (&User-Name =~ /\.\./ ) -> FALSE
  3438. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3439. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3440. (1) if (&User-Name =~ /\.$/) {
  3441. (1) if (&User-Name =~ /\.$/) -> FALSE
  3442. (1) if (&User-Name =~ /@\./) {
  3443. (1) if (&User-Name =~ /@\./) -> FALSE
  3444. (1) } # if (&User-Name) = notfound
  3445. (1) } # policy filter_username = notfound
  3446. (1) [preprocess] = ok
  3447. (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3448. (1) pap: WARNING: Authentication will fail unless a "known good" password is available
  3449. (1) [pap] = noop
  3450. (1) [mschap] = noop
  3451. (1) [digest] = noop
  3452. (1) suffix: Checking for suffix after "@"
  3453. (1) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3454. (1) suffix: No such realm "NULL"
  3455. (1) [suffix] = noop
  3456. (1) eap: Peer sent EAP Response (code 2) ID 105 length 7
  3457. (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  3458. (1) [eap] = ok
  3459. (1) } # authorize = ok
  3460. (1) Found Auth-Type = eap
  3461. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3462. (1) authenticate {
  3463. (1) eap: Peer sent packet with method EAP Identity (1)
  3464. (1) eap: Calling submodule eap_md5 to process data
  3465. (1) eap_md5: Issuing MD5 Challenge
  3466. (1) eap: Sending EAP Request (code 1) ID 106 length 22
  3467. (1) eap: EAP session adding &reply:State = 0x6842883268288c18
  3468. (1) [eap] = handled
  3469. (1) } # authenticate = handled
  3470. (1) Using Post-Auth-Type Challenge
  3471. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3472. (1) Challenge { ... } # empty sub-section is ignored
  3473. (1) Sent Access-Challenge Id 1 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3474. (1) EAP-Message = 0x016a0016041097fba8824cf013df6ac6a85398b7ac83
  3475. (1) Message-Authenticator = 0x00000000000000000000000000000000
  3476. (1) State = 0x6842883268288c1823d78676bb1324f8
  3477. (1) Finished request
  3478. Waking up in 4.9 seconds.
  3479. (2) Received Access-Request Id 2 from 192.168.1.250:39211 to 192.168.1.77:1812 length 194
  3480. (2) User-Name = "tt"
  3481. (2) NAS-Identifier = "NanoStation M2"
  3482. (2) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3483. (2) NAS-Port-Type = Wireless-802.11
  3484. (2) NAS-Port = 0
  3485. (2) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3486. (2) Connect-Info = "CONNECT 0Mbps 802.11b"
  3487. (2) Acct-Session-Id = "60E9357A-00000000"
  3488. (2) Framed-MTU = 1400
  3489. (2) EAP-Message = 0x026a00060319
  3490. (2) State = 0x6842883268288c1823d78676bb1324f8
  3491. (2) Message-Authenticator = 0x5ca2159f25122d6415bcf21103e1b496
  3492. (2) session-state: No cached attributes
  3493. (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3494. (2) authorize {
  3495. (2) policy filter_username {
  3496. (2) if (&User-Name) {
  3497. (2) if (&User-Name) -> TRUE
  3498. (2) if (&User-Name) {
  3499. (2) if (&User-Name =~ / /) {
  3500. (2) if (&User-Name =~ / /) -> FALSE
  3501. (2) if (&User-Name =~ /@[^@]*@/ ) {
  3502. (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3503. (2) if (&User-Name =~ /\.\./ ) {
  3504. (2) if (&User-Name =~ /\.\./ ) -> FALSE
  3505. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3506. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3507. (2) if (&User-Name =~ /\.$/) {
  3508. (2) if (&User-Name =~ /\.$/) -> FALSE
  3509. (2) if (&User-Name =~ /@\./) {
  3510. (2) if (&User-Name =~ /@\./) -> FALSE
  3511. (2) } # if (&User-Name) = notfound
  3512. (2) } # policy filter_username = notfound
  3513. (2) [preprocess] = ok
  3514. (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3515. (2) pap: WARNING: Authentication will fail unless a "known good" password is available
  3516. (2) [pap] = noop
  3517. (2) [mschap] = noop
  3518. (2) [digest] = noop
  3519. (2) suffix: Checking for suffix after "@"
  3520. (2) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3521. (2) suffix: No such realm "NULL"
  3522. (2) [suffix] = noop
  3523. (2) eap: Peer sent EAP Response (code 2) ID 106 length 6
  3524. (2) eap: No EAP Start, assuming it's an on-going EAP conversation
  3525. (2) [eap] = updated
  3526. (2) files: users: Matched entry DEFAULT at line 1
  3527. (2) [files] = ok
  3528. (2) sql: EXPAND %{User-Name}
  3529. (2) sql: --> tt
  3530. (2) sql: SQL-User-Name set to 'tt'
  3531. rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 225 seconds
  3532. rlm_sql_mysql: Socket destructor called, closing socket
  3533. rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 225 seconds
  3534. rlm_sql_mysql: Socket destructor called, closing socket
  3535. rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 225 seconds
  3536. rlm_sql_mysql: Socket destructor called, closing socket
  3537. rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 225 seconds
  3538. rlm_sql (sql): You probably need to lower "min"
  3539. rlm_sql_mysql: Socket destructor called, closing socket
  3540. rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 225 seconds
  3541. rlm_sql (sql): You probably need to lower "min"
  3542. rlm_sql_mysql: Socket destructor called, closing socket
  3543. rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 225 seconds
  3544. rlm_sql (sql): You probably need to lower "min"
  3545. rlm_sql_mysql: Socket destructor called, closing socket
  3546. rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
  3547. rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
  3548. rlm_sql_mysql: Starting connect to MySQL server
  3549. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3550. rlm_sql (sql): Reserved connection (6)
  3551. (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
  3552. (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  3553. (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  3554. (2) sql: User found in radcheck table
  3555. (2) sql: Conditional check items matched, merging assignment check items
  3556. (2) sql: Cleartext-Password := "tt"
  3557. (2) sql: Simultaneous-Use := 1
  3558. (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
  3559. (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  3560. (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  3561. rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare"
  3562. rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
  3563. rlm_sql_mysql: Starting connect to MySQL server
  3564. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3565. rlm_sql (sql): Reserved connection (7)
  3566. rlm_sql (sql): Released connection (7)
  3567. Need 1 more connections to reach min connections (3)
  3568. rlm_sql (sql): Opening additional connection (8), 1 of 30 pending slots used
  3569. rlm_sql_mysql: Starting connect to MySQL server
  3570. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  3571. (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  3572. (2) sql: --> SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  3573. (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  3574. (2) sql: User not found in any groups
  3575. (2) sql: Checking profile DEFAULT
  3576. (2) sql: EXPAND DEFAULT
  3577. (2) sql: --> DEFAULT
  3578. (2) sql: SQL-User-Name set to 'DEFAULT'
  3579. rlm_sql (sql): Reserved connection (7)
  3580. rlm_sql (sql): Released connection (7)
  3581. (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  3582. (2) sql: --> SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  3583. (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  3584. (2) sql: User found in the group table
  3585. (2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
  3586. (2) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  3587. (2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  3588. (2) sql: Group "VLAN3010": Conditional check items matched
  3589. (2) sql: Group "VLAN3010": Merging assignment check items
  3590. (2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
  3591. (2) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  3592. (2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  3593. (2) sql: Group "VLAN3010": Merging reply items
  3594. rlm_sql (sql): Released connection (6)
  3595. (2) [sql] = ok
  3596. (2) [expiration] = noop
  3597. (2) [logintime] = noop
  3598. (2) pap: WARNING: Auth-Type already set. Not setting to PAP
  3599. (2) [pap] = noop
  3600. (2) } # authorize = updated
  3601. (2) Found Auth-Type = eap
  3602. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3603. (2) authenticate {
  3604. (2) eap: Expiring EAP session with state 0x6842883268288c18
  3605. (2) eap: Finished EAP session with state 0x6842883268288c18
  3606. (2) eap: Previous EAP request found for state 0x6842883268288c18, released from the list
  3607. (2) eap: Peer sent packet with method EAP NAK (3)
  3608. (2) eap: Found mutually acceptable type PEAP (25)
  3609. (2) eap: Calling submodule eap_peap to process data
  3610. (2) eap_peap: Initiating new TLS session
  3611. (2) eap_peap: [eaptls start] = request
  3612. (2) eap: Sending EAP Request (code 1) ID 107 length 6
  3613. (2) eap: EAP session adding &reply:State = 0x6842883269299118
  3614. (2) [eap] = handled
  3615. (2) } # authenticate = handled
  3616. (2) Using Post-Auth-Type Challenge
  3617. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3618. (2) Challenge { ... } # empty sub-section is ignored
  3619. (2) Sent Access-Challenge Id 2 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3620. (2) EAP-Message = 0x016b00061920
  3621. (2) Message-Authenticator = 0x00000000000000000000000000000000
  3622. (2) State = 0x684288326929911823d78676bb1324f8
  3623. (2) Finished request
  3624. Waking up in 4.9 seconds.
  3625. (3) Received Access-Request Id 3 from 192.168.1.250:39211 to 192.168.1.77:1812 length 360
  3626. (3) User-Name = "tt"
  3627. (3) NAS-Identifier = "NanoStation M2"
  3628. (3) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3629. (3) NAS-Port-Type = Wireless-802.11
  3630. (3) NAS-Port = 0
  3631. (3) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3632. (3) Connect-Info = "CONNECT 0Mbps 802.11b"
  3633. (3) Acct-Session-Id = "60E9357A-00000000"
  3634. (3) Framed-MTU = 1400
  3635. (3) EAP-Message = 0x026b00ac1980000000a2160303009d01000099030360e935d8a839a6839b5f9645f1a96f487b5d16c191f3f9502bfadae79b9e1be500002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
  3636. (3) State = 0x684288326929911823d78676bb1324f8
  3637. (3) Message-Authenticator = 0x7b7476565829ef722da3d01fcc94d9e0
  3638. (3) session-state: No cached attributes
  3639. (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3640. (3) authorize {
  3641. (3) policy filter_username {
  3642. (3) if (&User-Name) {
  3643. (3) if (&User-Name) -> TRUE
  3644. (3) if (&User-Name) {
  3645. (3) if (&User-Name =~ / /) {
  3646. (3) if (&User-Name =~ / /) -> FALSE
  3647. (3) if (&User-Name =~ /@[^@]*@/ ) {
  3648. (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3649. (3) if (&User-Name =~ /\.\./ ) {
  3650. (3) if (&User-Name =~ /\.\./ ) -> FALSE
  3651. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3652. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3653. (3) if (&User-Name =~ /\.$/) {
  3654. (3) if (&User-Name =~ /\.$/) -> FALSE
  3655. (3) if (&User-Name =~ /@\./) {
  3656. (3) if (&User-Name =~ /@\./) -> FALSE
  3657. (3) } # if (&User-Name) = notfound
  3658. (3) } # policy filter_username = notfound
  3659. (3) [preprocess] = ok
  3660. (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3661. (3) pap: WARNING: Authentication will fail unless a "known good" password is available
  3662. (3) [pap] = noop
  3663. (3) [mschap] = noop
  3664. (3) [digest] = noop
  3665. (3) suffix: Checking for suffix after "@"
  3666. (3) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3667. (3) suffix: No such realm "NULL"
  3668. (3) [suffix] = noop
  3669. (3) eap: Peer sent EAP Response (code 2) ID 107 length 172
  3670. (3) eap: Continuing tunnel setup
  3671. (3) [eap] = ok
  3672. (3) } # authorize = ok
  3673. (3) Found Auth-Type = eap
  3674. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3675. (3) authenticate {
  3676. (3) eap: Expiring EAP session with state 0x6842883269299118
  3677. (3) eap: Finished EAP session with state 0x6842883269299118
  3678. (3) eap: Previous EAP request found for state 0x6842883269299118, released from the list
  3679. (3) eap: Peer sent packet with method EAP PEAP (25)
  3680. (3) eap: Calling submodule eap_peap to process data
  3681. (3) eap_peap: Continuing EAP-TLS
  3682. (3) eap_peap: Peer indicated complete TLS record size will be 162 bytes
  3683. (3) eap_peap: Got complete TLS record (162 bytes)
  3684. (3) eap_peap: [eaptls verify] = length included
  3685. (3) eap_peap: (other): before SSL initialization
  3686. (3) eap_peap: TLS_accept: before SSL initialization
  3687. (3) eap_peap: TLS_accept: before SSL initialization
  3688. (3) eap_peap: <<< recv TLS 1.3 [length 009d]
  3689. (3) eap_peap: TLS_accept: SSLv3/TLS read client hello
  3690. (3) eap_peap: >>> send TLS 1.2 [length 003d]
  3691. (3) eap_peap: TLS_accept: SSLv3/TLS write server hello
  3692. (3) eap_peap: >>> send TLS 1.2 [length 02de]
  3693. (3) eap_peap: TLS_accept: SSLv3/TLS write certificate
  3694. (3) eap_peap: >>> send TLS 1.2 [length 014d]
  3695. (3) eap_peap: TLS_accept: SSLv3/TLS write key exchange
  3696. (3) eap_peap: >>> send TLS 1.2 [length 0004]
  3697. (3) eap_peap: TLS_accept: SSLv3/TLS write server done
  3698. (3) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
  3699. (3) eap_peap: TLS - In Handshake Phase
  3700. (3) eap_peap: TLS - got 1152 bytes of data
  3701. (3) eap_peap: [eaptls process] = handled
  3702. (3) eap: Sending EAP Request (code 1) ID 108 length 1004
  3703. (3) eap: EAP session adding &reply:State = 0x684288326a2e9118
  3704. (3) [eap] = handled
  3705. (3) } # authenticate = handled
  3706. (3) Using Post-Auth-Type Challenge
  3707. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3708. (3) Challenge { ... } # empty sub-section is ignored
  3709. (3) Sent Access-Challenge Id 3 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3710. (3) EAP-Message = 0x016c03ec19c000000480160303003d0200003903033a95d108643270a4d0f904335df72ef24874e412d61dbccc304666cd97ed1c7800c030000011ff01000100000b0004030001020017000016030302de0b0002da0002d70002d4308202d0308201b8a00302010202141d31bfd4a0190c08dd84f61bf2f277c9c1599b9c300d06092a864886f70d01010b05003011310f300d06035504030c067562756e7475301e170d3231303730373130343631335a170d3331303730353130343631335a3011310f300d06035504030c067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100ce445ab44e1a200066245d6ffabbe1efd24f0938a19efff06de2d27d5039cb45db0d59bce7d08659a6ab2ae0d4f278a555cc5910bfc7c3ab7f9828c511d192c32d49aa067b91d5f86b03e62fa21fdb0247ae67ec58e34c16cd6694602aac17e10f5c64f1a3726cda172e3f540e0b2a5167f019f14f5d7200ffe8579e81104e3e0c02ff
  3711. (3) Message-Authenticator = 0x00000000000000000000000000000000
  3712. (3) State = 0x684288326a2e911823d78676bb1324f8
  3713. (3) Finished request
  3714. Waking up in 4.8 seconds.
  3715. (4) Received Access-Request Id 4 from 192.168.1.250:39211 to 192.168.1.77:1812 length 194
  3716. (4) User-Name = "tt"
  3717. (4) NAS-Identifier = "NanoStation M2"
  3718. (4) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3719. (4) NAS-Port-Type = Wireless-802.11
  3720. (4) NAS-Port = 0
  3721. (4) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3722. (4) Connect-Info = "CONNECT 0Mbps 802.11b"
  3723. (4) Acct-Session-Id = "60E9357A-00000000"
  3724. (4) Framed-MTU = 1400
  3725. (4) EAP-Message = 0x026c00061900
  3726. (4) State = 0x684288326a2e911823d78676bb1324f8
  3727. (4) Message-Authenticator = 0x3c290765afd02b4e895da457298f2d2a
  3728. (4) session-state: No cached attributes
  3729. (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3730. (4) authorize {
  3731. (4) policy filter_username {
  3732. (4) if (&User-Name) {
  3733. (4) if (&User-Name) -> TRUE
  3734. (4) if (&User-Name) {
  3735. (4) if (&User-Name =~ / /) {
  3736. (4) if (&User-Name =~ / /) -> FALSE
  3737. (4) if (&User-Name =~ /@[^@]*@/ ) {
  3738. (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3739. (4) if (&User-Name =~ /\.\./ ) {
  3740. (4) if (&User-Name =~ /\.\./ ) -> FALSE
  3741. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3742. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3743. (4) if (&User-Name =~ /\.$/) {
  3744. (4) if (&User-Name =~ /\.$/) -> FALSE
  3745. (4) if (&User-Name =~ /@\./) {
  3746. (4) if (&User-Name =~ /@\./) -> FALSE
  3747. (4) } # if (&User-Name) = notfound
  3748. (4) } # policy filter_username = notfound
  3749. (4) [preprocess] = ok
  3750. (4) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3751. (4) pap: WARNING: Authentication will fail unless a "known good" password is available
  3752. (4) [pap] = noop
  3753. (4) [mschap] = noop
  3754. (4) [digest] = noop
  3755. (4) suffix: Checking for suffix after "@"
  3756. (4) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3757. (4) suffix: No such realm "NULL"
  3758. (4) [suffix] = noop
  3759. (4) eap: Peer sent EAP Response (code 2) ID 108 length 6
  3760. (4) eap: Continuing tunnel setup
  3761. (4) [eap] = ok
  3762. (4) } # authorize = ok
  3763. (4) Found Auth-Type = eap
  3764. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3765. (4) authenticate {
  3766. (4) eap: Expiring EAP session with state 0x684288326a2e9118
  3767. (4) eap: Finished EAP session with state 0x684288326a2e9118
  3768. (4) eap: Previous EAP request found for state 0x684288326a2e9118, released from the list
  3769. (4) eap: Peer sent packet with method EAP PEAP (25)
  3770. (4) eap: Calling submodule eap_peap to process data
  3771. (4) eap_peap: Continuing EAP-TLS
  3772. (4) eap_peap: Peer ACKed our handshake fragment
  3773. (4) eap_peap: [eaptls verify] = request
  3774. (4) eap_peap: [eaptls process] = handled
  3775. (4) eap: Sending EAP Request (code 1) ID 109 length 164
  3776. (4) eap: EAP session adding &reply:State = 0x684288326b2f9118
  3777. (4) [eap] = handled
  3778. (4) } # authenticate = handled
  3779. (4) Using Post-Auth-Type Challenge
  3780. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3781. (4) Challenge { ... } # empty sub-section is ignored
  3782. (4) Sent Access-Challenge Id 4 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3783. (4) EAP-Message = 0x016d00a419005d2fd06a8cb2a15ec0bcaa6b9945a246332cb8d433e7f69919c220925b757deeacc03ca5877afe5188e2d23568b042caeb081c61deaabba9f7e42fa3701efa4b712f29fd272916220445e5f6c93e6e493c2c5c3a5fc6be62fc9136be3aeadca96961d90a816e6ef0e6e14d85c4014cdcaed8090f74c5294cfa6103d89c9e3813f0b92322f1199cfc643b658f6fb9a5ef6fa3f0c25e16030300040e000000
  3784. (4) Message-Authenticator = 0x00000000000000000000000000000000
  3785. (4) State = 0x684288326b2f911823d78676bb1324f8
  3786. (4) Finished request
  3787. Waking up in 4.8 seconds.
  3788. (5) Received Access-Request Id 5 from 192.168.1.250:39211 to 192.168.1.77:1812 length 324
  3789. (5) User-Name = "tt"
  3790. (5) NAS-Identifier = "NanoStation M2"
  3791. (5) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3792. (5) NAS-Port-Type = Wireless-802.11
  3793. (5) NAS-Port = 0
  3794. (5) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3795. (5) Connect-Info = "CONNECT 0Mbps 802.11b"
  3796. (5) Acct-Session-Id = "60E9357A-00000000"
  3797. (5) Framed-MTU = 1400
  3798. (5) EAP-Message = 0x026d008819800000007e1603030046100000424104473c7f6cf4fd418fa80d39e5ac77e50d9c73e23627da377e4c5731848a77f12ae5916269ca5defc00e94d92239fa921d9af7c1fe2511f553b947bcf4fb4a1b48140303000101160303002800000000000000004c4af1636726227e6b22e95444b8ca7710ad3026978ab5c318367a97b983b755
  3799. (5) State = 0x684288326b2f911823d78676bb1324f8
  3800. (5) Message-Authenticator = 0x4c236ef1284ad1f146a28512a29ce7db
  3801. (5) session-state: No cached attributes
  3802. (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3803. (5) authorize {
  3804. (5) policy filter_username {
  3805. (5) if (&User-Name) {
  3806. (5) if (&User-Name) -> TRUE
  3807. (5) if (&User-Name) {
  3808. (5) if (&User-Name =~ / /) {
  3809. (5) if (&User-Name =~ / /) -> FALSE
  3810. (5) if (&User-Name =~ /@[^@]*@/ ) {
  3811. (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3812. (5) if (&User-Name =~ /\.\./ ) {
  3813. (5) if (&User-Name =~ /\.\./ ) -> FALSE
  3814. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3815. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3816. (5) if (&User-Name =~ /\.$/) {
  3817. (5) if (&User-Name =~ /\.$/) -> FALSE
  3818. (5) if (&User-Name =~ /@\./) {
  3819. (5) if (&User-Name =~ /@\./) -> FALSE
  3820. (5) } # if (&User-Name) = notfound
  3821. (5) } # policy filter_username = notfound
  3822. (5) [preprocess] = ok
  3823. (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3824. (5) pap: WARNING: Authentication will fail unless a "known good" password is available
  3825. (5) [pap] = noop
  3826. (5) [mschap] = noop
  3827. (5) [digest] = noop
  3828. (5) suffix: Checking for suffix after "@"
  3829. (5) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3830. (5) suffix: No such realm "NULL"
  3831. (5) [suffix] = noop
  3832. (5) eap: Peer sent EAP Response (code 2) ID 109 length 136
  3833. (5) eap: Continuing tunnel setup
  3834. (5) [eap] = ok
  3835. (5) } # authorize = ok
  3836. (5) Found Auth-Type = eap
  3837. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3838. (5) authenticate {
  3839. (5) eap: Expiring EAP session with state 0x684288326b2f9118
  3840. (5) eap: Finished EAP session with state 0x684288326b2f9118
  3841. (5) eap: Previous EAP request found for state 0x684288326b2f9118, released from the list
  3842. (5) eap: Peer sent packet with method EAP PEAP (25)
  3843. (5) eap: Calling submodule eap_peap to process data
  3844. (5) eap_peap: Continuing EAP-TLS
  3845. (5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
  3846. (5) eap_peap: Got complete TLS record (126 bytes)
  3847. (5) eap_peap: [eaptls verify] = length included
  3848. (5) eap_peap: TLS_accept: SSLv3/TLS write server done
  3849. (5) eap_peap: <<< recv TLS 1.2 [length 0046]
  3850. (5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
  3851. (5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
  3852. (5) eap_peap: <<< recv TLS 1.2 [length 0010]
  3853. (5) eap_peap: TLS_accept: SSLv3/TLS read finished
  3854. (5) eap_peap: >>> send TLS 1.2 [length 0001]
  3855. (5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
  3856. (5) eap_peap: >>> send TLS 1.2 [length 0010]
  3857. (5) eap_peap: TLS_accept: SSLv3/TLS write finished
  3858. (5) eap_peap: (other): SSL negotiation finished successfully
  3859. (5) eap_peap: TLS - Connection Established
  3860. (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  3861. (5) eap_peap: TLS-Session-Version = "TLS 1.2"
  3862. (5) eap_peap: TLS - got 51 bytes of data
  3863. (5) eap_peap: [eaptls process] = handled
  3864. (5) eap: Sending EAP Request (code 1) ID 110 length 57
  3865. (5) eap: EAP session adding &reply:State = 0x684288326c2c9118
  3866. (5) [eap] = handled
  3867. (5) } # authenticate = handled
  3868. (5) Using Post-Auth-Type Challenge
  3869. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3870. (5) Challenge { ... } # empty sub-section is ignored
  3871. (5) session-state: Saving cached attributes
  3872. (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  3873. (5) TLS-Session-Version = "TLS 1.2"
  3874. (5) Sent Access-Challenge Id 5 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3875. (5) EAP-Message = 0x016e0039190014030300010116030300289bc18678dd17d8ccc6b9b67ce9f77800b06d646399b19bb64c8695b121f2495685a9687f5f2d7c3f
  3876. (5) Message-Authenticator = 0x00000000000000000000000000000000
  3877. (5) State = 0x684288326c2c911823d78676bb1324f8
  3878. (5) Finished request
  3879. Waking up in 4.8 seconds.
  3880. (6) Received Access-Request Id 6 from 192.168.1.250:39211 to 192.168.1.77:1812 length 194
  3881. (6) User-Name = "tt"
  3882. (6) NAS-Identifier = "NanoStation M2"
  3883. (6) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3884. (6) NAS-Port-Type = Wireless-802.11
  3885. (6) NAS-Port = 0
  3886. (6) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3887. (6) Connect-Info = "CONNECT 0Mbps 802.11b"
  3888. (6) Acct-Session-Id = "60E9357A-00000000"
  3889. (6) Framed-MTU = 1400
  3890. (6) EAP-Message = 0x026e00061900
  3891. (6) State = 0x684288326c2c911823d78676bb1324f8
  3892. (6) Message-Authenticator = 0xce1783465c903de1f0908a153c0053ab
  3893. (6) Restoring &session-state
  3894. (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  3895. (6) &session-state:TLS-Session-Version = "TLS 1.2"
  3896. (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3897. (6) authorize {
  3898. (6) policy filter_username {
  3899. (6) if (&User-Name) {
  3900. (6) if (&User-Name) -> TRUE
  3901. (6) if (&User-Name) {
  3902. (6) if (&User-Name =~ / /) {
  3903. (6) if (&User-Name =~ / /) -> FALSE
  3904. (6) if (&User-Name =~ /@[^@]*@/ ) {
  3905. (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3906. (6) if (&User-Name =~ /\.\./ ) {
  3907. (6) if (&User-Name =~ /\.\./ ) -> FALSE
  3908. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3909. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3910. (6) if (&User-Name =~ /\.$/) {
  3911. (6) if (&User-Name =~ /\.$/) -> FALSE
  3912. (6) if (&User-Name =~ /@\./) {
  3913. (6) if (&User-Name =~ /@\./) -> FALSE
  3914. (6) } # if (&User-Name) = notfound
  3915. (6) } # policy filter_username = notfound
  3916. (6) [preprocess] = ok
  3917. (6) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3918. (6) pap: WARNING: Authentication will fail unless a "known good" password is available
  3919. (6) [pap] = noop
  3920. (6) [mschap] = noop
  3921. (6) [digest] = noop
  3922. (6) suffix: Checking for suffix after "@"
  3923. (6) suffix: No '@' in User-Name = "tt", looking up realm NULL
  3924. (6) suffix: No such realm "NULL"
  3925. (6) [suffix] = noop
  3926. (6) eap: Peer sent EAP Response (code 2) ID 110 length 6
  3927. (6) eap: Continuing tunnel setup
  3928. (6) [eap] = ok
  3929. (6) } # authorize = ok
  3930. (6) Found Auth-Type = eap
  3931. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3932. (6) authenticate {
  3933. (6) eap: Expiring EAP session with state 0x684288326c2c9118
  3934. (6) eap: Finished EAP session with state 0x684288326c2c9118
  3935. (6) eap: Previous EAP request found for state 0x684288326c2c9118, released from the list
  3936. (6) eap: Peer sent packet with method EAP PEAP (25)
  3937. (6) eap: Calling submodule eap_peap to process data
  3938. (6) eap_peap: Continuing EAP-TLS
  3939. (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
  3940. (6) eap_peap: [eaptls verify] = success
  3941. (6) eap_peap: [eaptls process] = success
  3942. (6) eap_peap: Session established. Decoding tunneled attributes
  3943. (6) eap_peap: PEAP state TUNNEL ESTABLISHED
  3944. (6) eap: Sending EAP Request (code 1) ID 111 length 40
  3945. (6) eap: EAP session adding &reply:State = 0x684288326d2d9118
  3946. (6) [eap] = handled
  3947. (6) } # authenticate = handled
  3948. (6) Using Post-Auth-Type Challenge
  3949. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  3950. (6) Challenge { ... } # empty sub-section is ignored
  3951. (6) session-state: Saving cached attributes
  3952. (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  3953. (6) TLS-Session-Version = "TLS 1.2"
  3954. (6) Sent Access-Challenge Id 6 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  3955. (6) EAP-Message = 0x016f00281900170303001d9bc18678dd17d8cd7bf8ecae7318ae3ffb618704f39d6ed563bf8e2228
  3956. (6) Message-Authenticator = 0x00000000000000000000000000000000
  3957. (6) State = 0x684288326d2d911823d78676bb1324f8
  3958. (6) Finished request
  3959. Waking up in 1.2 seconds.
  3960. (7) Received Access-Request Id 7 from 192.168.1.250:39211 to 192.168.1.77:1812 length 226
  3961. (7) User-Name = "tt"
  3962. (7) NAS-Identifier = "NanoStation M2"
  3963. (7) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  3964. (7) NAS-Port-Type = Wireless-802.11
  3965. (7) NAS-Port = 0
  3966. (7) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  3967. (7) Connect-Info = "CONNECT 0Mbps 802.11b"
  3968. (7) Acct-Session-Id = "60E9357A-00000000"
  3969. (7) Framed-MTU = 1400
  3970. (7) EAP-Message = 0x026f00261900170303001b000000000000000193be61fa0440a46188bc366b492b8034481bdc
  3971. (7) State = 0x684288326d2d911823d78676bb1324f8
  3972. (7) Message-Authenticator = 0x95a6f91ac6fe33397d819ea1d0e293ad
  3973. (7) Restoring &session-state
  3974. (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  3975. (7) &session-state:TLS-Session-Version = "TLS 1.2"
  3976. (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  3977. (7) authorize {
  3978. (7) policy filter_username {
  3979. (7) if (&User-Name) {
  3980. (7) if (&User-Name) -> TRUE
  3981. (7) if (&User-Name) {
  3982. (7) if (&User-Name =~ / /) {
  3983. (7) if (&User-Name =~ / /) -> FALSE
  3984. (7) if (&User-Name =~ /@[^@]*@/ ) {
  3985. (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  3986. (7) if (&User-Name =~ /\.\./ ) {
  3987. (7) if (&User-Name =~ /\.\./ ) -> FALSE
  3988. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  3989. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  3990. (7) if (&User-Name =~ /\.$/) {
  3991. (7) if (&User-Name =~ /\.$/) -> FALSE
  3992. (7) if (&User-Name =~ /@\./) {
  3993. (7) if (&User-Name =~ /@\./) -> FALSE
  3994. (7) } # if (&User-Name) = notfound
  3995. (7) } # policy filter_username = notfound
  3996. (7) [preprocess] = ok
  3997. (7) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  3998. (7) pap: WARNING: Authentication will fail unless a "known good" password is available
  3999. (7) [pap] = noop
  4000. (7) [mschap] = noop
  4001. (7) [digest] = noop
  4002. (7) suffix: Checking for suffix after "@"
  4003. (7) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4004. (7) suffix: No such realm "NULL"
  4005. (7) [suffix] = noop
  4006. (7) eap: Peer sent EAP Response (code 2) ID 111 length 38
  4007. (7) eap: Continuing tunnel setup
  4008. (7) [eap] = ok
  4009. (7) } # authorize = ok
  4010. (7) Found Auth-Type = eap
  4011. (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4012. (7) authenticate {
  4013. (7) eap: Expiring EAP session with state 0x684288326d2d9118
  4014. (7) eap: Finished EAP session with state 0x684288326d2d9118
  4015. (7) eap: Previous EAP request found for state 0x684288326d2d9118, released from the list
  4016. (7) eap: Peer sent packet with method EAP PEAP (25)
  4017. (7) eap: Calling submodule eap_peap to process data
  4018. (7) eap_peap: Continuing EAP-TLS
  4019. (7) eap_peap: [eaptls verify] = ok
  4020. (7) eap_peap: Done initial handshake
  4021. (7) eap_peap: [eaptls process] = ok
  4022. (7) eap_peap: Session established. Decoding tunneled attributes
  4023. (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  4024. (7) eap_peap: Identity - tt
  4025. (7) eap_peap: Got inner identity 'tt'
  4026. (7) eap_peap: Setting default EAP type for tunneled EAP session
  4027. (7) eap_peap: Got tunneled request
  4028. (7) eap_peap: EAP-Message = 0x026f0007017474
  4029. (7) eap_peap: Setting User-Name to tt
  4030. (7) eap_peap: Sending tunneled request to inner-tunnel
  4031. (7) eap_peap: EAP-Message = 0x026f0007017474
  4032. (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  4033. (7) eap_peap: User-Name = "tt"
  4034. (7) Virtual server inner-tunnel received request
  4035. (7) EAP-Message = 0x026f0007017474
  4036. (7) FreeRADIUS-Proxied-To = 127.0.0.1
  4037. (7) User-Name = "tt"
  4038. (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
  4039. (7) server inner-tunnel {
  4040. (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4041. (7) authorize {
  4042. (7) policy filter_username {
  4043. (7) if (&User-Name) {
  4044. (7) if (&User-Name) -> TRUE
  4045. (7) if (&User-Name) {
  4046. (7) if (&User-Name =~ / /) {
  4047. (7) if (&User-Name =~ / /) -> FALSE
  4048. (7) if (&User-Name =~ /@[^@]*@/ ) {
  4049. (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4050. (7) if (&User-Name =~ /\.\./ ) {
  4051. (7) if (&User-Name =~ /\.\./ ) -> FALSE
  4052. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4053. (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4054. (7) if (&User-Name =~ /\.$/) {
  4055. (7) if (&User-Name =~ /\.$/) -> FALSE
  4056. (7) if (&User-Name =~ /@\./) {
  4057. (7) if (&User-Name =~ /@\./) -> FALSE
  4058. (7) } # if (&User-Name) = notfound
  4059. (7) } # policy filter_username = notfound
  4060. (7) [chap] = noop
  4061. (7) [mschap] = noop
  4062. (7) suffix: Checking for suffix after "@"
  4063. (7) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4064. (7) suffix: No such realm "NULL"
  4065. (7) [suffix] = noop
  4066. (7) update control {
  4067. (7) &Proxy-To-Realm := LOCAL
  4068. (7) } # update control = noop
  4069. (7) eap: Peer sent EAP Response (code 2) ID 111 length 7
  4070. (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  4071. (7) [eap] = ok
  4072. (7) } # authorize = ok
  4073. (7) Found Auth-Type = eap
  4074. (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4075. (7) authenticate {
  4076. (7) eap: Peer sent packet with method EAP Identity (1)
  4077. (7) eap: Calling submodule eap_mschapv2 to process data
  4078. (7) eap_mschapv2: Issuing Challenge
  4079. (7) eap: Sending EAP Request (code 1) ID 112 length 43
  4080. (7) eap: EAP session adding &reply:State = 0xd74a4af6d73a501b
  4081. (7) [eap] = handled
  4082. (7) } # authenticate = handled
  4083. (7) } # server inner-tunnel
  4084. (7) Virtual server sending reply
  4085. (7) EAP-Message = 0x0170002b1a0170002610ff4aba44157f3f6daaa78d5d92da2c1b667265657261646975732d332e302e3231
  4086. (7) Message-Authenticator = 0x00000000000000000000000000000000
  4087. (7) State = 0xd74a4af6d73a501b91bb465120504682
  4088. (7) eap_peap: Got tunneled reply code 11
  4089. (7) eap_peap: EAP-Message = 0x0170002b1a0170002610ff4aba44157f3f6daaa78d5d92da2c1b667265657261646975732d332e302e3231
  4090. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4091. (7) eap_peap: State = 0xd74a4af6d73a501b91bb465120504682
  4092. (7) eap_peap: Got tunneled reply RADIUS code 11
  4093. (7) eap_peap: EAP-Message = 0x0170002b1a0170002610ff4aba44157f3f6daaa78d5d92da2c1b667265657261646975732d332e302e3231
  4094. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4095. (7) eap_peap: State = 0xd74a4af6d73a501b91bb465120504682
  4096. (7) eap_peap: Got tunneled Access-Challenge
  4097. (7) eap: Sending EAP Request (code 1) ID 112 length 74
  4098. (7) eap: EAP session adding &reply:State = 0x684288326e329118
  4099. (7) [eap] = handled
  4100. (7) } # authenticate = handled
  4101. (7) Using Post-Auth-Type Challenge
  4102. (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4103. (7) Challenge { ... } # empty sub-section is ignored
  4104. (7) session-state: Saving cached attributes
  4105. (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4106. (7) TLS-Session-Version = "TLS 1.2"
  4107. (7) Sent Access-Challenge Id 7 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  4108. (7) EAP-Message = 0x0170004a1900170303003f9bc18678dd17d8ce6fdb500f675ed6826caf4dd149cfc2a3254997601a952a88706aee0795dbf7d350e6f206468aac08e49732f333369a323bdce19e037975
  4109. (7) Message-Authenticator = 0x00000000000000000000000000000000
  4110. (7) State = 0x684288326e32911823d78676bb1324f8
  4111. (7) Finished request
  4112. Waking up in 1.2 seconds.
  4113. (8) Received Access-Request Id 8 from 192.168.1.250:39211 to 192.168.1.77:1812 length 280
  4114. (8) User-Name = "tt"
  4115. (8) NAS-Identifier = "NanoStation M2"
  4116. (8) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  4117. (8) NAS-Port-Type = Wireless-802.11
  4118. (8) NAS-Port = 0
  4119. (8) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  4120. (8) Connect-Info = "CONNECT 0Mbps 802.11b"
  4121. (8) Acct-Session-Id = "60E9357A-00000000"
  4122. (8) Framed-MTU = 1400
  4123. (8) EAP-Message = 0x0270005c19001703030051000000000000000289398a4bcbffc2a90fa7e497598503543419ab0ef74991a53ee2058ae1e5880bea2d4ca409204c63dc820c99d75ae2df573e144d29be051d20d57999f94407f4ee608094966946f26d
  4124. (8) State = 0x684288326e32911823d78676bb1324f8
  4125. (8) Message-Authenticator = 0x37875e0b782178285fd1e9445e1628f1
  4126. (8) Restoring &session-state
  4127. (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4128. (8) &session-state:TLS-Session-Version = "TLS 1.2"
  4129. (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  4130. (8) authorize {
  4131. (8) policy filter_username {
  4132. (8) if (&User-Name) {
  4133. (8) if (&User-Name) -> TRUE
  4134. (8) if (&User-Name) {
  4135. (8) if (&User-Name =~ / /) {
  4136. (8) if (&User-Name =~ / /) -> FALSE
  4137. (8) if (&User-Name =~ /@[^@]*@/ ) {
  4138. (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4139. (8) if (&User-Name =~ /\.\./ ) {
  4140. (8) if (&User-Name =~ /\.\./ ) -> FALSE
  4141. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4142. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4143. (8) if (&User-Name =~ /\.$/) {
  4144. (8) if (&User-Name =~ /\.$/) -> FALSE
  4145. (8) if (&User-Name =~ /@\./) {
  4146. (8) if (&User-Name =~ /@\./) -> FALSE
  4147. (8) } # if (&User-Name) = notfound
  4148. (8) } # policy filter_username = notfound
  4149. (8) [preprocess] = ok
  4150. (8) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  4151. (8) pap: WARNING: Authentication will fail unless a "known good" password is available
  4152. (8) [pap] = noop
  4153. (8) [mschap] = noop
  4154. (8) [digest] = noop
  4155. (8) suffix: Checking for suffix after "@"
  4156. (8) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4157. (8) suffix: No such realm "NULL"
  4158. (8) [suffix] = noop
  4159. (8) eap: Peer sent EAP Response (code 2) ID 112 length 92
  4160. (8) eap: Continuing tunnel setup
  4161. (8) [eap] = ok
  4162. (8) } # authorize = ok
  4163. (8) Found Auth-Type = eap
  4164. (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4165. (8) authenticate {
  4166. (8) eap: Expiring EAP session with state 0xd74a4af6d73a501b
  4167. (8) eap: Finished EAP session with state 0x684288326e329118
  4168. (8) eap: Previous EAP request found for state 0x684288326e329118, released from the list
  4169. (8) eap: Peer sent packet with method EAP PEAP (25)
  4170. (8) eap: Calling submodule eap_peap to process data
  4171. (8) eap_peap: Continuing EAP-TLS
  4172. (8) eap_peap: [eaptls verify] = ok
  4173. (8) eap_peap: Done initial handshake
  4174. (8) eap_peap: [eaptls process] = ok
  4175. (8) eap_peap: Session established. Decoding tunneled attributes
  4176. (8) eap_peap: PEAP state phase2
  4177. (8) eap_peap: EAP method MSCHAPv2 (26)
  4178. (8) eap_peap: Got tunneled request
  4179. (8) eap_peap: EAP-Message = 0x0270003d1a0270003831161a3db5508a6c1728d9c5d7d0a3c4e70000000000000000fae5f579fc7c6fb48510503914b409955786f3f1a44178d1007474
  4180. (8) eap_peap: Setting User-Name to tt
  4181. (8) eap_peap: Sending tunneled request to inner-tunnel
  4182. (8) eap_peap: EAP-Message = 0x0270003d1a0270003831161a3db5508a6c1728d9c5d7d0a3c4e70000000000000000fae5f579fc7c6fb48510503914b409955786f3f1a44178d1007474
  4183. (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  4184. (8) eap_peap: User-Name = "tt"
  4185. (8) eap_peap: State = 0xd74a4af6d73a501b91bb465120504682
  4186. (8) Virtual server inner-tunnel received request
  4187. (8) EAP-Message = 0x0270003d1a0270003831161a3db5508a6c1728d9c5d7d0a3c4e70000000000000000fae5f579fc7c6fb48510503914b409955786f3f1a44178d1007474
  4188. (8) FreeRADIUS-Proxied-To = 127.0.0.1
  4189. (8) User-Name = "tt"
  4190. (8) State = 0xd74a4af6d73a501b91bb465120504682
  4191. (8) WARNING: Outer and inner identities are the same. User privacy is compromised.
  4192. (8) server inner-tunnel {
  4193. (8) session-state: No cached attributes
  4194. (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4195. (8) authorize {
  4196. (8) policy filter_username {
  4197. (8) if (&User-Name) {
  4198. (8) if (&User-Name) -> TRUE
  4199. (8) if (&User-Name) {
  4200. (8) if (&User-Name =~ / /) {
  4201. (8) if (&User-Name =~ / /) -> FALSE
  4202. (8) if (&User-Name =~ /@[^@]*@/ ) {
  4203. (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4204. (8) if (&User-Name =~ /\.\./ ) {
  4205. (8) if (&User-Name =~ /\.\./ ) -> FALSE
  4206. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4207. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4208. (8) if (&User-Name =~ /\.$/) {
  4209. (8) if (&User-Name =~ /\.$/) -> FALSE
  4210. (8) if (&User-Name =~ /@\./) {
  4211. (8) if (&User-Name =~ /@\./) -> FALSE
  4212. (8) } # if (&User-Name) = notfound
  4213. (8) } # policy filter_username = notfound
  4214. (8) [chap] = noop
  4215. (8) [mschap] = noop
  4216. (8) suffix: Checking for suffix after "@"
  4217. (8) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4218. (8) suffix: No such realm "NULL"
  4219. (8) [suffix] = noop
  4220. (8) update control {
  4221. (8) &Proxy-To-Realm := LOCAL
  4222. (8) } # update control = noop
  4223. (8) eap: Peer sent EAP Response (code 2) ID 112 length 61
  4224. (8) eap: No EAP Start, assuming it's an on-going EAP conversation
  4225. (8) [eap] = updated
  4226. (8) files: users: Matched entry DEFAULT at line 1
  4227. (8) [files] = ok
  4228. (8) sql: EXPAND %{User-Name}
  4229. (8) sql: --> tt
  4230. (8) sql: SQL-User-Name set to 'tt'
  4231. rlm_sql (sql): Reserved connection (6)
  4232. (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
  4233. (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  4234. (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  4235. (8) sql: User found in radcheck table
  4236. (8) sql: Conditional check items matched, merging assignment check items
  4237. (8) sql: Cleartext-Password := "tt"
  4238. (8) sql: Simultaneous-Use := 1
  4239. (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
  4240. (8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  4241. (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  4242. rlm_sql (sql): Reserved connection (8)
  4243. rlm_sql (sql): Released connection (8)
  4244. Need 8 more connections to reach 10 spares
  4245. rlm_sql (sql): Opening additional connection (9), 1 of 29 pending slots used
  4246. rlm_sql_mysql: Starting connect to MySQL server
  4247. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.25-0ubuntu0.21.04.1, protocol version 10
  4248. (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  4249. (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  4250. (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  4251. (8) sql: User not found in any groups
  4252. (8) sql: Checking profile DEFAULT
  4253. (8) sql: EXPAND DEFAULT
  4254. (8) sql: --> DEFAULT
  4255. (8) sql: SQL-User-Name set to 'DEFAULT'
  4256. rlm_sql (sql): Reserved connection (7)
  4257. rlm_sql (sql): Released connection (7)
  4258. (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  4259. (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  4260. (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  4261. (8) sql: User found in the group table
  4262. (8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
  4263. (8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  4264. (8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  4265. (8) sql: Group "VLAN3010": Conditional check items matched
  4266. (8) sql: Group "VLAN3010": Merging assignment check items
  4267. (8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
  4268. (8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  4269. (8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  4270. (8) sql: Group "VLAN3010": Merging reply items
  4271. rlm_sql (sql): Released connection (6)
  4272. (8) [sql] = ok
  4273. (8) [expiration] = noop
  4274. (8) [logintime] = noop
  4275. (8) pap: WARNING: Auth-Type already set. Not setting to PAP
  4276. (8) [pap] = noop
  4277. (8) } # authorize = updated
  4278. (8) Found Auth-Type = eap
  4279. (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4280. (8) authenticate {
  4281. (8) eap: Expiring EAP session with state 0xd74a4af6d73a501b
  4282. (8) eap: Finished EAP session with state 0xd74a4af6d73a501b
  4283. (8) eap: Previous EAP request found for state 0xd74a4af6d73a501b, released from the list
  4284. (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
  4285. (8) eap: Calling submodule eap_mschapv2 to process data
  4286. (8) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4287. (8) eap_mschapv2: authenticate {
  4288. (8) mschap: Found Cleartext-Password, hashing to create NT-Password
  4289. (8) mschap: Creating challenge hash with username: tt
  4290. (8) mschap: Client is using MS-CHAPv2
  4291. (8) mschap: Adding MS-CHAPv2 MPPE keys
  4292. (8) eap_mschapv2: [mschap] = ok
  4293. (8) eap_mschapv2: } # authenticate = ok
  4294. (8) eap_mschapv2: MSCHAP Success
  4295. (8) eap: Sending EAP Request (code 1) ID 113 length 51
  4296. (8) eap: EAP session adding &reply:State = 0xd74a4af6d63b501b
  4297. (8) [eap] = handled
  4298. (8) } # authenticate = handled
  4299. (8) } # server inner-tunnel
  4300. (8) Virtual server sending reply
  4301. (8) EAP-Message = 0x017100331a0370002e533d33363337413436313345353732444135444133383233363546324530313542303731413742304245
  4302. (8) Message-Authenticator = 0x00000000000000000000000000000000
  4303. (8) State = 0xd74a4af6d63b501b91bb465120504682
  4304. (8) eap_peap: Got tunneled reply code 11
  4305. (8) eap_peap: EAP-Message = 0x017100331a0370002e533d33363337413436313345353732444135444133383233363546324530313542303731413742304245
  4306. (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4307. (8) eap_peap: State = 0xd74a4af6d63b501b91bb465120504682
  4308. (8) eap_peap: Got tunneled reply RADIUS code 11
  4309. (8) eap_peap: EAP-Message = 0x017100331a0370002e533d33363337413436313345353732444135444133383233363546324530313542303731413742304245
  4310. (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4311. (8) eap_peap: State = 0xd74a4af6d63b501b91bb465120504682
  4312. (8) eap_peap: Got tunneled Access-Challenge
  4313. (8) eap: Sending EAP Request (code 1) ID 113 length 82
  4314. (8) eap: EAP session adding &reply:State = 0x684288326f339118
  4315. (8) [eap] = handled
  4316. (8) } # authenticate = handled
  4317. (8) Using Post-Auth-Type Challenge
  4318. (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4319. (8) Challenge { ... } # empty sub-section is ignored
  4320. (8) session-state: Saving cached attributes
  4321. (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4322. (8) TLS-Session-Version = "TLS 1.2"
  4323. (8) Sent Access-Challenge Id 8 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  4324. (8) EAP-Message = 0x01710052190017030300479bc18678dd17d8cf7caf8983b73fe2f303a70150d6cbc91d4390b984653df14d812bc544c5e3830f38b582a6068360ad1b88617c7f53271195c5de682a5b12ffeb49e17df5c552
  4325. (8) Message-Authenticator = 0x00000000000000000000000000000000
  4326. (8) State = 0x684288326f33911823d78676bb1324f8
  4327. (8) Finished request
  4328. Waking up in 1.2 seconds.
  4329. (9) Received Access-Request Id 9 from 192.168.1.250:39211 to 192.168.1.77:1812 length 225
  4330. (9) User-Name = "tt"
  4331. (9) NAS-Identifier = "NanoStation M2"
  4332. (9) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  4333. (9) NAS-Port-Type = Wireless-802.11
  4334. (9) NAS-Port = 0
  4335. (9) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  4336. (9) Connect-Info = "CONNECT 0Mbps 802.11b"
  4337. (9) Acct-Session-Id = "60E9357A-00000000"
  4338. (9) Framed-MTU = 1400
  4339. (9) EAP-Message = 0x027100251900170303001a0000000000000003b22aa380f8f1df3ba84552c849ed6dfa9269
  4340. (9) State = 0x684288326f33911823d78676bb1324f8
  4341. (9) Message-Authenticator = 0x3c8cf47c0a08093e507caa9e7af0b395
  4342. (9) Restoring &session-state
  4343. (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4344. (9) &session-state:TLS-Session-Version = "TLS 1.2"
  4345. (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  4346. (9) authorize {
  4347. (9) policy filter_username {
  4348. (9) if (&User-Name) {
  4349. (9) if (&User-Name) -> TRUE
  4350. (9) if (&User-Name) {
  4351. (9) if (&User-Name =~ / /) {
  4352. (9) if (&User-Name =~ / /) -> FALSE
  4353. (9) if (&User-Name =~ /@[^@]*@/ ) {
  4354. (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4355. (9) if (&User-Name =~ /\.\./ ) {
  4356. (9) if (&User-Name =~ /\.\./ ) -> FALSE
  4357. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4358. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4359. (9) if (&User-Name =~ /\.$/) {
  4360. (9) if (&User-Name =~ /\.$/) -> FALSE
  4361. (9) if (&User-Name =~ /@\./) {
  4362. (9) if (&User-Name =~ /@\./) -> FALSE
  4363. (9) } # if (&User-Name) = notfound
  4364. (9) } # policy filter_username = notfound
  4365. (9) [preprocess] = ok
  4366. (9) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  4367. (9) pap: WARNING: Authentication will fail unless a "known good" password is available
  4368. (9) [pap] = noop
  4369. (9) [mschap] = noop
  4370. (9) [digest] = noop
  4371. (9) suffix: Checking for suffix after "@"
  4372. (9) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4373. (9) suffix: No such realm "NULL"
  4374. (9) [suffix] = noop
  4375. (9) eap: Peer sent EAP Response (code 2) ID 113 length 37
  4376. (9) eap: Continuing tunnel setup
  4377. (9) [eap] = ok
  4378. (9) } # authorize = ok
  4379. (9) Found Auth-Type = eap
  4380. (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4381. (9) authenticate {
  4382. (9) eap: Expiring EAP session with state 0xd74a4af6d63b501b
  4383. (9) eap: Finished EAP session with state 0x684288326f339118
  4384. (9) eap: Previous EAP request found for state 0x684288326f339118, released from the list
  4385. (9) eap: Peer sent packet with method EAP PEAP (25)
  4386. (9) eap: Calling submodule eap_peap to process data
  4387. (9) eap_peap: Continuing EAP-TLS
  4388. (9) eap_peap: [eaptls verify] = ok
  4389. (9) eap_peap: Done initial handshake
  4390. (9) eap_peap: [eaptls process] = ok
  4391. (9) eap_peap: Session established. Decoding tunneled attributes
  4392. (9) eap_peap: PEAP state phase2
  4393. (9) eap_peap: EAP method MSCHAPv2 (26)
  4394. (9) eap_peap: Got tunneled request
  4395. (9) eap_peap: EAP-Message = 0x027100061a03
  4396. (9) eap_peap: Setting User-Name to tt
  4397. (9) eap_peap: Sending tunneled request to inner-tunnel
  4398. (9) eap_peap: EAP-Message = 0x027100061a03
  4399. (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  4400. (9) eap_peap: User-Name = "tt"
  4401. (9) eap_peap: State = 0xd74a4af6d63b501b91bb465120504682
  4402. (9) Virtual server inner-tunnel received request
  4403. (9) EAP-Message = 0x027100061a03
  4404. (9) FreeRADIUS-Proxied-To = 127.0.0.1
  4405. (9) User-Name = "tt"
  4406. (9) State = 0xd74a4af6d63b501b91bb465120504682
  4407. (9) WARNING: Outer and inner identities are the same. User privacy is compromised.
  4408. (9) server inner-tunnel {
  4409. (9) session-state: No cached attributes
  4410. (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4411. (9) authorize {
  4412. (9) policy filter_username {
  4413. (9) if (&User-Name) {
  4414. (9) if (&User-Name) -> TRUE
  4415. (9) if (&User-Name) {
  4416. (9) if (&User-Name =~ / /) {
  4417. (9) if (&User-Name =~ / /) -> FALSE
  4418. (9) if (&User-Name =~ /@[^@]*@/ ) {
  4419. (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4420. (9) if (&User-Name =~ /\.\./ ) {
  4421. (9) if (&User-Name =~ /\.\./ ) -> FALSE
  4422. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4423. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4424. (9) if (&User-Name =~ /\.$/) {
  4425. (9) if (&User-Name =~ /\.$/) -> FALSE
  4426. (9) if (&User-Name =~ /@\./) {
  4427. (9) if (&User-Name =~ /@\./) -> FALSE
  4428. (9) } # if (&User-Name) = notfound
  4429. (9) } # policy filter_username = notfound
  4430. (9) [chap] = noop
  4431. (9) [mschap] = noop
  4432. (9) suffix: Checking for suffix after "@"
  4433. (9) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4434. (9) suffix: No such realm "NULL"
  4435. (9) [suffix] = noop
  4436. (9) update control {
  4437. (9) &Proxy-To-Realm := LOCAL
  4438. (9) } # update control = noop
  4439. (9) eap: Peer sent EAP Response (code 2) ID 113 length 6
  4440. (9) eap: No EAP Start, assuming it's an on-going EAP conversation
  4441. (9) [eap] = updated
  4442. (9) files: users: Matched entry DEFAULT at line 1
  4443. (9) [files] = ok
  4444. (9) sql: EXPAND %{User-Name}
  4445. (9) sql: --> tt
  4446. (9) sql: SQL-User-Name set to 'tt'
  4447. rlm_sql (sql): Reserved connection (6)
  4448. (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
  4449. (9) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  4450. (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tt' ORDER BY id
  4451. (9) sql: User found in radcheck table
  4452. (9) sql: Conditional check items matched, merging assignment check items
  4453. (9) sql: Cleartext-Password := "tt"
  4454. (9) sql: Simultaneous-Use := 1
  4455. (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
  4456. (9) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  4457. (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tt' ORDER BY id
  4458. rlm_sql (sql): Reserved connection (8)
  4459. rlm_sql (sql): Released connection (8)
  4460. (9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  4461. (9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  4462. (9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'tt' ORDER BY priority
  4463. (9) sql: User not found in any groups
  4464. (9) sql: Checking profile DEFAULT
  4465. (9) sql: EXPAND DEFAULT
  4466. (9) sql: --> DEFAULT
  4467. (9) sql: SQL-User-Name set to 'DEFAULT'
  4468. rlm_sql (sql): Reserved connection (9)
  4469. rlm_sql (sql): Released connection (9)
  4470. (9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
  4471. (9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  4472. (9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'DEFAULT' ORDER BY priority
  4473. (9) sql: User found in the group table
  4474. (9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
  4475. (9) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  4476. (9) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VLAN3010' ORDER BY id
  4477. (9) sql: Group "VLAN3010": Conditional check items matched
  4478. (9) sql: Group "VLAN3010": Merging assignment check items
  4479. (9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
  4480. (9) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  4481. (9) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VLAN3010' ORDER BY id
  4482. (9) sql: Group "VLAN3010": Merging reply items
  4483. rlm_sql (sql): Released connection (6)
  4484. (9) [sql] = ok
  4485. (9) [expiration] = noop
  4486. (9) [logintime] = noop
  4487. (9) pap: WARNING: Auth-Type already set. Not setting to PAP
  4488. (9) [pap] = noop
  4489. (9) } # authorize = updated
  4490. (9) Found Auth-Type = eap
  4491. (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4492. (9) authenticate {
  4493. (9) eap: Expiring EAP session with state 0xd74a4af6d63b501b
  4494. (9) eap: Finished EAP session with state 0xd74a4af6d63b501b
  4495. (9) eap: Previous EAP request found for state 0xd74a4af6d63b501b, released from the list
  4496. (9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
  4497. (9) eap: Calling submodule eap_mschapv2 to process data
  4498. (9) eap: Sending EAP Success (code 3) ID 113 length 4
  4499. (9) eap: Freeing handler
  4500. (9) [eap] = ok
  4501. (9) } # authenticate = ok
  4502. (9) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4503. (9) session {
  4504. (9) radutmp: EXPAND /var/log/freeradius/radutmp
  4505. (9) radutmp: --> /var/log/freeradius/radutmp
  4506. (9) [radutmp] = ok
  4507. (9) } # session = ok
  4508. (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  4509. (9) post-auth {
  4510. (9) sql: EXPAND .query
  4511. (9) sql: --> .query
  4512. (9) sql: Using query template 'query'
  4513. rlm_sql (sql): Reserved connection (7)
  4514. (9) sql: EXPAND %{User-Name}
  4515. (9) sql: --> tt
  4516. (9) sql: SQL-User-Name set to 'tt'
  4517. (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M')
  4518. (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tt', '', 'Access-Accept', '2021-07-10 05:53:32.084540')
  4519. (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tt', '', 'Access-Accept', '2021-07-10 05:53:32.084540')
  4520. (9) sql: SQL query returned: success
  4521. (9) sql: 1 record(s) updated
  4522. rlm_sql (sql): Released connection (7)
  4523. (9) [sql] = ok
  4524. (9) if (0) {
  4525. (9) if (0) -> FALSE
  4526. (9) } # post-auth = ok
  4527. (9) } # server inner-tunnel
  4528. (9) Virtual server sending reply
  4529. (9) MS-MPPE-Encryption-Policy = Encryption-Allowed
  4530. (9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  4531. (9) MS-MPPE-Send-Key = 0xe5fe902b3c9e25b0a560687fc4b6ac40
  4532. (9) MS-MPPE-Recv-Key = 0x20596bd3cb08534e4b41a667d73b3379
  4533. (9) EAP-Message = 0x03710004
  4534. (9) Message-Authenticator = 0x00000000000000000000000000000000
  4535. (9) User-Name = "tt"
  4536. (9) eap_peap: Got tunneled reply code 2
  4537. (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
  4538. (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  4539. (9) eap_peap: MS-MPPE-Send-Key = 0xe5fe902b3c9e25b0a560687fc4b6ac40
  4540. (9) eap_peap: MS-MPPE-Recv-Key = 0x20596bd3cb08534e4b41a667d73b3379
  4541. (9) eap_peap: EAP-Message = 0x03710004
  4542. (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4543. (9) eap_peap: User-Name = "tt"
  4544. (9) eap_peap: Got tunneled reply RADIUS code 2
  4545. (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
  4546. (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  4547. (9) eap_peap: MS-MPPE-Send-Key = 0xe5fe902b3c9e25b0a560687fc4b6ac40
  4548. (9) eap_peap: MS-MPPE-Recv-Key = 0x20596bd3cb08534e4b41a667d73b3379
  4549. (9) eap_peap: EAP-Message = 0x03710004
  4550. (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  4551. (9) eap_peap: User-Name = "tt"
  4552. (9) eap_peap: Tunneled authentication was successful
  4553. (9) eap_peap: SUCCESS
  4554. (9) eap: Sending EAP Request (code 1) ID 114 length 46
  4555. (9) eap: EAP session adding &reply:State = 0x6842883260309118
  4556. (9) [eap] = handled
  4557. (9) } # authenticate = handled
  4558. (9) Using Post-Auth-Type Challenge
  4559. (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4560. (9) Challenge { ... } # empty sub-section is ignored
  4561. (9) session-state: Saving cached attributes
  4562. (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4563. (9) TLS-Session-Version = "TLS 1.2"
  4564. (9) Sent Access-Challenge Id 9 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  4565. (9) EAP-Message = 0x0172002e190017030300239bc18678dd17d8d0a44de1490acf480db021ad2cfdbbacfeae8a59eca3e80035bdbaab
  4566. (9) Message-Authenticator = 0x00000000000000000000000000000000
  4567. (9) State = 0x684288326030911823d78676bb1324f8
  4568. (9) Finished request
  4569. Waking up in 1.1 seconds.
  4570. (10) Received Access-Request Id 10 from 192.168.1.250:39211 to 192.168.1.77:1812 length 234
  4571. (10) User-Name = "tt"
  4572. (10) NAS-Identifier = "NanoStation M2"
  4573. (10) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  4574. (10) NAS-Port-Type = Wireless-802.11
  4575. (10) NAS-Port = 0
  4576. (10) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  4577. (10) Connect-Info = "CONNECT 0Mbps 802.11b"
  4578. (10) Acct-Session-Id = "60E9357A-00000000"
  4579. (10) Framed-MTU = 1400
  4580. (10) EAP-Message = 0x0272002e1900170303002300000000000000041b14e4976484536fb99c4e210d91208f92e23817ce4dc83383530d
  4581. (10) State = 0x684288326030911823d78676bb1324f8
  4582. (10) Message-Authenticator = 0xda12c558b40fe5d265a5d854be0220b3
  4583. (10) Restoring &session-state
  4584. (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  4585. (10) &session-state:TLS-Session-Version = "TLS 1.2"
  4586. (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  4587. (10) authorize {
  4588. (10) policy filter_username {
  4589. (10) if (&User-Name) {
  4590. (10) if (&User-Name) -> TRUE
  4591. (10) if (&User-Name) {
  4592. (10) if (&User-Name =~ / /) {
  4593. (10) if (&User-Name =~ / /) -> FALSE
  4594. (10) if (&User-Name =~ /@[^@]*@/ ) {
  4595. (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  4596. (10) if (&User-Name =~ /\.\./ ) {
  4597. (10) if (&User-Name =~ /\.\./ ) -> FALSE
  4598. (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  4599. (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  4600. (10) if (&User-Name =~ /\.$/) {
  4601. (10) if (&User-Name =~ /\.$/) -> FALSE
  4602. (10) if (&User-Name =~ /@\./) {
  4603. (10) if (&User-Name =~ /@\./) -> FALSE
  4604. (10) } # if (&User-Name) = notfound
  4605. (10) } # policy filter_username = notfound
  4606. (10) [preprocess] = ok
  4607. (10) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  4608. (10) pap: WARNING: Authentication will fail unless a "known good" password is available
  4609. (10) [pap] = noop
  4610. (10) [mschap] = noop
  4611. (10) [digest] = noop
  4612. (10) suffix: Checking for suffix after "@"
  4613. (10) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4614. (10) suffix: No such realm "NULL"
  4615. (10) [suffix] = noop
  4616. (10) eap: Peer sent EAP Response (code 2) ID 114 length 46
  4617. (10) eap: Continuing tunnel setup
  4618. (10) [eap] = ok
  4619. (10) } # authorize = ok
  4620. (10) Found Auth-Type = eap
  4621. (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  4622. (10) authenticate {
  4623. (10) eap: Expiring EAP session with state 0x6842883260309118
  4624. (10) eap: Finished EAP session with state 0x6842883260309118
  4625. (10) eap: Previous EAP request found for state 0x6842883260309118, released from the list
  4626. (10) eap: Peer sent packet with method EAP PEAP (25)
  4627. (10) eap: Calling submodule eap_peap to process data
  4628. (10) eap_peap: Continuing EAP-TLS
  4629. (10) eap_peap: [eaptls verify] = ok
  4630. (10) eap_peap: Done initial handshake
  4631. (10) eap_peap: [eaptls process] = ok
  4632. (10) eap_peap: Session established. Decoding tunneled attributes
  4633. (10) eap_peap: PEAP state send tlv success
  4634. (10) eap_peap: Received EAP-TLV response
  4635. (10) eap_peap: Success
  4636. (10) eap: Sending EAP Success (code 3) ID 114 length 4
  4637. (10) eap: Freeing handler
  4638. (10) [eap] = ok
  4639. (10) } # authenticate = ok
  4640. (10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
  4641. (10) post-auth {
  4642. (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
  4643. (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
  4644. (10) update {
  4645. (10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
  4646. (10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
  4647. (10) } # update = noop
  4648. (10) sql: EXPAND .query
  4649. (10) sql: --> .query
  4650. (10) sql: Using query template 'query'
  4651. rlm_sql (sql): Reserved connection (6)
  4652. (10) sql: EXPAND %{User-Name}
  4653. (10) sql: --> tt
  4654. (10) sql: SQL-User-Name set to 'tt'
  4655. (10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M')
  4656. (10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tt', '', 'Access-Accept', '2021-07-10 05:53:32.134762')
  4657. (10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tt', '', 'Access-Accept', '2021-07-10 05:53:32.134762')
  4658. (10) sql: SQL query returned: success
  4659. (10) sql: 1 record(s) updated
  4660. rlm_sql (sql): Released connection (6)
  4661. (10) [sql] = ok
  4662. (10) [exec] = noop
  4663. (10) policy remove_reply_message_if_eap {
  4664. (10) if (&reply:EAP-Message && &reply:Reply-Message) {
  4665. (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  4666. (10) else {
  4667. (10) [noop] = noop
  4668. (10) } # else = noop
  4669. (10) } # policy remove_reply_message_if_eap = noop
  4670. (10) } # post-auth = ok
  4671. (10) Sent Access-Accept Id 10 from 192.168.1.77:1812 to 192.168.1.250:39211 length 0
  4672. (10) MS-MPPE-Recv-Key = 0xbaf20d8e3eca5ac180fe759bac80cd8337e78b31f4f6d8f99568a17dbb089556
  4673. (10) MS-MPPE-Send-Key = 0xc48b4be0c86bca4336996aa646e22471a819056983fd43c0dd28e3f447188982
  4674. (10) EAP-Message = 0x03720004
  4675. (10) Message-Authenticator = 0x00000000000000000000000000000000
  4676. (10) User-Name = "tt"
  4677. (10) Finished request
  4678. Waking up in 1.1 seconds.
  4679. (11) Received Accounting-Request Id 11 from 192.168.1.250:33371 to 192.168.1.77:1813 length 156
  4680. (11) Acct-Session-Id = "60E9357A-00000000"
  4681. (11) Acct-Status-Type = Start
  4682. (11) Acct-Authentic = RADIUS
  4683. (11) User-Name = "tt"
  4684. (11) NAS-Identifier = "NanoStation M2"
  4685. (11) Called-Station-Id = "E0-63-DA-62-16-A5:test-free-T"
  4686. (11) NAS-Port-Type = Wireless-802.11
  4687. (11) NAS-Port = 0
  4688. (11) Calling-Station-Id = "24-EE-9A-1C-64-FC"
  4689. (11) Connect-Info = "CONNECT 0Mbps 802.11b"
  4690. (11) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
  4691. (11) preacct {
  4692. (11) [preprocess] = ok
  4693. (11) policy acct_unique {
  4694. (11) update request {
  4695. (11) &Tmp-String-9 := "ai:"
  4696. (11) } # update request = noop
  4697. (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
  4698. (11) EXPAND %{hex:&Class}
  4699. (11) -->
  4700. (11) EXPAND ^%{hex:&Tmp-String-9}
  4701. (11) --> ^61693a
  4702. (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
  4703. (11) else {
  4704. (11) update request {
  4705. (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
  4706. (11) --> 6a47e79243e72db7033f8519919bbbb3
  4707. (11) &Acct-Unique-Session-Id := 6a47e79243e72db7033f8519919bbbb3
  4708. (11) } # update request = noop
  4709. (11) } # else = noop
  4710. (11) } # policy acct_unique = noop
  4711. (11) suffix: Checking for suffix after "@"
  4712. (11) suffix: No '@' in User-Name = "tt", looking up realm NULL
  4713. (11) suffix: No such realm "NULL"
  4714. (11) [suffix] = noop
  4715. (11) [files] = noop
  4716. (11) } # preacct = ok
  4717. (11) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
  4718. (11) accounting {
  4719. (11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
  4720. (11) detail: --> /var/log/freeradius/radacct/192.168.1.250/detail-20210710
  4721. (11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.250/detail-20210710
  4722. (11) detail: EXPAND %t
  4723. (11) detail: --> Sat Jul 10 05:53:32 2021
  4724. (11) [detail] = ok
  4725. (11) [unix] = ok
  4726. (11) radutmp: EXPAND /var/log/freeradius/radutmp
  4727. (11) radutmp: --> /var/log/freeradius/radutmp
  4728. (11) radutmp: EXPAND %{User-Name}
  4729. (11) radutmp: --> tt
  4730. (11) [radutmp] = ok
  4731. (11) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}
  4732. (11) sql: --> type.start.query
  4733. (11) sql: Using query template 'query'
  4734. rlm_sql (sql): Reserved connection (8)
  4735. (11) sql: EXPAND %{User-Name}
  4736. (11) sql: --> tt
  4737. (11) sql: SQL-User-Name set to 'tt'
  4738. (11) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')
  4739. (11) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('60E9357A-00000000', '6a47e79243e72db7033f8519919bbbb3', 'tt', '', '192.168.1.250', '0', 'Wireless-802.11', FROM_UNIXTIME(1625896412), FROM_UNIXTIME(1625896412), NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', 'E0-63-DA-62-16-A5:test-free-T', '24-EE-9A-1C-64-FC', '', '', '', '', '', '', '', '')
  4740. (11) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('60E9357A-00000000', '6a47e79243e72db7033f8519919bbbb3', 'tt', '', '192.168.1.250', '0', 'Wireless-802.11', FROM_UNIXTIME(1625896412), FROM_UNIXTIME(1625896412), NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', 'E0-63-DA-62-16-A5:test-free-T', '24-EE-9A-1C-64-FC', '', '', '', '', '', '', '', '')
  4741. (11) sql: SQL query returned: success
  4742. (11) sql: 1 record(s) updated
  4743. rlm_sql (sql): Released connection (8)
  4744. (11) [sql] = ok
  4745. (11) [exec] = noop
  4746. (11) attr_filter.accounting_response: EXPAND %{User-Name}
  4747. (11) attr_filter.accounting_response: --> tt
  4748. (11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
  4749. (11) [attr_filter.accounting_response] = updated
  4750. (11) } # accounting = updated
  4751. (11) Sent Accounting-Response Id 11 from 192.168.1.77:1813 to 192.168.1.250:33371 length 0
  4752. (11) Finished request
  4753. (11) Cleaning up request packet ID 11 with timestamp +229
  4754. Waking up in 1.0 seconds.
  4755. (1) Cleaning up request packet ID 1 with timestamp +225
  4756. (2) Cleaning up request packet ID 2 with timestamp +225
  4757. (3) Cleaning up request packet ID 3 with timestamp +225
  4758. (4) Cleaning up request packet ID 4 with timestamp +225
  4759. (5) Cleaning up request packet ID 5 with timestamp +225
  4760. Waking up in 3.5 seconds.
  4761. (6) Cleaning up request packet ID 6 with timestamp +229
  4762. (7) Cleaning up request packet ID 7 with timestamp +229
  4763. (8) Cleaning up request packet ID 8 with timestamp +229
  4764. (9) Cleaning up request packet ID 9 with timestamp +229
  4765. (10) Cleaning up request packet ID 10 with timestamp +229
  4766. Ready to process requests
  4767. </code>
  4768.  