davama

freeradius_radiusX_debug_do-not-respond_access_reject

May 2nd, 2018
  1. FreeRADIUS Version 3.0.13
  2. Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
  3. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  4. PARTICULAR PURPOSE
  5. You may redistribute copies of FreeRADIUS under the terms of the
  6. GNU General Public License
  7. For more information about these matters, see the file named COPYRIGHT
  8. Starting - reading configuration files ...
  9. including dictionary file /usr/share/freeradius/dictionary
  10. including dictionary file /usr/share/freeradius/dictionary.dhcp
  11. including dictionary file /usr/share/freeradius/dictionary.vqp
  12. including dictionary file /etc/raddb/dictionary
  13. including configuration file /etc/raddb/radiusd.conf
  14. including configuration file /etc/raddb/proxy.conf
  15. including configuration file /etc/raddb/clients.conf
  16. including files in directory /etc/raddb/mods-enabled/
  17. including configuration file /etc/raddb/mods-enabled/always
  18. including configuration file /etc/raddb/mods-enabled/attr_filter
  19. including configuration file /etc/raddb/mods-enabled/cache_eap
  20. including configuration file /etc/raddb/mods-enabled/chap
  21. including configuration file /etc/raddb/mods-enabled/date
  22. including configuration file /etc/raddb/mods-enabled/detail
  23. including configuration file /etc/raddb/mods-enabled/detail.log
  24. including configuration file /etc/raddb/mods-enabled/dhcp
  25. including configuration file /etc/raddb/mods-enabled/digest
  26. including configuration file /etc/raddb/mods-enabled/dynamic_clients
  27. including configuration file /etc/raddb/mods-enabled/eap
  28. including configuration file /etc/raddb/mods-enabled/echo
  29. including configuration file /etc/raddb/mods-enabled/exec
  30. including configuration file /etc/raddb/mods-enabled/expiration
  31. including configuration file /etc/raddb/mods-enabled/expr
  32. including configuration file /etc/raddb/mods-enabled/files
  33. including configuration file /etc/raddb/mods-enabled/linelog
  34. including configuration file /etc/raddb/mods-enabled/logintime
  35. including configuration file /etc/raddb/mods-enabled/mschap
  36. including configuration file /etc/raddb/mods-enabled/ntlm_auth
  37. including configuration file /etc/raddb/mods-enabled/pap
  38. including configuration file /etc/raddb/mods-enabled/passwd
  39. including configuration file /etc/raddb/mods-enabled/preprocess
  40. including configuration file /etc/raddb/mods-enabled/radutmp
  41. including configuration file /etc/raddb/mods-enabled/realm
  42. including configuration file /etc/raddb/mods-enabled/replicate
  43. including configuration file /etc/raddb/mods-enabled/soh
  44. including configuration file /etc/raddb/mods-enabled/sradutmp
  45. including configuration file /etc/raddb/mods-enabled/unix
  46. including configuration file /etc/raddb/mods-enabled/unpack
  47. including configuration file /etc/raddb/mods-enabled/utf8
  48. including configuration file /etc/raddb/mods-enabled/ldap
  49. including files in directory /etc/raddb/policy.d/
  50. including configuration file /etc/raddb/policy.d/accounting
  51. including configuration file /etc/raddb/policy.d/canonicalization
  52. including configuration file /etc/raddb/policy.d/control
  53. including configuration file /etc/raddb/policy.d/cui
  54. including configuration file /etc/raddb/policy.d/debug
  55. including configuration file /etc/raddb/policy.d/dhcp
  56. including configuration file /etc/raddb/policy.d/eap
  57. including configuration file /etc/raddb/policy.d/filter
  58. including configuration file /etc/raddb/policy.d/operator-name
  59. including files in directory /etc/raddb/sites-enabled/
  60. including configuration file /etc/raddb/sites-enabled/default
  61. including configuration file /etc/raddb/sites-enabled/inner-tunnel
  62. main {
  63. security {
  64. user = "radiusd"
  65. group = "radiusd"
  66. allow_core_dumps = no
  67. }
  68. name = "radiusd"
  69. prefix = "/usr"
  70. localstatedir = "/var"
  71. logdir = "/var/log/radius"
  72. run_dir = "/var/run/radiusd"
  73. }
  74. main {
  75. name = "radiusd"
  76. prefix = "/usr"
  77. localstatedir = "/var"
  78. sbindir = "/usr/sbin"
  79. logdir = "/var/log/radius"
  80. run_dir = "/var/run/radiusd"
  81. libdir = "/usr/lib64/freeradius"
  82. radacctdir = "/var/log/radius/radacct"
  83. hostname_lookups = no
  84. max_request_time = 11
  85. cleanup_delay = 5
  86. max_requests = 512000
  87. pidfile = "/var/run/radiusd/radiusd.pid"
  88. checkrad = "/usr/sbin/checkrad"
  89. debug_level = 0
  90. proxy_requests = yes
  91. log {
  92. stripped_names = no
  93. auth = no
  94. auth_badpass = no
  95. auth_goodpass = no
  96. colourise = yes
  97. msg_denied = "You are already logged in - access denied"
  98. }
  99. resources {
  100. }
  101. security {
  102. max_attributes = 200
  103. reject_delay = 1.000000
  104. status_server = yes
  105. }
  106. }
  107. radiusd: #### Loading Realms and Home Servers ####
  108. proxy server {
  109. retry_delay = 5
  110. retry_count = 3
  111. default_fallback = no
  112. dead_time = 120
  113. wake_all_if_all_dead = no
  114. }
  115. home_server localhost {
  116. ipaddr = 127.0.0.1
  117. port = 1812
  118. type = "auth"
  119. secret = <<< secret >>>
  120. response_window = 20.000000
  121. response_timeouts = 1
  122. max_outstanding = 65536
  123. zombie_period = 40
  124. status_check = "status-server"
  125. ping_interval = 30
  126. check_interval = 30
  127. check_timeout = 4
  128. num_answers_to_alive = 3
  129. revive_interval = 120
  130. limit {
  131. max_connections = 16
  132. max_requests = 0
  133. lifetime = 0
  134. idle_timeout = 0
  135. }
  136. coa {
  137. irt = 2
  138. mrt = 16
  139. mrc = 5
  140. mrd = 30
  141. }
  142. }
  143. WARNING: Ignoring "response_window = 20.000000", forcing to "response_window = 11.000000"
  144. home_server_pool my_auth_failover {
  145. type = fail-over
  146. home_server = localhost
  147. }
  148. realm example.com {
  149. auth_pool = my_auth_failover
  150. }
  151. realm LOCAL {
  152. }
  153. radiusd: #### Loading Clients ####
  154. client localhost {
  155. ipaddr = 127.0.0.1
  156. require_message_authenticator = no
  157. secret = <<< secret >>>
  158. nas_type = "other"
  159. proto = "*"
  160. limit {
  161. max_connections = 16
  162. lifetime = 0
  163. idle_timeout = 30
  164. }
  165. }
  166. client localhost_ipv6 {
  167. ipv6addr = ::1
  168. require_message_authenticator = no
  169. secret = <<< secret >>>
  170. limit {
  171. max_connections = 16
  172. lifetime = 0
  173. idle_timeout = 30
  174. }
  175. }
  176. client TEST_ipv4 {
  177. ipaddr = 10.0.0.0/8
  178. require_message_authenticator = no
  179. secret = <<< secret >>>
  180. limit {
  181. max_connections = 16
  182. lifetime = 0
  183. idle_timeout = 30
  184. }
  185. }
  186. client TEST_ipv6 {
  187. ipv6addr = 2xxx:xxxx:x:xxxx::/64
  188. require_message_authenticator = no
  189. secret = <<< secret >>>
  190. limit {
  191. max_connections = 16
  192. lifetime = 0
  193. idle_timeout = 30
  194. }
  195. }
  196. Debugger not attached
  197. # Creating Auth-Type = mschap
  198. # Creating Auth-Type = digest
  199. # Creating Auth-Type = eap
  200. # Creating Auth-Type = PAP
  201. # Creating Auth-Type = CHAP
  202. # Creating Auth-Type = MS-CHAP
  203. # Creating Auth-Type = LDAP
  204. radiusd: #### Instantiating modules ####
  205. modules {
  206. # Loaded module rlm_always
  207. # Loading module "reject" from file /etc/raddb/mods-enabled/always
  208. always reject {
  209. rcode = "reject"
  210. simulcount = 0
  211. mpp = no
  212. }
  213. # Loading module "fail" from file /etc/raddb/mods-enabled/always
  214. always fail {
  215. rcode = "fail"
  216. simulcount = 0
  217. mpp = no
  218. }
  219. # Loading module "ok" from file /etc/raddb/mods-enabled/always
  220. always ok {
  221. rcode = "ok"
  222. simulcount = 0
  223. mpp = no
  224. }
  225. # Loading module "handled" from file /etc/raddb/mods-enabled/always
  226. always handled {
  227. rcode = "handled"
  228. simulcount = 0
  229. mpp = no
  230. }
  231. # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  232. always invalid {
  233. rcode = "invalid"
  234. simulcount = 0
  235. mpp = no
  236. }
  237. # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  238. always userlock {
  239. rcode = "userlock"
  240. simulcount = 0
  241. mpp = no
  242. }
  243. # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  244. always notfound {
  245. rcode = "notfound"
  246. simulcount = 0
  247. mpp = no
  248. }
  249. # Loading module "noop" from file /etc/raddb/mods-enabled/always
  250. always noop {
  251. rcode = "noop"
  252. simulcount = 0
  253. mpp = no
  254. }
  255. # Loading module "updated" from file /etc/raddb/mods-enabled/always
  256. always updated {
  257. rcode = "updated"
  258. simulcount = 0
  259. mpp = no
  260. }
  261. # Loaded module rlm_attr_filter
  262. # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  263. attr_filter attr_filter.post-proxy {
  264. filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  265. key = "%{Realm}"
  266. relaxed = no
  267. }
  268. # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  269. attr_filter attr_filter.pre-proxy {
  270. filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  271. key = "%{Realm}"
  272. relaxed = no
  273. }
  274. # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  275. attr_filter attr_filter.access_reject {
  276. filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  277. key = "%{User-Name}"
  278. relaxed = no
  279. }
  280. # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  281. attr_filter attr_filter.access_challenge {
  282. filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  283. key = "%{User-Name}"
  284. relaxed = no
  285. }
  286. # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  287. attr_filter attr_filter.accounting_response {
  288. filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  289. key = "%{User-Name}"
  290. relaxed = no
  291. }
  292. # Loaded module rlm_cache
  293. # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  294. cache cache_eap {
  295. driver = "rlm_cache_rbtree"
  296. key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  297. ttl = 15
  298. max_entries = 0
  299. epoch = 0
  300. add_stats = no
  301. }
  302. # Loaded module rlm_chap
  303. # Loading module "chap" from file /etc/raddb/mods-enabled/chap
  304. # Loaded module rlm_date
  305. # Loading module "date" from file /etc/raddb/mods-enabled/date
  306. date {
  307. format = "%b %e %Y %H:%M:%S %Z"
  308. }
  309. # Loaded module rlm_detail
  310. # Loading module "detail" from file /etc/raddb/mods-enabled/detail
  311. detail {
  312. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  313. header = "%t"
  314. permissions = 384
  315. locking = no
  316. escape_filenames = no
  317. log_packet_header = no
  318. }
  319. # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  320. detail auth_log {
  321. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  322. header = "%t"
  323. permissions = 384
  324. locking = no
  325. escape_filenames = no
  326. log_packet_header = no
  327. }
  328. # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  329. detail reply_log {
  330. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  331. header = "%t"
  332. permissions = 384
  333. locking = no
  334. escape_filenames = no
  335. log_packet_header = no
  336. }
  337. # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  338. detail pre_proxy_log {
  339. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  340. header = "%t"
  341. permissions = 384
  342. locking = no
  343. escape_filenames = no
  344. log_packet_header = no
  345. }
  346. # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  347. detail post_proxy_log {
  348. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  349. header = "%t"
  350. permissions = 384
  351. locking = no
  352. escape_filenames = no
  353. log_packet_header = no
  354. }
  355. # Loaded module rlm_dhcp
  356. # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
  357. # Loaded module rlm_digest
  358. # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  359. # Loaded module rlm_dynamic_clients
  360. # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  361. # Loaded module rlm_eap
  362. # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  363. eap {
  364. default_eap_type = "md5"
  365. timer_expire = 60
  366. ignore_unknown_eap_types = no
  367. cisco_accounting_username_bug = no
  368. max_sessions = 512000
  369. }
  370. # Loaded module rlm_exec
  371. # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  372. exec echo {
  373. wait = yes
  374. program = "/bin/echo %{User-Name}"
  375. input_pairs = "request"
  376. output_pairs = "reply"
  377. shell_escape = yes
  378. timeout = 3
  379. }
  380. # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  381. exec {
  382. wait = no
  383. input_pairs = "request"
  384. shell_escape = yes
  385. timeout = 10
  386. }
  387. # Loaded module rlm_expiration
  388. # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  389. # Loaded module rlm_expr
  390. # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  391. expr {
  392. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  393. }
  394. # Loaded module rlm_files
  395. # Loading module "files" from file /etc/raddb/mods-enabled/files
  396. files {
  397. filename = "/etc/raddb/mods-config/files/authorize"
  398. acctusersfile = "/etc/raddb/mods-config/files/accounting"
  399. preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  400. }
  401. # Loaded module rlm_linelog
  402. # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  403. linelog {
  404. filename = "syslog"
  405. escape_filenames = no
  406. syslog_severity = "info"
  407. permissions = 384
  408. format = "This is a log message for %{User-Name}"
  409. reference = "messages.%{%{reply:Packet-Type}:-default}"
  410. }
  411. # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  412. linelog log_accounting {
  413. filename = "syslog"
  414. escape_filenames = no
  415. syslog_severity = "info"
  416. permissions = 384
  417. format = ""
  418. reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  419. }
  420. # Loading module "linelog_auth" from file /etc/raddb/mods-enabled/linelog
  421. linelog linelog_auth {
  422. filename = "syslog"
  423. escape_filenames = no
  424. syslog_severity = "info"
  425. permissions = 384
  426. format = "%S, %{User-Name}, %{NAS-Identifier}(%{NAS-IPv6-Address}):%{NAS-Port-Id}, Packet-Type: %{Packet-Type}, Service-Type: %{Service-Type}"
  427. }
  428. # Loading module "linelog_auth_accept" from file /etc/raddb/mods-enabled/linelog
  429. linelog linelog_auth_accept {
  430. filename = "syslog"
  431. escape_filenames = no
  432. syslog_severity = "info"
  433. permissions = 384
  434. format = "%S, %{User-Name}, %{NAS-Identifier}(%{NAS-IPv6-Address}):%{NAS-Port-Id}, Packet-Type: %{Response-Packet-Type}, Auth-Type: %{control:Auth-Type}"
  435. }
  436. # Loading module "linelog_auth_reject" from file /etc/raddb/mods-enabled/linelog
  437. linelog linelog_auth_reject {
  438. filename = "syslog"
  439. escape_filenames = no
  440. syslog_severity = "info"
  441. permissions = 384
  442. format = "%S, %{User-Name}, %{NAS-Identifier}(%{NAS-IPv6-Address}):%{NAS-Port-Id}, Packet-Type: %{Response-Packet-Type}, Message: %{reply:Reply-Message}"
  443. }
  444. # Loaded module rlm_logintime
  445. # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  446. logintime {
  447. minimum_timeout = 60
  448. }
  449. # Loaded module rlm_mschap
  450. # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  451. mschap {
  452. use_mppe = yes
  453. require_encryption = no
  454. require_strong = no
  455. with_ntdomain_hack = yes
  456. passchange {
  457. }
  458. allow_retry = yes
  459. winbind_retry_with_normalised_username = no
  460. }
  461. # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  462. exec ntlm_auth {
  463. wait = yes
  464. program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  465. shell_escape = yes
  466. }
  467. # Loaded module rlm_pap
  468. # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  469. pap {
  470. normalise = yes
  471. }
  472. # Loaded module rlm_passwd
  473. # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  474. passwd etc_passwd {
  475. filename = "/etc/passwd"
  476. format = "*User-Name:Crypt-Password:"
  477. delimiter = ":"
  478. ignore_nislike = no
  479. ignore_empty = yes
  480. allow_multiple_keys = no
  481. hash_size = 100
  482. }
  483. # Loaded module rlm_preprocess
  484. # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  485. preprocess {
  486. huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
  487. hints = "/etc/raddb/mods-config/preprocess/hints"
  488. with_ascend_hack = no
  489. ascend_channels_per_line = 23
  490. with_ntdomain_hack = no
  491. with_specialix_jetstream_hack = no
  492. with_cisco_vsa_hack = no
  493. with_alvarion_vsa_hack = no
  494. }
  495. # Loaded module rlm_radutmp
  496. # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  497. radutmp {
  498. filename = "/var/log/radius/radutmp"
  499. username = "%{User-Name}"
  500. case_sensitive = yes
  501. check_with_nas = yes
  502. permissions = 384
  503. caller_id = yes
  504. }
  505. # Loaded module rlm_realm
  506. # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  507. realm IPASS {
  508. format = "prefix"
  509. delimiter = "/"
  510. ignore_default = no
  511. ignore_null = no
  512. }
  513. # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  514. realm suffix {
  515. format = "suffix"
  516. delimiter = "@"
  517. ignore_default = no
  518. ignore_null = no
  519. }
  520. # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  521. realm realmpercent {
  522. format = "suffix"
  523. delimiter = "%"
  524. ignore_default = no
  525. ignore_null = no
  526. }
  527. # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  528. realm ntdomain {
  529. format = "prefix"
  530. delimiter = "\\"
  531. ignore_default = no
  532. ignore_null = no
  533. }
  534. # Loaded module rlm_replicate
  535. # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  536. # Loaded module rlm_soh
  537. # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  538. soh {
  539. dhcp = yes
  540. }
  541. # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  542. radutmp sradutmp {
  543. filename = "/var/log/radius/sradutmp"
  544. username = "%{User-Name}"
  545. case_sensitive = yes
  546. check_with_nas = yes
  547. permissions = 420
  548. caller_id = no
  549. }
  550. # Loaded module rlm_unix
  551. # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  552. unix {
  553. radwtmp = "/var/log/radius/radwtmp"
  554. }
  555. Creating attribute Unix-Group
  556. # Loaded module rlm_unpack
  557. # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  558. # Loaded module rlm_utf8
  559. # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  560. # Loaded module rlm_ldap
  561. # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
  562. ldap {
  563. server = "ldap://localhost"
  564. identity = "cn=authuser,dc=datacom,dc=net"
  565. password = <<< secret >>>
  566. sasl {
  567. }
  568. user {
  569. scope = "sub"
  570. access_positive = yes
  571. sasl {
  572. }
  573. }
  574. group {
  575. filter = "(objectClass=posixGroup)"
  576. scope = "sub"
  577. name_attribute = "cn"
  578. membership_attribute = "memberUid"
  579. membership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"
  580. cacheable_name = no
  581. cacheable_dn = no
  582. }
  583. client {
  584. filter = "(objectClass=radiusClient)"
  585. scope = "sub"
  586. base_dn = "dc=datacom,dc=net"
  587. }
  588. profile {
  589. }
  590. options {
  591. ldap_debug = 40
  592. chase_referrals = yes
  593. rebind = yes
  594. net_timeout = 1
  595. res_timeout = 10
  596. srv_timelimit = 3
  597. idle = 60
  598. probes = 3
  599. interval = 3
  600. }
  601. tls {
  602. start_tls = no
  603. }
  604. }
  605. Creating attribute LDAP-Group
  606. instantiate {
  607. }
  608. # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  609. # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  610. # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  611. # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  612. # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  613. # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  614. # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  615. # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  616. # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  617. # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  618. reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  619. # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  620. reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  621. # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  622. reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
  623. [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
  624. [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
  625. # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  626. reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  627. # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  628. reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  629. # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  630. rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  631. # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  632. # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  633. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  634. # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  635. # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  636. # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  637. # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
  638. # Linked to sub-module rlm_eap_md5
  639. # Linked to sub-module rlm_eap_leap
  640. # Linked to sub-module rlm_eap_gtc
  641. gtc {
  642. challenge = "Password: "
  643. auth_type = "PAP"
  644. }
  645. # Linked to sub-module rlm_eap_tls
  646. tls {
  647. tls = "tls-common"
  648. }
  649. tls-config tls-common {
  650. verify_depth = 0
  651. ca_path = "/etc/raddb/certs"
  652. pem_file_type = yes
  653. private_key_file = "/etc/raddb/certs/server.pem"
  654. certificate_file = "/etc/raddb/certs/server.pem"
  655. ca_file = "/etc/raddb/certs/ca.pem"
  656. private_key_password = <<< secret >>>
  657. dh_file = "/etc/raddb/certs/dh"
  658. fragment_size = 1024
  659. include_length = yes
  660. auto_chain = yes
  661. check_crl = no
  662. check_all_crl = no
  663. cipher_list = "DEFAULT"
  664. cipher_server_preference = no
  665. ecdh_curve = "prime256v1"
  666. cache {
  667. enable = no
  668. lifetime = 24
  669. max_entries = 255
  670. }
  671. verify {
  672. skip_if_ocsp_ok = no
  673. }
  674. ocsp {
  675. enable = no
  676. override_cert_url = yes
  677. url = "http://127.0.0.1/ocsp/"
  678. use_nonce = yes
  679. timeout = 0
  680. softfail = no
  681. }
  682. }
  683. # Linked to sub-module rlm_eap_ttls
  684. ttls {
  685. tls = "tls-common"
  686. default_eap_type = "md5"
  687. copy_request_to_tunnel = no
  688. use_tunneled_reply = no
  689. virtual_server = "inner-tunnel"
  690. include_length = yes
  691. require_client_cert = no
  692. }
  693. tls: Using cached TLS configuration from previous invocation
  694. # Linked to sub-module rlm_eap_peap
  695. peap {
  696. tls = "tls-common"
  697. default_eap_type = "mschapv2"
  698. copy_request_to_tunnel = no
  699. use_tunneled_reply = no
  700. proxy_tunneled_request_as_eap = yes
  701. virtual_server = "inner-tunnel"
  702. soh = no
  703. require_client_cert = no
  704. }
  705. tls: Using cached TLS configuration from previous invocation
  706. # Linked to sub-module rlm_eap_mschapv2
  707. mschapv2 {
  708. with_ntdomain_hack = no
  709. send_error = no
  710. }
  711. # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  712. # Instantiating module "files" from file /etc/raddb/mods-enabled/files
  713. reading pairlist file /etc/raddb/mods-config/files/authorize
  714. reading pairlist file /etc/raddb/mods-config/files/accounting
  715. reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  716. # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  717. # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  718. # Instantiating module "linelog_auth" from file /etc/raddb/mods-enabled/linelog
  719. # Instantiating module "linelog_auth_accept" from file /etc/raddb/mods-enabled/linelog
  720. # Instantiating module "linelog_auth_reject" from file /etc/raddb/mods-enabled/linelog
  721. # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  722. # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
  723. rlm_mschap (mschap): using internal authentication
  724. # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  725. # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  726. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  727. # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  728. reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
  729. reading pairlist file /etc/raddb/mods-config/preprocess/hints
  730. # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  731. # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  732. # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  733. # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  734. # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  735. rlm_ldap: libldap vendor: OpenLDAP, version: 20444
  736. accounting {
  737. reference = "%{tolower:type.%{Acct-Status-Type}}"
  738. }
  739. post-auth {
  740. reference = "."
  741. }
  742. rlm_ldap (ldap): Initialising connection pool
  743. pool {
  744. start = 5
  745. min = 3
  746. max = 32
  747. spare = 10
  748. uses = 0
  749. lifetime = 0
  750. cleanup_interval = 30
  751. idle_timeout = 60
  752. retry_delay = 30
  753. spread = no
  754. }
  755. rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
  756. rlm_ldap (ldap): Connecting to ldap://localhost:389
  757. rlm_ldap (ldap): Waiting for bind result...
  758. rlm_ldap (ldap): Bind successful
  759. rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
  760. rlm_ldap (ldap): Connecting to ldap://localhost:389
  761. rlm_ldap (ldap): Waiting for bind result...
  762. rlm_ldap (ldap): Bind successful
  763. rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
  764. rlm_ldap (ldap): Connecting to ldap://localhost:389
  765. rlm_ldap (ldap): Waiting for bind result...
  766. rlm_ldap (ldap): Bind successful
  767. rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
  768. rlm_ldap (ldap): Connecting to ldap://localhost:389
  769. rlm_ldap (ldap): Waiting for bind result...
  770. rlm_ldap (ldap): Bind successful
  771. rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
  772. rlm_ldap (ldap): Connecting to ldap://localhost:389
  773. rlm_ldap (ldap): Waiting for bind result...
  774. rlm_ldap (ldap): Bind successful
  775. } # modules
  776. radiusd: #### Loading Virtual Servers ####
  777. server { # from file /etc/raddb/radiusd.conf
  778. } # server
  779. server default { # from file /etc/raddb/sites-enabled/default
  780. # Loading authenticate {...}
  781. # Loading authorize {...}
  782. Ignoring "sql" (see raddb/mods-available/README.rst)
  783. # Loading preacct {...}
  784. # Loading accounting {...}
  785. # Loading post-proxy {...}
  786. # Loading post-auth {...}
  787. } # server default
  788. server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  789. # Loading authenticate {...}
  790. # Loading authorize {...}
  791. # Loading session {...}
  792. # Loading post-proxy {...}
  793. # Loading post-auth {...}
  794. # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330
  795. } # server inner-tunnel
  796. radiusd: #### Opening IP addresses and Ports ####
  797. listen {
  798. type = "auth"
  799. ipaddr = 10.x.x.x
  800. port = 0
  801. limit {
  802. max_connections = 16
  803. lifetime = 0
  804. idle_timeout = 30
  805. }
  806. }
  807. listen {
  808. type = "acct"
  809. ipaddr = 10.x.x.x
  810. port = 0
  811. limit {
  812. max_connections = 16
  813. lifetime = 0
  814. idle_timeout = 30
  815. }
  816. }
  817. listen {
  818. type = "auth"
  819. ipv6addr = xxxx:xxxx:xxx:xx::211
  820. port = 0
  821. limit {
  822. max_connections = 16
  823. lifetime = 0
  824. idle_timeout = 30
  825. }
  826. }
  827. listen {
  828. type = "acct"
  829. ipv6addr = xxxx:xxxx:xxx:xx::211
  830. port = 0
  831. limit {
  832. max_connections = 16
  833. lifetime = 0
  834. idle_timeout = 30
  835. }
  836. }
  837. listen {
  838. type = "auth"
  839. ipaddr = 127.0.0.1
  840. port = 18120
  841. }
  842. Listening on auth address 10.x.x.x port 1812 bound to server default
  843. Listening on acct address 10.x.x.x port 1813 bound to server default
  844. Listening on auth address xxxx:xxxx:xxx:xx::211 port 1812 bound to server default
  845. Listening on acct address xxxx:xxxx:xxx:xx::211 port 1813 bound to server default
  846. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  847. Listening on proxy address * port 52434
  848. Listening on proxy address :: port 46478
  849. Ready to process requests
  850. (2) Received Access-Request Id 16 from [2xxx:xxxx:x:xxxx::xxxx]:1645 to [xxxx:xxxx:xxx:xx::211]:1812 length 113
  851. (2) User-Name = "dvmacias"
  852. (2) User-Password = "dvmacias"
  853. (2) Cisco-NAS-Port = "tty2"
  854. (2) NAS-Port = 2
  855. (2) NAS-Port-Id = "tty2"
  856. (2) NAS-Port-Type = Virtual
  857. (2) NAS-IPv6-Address = 2xxx:xxxx:x:xxxx::xxxx
  858. (2) NAS-Identifier = "H-TXA-1LAB-AP-1"
  859. (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
  860. (2) authorize {
  861. (2) linelog_auth: EXPAND %S, %{User-Name}, %{NAS-Identifier}(%{NAS-IPv6-Address}):%{NAS-Port-Id}, Packet-Type: %{Packet-Type}, Service-Type: %{Service-Type}
  862. (2) linelog_auth: --> 2018-05-02 13:59:18.936791, dvmacias, H-TXA-1LAB-AP-1(2xxx:xxxx:x:xxxx::xxxx):tty2, Packet-Type: Access-Request, Service-Type:
  863. (2) [linelog_auth] = ok
  864. (2) policy filter_username {
  865. (2) if (&User-Name) {
  866. (2) if (&User-Name) -> TRUE
  867. (2) if (&User-Name) {
  868. (2) if (&User-Name =~ / /) {
  869. (2) if (&User-Name =~ / /) -> FALSE
  870. (2) if (&User-Name =~ /@[^@]*@/ ) {
  871. (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  872. (2) if (&User-Name =~ /\.\./ ) {
  873. (2) if (&User-Name =~ /\.\./ ) -> FALSE
  874. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  875. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  876. (2) if (&User-Name =~ /\.$/) {
  877. (2) if (&User-Name =~ /\.$/) -> FALSE
  878. (2) if (&User-Name =~ /@\./) {
  879. (2) if (&User-Name =~ /@\./) -> FALSE
  880. (2) } # if (&User-Name) = ok
  881. (2) } # policy filter_username = ok
  882. (2) [preprocess] = ok
  883. (2) [chap] = noop
  884. (2) [mschap] = noop
  885. (2) [digest] = noop
  886. (2) suffix: Checking for suffix after "@"
  887. (2) suffix: No '@' in User-Name = "dvmacias", looking up realm NULL
  888. (2) suffix: No such realm "NULL"
  889. (2) [suffix] = noop
  890. (2) eap: No EAP-Message, not doing EAP
  891. (2) [eap] = noop
  892. (2) [unix] = notfound
  893. (2) files: Searching for user in group "switch-operator"
  894. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
  895. rlm_ldap (ldap): Last connection attempt failed, waiting 30 seconds before retrying
  896. (2) files: Searching for user in group "switch-manager"
  897. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
  898. rlm_ldap (ldap): Last connection attempt failed, waiting 30 seconds before retrying
  899. (2) files: users: Matched entry DEFAULT at line 270
  900. (2) [files] = ok
  901. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
  902. rlm_ldap (ldap): Last connection attempt failed, waiting 30 seconds before retrying
  903. (2) [ldap] = fail
  904. (2) if (fail) {
  905. (2) if (fail) -> TRUE
  906. (2) if (fail) {
  907. (2) policy do_not_respond {
  908. (2) update control {
  909. (2) &Response-Packet-Type := Do-Not-Respond
  910. (2) } # update control = noop
  911. (2) [handled] = handled
  912. (2) } # policy do_not_respond = handled
  913. (2) } # if (fail) = handled
  914. (2) } # authorize = handled
  915. (2) Not responding to request
  916. (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
  917. (2) post-auth {
  918. (2) update {
  919. (2) No attributes updated
  920. (2) } # update = noop
  921. (2) [exec] = noop
  922. (2) policy remove_reply_message_if_eap {
  923. (2) if (&reply:EAP-Message && &reply:Reply-Message) {
  924. (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  925. (2) else {
  926. (2) [noop] = noop
  927. (2) } # else = noop
  928. (2) } # policy remove_reply_message_if_eap = noop
  929. (2) if ((&Huntgroup-Name == 'router') && (LDAP-Group == 'router-manager')) {
  930. (2) if ((&Huntgroup-Name == 'router') && (LDAP-Group == 'router-manager')) -> FALSE
  931. (2) elsif ((&Huntgroup-Name == 'router-n7k') && (LDAP-Group == 'router-manager')) {
  932. (2) elsif ((&Huntgroup-Name == 'router-n7k') && (LDAP-Group == 'router-manager')) -> FALSE
  933. (2) elsif ((&Huntgroup-Name == 'switch') && (LDAP-Group == 'switch-manager')) {
  934. (2) Searching for user in group "switch-manager"
  935. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
  936. rlm_ldap (ldap): Last connection attempt failed, waiting 30 seconds before retrying
  937. (2) elsif ((&Huntgroup-Name == 'switch') && (LDAP-Group == 'switch-manager')) -> FALSE
  938. (2) elsif ((NAS-IPv6-Address =~ /^[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]{0,2}(?i)ff:(?i)fe[[:xdigit:]]{0,2}:[[:xdigit:]]{0,4}/) && (LDAP-Group == 'switch-manager')) {
  939. (2) Searching for user in group "switch-manager"
  940. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
  941. rlm_ldap (ldap): Last connection attempt failed, waiting 30 seconds before retrying
  942. (2) elsif ((NAS-IPv6-Address =~ /^[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]{0,2}(?i)ff:(?i)fe[[:xdigit:]]{0,2}:[[:xdigit:]]{0,4}/) && (LDAP-Group == 'switch-manager')) -> FALSE
  943. (2) elsif ((&Huntgroup-Name == 'dsb') && (LDAP-Group == 'config')) {
  944. (2) elsif ((&Huntgroup-Name == 'dsb') && (LDAP-Group == 'config')) -> FALSE
  945. (2) else {
  946. (2) update reply {
  947. (2) Reply-Message = "User does not have access rights"
  948. (2) } # update reply = noop
  949. (2) [reject] = reject
  950. (2) } # else = reject
  951. (2) } # post-auth = reject
  952. (2) Using Post-Auth-Type Reject
  953. (2) # Executing group from file /etc/raddb/sites-enabled/default
  954. (2) Post-Auth-Type REJECT {
  955. (2) update reply {
  956. (2) Reply-Message = "Bad Password or Password Expired"
  957. (2) } # update reply = noop
  958. (2) linelog_auth_reject: EXPAND %S, %{User-Name}, %{NAS-Identifier}(%{NAS-IPv6-Address}):%{NAS-Port-Id}, Packet-Type: %{Response-Packet-Type}, Message: %{reply:Reply-Message}
  959. (2) linelog_auth_reject: --> 2018-05-02 13:59:18.936791, dvmacias, H-TXA-1LAB-AP-1(2xxx:xxxx:x:xxxx::xxxx):tty2, Packet-Type: Access-Reject, Message: User does not have access rights
  960. (2) [linelog_auth_reject] = ok
  961. (2) attr_filter.access_reject: EXPAND %{User-Name}
  962. (2) attr_filter.access_reject: --> dvmacias
  963. (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
  964. (2) [attr_filter.access_reject] = updated
  965. (2) [eap] = noop
  966. (2) policy remove_reply_message_if_eap {
  967. (2) if (&reply:EAP-Message && &reply:Reply-Message) {
  968. (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  969. (2) else {
  970. (2) [noop] = noop
  971. (2) } # else = noop
  972. (2) } # policy remove_reply_message_if_eap = noop
  973. (2) } # Post-Auth-Type REJECT = updated
  974. (2) Delaying response for 1.000000 seconds
  975. Waking up in 0.3 seconds.
  976. Waking up in 0.6 seconds.
  977. (2) Sending delayed response
  978. (2) Sent Access-Reject Id 16 from [xxxx:xxxx:xxx:xx::211]:1812 to [2xxx:xxxx:x:xxxx::xxxx]:1645 length 54
  979. (2) Reply-Message = "User does not have access rights"
  980. Waking up in 3.9 seconds.
  981. (2) Cleaning up request packet ID 16 with timestamp +395
  982. Ready to process requests