freeradius debug output

a guest
Apr 27th, 2021
  1. test@ubuntu:~$ sudo freeradius -X
  2. [sudo] password for test:
  3. FreeRADIUS Version 3.0.16
  4. Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
  5. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  6. PARTICULAR PURPOSE
  7. You may redistribute copies of FreeRADIUS under the terms of the
  8. GNU General Public License
  9. For more information about these matters, see the file named COPYRIGHT
  10. Starting - reading configuration files ...
  11. including dictionary file /usr/share/freeradius/dictionary
  12. including dictionary file /usr/share/freeradius/dictionary.dhcp
  13. including dictionary file /usr/share/freeradius/dictionary.vqp
  14. including dictionary file /etc/freeradius/3.0/dictionary
  15. including configuration file /etc/freeradius/3.0/radiusd.conf
  16. including configuration file /etc/freeradius/3.0/proxy.conf
  17. including configuration file /etc/freeradius/3.0/clients.conf
  18. including files in directory /etc/freeradius/3.0/mods-enabled/
  19. including configuration file /etc/freeradius/3.0/mods-enabled/echo
  20. including configuration file /etc/freeradius/3.0/mods-enabled/passwd
  21. including configuration file /etc/freeradius/3.0/mods-enabled/chap
  22. including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
  23. including configuration file /etc/freeradius/3.0/mods-enabled/digest
  24. including configuration file /etc/freeradius/3.0/mods-enabled/utf8
  25. including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
  26. including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
  27. including configuration file /etc/freeradius/3.0/mods-enabled/mschap
  28. including configuration file /etc/freeradius/3.0/mods-enabled/always
  29. including configuration file /etc/freeradius/3.0/mods-enabled/detail
  30. including configuration file /etc/freeradius/3.0/mods-enabled/expr
  31. including configuration file /etc/freeradius/3.0/mods-enabled/pap
  32. including configuration file /etc/freeradius/3.0/mods-enabled/soh
  33. including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
  34. including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
  35. including configuration file /etc/freeradius/3.0/mods-enabled/sql
  36. including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
  37. including configuration file /etc/freeradius/3.0/mods-enabled/realm
  38. including configuration file /etc/freeradius/3.0/mods-enabled/logintime
  39. including configuration file /etc/freeradius/3.0/mods-enabled/unix
  40. including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
  41. including configuration file /etc/freeradius/3.0/mods-enabled/linelog
  42. including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  43. including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  44. including configuration file /etc/freeradius/3.0/mods-enabled/eap
  45. including configuration file /etc/freeradius/3.0/mods-enabled/replicate
  46. including configuration file /etc/freeradius/3.0/mods-enabled/expiration
  47. including configuration file /etc/freeradius/3.0/mods-enabled/unpack
  48. including configuration file /etc/freeradius/3.0/mods-enabled/exec
  49. including configuration file /etc/freeradius/3.0/mods-enabled/files
  50. including files in directory /etc/freeradius/3.0/policy.d/
  51. including configuration file /etc/freeradius/3.0/policy.d/cui
  52. including configuration file /etc/freeradius/3.0/policy.d/filter
  53. including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
  54. including configuration file /etc/freeradius/3.0/policy.d/operator-name
  55. including configuration file /etc/freeradius/3.0/policy.d/control
  56. including configuration file /etc/freeradius/3.0/policy.d/debug
  57. including configuration file /etc/freeradius/3.0/policy.d/accounting
  58. including configuration file /etc/freeradius/3.0/policy.d/canonicalization
  59. including configuration file /etc/freeradius/3.0/policy.d/eap
  60. including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
  61. including configuration file /etc/freeradius/3.0/policy.d/dhcp
  62. including files in directory /etc/freeradius/3.0/sites-enabled/
  63. including configuration file /etc/freeradius/3.0/sites-enabled/default
  64. including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  65. main {
  66. security {
  67. user = "freerad"
  68. group = "freerad"
  69. allow_core_dumps = no
  70. }
  71. name = "freeradius"
  72. prefix = "/usr"
  73. localstatedir = "/var"
  74. logdir = "/var/log/freeradius"
  75. run_dir = "/var/run/freeradius"
  76. }
  77. main {
  78. name = "freeradius"
  79. prefix = "/usr"
  80. localstatedir = "/var"
  81. sbindir = "/usr/sbin"
  82. logdir = "/var/log/freeradius"
  83. run_dir = "/var/run/freeradius"
  84. libdir = "/usr/lib/freeradius"
  85. radacctdir = "/var/log/freeradius/radacct"
  86. hostname_lookups = no
  87. max_request_time = 30
  88. cleanup_delay = 5
  89. max_requests = 16384
  90. pidfile = "/var/run/freeradius/freeradius.pid"
  91. checkrad = "/usr/sbin/checkrad"
  92. debug_level = 0
  93. proxy_requests = yes
  94. log {
  95. stripped_names = no
  96. auth = no
  97. auth_badpass = no
  98. auth_goodpass = no
  99. colourise = yes
  100. msg_denied = "You are already logged in - access denied"
  101. }
  102. resources {
  103. }
  104. security {
  105. max_attributes = 200
  106. reject_delay = 1.000000
  107. status_server = yes
  108. }
  109. }
  110. radiusd: #### Loading Realms and Home Servers ####
  111. proxy server {
  112. retry_delay = 5
  113. retry_count = 3
  114. default_fallback = no
  115. dead_time = 120
  116. wake_all_if_all_dead = no
  117. }
  118. home_server localhost {
  119. ipaddr = 127.0.0.1
  120. port = 1812
  121. type = "auth"
  122. secret = <<< secret >>>
  123. response_window = 20.000000
  124. response_timeouts = 1
  125. max_outstanding = 65536
  126. zombie_period = 40
  127. status_check = "status-server"
  128. ping_interval = 30
  129. check_interval = 30
  130. check_timeout = 4
  131. num_answers_to_alive = 3
  132. revive_interval = 120
  133. limit {
  134. max_connections = 16
  135. max_requests = 0
  136. lifetime = 0
  137. idle_timeout = 0
  138. }
  139. coa {
  140. irt = 2
  141. mrt = 16
  142. mrc = 5
  143. mrd = 30
  144. }
  145. }
  146. home_server_pool my_auth_failover {
  147. type = fail-over
  148. home_server = localhost
  149. }
  150. realm example.com {
  151. auth_pool = my_auth_failover
  152. }
  153. realm LOCAL {
  154. }
  155. radiusd: #### Loading Clients ####
  156. client localhost {
  157. ipaddr = 127.0.0.1
  158. require_message_authenticator = no
  159. secret = <<< secret >>>
  160. nas_type = "other"
  161. proto = "*"
  162. limit {
  163. max_connections = 16
  164. lifetime = 0
  165. idle_timeout = 30
  166. }
  167. }
  168. client localhost_ipv6 {
  169. ipv6addr = ::1
  170. require_message_authenticator = no
  171. secret = <<< secret >>>
  172. limit {
  173. max_connections = 16
  174. lifetime = 0
  175. idle_timeout = 30
  176. }
  177. }
  178. client new {
  179. ipaddr = 192.0.2.4
  180. require_message_authenticator = no
  181. secret = <<< secret >>>
  182. limit {
  183. max_connections = 16
  184. lifetime = 0
  185. idle_timeout = 30
  186. }
  187. }
  188. Debugger not attached
  189. # Creating Auth-Type = mschap
  190. # Creating Auth-Type = digest
  191. # Creating Auth-Type = eap
  192. # Creating Auth-Type = PAP
  193. # Creating Auth-Type = CHAP
  194. # Creating Auth-Type = MS-CHAP
  195. radiusd: #### Instantiating modules ####
  196. modules {
  197. # Loaded module rlm_exec
  198. # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  199. exec echo {
  200. wait = yes
  201. program = "/bin/echo %{User-Name}"
  202. input_pairs = "request"
  203. output_pairs = "reply"
  204. shell_escape = yes
  205. }
  206. # Loaded module rlm_passwd
  207. # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  208. passwd etc_passwd {
  209. filename = "/etc/passwd"
  210. format = "*User-Name:Crypt-Password:"
  211. delimiter = ":"
  212. ignore_nislike = no
  213. ignore_empty = yes
  214. allow_multiple_keys = no
  215. hash_size = 100
  216. }
  217. # Loaded module rlm_chap
  218. # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  219. # Loaded module rlm_preprocess
  220. # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  221. preprocess {
  222. huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  223. hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  224. with_ascend_hack = no
  225. ascend_channels_per_line = 23
  226. with_ntdomain_hack = no
  227. with_specialix_jetstream_hack = no
  228. with_cisco_vsa_hack = no
  229. with_alvarion_vsa_hack = no
  230. }
  231. # Loaded module rlm_digest
  232. # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  233. # Loaded module rlm_utf8
  234. # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  235. # Loaded module rlm_detail
  236. # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  237. detail auth_log {
  238. filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  239. header = "%t"
  240. permissions = 384
  241. locking = no
  242. escape_filenames = no
  243. log_packet_header = no
  244. }
  245. # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  246. detail reply_log {
  247. filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  248. header = "%t"
  249. permissions = 384
  250. locking = no
  251. escape_filenames = no
  252. log_packet_header = no
  253. }
  254. # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  255. detail pre_proxy_log {
  256. filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  257. header = "%t"
  258. permissions = 384
  259. locking = no
  260. escape_filenames = no
  261. log_packet_header = no
  262. }
  263. # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  264. detail post_proxy_log {
  265. filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  266. header = "%t"
  267. permissions = 384
  268. locking = no
  269. escape_filenames = no
  270. log_packet_header = no
  271. }
  272. # Loaded module rlm_cache
  273. # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  274. cache cache_eap {
  275. driver = "rlm_cache_rbtree"
  276. key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  277. ttl = 15
  278. max_entries = 0
  279. epoch = 0
  280. add_stats = no
  281. }
  282. # Loaded module rlm_mschap
  283. # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  284. mschap {
  285. use_mppe = yes
  286. require_encryption = no
  287. require_strong = no
  288. with_ntdomain_hack = yes
  289. passchange {
  290. }
  291. allow_retry = yes
  292. winbind_retry_with_normalised_username = no
  293. }
  294. # Loaded module rlm_always
  295. # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  296. always reject {
  297. rcode = "reject"
  298. simulcount = 0
  299. mpp = no
  300. }
  301. # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  302. always fail {
  303. rcode = "fail"
  304. simulcount = 0
  305. mpp = no
  306. }
  307. # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  308. always ok {
  309. rcode = "ok"
  310. simulcount = 0
  311. mpp = no
  312. }
  313. # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  314. always handled {
  315. rcode = "handled"
  316. simulcount = 0
  317. mpp = no
  318. }
  319. # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  320. always invalid {
  321. rcode = "invalid"
  322. simulcount = 0
  323. mpp = no
  324. }
  325. # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  326. always userlock {
  327. rcode = "userlock"
  328. simulcount = 0
  329. mpp = no
  330. }
  331. # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  332. always notfound {
  333. rcode = "notfound"
  334. simulcount = 0
  335. mpp = no
  336. }
  337. # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  338. always noop {
  339. rcode = "noop"
  340. simulcount = 0
  341. mpp = no
  342. }
  343. # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  344. always updated {
  345. rcode = "updated"
  346. simulcount = 0
  347. mpp = no
  348. }
  349. # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  350. detail {
  351. filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  352. header = "%t"
  353. permissions = 384
  354. locking = no
  355. escape_filenames = no
  356. log_packet_header = no
  357. }
  358. # Loaded module rlm_expr
  359. # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  360. expr {
  361. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  362. }
  363. # Loaded module rlm_pap
  364. # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  365. pap {
  366. normalise = yes
  367. }
  368. # Loaded module rlm_soh
  369. # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  370. soh {
  371. dhcp = yes
  372. }
  373. # Loaded module rlm_attr_filter
  374. # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  375. attr_filter attr_filter.post-proxy {
  376. filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  377. key = "%{Realm}"
  378. relaxed = no
  379. }
  380. # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  381. attr_filter attr_filter.pre-proxy {
  382. filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  383. key = "%{Realm}"
  384. relaxed = no
  385. }
  386. # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  387. attr_filter attr_filter.access_reject {
  388. filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  389. key = "%{User-Name}"
  390. relaxed = no
  391. }
  392. # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  393. attr_filter attr_filter.access_challenge {
  394. filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  395. key = "%{User-Name}"
  396. relaxed = no
  397. }
  398. # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  399. attr_filter attr_filter.accounting_response {
  400. filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  401. key = "%{User-Name}"
  402. relaxed = no
  403. }
  404. # Loaded module rlm_radutmp
  405. # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  406. radutmp sradutmp {
  407. filename = "/var/log/freeradius/sradutmp"
  408. username = "%{User-Name}"
  409. case_sensitive = yes
  410. check_with_nas = yes
  411. permissions = 420
  412. caller_id = no
  413. }
  414. # Loaded module rlm_sql
  415. # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  416. sql {
  417. driver = "rlm_sql_null"
  418. server = "localhost"
  419. port = 3306
  420. login = "radius"
  421. password = <<< secret >>>
  422. radius_db = "radius"
  423. read_groups = yes
  424. read_profiles = yes
  425. read_clients = yes
  426. delete_stale_sessions = yes
  427. sql_user_name = "%{User-Name}"
  428. default_user_profile = ""
  429. client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  430. authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  431. authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  432. authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
  433. authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
  434. group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  435. simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  436. simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  437. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  438. accounting {
  439. reference = "%{tolower:type.%{Acct-Status-Type}.query}"
  440. type {
  441. accounting-on {
  442. query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
  443. }
  444. accounting-off {
  445. query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
  446. }
  447. start {
  448. query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
  449. }
  450. interim-update {
  451. query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  452. }
  453. stop {
  454. query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  455. }
  456. }
  457. }
  458. post-auth {
  459. reference = ".query"
  460. query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
  461. }
  462. }
  463. rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
  464. Creating attribute SQL-Group
  465. # Loaded module rlm_realm
  466. # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  467. realm IPASS {
  468. format = "prefix"
  469. delimiter = "/"
  470. ignore_default = no
  471. ignore_null = no
  472. }
  473. # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  474. realm suffix {
  475. format = "suffix"
  476. delimiter = "@"
  477. ignore_default = no
  478. ignore_null = no
  479. }
  480. # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  481. realm realmpercent {
  482. format = "suffix"
  483. delimiter = "%"
  484. ignore_default = no
  485. ignore_null = no
  486. }
  487. # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  488. realm ntdomain {
  489. format = "prefix"
  490. delimiter = "\\"
  491. ignore_default = no
  492. ignore_null = no
  493. }
  494. # Loaded module rlm_logintime
  495. # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  496. logintime {
  497. minimum_timeout = 60
  498. }
  499. # Loaded module rlm_unix
  500. # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  501. unix {
  502. radwtmp = "/var/log/freeradius/radwtmp"
  503. }
  504. Creating attribute Unix-Group
  505. # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  506. radutmp {
  507. filename = "/var/log/freeradius/radutmp"
  508. username = "%{User-Name}"
  509. case_sensitive = yes
  510. check_with_nas = yes
  511. permissions = 384
  512. caller_id = yes
  513. }
  514. # Loaded module rlm_linelog
  515. # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  516. linelog {
  517. filename = "/var/log/freeradius/linelog"
  518. escape_filenames = no
  519. syslog_severity = "info"
  520. permissions = 384
  521. format = "This is a log message for %{User-Name}"
  522. reference = "messages.%{%{reply:Packet-Type}:-default}"
  523. }
  524. # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  525. linelog log_accounting {
  526. filename = "/var/log/freeradius/linelog-accounting"
  527. escape_filenames = no
  528. syslog_severity = "info"
  529. permissions = 384
  530. format = ""
  531. reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  532. }
  533. # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  534. exec ntlm_auth {
  535. wait = yes
  536. program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  537. shell_escape = yes
  538. }
  539. # Loaded module rlm_dynamic_clients
  540. # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  541. # Loaded module rlm_eap
  542. # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  543. eap {
  544. default_eap_type = "md5"
  545. timer_expire = 60
  546. ignore_unknown_eap_types = no
  547. cisco_accounting_username_bug = no
  548. max_sessions = 16384
  549. }
  550. # Loaded module rlm_replicate
  551. # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  552. # Loaded module rlm_expiration
  553. # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  554. # Loaded module rlm_unpack
  555. # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  556. # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  557. exec {
  558. wait = no
  559. input_pairs = "request"
  560. shell_escape = yes
  561. timeout = 10
  562. }
  563. # Loaded module rlm_files
  564. # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  565. files {
  566. filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  567. acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  568. preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  569. }
  570. instantiate {
  571. }
  572. # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  573. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  574. # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  575. reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
  576. reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  577. # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  578. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  579. # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  580. # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  581. # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  582. # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  583. rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  584. # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  585. rlm_mschap (mschap): using internal authentication
  586. # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  587. # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  588. # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  589. # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  590. # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  591. # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  592. # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  593. # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  594. # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  595. # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  596. # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  597. # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  598. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  599. # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  600. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  601. # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  602. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
  603. [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
  604. [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
  605. # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  606. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  607. # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  608. reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  609. # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  610. rlm_sql (sql): Attempting to connect to database "radius"
  611. rlm_sql (sql): Initialising connection pool
  612. pool {
  613. start = 5
  614. min = 3
  615. max = 32
  616. spare = 10
  617. uses = 0
  618. lifetime = 0
  619. cleanup_interval = 30
  620. idle_timeout = 60
  621. retry_delay = 30
  622. spread = no
  623. }
  624. rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
  625. rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
  626. rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
  627. rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
  628. rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
  629. rlm_sql (sql): Processing generate_sql_clients
  630. rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
  631. rlm_sql (sql): Reserved connection (0)
  632. rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
  633. rlm_sql (sql): Released connection (0)
  634. Need 5 more connections to reach 10 spares
  635. rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
  636. # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  637. # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  638. # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  639. # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  640. # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  641. # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  642. # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  643. # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  644. # Linked to sub-module rlm_eap_md5
  645. # Linked to sub-module rlm_eap_leap
  646. # Linked to sub-module rlm_eap_gtc
  647. gtc {
  648. challenge = "Password: "
  649. auth_type = "PAP"
  650. }
  651. # Linked to sub-module rlm_eap_tls
  652. tls {
  653. tls = "tls-common"
  654. }
  655. tls-config tls-common {
  656. verify_depth = 0
  657. ca_path = "/etc/freeradius/3.0/certs"
  658. pem_file_type = yes
  659. private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
  660. certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
  661. ca_file = "/etc/ssl/certs/ca-certificates.crt"
  662. private_key_password = <<< secret >>>
  663. dh_file = "/etc/freeradius/3.0/certs/dh"
  664. fragment_size = 1024
  665. include_length = yes
  666. auto_chain = yes
  667. check_crl = no
  668. check_all_crl = no
  669. cipher_list = "DEFAULT"
  670. cipher_server_preference = no
  671. ecdh_curve = "prime256v1"
  672. tls_max_version = ""
  673. tls_min_version = "1.0"
  674. cache {
  675. enable = no
  676. lifetime = 24
  677. max_entries = 255
  678. }
  679. verify {
  680. skip_if_ocsp_ok = no
  681. }
  682. ocsp {
  683. enable = no
  684. override_cert_url = yes
  685. url = "http://127.0.0.1/ocsp/"
  686. use_nonce = yes
  687. timeout = 0
  688. softfail = no
  689. }
  690. }
  691. # Linked to sub-module rlm_eap_ttls
  692. ttls {
  693. tls = "tls-common"
  694. default_eap_type = "md5"
  695. copy_request_to_tunnel = no
  696. use_tunneled_reply = no
  697. virtual_server = "inner-tunnel"
  698. include_length = yes
  699. require_client_cert = no
  700. }
  701. tls: Using cached TLS configuration from previous invocation
  702. # Linked to sub-module rlm_eap_peap
  703. peap {
  704. tls = "tls-common"
  705. default_eap_type = "mschapv2"
  706. copy_request_to_tunnel = no
  707. use_tunneled_reply = no
  708. proxy_tunneled_request_as_eap = yes
  709. virtual_server = "inner-tunnel"
  710. soh = no
  711. require_client_cert = no
  712. }
  713. tls: Using cached TLS configuration from previous invocation
  714. # Linked to sub-module rlm_eap_mschapv2
  715. mschapv2 {
  716. with_ntdomain_hack = no
  717. send_error = no
  718. }
  719. # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  720. # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
  721. reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
  722. reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
  723. reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  724. } # modules
  725. radiusd: #### Loading Virtual Servers ####
  726. server { # from file /etc/freeradius/3.0/radiusd.conf
  727. } # server
  728. server default { # from file /etc/freeradius/3.0/sites-enabled/default
  729. # Loading authenticate {...}
  730. # Loading authorize {...}
  731. Ignoring "ldap" (see raddb/mods-available/README.rst)
  732. # Loading preacct {...}
  733. # Loading accounting {...}
  734. # Loading session {...}
  735. # Loading post-proxy {...}
  736. # Loading post-auth {...}
  737. } # server default
  738. server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
  739. # Loading authenticate {...}
  740. # Loading authorize {...}
  741. # Loading session {...}
  742. # Loading post-proxy {...}
  743. # Loading post-auth {...}
  744. # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331
  745. } # server inner-tunnel
  746. radiusd: #### Opening IP addresses and Ports ####
  747. listen {
  748. type = "auth"
  749. ipaddr = *
  750. port = 0
  751. limit {
  752. max_connections = 16
  753. lifetime = 0
  754. idle_timeout = 30
  755. }
  756. }
  757. listen {
  758. type = "acct"
  759. ipaddr = *
  760. port = 0
  761. limit {
  762. max_connections = 16
  763. lifetime = 0
  764. idle_timeout = 30
  765. }
  766. }
  767. listen {
  768. type = "auth"
  769. ipv6addr = ::
  770. port = 0
  771. limit {
  772. max_connections = 16
  773. lifetime = 0
  774. idle_timeout = 30
  775. }
  776. }
  777. listen {
  778. type = "acct"
  779. ipv6addr = ::
  780. port = 0
  781. limit {
  782. max_connections = 16
  783. lifetime = 0
  784. idle_timeout = 30
  785. }
  786. }
  787. listen {
  788. type = "auth"
  789. ipaddr = 127.0.0.1
  790. port = 18120
  791. }
  792. Listening on auth address * port 1812 bound to server default
  793. Listening on acct address * port 1813 bound to server default
  794. Listening on auth address :: port 1812 bound to server default
  795. Listening on acct address :: port 1813 bound to server default
  796. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  797. Listening on proxy address * port 40233
  798. Listening on proxy address :: port 38209
  799. Ready to process requests
  800. (0) Received Access-Request Id 207 from 127.0.0.1:38338 to 127.0.0.1:1812 length 77
  801. (0) User-Name = "testing"
  802. (0) User-Password = "password"
  803. (0) NAS-IP-Address = 127.0.1.1
  804. (0) NAS-Port = 0
  805. (0) Message-Authenticator = 0x354c7618ae3f4d33014a6a09e595a097
  806. (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
  807. (0) authorize {
  808. (0) policy filter_username {
  809. (0) if (&User-Name) {
  810. (0) if (&User-Name) -> TRUE
  811. (0) if (&User-Name) {
  812. (0) if (&User-Name =~ / /) {
  813. (0) if (&User-Name =~ / /) -> FALSE
  814. (0) if (&User-Name =~ /@[^@]*@/ ) {
  815. (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  816. (0) if (&User-Name =~ /\.\./ ) {
  817. (0) if (&User-Name =~ /\.\./ ) -> FALSE
  818. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  819. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  820. (0) if (&User-Name =~ /\.$/) {
  821. (0) if (&User-Name =~ /\.$/) -> FALSE
  822. (0) if (&User-Name =~ /@\./) {
  823. (0) if (&User-Name =~ /@\./) -> FALSE
  824. (0) } # if (&User-Name) = notfound
  825. (0) } # policy filter_username = notfound
  826. (0) [preprocess] = ok
  827. (0) [chap] = noop
  828. (0) [mschap] = noop
  829. (0) [digest] = noop
  830. (0) suffix: Checking for suffix after "@"
  831. (0) suffix: No '@' in User-Name = "testing", looking up realm NULL
  832. (0) suffix: No such realm "NULL"
  833. (0) [suffix] = noop
  834. (0) eap: No EAP-Message, not doing EAP
  835. (0) [eap] = noop
  836. (0) [expiration] = noop
  837. (0) [logintime] = noop
  838. (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
  839. (0) pap: WARNING: Authentication will fail unless a "known good" password is available
  840. (0) [pap] = noop
  841. (0) } # authorize = ok
  842. (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
  843. (0) Failed to authenticate the user
  844. (0) Using Post-Auth-Type Reject
  845. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
  846. (0) Post-Auth-Type REJECT {
  847. (0) sql: EXPAND .query
  848. (0) sql: --> .query
  849. (0) sql: Using query template 'query'
  850. rlm_sql (sql): Reserved connection (1)
  851. (0) sql: EXPAND %{User-Name}
  852. (0) sql: --> testing
  853. (0) sql: SQL-User-Name set to 'testing'
  854. (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
  855. (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', 'password', 'Access-Reject', '2021-04-27 12:23:43')
  856. (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', 'password', 'Access-Reject', '2021-04-27 12:23:43')
  857. (0) sql: SQL query returned: success
  858. (0) sql: 1 record(s) updated
  859. rlm_sql (sql): Released connection (1)
  860. Need 4 more connections to reach 10 spares
  861. rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
  862. (0) [sql] = ok
  863. (0) attr_filter.access_reject: EXPAND %{User-Name}
  864. (0) attr_filter.access_reject: --> testing
  865. (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
  866. (0) [attr_filter.access_reject] = updated
  867. (0) [eap] = noop
  868. (0) policy remove_reply_message_if_eap {
  869. (0) if (&reply:EAP-Message && &reply:Reply-Message) {
  870. (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  871. (0) else {
  872. (0) [noop] = noop
  873. (0) } # else = noop
  874. (0) } # policy remove_reply_message_if_eap = noop
  875. (0) } # Post-Auth-Type REJECT = updated
  876. (0) Delaying response for 1.000000 seconds
  877. Waking up in 0.3 seconds.
  878. Waking up in 0.6 seconds.
  879. (0) Sending delayed response
  880. (0) Sent Access-Reject Id 207 from 127.0.0.1:1812 to 127.0.0.1:38338 length 20
  881. Waking up in 3.9 seconds.
  882. (0) Cleaning up request packet ID 207 with timestamp +5
  883. Ready to process requests
  884. ^C^C