Discussion: Different databases with single freeradius

Emrah Yıldırım
2018-02-06 20:47:18 UTC
Hi,

http://freeradius.1045715.n5.nabble.com/Reg-Different-databases-with-single-frerradius-td5713985.html

I'm asking for your help with the subject. Would you please provide more
open and more concrete information? I've separated the
databases. I present the same problem... The Radacct table is visible to
everyone. Please help.

Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2018-02-06 20:57:34 UTC
On Feb 6, 2018, at 3:47 PM, Emrah Yıldırım <***@gmail.com> wrote:
>
> http://freeradius.1045715.n5.nabble.com/Reg-Different-databases-with-single-frerradius-td5713985.html
>
> I'm asking for your help with the subject. Would you please provide more
> open and more concrete information? I've separated the
> databases. I present the same problem... The Radacct table is visible to
> everyone.

What does that mean?

If you want to control who can read a table in SQL, consult the documentation for your SQL server.

Alan DeKok.


Emrah Yıldırım
2018-02-07 04:56:59 UTC
Are you sure you're looking at the link? This topic is related to FreeRADIUS... I have
separated databases with SQL instance. However, although I have separate hosts in both NAS
tables, I see the same data in the RADACCT table of both databases.
Please give me a solution.


On 6 Feb 2018 at 23:57, "Alan DeKok" <***@deployingradius.com> wrote:

On Feb 6, 2018, at 3:47 PM, Emrah Yıldırım <***@gmail.com> wrote:
>
> http://freeradius.1045715.n5.nabble.com/Reg-Different-databases-with-single-frerradius-td5713985.html
>
> I'm asking for your help with the subject. Would you please provide more
> open and more concrete information? I've separated the
> databases. I present the same problem... The Radacct table is visible to
> everyone.

What does that mean?

If you want to control who can read a table in SQL, consult the
documentation for your SQL server.

Alan DeKok.


Nathan Ward
2018-02-07 08:42:02 UTC
> On 7/02/2018, at 5:56 PM, Emrah Yıldırım <***@gmail.com> wrote:
>
> Are you sure
> you're looking at Link? This topic is related to Freeradius... I have
> separated databases with SQL instance. However, separate hosts in both NAS
> tables
> Although I do, I see the same data in the RADACCT table of both databases.
> Please give me a solution

Almost certainly, you are calling both instances of the SQL module rather than just one. If you want accounting in only one database, you need to call only one module instance, as described in the link you refer to.

Please read this page before going further, it will tell you how to ask for help in a way that someone here can help you: http://wiki.freeradius.org/guide/Users-Mailing-List

Also, read http://wiki.freeradius.org/guide/radiusd-X, and see if you can see where the problem is - I suspect you will be able to.

--
Nathan Ward

Alan DeKok
2018-02-07 14:20:52 UTC
On Feb 6, 2018, at 11:56 PM, Emrah Yıldırım <***@gmail.com> wrote:
>
> Are you sure
> you're looking at Link?

You need to learn how to ask good questions. Your first question, and the link, are vague and content-free.

If you ask a bad question, you will get a bad answer.


> This topic is related to Freeradius... I have
> separated databases with SQL instance.

Does this mean you have two SQL instances configured in FreeRADIUS?

> However, separate hosts in both NAS
> tables
> Although I do, I see the same data in the RADACCT table of both databases.

You've configured the server to use both SQL instances for all users. This is wrong.

You need to call the right instance for the right user:

if (user is from system A) {
sql1
}
else {
sql2
}

Of course, that won't work as-is, because you have given *zero* information about the usernames, SQL instance names, etc.

If you give more information, you get better answers.

Alan DeKok.


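The per-NAS selection that Nathan and Alan describe above, written out as an added example; this is not configuration from the thread or from the FreeRADIUS project. It assumes two rlm_sql instances named db1 and db2 (the names that appear in the radiusd -X output later in the thread), two NAS definitions in clients.conf whose shortnames nas-a and nas-b, addresses and secrets are placeholders, and the stock FreeRADIUS 3.0 layout of mods-enabled/, policy.d/ and sites-enabled/default. The decision is keyed on the client definition that matched the packet (that is, on the shared secret that authenticated it) rather than on a NAS-supplied attribute such as NAS-IP-Address, which any NAS can set to anything.

```unlang
# /etc/freeradius/mods-enabled/sql  (added example: two instances of rlm_sql)
# Each instance points at its own database, so each has its own radacct table.
sql db1 {
	driver    = "rlm_sql_mysql"
	dialect   = "mysql"
	server    = "db1.example.invalid"   # placeholder
	login     = "radius"
	password  = "CHANGEME"              # placeholder
	radius_db = "radius_a"
	read_clients = no
	# ${.:name} is "sql", so this still picks up mods-config/sql/main/mysql/queries.conf
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

sql db2 {
	driver    = "rlm_sql_mysql"
	dialect   = "mysql"
	server    = "db2.example.invalid"   # placeholder
	login     = "radius"
	password  = "CHANGEME"              # placeholder
	radius_db = "radius_b"
	read_clients = no
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

# /etc/freeradius/clients.conf  (added example: one client per NAS)
client nas-a {
	ipaddr    = 192.0.2.10              # placeholder
	secret    = "CHANGEME"              # placeholder
	shortname = nas-a
}
client nas-b {
	ipaddr    = 192.0.2.20              # placeholder
	secret    = "CHANGEME"              # placeholder
	shortname = nas-b
}

# /etc/freeradius/policy.d/select_sql  (added example; files here are
# $INCLUDEd inside the policy { } section by the stock policy.d/ layout)
select_sql {
	# Exactly one sql instance runs per request. The client shortname comes
	# from the clients.conf entry that matched the packet's source address
	# and shared secret, so a NAS cannot steer itself into the other database.
	if ("%{client:shortname}" == "nas-a") {
		db1
	}
	else {
		db2
	}
}

# /etc/freeradius/sites-enabled/default  (added example: the relevant sections,
# with the other stock modules left as the distribution ships them)
authorize {
	filter_username
	preprocess
	chap
	mschap
	suffix
	eap
	select_sql      # instead of listing db1 and db2 one after the other
	expiration
	logintime
	pap
}

accounting {
	detail
	select_sql      # the radacct row lands in one database only
}

post-auth {
	select_sql
}
```

Check the result with `radiusd -XC` (parse the configuration and exit), then run `radiusd -X` and send one Access-Request and one Accounting-Request from each NAS: the trace should show `db1` or `db2` under `select_sql`, never both. Note also that the -X output later in this thread shows the post-auth query writing the cleartext User-Password into rad_post_auths in both databases; that is what the stock postauth query does, and it is worth reviewing separately from the instance-selection problem.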
Sergio NNX
2018-02-07 20:09:25 UTC
Ciao.

We are upgrading from FR 2.0.x to 3.0.16 slowly and gradually.
We use ODBC to connect to M$SQL Server.
We are unsure about how to set it up in v3.0.x.

/etc/raddb/mods-enabled/sql file

sql {
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# * rlm_sql_mysql
# * rlm_sql_mssql
# * rlm_sql_oracle
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_unixodbc"

...
...
...
# The dialect of SQL you want to use, this should usually match
# the driver you selected above.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "unixodbc"

# Connection info:
#
server = "MSSQLTestServer"
# port = 3306
login = "testsqluser"
password = "xxxxxxx"
...
...


Should the dialect be the same as the driver (as suggested in the config file) or ....?

Thanks in advance.


radiusd -X output:

FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file \freeradius-server-3.0.16\share\freeradius/dictionary
including dictionary file \freeradius-server-3.0.16\share\freeradius/dictionary.dhcp
including dictionary file \freeradius-server-3.0.16\share\freeradius/dictionary.vqp
including configuration file \freeradius-server-3.0.16\etc\raddb/radiusd.conf
including configuration file \freeradius-server-3.0.16\etc\raddb/proxy.conf
including configuration file \freeradius-server-3.0.16\etc\raddb/clients.conf
including files in directory \freeradius-server-3.0.16\etc\raddb/mods-enabled/
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/always
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/attr_filter
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/chap
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/date
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/detail
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/digest
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/eap
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/echo
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/exec
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/expiration
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/expr
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/files
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/logintime
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/mschap
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/pap
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/preprocess
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/radutmp
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/realm
including configuration file \freeradius-server-3.0.16\etc\raddb/mods-enabled/sql
including configuration file \freeradius-server-3.0.16\etc/raddb/mods-config/sql/main/unixodbc/queries.conf
Unable to open file "\freeradius-server-3.0.16\etc/raddb/mods-config/sql/main/unixodbc/queries.conf": No such file or directory
Errors reading or parsing \freeradius-server-3.0.16\etc\raddb/radiusd.conf

Alan DeKok
2018-02-07 20:21:36 UTC
On Feb 7, 2018, at 3:09 PM, Sergio NNX <***@hotmail.com> wrote:
> We are upgrading from FR 2.0.x to 3.0.16 slowly and gradually.
> We use ODBC to connect M$SQL Server.
> We are unsure about how to set it up in v3.0.x.

> Should the dialect be the same as the driver (as suggested in the config file) or ....?

Usually, yes.
>
> including configuration file \freeradius-server-3.0.16\etc/raddb/mods-config/sql/main/unixodbc/queries.conf
> Unable to open file "\freeradius-server-3.0.16\etc/raddb/mods-config/sql/main/unixodbc/queries.conf": No such file or directory
> Errors reading or parsing \freeradius-server-3.0.16\etc\raddb/radiusd.conf

In this case, you should use "dialect = mssql"

Alan DeKok.


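Alan's answer above, shown as an added configuration example rather than as anything from the thread or the FreeRADIUS project: the same sql instance Sergio posted, with the setting that produced the "Unable to open file ... unixodbc/queries.conf" error next to the corrected one. It assumes the stock 3.0.16 mods-available/sql, where the query file is included via the ${dialect} variable, and it keeps the server, login and (placeholder) password values from Sergio's post.

```unlang
# /etc/raddb/mods-enabled/sql  (added example)
sql {
	# driver selects the client library that talks to the database;
	# dialect selects which set of queries is loaded.
	#
	# Broken: the query directory is built from ${dialect}, and the server
	# does not ship mods-config/sql/main/unixodbc/, so startup fails with
	# "Unable to open file ... unixodbc/queries.conf".
	#driver  = "rlm_sql_unixodbc"
	#dialect = "unixodbc"

	# Working: keep the ODBC driver, pick the MS SQL query dialect.
	driver  = "rlm_sql_unixodbc"
	dialect = "mssql"

	# With rlm_sql_unixodbc, server is the ODBC DSN name.
	server    = "MSSQLTestServer"
	login     = "testsqluser"
	password  = "xxxxxxx"           # placeholder, as in the original post
	radius_db = "radius"

	# Now expands to mods-config/sql/main/mssql/queries.conf.
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
```

`radiusd -XC` confirms the configuration parses before the server is started for real; the "including configuration file ..." line for queries.conf should now name the mssql directory.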
Sergio NNX
2018-02-07 20:11:39 UTC
Hi.

We have noticed a few modules of some sort showing up in the debug log.
However, we are unable to locate them anywhere. They do not appear in any configuration file.
So the question is: are those modules external modules, intrinsic (or core) ones or ...... ?
Are they v3 specific?

- proto_auth
- proto_acct
- proto_status

Thanks in advance.


Debug output

Wed Feb 07 12:00:19 2018 : Debug: Server was built with:
Wed Feb 07 12:00:19 2018 : Debug: accounting : yes
Wed Feb 07 12:00:19 2018 : Debug: authentication : yes
Wed Feb 07 12:00:19 2018 : Debug: ascend-binary-attributes : yes
Wed Feb 07 12:00:19 2018 : Debug: coa : yes
Wed Feb 07 12:00:19 2018 : Debug: control-socket : no
Wed Feb 07 12:00:19 2018 : Debug: detail : yes
Wed Feb 07 12:00:19 2018 : Debug: dhcp : yes
Wed Feb 07 12:00:19 2018 : Debug: dynamic-clients : yes
Wed Feb 07 12:00:19 2018 : Debug: osfc2 : no
Wed Feb 07 12:00:19 2018 : Debug: proxy : yes
Wed Feb 07 12:00:19 2018 : Debug: regex-pcre : yes
Wed Feb 07 12:00:19 2018 : Debug: regex-posix : no
Wed Feb 07 12:00:19 2018 : Debug: regex-posix-extended : no
Wed Feb 07 12:00:19 2018 : Debug: session-management : yes
Wed Feb 07 12:00:19 2018 : Debug: stats : yes
Wed Feb 07 12:00:19 2018 : Debug: tcp : yes
Wed Feb 07 12:00:19 2018 : Debug: threads : yes
Wed Feb 07 12:00:19 2018 : Debug: tls : yes
Wed Feb 07 12:00:19 2018 : Debug: unlang : yes
Wed Feb 07 12:00:19 2018 : Debug: vmps : yes
Wed Feb 07 12:00:19 2018 : Debug: developer : no
Wed Feb 07 12:00:19 2018 : Debug: IPv6 : yes
Wed Feb 07 12:00:19 2018 : Debug: Server core libs:
Wed Feb 07 12:00:19 2018 : Debug: freeradius-server : 3.0.16
Wed Feb 07 12:00:19 2018 : Debug: talloc : 2.1.*
Wed Feb 07 12:00:19 2018 : Debug: ssl : 1.1.1 dev
Wed Feb 07 12:00:19 2018 : Debug: pcre : 8.40 2017-01-11
Wed Feb 07 12:00:19 2018 : Debug: pthreads : 2.10.0
Wed Feb 07 12:00:19 2018 : Debug: odbc : 2.3.4
Wed Feb 07 12:00:19 2018 : Debug: Endianness:
Wed Feb 07 12:00:19 2018 : Debug: little
Wed Feb 07 12:00:19 2018 : Debug: Compilation flags:
Wed Feb 07 12:00:19 2018 : Debug:
Wed Feb 07 12:00:19 2018 : Info: FreeRADIUS Version 3.0.16
Wed Feb 07 12:00:19 2018 : Info: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
Wed Feb 07 12:00:19 2018 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Feb 07 12:00:19 2018 : Info: PARTICULAR PURPOSE
Wed Feb 07 12:00:19 2018 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Feb 07 12:00:19 2018 : Info: GNU General Public License
Wed Feb 07 12:00:19 2018 : Info: For more information about these matters, see the file named COPYRIGHT
Wed Feb 07 12:00:19 2018 : Info: Starting - reading configuration files ...

<snip>
<snip>

Wed Feb 07 12:00:20 2018 : Debug: } # server status
Wed Feb 07 12:00:20 2018 : Debug: radiusd: #### Opening IP addresses and Ports ####
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth with path: \freeradius-server-3.0.16/lib/proto_auth
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth failed: "\freeradius-server-3.0.16\lib\proto_auth": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_auth": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "auth"
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = *
Wed Feb 07 12:00:20 2018 : Debug: port = 0
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_acct with path: \freeradius-server-3.0.16/lib/proto_acct
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_acct failed: "\freeradius-server-3.0.16\lib\proto_acct": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_acct": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "acct"
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = *
Wed Feb 07 12:00:20 2018 : Debug: port = 0
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth with path: \freeradius-server-3.0.16/lib/proto_auth
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth failed: "\freeradius-server-3.0.16\lib\proto_auth": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_auth": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "auth"
Wed Feb 07 12:00:20 2018 : Debug: ipv6addr = ::
Wed Feb 07 12:00:20 2018 : Debug: port = 0
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_acct with path: \freeradius-server-3.0.16/lib/proto_acct
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_acct failed: "\freeradius-server-3.0.16\lib\proto_acct": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_acct": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "acct"
Wed Feb 07 12:00:20 2018 : Debug: ipv6addr = ::
Wed Feb 07 12:00:20 2018 : Debug: port = 0
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth with path: \freeradius-server-3.0.16/lib/proto_auth
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth failed: "\freeradius-server-3.0.16\lib\proto_auth": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_auth": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "auth"
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = 192.168.1.4
Wed Feb 07 12:00:20 2018 : Debug: port = 1821
Wed Feb 07 12:00:20 2018 : Debug: client 192.0.2.9 {
Wed Feb 07 12:00:20 2018 : Debug: require_message_authenticator = no
Wed Feb 07 12:00:20 2018 : Debug: secret = "testing123"
Wed Feb 07 12:00:20 2018 : Debug: shortname = "example-client"
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 192.0.2.9. Please fix your configuration
Wed Feb 07 12:00:20 2018 : Warning: Support for old-style clients will be removed in a future release
Wed Feb 07 12:00:20 2018 : Debug: Adding client 192.0.2.9/32 (192.0.2.9) to prefix tree 32
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth with path: \freeradius-server-3.0.16/lib/proto_auth
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_auth failed: "\freeradius-server-3.0.16\lib\proto_auth": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_auth": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "auth"
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = 127.0.0.1
Wed Feb 07 12:00:20 2018 : Debug: port = 18120
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_status with path: \freeradius-server-3.0.16/lib/proto_status
Wed Feb 07 12:00:20 2018 : Debug: Loading proto_status failed: "\freeradius-server-3.0.16\lib\proto_status": The specified module could not be found. - No such file or directory
Wed Feb 07 12:00:20 2018 : Debug: Loading library using linker search path(s)
Wed Feb 07 12:00:20 2018 : Debug: Defaults : \freeradius-server-3.0.16\lib
Wed Feb 07 12:00:20 2018 : Debug: Failed with error: "proto_status": The specified module could not be found.
Wed Feb 07 12:00:20 2018 : Debug: listen {
Wed Feb 07 12:00:20 2018 : Debug: type = "status"
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = 127.0.0.1
Wed Feb 07 12:00:20 2018 : Debug: port = 18121
Wed Feb 07 12:00:20 2018 : Debug: client admin {
Wed Feb 07 12:00:20 2018 : Debug: ipaddr = 127.0.0.1
Wed Feb 07 12:00:20 2018 : Debug: require_message_authenticator = no
Wed Feb 07 12:00:20 2018 : Debug: secret = "adminsecret"
Wed Feb 07 12:00:20 2018 : Debug: limit {
Wed Feb 07 12:00:20 2018 : Debug: max_connections = 16
Wed Feb 07 12:00:20 2018 : Debug: lifetime = 0
Wed Feb 07 12:00:20 2018 : Debug: idle_timeout = 30
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Adding client 127.0.0.1/32 (127.0.0.1) to prefix tree 32
Wed Feb 07 12:00:20 2018 : Debug: }
Wed Feb 07 12:00:20 2018 : Debug: Listening on auth address * port 1812 bound to server default
Wed Feb 07 12:00:20 2018 : Debug: Listening on acct address * port 1813 bound to server default
Wed Feb 07 12:00:20 2018 : Debug: Listening on auth address :: port 1812 bound to server default
Wed Feb 07 12:00:20 2018 : Debug: Listening on acct address :: port 1813 bound to server default
Wed Feb 07 12:00:20 2018 : Debug: Listening on auth address 192.168.1.4 port 1821 bound to server example
Wed Feb 07 12:00:20 2018 : Debug: Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Wed Feb 07 12:00:20 2018 : Debug: Listening on status address 127.0.0.1 port 18121 bound to server status
Wed Feb 07 12:00:20 2018 : Debug: Opened new proxy socket 'proxy address * port 64591'
Wed Feb 07 12:00:20 2018 : Debug: Listening on proxy address * port 64591
Wed Feb 07 12:00:20 2018 : Debug: Opened new proxy socket 'proxy address :: port 64592'
Wed Feb 07 12:00:20 2018 : Debug: Listening on proxy address :: port 64592
Wed Feb 07 12:00:20 2018 : Info: Ready to process requests

Alan DeKok
2018-02-07 20:20:18 UTC
On Feb 7, 2018, at 3:11 PM, Sergio NNX <***@hotmail.com> wrote:
>
>
> We have noticed a few sort of modules showing up in the debug log.
> However, we are unable to locate them anywhere. They do not appear in any configuration file.
> So the question is: are those modules external modules, intrinsic (or core) ones or ...... ?
> Are they v3 specific?

They're already in the server core. We started moving functionality out of the core and into modules. That work wasn't finished in the v3 branch.

It is finished in v4. So there, the server core no longer knows anything about RADIUS. Which makes a number of things much simpler.

Alan DeKok.


Emrah Yıldırım
2018-02-07 21:06:01 UTC
First of all, I'm sorry. I sent out the changes I made and the
Freeradius-X output. If I need to share other information, please tell me
to share.

> Of course, that won't work as-is. Because you have given *zero*
> information about the usernames, SQL instance names, etc
>
> If you give more information, you get better answers.

*freeradius -X*


# Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file
/etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_always
# Instantiating module "reject" from file
/etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file
/etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file
/etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file
/etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file
/etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file
/etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file
/etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_digest
# Instantiating module "digest" from file
/etc/freeradius/mods-enabled/digest
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 56236
Ready to process requests.
Received Access-Request Id 44 from 192.168.6.1:15001 to 192.168.6.237:1812
length 133
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'alandekok'
User-Password = '123'
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2000
Framed-IP-Address = 192.168.6.17
Called-Station-Id = '192.168.5.53'
Calling-Station-Id = '68-5d-43-1d-c6-da'
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> alandekok
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "alandekok", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) db1 : EXPAND %{User-Name}
(0) db1 : --> alandekok
(0) db1 : SQL-User-Name set to 'alandekok'
rlm_sql (db1): Reserved connection (4)
(0) db1 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db1 : --> SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db1): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_checks WHERE username = 'alandekok' ORDER BY id'
(0) db1 : EXPAND SELECT groupname FROM rad_user_groups WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) db1 : --> SELECT groupname FROM rad_user_groups WHERE username =
'alandekok' ORDER BY priority
rlm_sql (db1): Executing query: 'SELECT groupname FROM rad_user_groups
WHERE username = 'alandekok' ORDER BY priority'
(0) db1 : User not found in any groups
rlm_sql (db1): Released connection (4)
(0) [db1] = notfound
(0) db2 : EXPAND %{User-Name}
(0) db2 : --> alandekok
(0) db2 : SQL-User-Name set to 'alandekok'
rlm_sql (db2): Reserved connection (4)
(0) db2 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db2 : --> SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_checks WHERE username = 'alandekok' ORDER BY id'
(0) db2 : User found in radcheck table
(0) db2 : Check items matched
(0) db2 : EXPAND SELECT id, username, attribu, value, op FROM rad_replies
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db2 : --> SELECT id, username, attribu, value, op FROM rad_replies
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_replies WHERE username = 'alandekok' ORDER BY id'
(0) db2 : EXPAND SELECT groupname FROM rad_user_groups WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) db2 : --> SELECT groupname FROM rad_user_groups WHERE username =
'alandekok' ORDER BY priority
rlm_sql (db2): Executing query: 'SELECT groupname FROM rad_user_groups
WHERE username = 'alandekok' ORDER BY priority'
(0) db2 : User found in the group table
(0) db2 : EXPAND SELECT id, groupname, attribu, Value, op FROM
rad_group_checks WHERE groupname = '%{Sql-Group}' ORDER BY id
(0) db2 : --> SELECT id, groupname, attribu, Value, op FROM
rad_group_checks WHERE groupname = 'group6mbit' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, groupname, attribu, Value, op
FROM rad_group_checks WHERE groupname = 'group6mbit' ORDER BY id'
(0) db2 : Group "group6mbit" check items matched
(0) db2 : EXPAND SELECT id, groupname, attribu, value, op FROM
rad_group_replies WHERE groupname = '%{Sql-Group}' ORDER BY id
(0) db2 : --> SELECT id, groupname, attribu, value, op FROM
rad_group_replies WHERE groupname = 'group6mbit' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, groupname, attribu, value, op
FROM rad_group_replies WHERE groupname = 'group6mbit' ORDER BY id'
(0) db2 : Group "group6mbit" reply items processed
rlm_sql (db2): Released connection (4)
(0) [db2] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: dailycounter : Couldn't find control attribute
'control:Max-Daily-Session'
(0) [dailycounter] = noop
(0) WARNING: noresetcounter : Couldn't find control attribute
'control:Max-All-Session'
(0) [noresetcounter] = noop
(0) WARNING: monthlycounter : Couldn't find control attribute
'control:Max-Monthly-Session'
(0) [monthlycounter] = noop
(0) WARNING: expire_on_login : Couldn't find control attribute
'control:Expire-After'
(0) [expire_on_login] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(0) post-auth {
(0) db1 : EXPAND .query
(0) db1 : --> .query
(0) db1 : Using query template 'query'
rlm_sql (db1): Reserved connection (4)
(0) db1 : EXPAND %{User-Name}
(0) db1 : --> alandekok
(0) db1 : SQL-User-Name set to 'alandekok'
(0) db1 : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) db1 : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'alandekok', '123', 'Access-Accept', '2018-02-07
22:46:21')
rlm_sql (db1): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'alandekok', '123', 'Access-Accept',
'2018-02-07 22:46:21')'
rlm_sql (db1): Released connection (4)
(0) [db1] = ok
(0) db2 : EXPAND .query
(0) db2 : --> .query
(0) db2 : Using query template 'query'
rlm_sql (db2): Reserved connection (4)
(0) db2 : EXPAND %{User-Name}
(0) db2 : --> alandekok
(0) db2 : SQL-User-Name set to 'alandekok'
(0) db2 : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) db2 : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'alandekok', '123', 'Access-Accept', '2018-02-07
22:46:21')
rlm_sql (db2): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'alandekok', '123', 'Access-Accept',
'2018-02-07 22:46:21')'
rlm_sql (db2): Released connection (4)
(0) [db2] = ok
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (reply:EAP-Message && reply:Reply-Message)
(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # post-auth = ok
Sending Access-Accept Id 44 from 192.168.6.237:1812 to 192.168.6.1:15001
WISPr-Bandwidth-Max-Down = 6291456
(0) Finished request
Waking up in 0.3 seconds.
Received Accounting-Request Id 70 from 192.168.6.1:18746 to
192.168.6.237:1813 length 166
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'alandekok'
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
NAS-Port-Type = Ethernet
NAS-Port = 2000
Acct-Session-Id = '51ddb7ae87a6974e'
Framed-IP-Address = 192.168.6.17
Called-Station-Id = '192.168.5.53'
Calling-Station-Id = '68-5d-43-1d-c6-da'
(1) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) acct_unique acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else else {
(1) update request {
(1) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 5f7d981301d43b05adad3019deb5500a
(1) Acct-Unique-Session-Id := '"5f7d981301d43b05adad3019deb5500a"'
(1) } # update request = noop
(1) } # else else = noop
(1) } # acct_unique acct_unique = noop
(1) suffix : No '@' in User-Name = "alandekok", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(1) accounting {
(1) detail : EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail : --> /var/log/freeradius/radacct/192.168.6.1/detail-20180207
(1) detail :
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.6.1/detail-20180207
(1) detail : EXPAND %t
(1) detail : --> Wed Feb 7 22:46:21 2018
(1) [detail] = ok
(1) [unix] = ok
(1) db1 : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) db1 : --> type.start.query
(1) db1 : Using query template 'query'
rlm_sql (db1): Reserved connection (4)
(1) db1 : EXPAND %{User-Name}
(1) db1 : --> alandekok
(1) db1 : SQL-User-Name set to 'alandekok'
(1) db1 : EXPAND INSERT INTO rad_accts (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(1) db1 : --> INSERT INTO rad_accts (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('51ddb7ae87a6974e', '5f7d981301d43b05adad3019deb5500a', 'alandekok', '',
'192.168.5.53', '2000', 'Ethernet', FROM_UNIXTIME(1518036381),
FROM_UNIXTIME(1518036381), NULL, '0', 'RADIUS', '', '', '0', '0',
'192.168.5.53', '68-5d-43-1d-c6-da', '', '', '', '192.168.6.17')
rlm_sql (db1): Executing query: 'INSERT INTO rad_accts (acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('51ddb7ae87a6974e',
'5f7d981301d43b05adad3019deb5500a', 'alandekok', '', '192.168.5.53',
'2000', 'Ethernet', FROM_UNIXTIME(1518036381), FROM_UNIXTIME(1518036381),
NULL, '0', 'RADIUS', '', '', '0', '0', '192.168.5.53', '68-5d-43-1d-c6-da',
'', '', '', '192.168.6.17')'
rlm_sql (db1): Released connection (4)
(1) [db1] = ok
(1) db2 : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) db2 : --> type.start.query
(1) db2 : Using query template 'query'
rlm_sql (db2): Reserved connection (4)
(1) db2 : EXPAND %{User-Name}
(1) db2 : --> alandekok
(1) db2 : SQL-User-Name set to 'alandekok'
(1) db2 : EXPAND INSERT INTO rad_accts (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(1) db2 : --> INSERT INTO rad_accts (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('51ddb7ae87a6974e', '5f7d981301d43b05adad3019deb5500a', 'alandekok', '',
'192.168.5.53', '2000', 'Ethernet', FROM_UNIXTIME(1518036381),
FROM_UNIXTIME(1518036381), NULL, '0', 'RADIUS', '', '', '0', '0',
'192.168.5.53', '68-5d-43-1d-c6-da', '', '', '', '192.168.6.17')
rlm_sql (db2): Executing query: 'INSERT INTO rad_accts (acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('51ddb7ae87a6974e',
'5f7d981301d43b05adad3019deb5500a', 'alandekok', '', '192.168.5.53',
'2000', 'Ethernet', FROM_UNIXTIME(1518036381), FROM_UNIXTIME(1518036381),
NULL, '0', 'RADIUS', '', '', '0', '0', '192.168.5.53', '68-5d-43-1d-c6-da',
'', '', '', '192.168.6.17')'
rlm_sql (db2): Released connection (4)
(1) [db2] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response : EXPAND %{User-Name}
(1) attr_filter.accounting_response : --> alandekok
(1) attr_filter.accounting_response : Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
Sending Accounting-Response Id 70 from 192.168.6.237:1813 to
192.168.6.1:18746
(1) Finished request
Waking up in 0.3 seconds.
(1) Cleaning up request packet ID 70 with timestamp +16
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 44 with timestamp +16
Ready to process requests.

*/etc/freeradius/mods-available/sql*

sql db1 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "localhost"
	port = 3306
	login = "root"
	password = "123456"
	radius_db = "db1"
	acct_table1 = "rad_accts"
	acct_table2 = "rad_accts"
	postauth_table = "rad_post_auths"
	authcheck_table = "rad_checks"
	groupcheck_table = "rad_group_checks"
	authreply_table = "rad_replies"
	groupreply_table = "rad_group_replies"
	usergroup_table = "rad_user_groups"
	read_groups = no
	delete_stale_sessions = yes
	pool {
		start = 5
		min = 4
		max = ${thread[pool].max_servers}
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
	read_clients = yes
	client_table = "nas"
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

sql db2 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "localhost"
	port = 3306
	login = "root"
	password = "123456"
	radius_db = "db2"
	acct_table1 = "rad_accts"
	acct_table2 = "rad_accts"
	postauth_table = "rad_post_auths"
	authcheck_table = "rad_checks"
	groupcheck_table = "rad_group_checks"
	authreply_table = "rad_replies"
	groupreply_table = "rad_group_replies"
	usergroup_table = "rad_user_groups"
	read_groups = no
	delete_stale_sessions = yes
	pool {
		start = 5
		min = 4
		max = ${thread[pool].max_servers}
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
	read_clients = yes
	client_table = "nas"
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

*/etc/freeradius/sites-enabled/inner-tunnel*

# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: 11b6c12d845a1e8287888b3f0a0748d810b2c184 $
#
######################################################################

server inner-tunnel {

#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}


# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
# unix

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous", and a different one here
# (e.g. "***@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain

#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
Proxy-To-Realm := LOCAL
}

#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Read the 'users' file
files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
-sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module reads passwords from the LDAP database.
-ldap

#
# Enforce daily limits on time spent logged in.
# daily

expiration
logintime
dailycounter
noresetcounter
monthlycounter
expire_on_login
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }

#
# Allow EAP authentication.
eap
}

######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
#sql
db1
db2
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# If you want privacy to remain, see the
# Chargeable-User-Identity attribute from RFC 4372.
# If you want to use it just uncomment the line below.
# cui-inner

#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
-sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
}

#
# The example policy below updates the outer tunnel reply
# (usually Access-Accept) with the User-Name from the inner
# tunnel User-Name. Since this section is processed in the
# context of the inner tunnel, "request" here means "inner
# tunnel request", and "outer.reply" means "outer tunnel
# reply attributes".
#
# This example is most useful when the outer session contains
# a User-Name of "***@....", or a MAC address. If it
# is enabled, the NAS SHOULD use the inner tunnel User-Name
# in subsequent accounting packets. This makes it easier to
# track user sessions, as they will all be based on the real
# name, and not on "anonymous".
#
# The problem with doing this is that it ALSO exposes the
# real user name to any intermediate proxies. People use
# "anonymous" identifiers outside of the tunnel for a very
# good reason: it gives them more privacy. Setting the reply
# to contain the real user name removes ALL privacy from
# their session.
#
# If you still want to use the inner tunnel User-Name then
# uncomment the section below, otherwise you may want
# to use Chargeable-User-Identity attribute from RFC 4372.
# See further on.
#update outer.reply {
# User-Name = "%{request:User-Name}"
#}
#
}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }

}

} # inner-tunnel server block

*/etc/freeradius/sites-enabled/default*

######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 3278975e054fab504afda5ba8fc999239cb2fb9d $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################

server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa-server
#
type = auth

# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.

# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *

# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0

# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0

# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients

#
# Connection limiting for sockets with "proto = tcp".
#
# This section is ignored for other kinds of sockets.
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16

# The per-socket "max_requests" option does not exist.

#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0

#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}

#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients

limit {
# The number of packets received can be rate limited via the
# "max_pps" configuration item. When it is set, the server
# tracks the total number of packets received in the previous
# second. If the count is greater than "max_pps", then the
# new packet is silently discarded. This helps the server
# deal with overload situations.
#
# The packets/s counter is tracked in a sliding window. This
# means that the pps calculation is done for the second
# before the current packet was received. NOT for the current
# wall-clock second, and NOT for the previous wall-clock second.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more than
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure that
# the server will never get overloaded
#
# max_pps = 0

# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username

#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess

# If you intend to use CUI and you require that the Operator-Name
# be set for CUI generation and you want to generate CUI also
# for your local clients then uncomment the operator-name
# below and set the operator-name for your clients in clients.conf
# operator-name

#
# If you want to generate CUI for some clients that do not
# send proper CUI requests, then uncomment the
# cui below and set "add_cui = yes" for these clients in clients.conf
# cui

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest

#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
# wimax

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# As of 2.0, the EAP module returns "ok" in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
# this change is compatible with older configurations.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
# unix

#
# Read the 'users' file
#files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
#sql
db1
db2
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'smbpasswd' module.
# smbpasswd

#
# The ldap module reads passwords from the LDAP database.
-ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
expiration
logintime
dailycounter
noresetcounter
monthlycounter
expire_on_login
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap

#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest

#
# Pluggable Authentication Modules.
# pam

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }

#
# Allow EAP authentication.
eap

#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from attr_filter
# }
# }
}


#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess

#
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
# into a single 64bit counter Acct-[Input|Output]-Octets64.
#
# acct_counters64

#
# Session start times are *implied* in RADIUS.
# The NAS never sends a "start time". Instead, it sends
# a start packet, *possibly* with an Acct-Delay-Time.
# The server is supposed to conclude that the start time
# was "Acct-Delay-Time" seconds in the past.
#
# The code below creates an explicit start time, which can
# then be used in other modules. It will be *mostly* correct.
# Any errors are due to the 1-second resolution of RADIUS,
# and the possibility that the time on the NAS may be off.
#
# The start time is: NOW - delay - session_length
#

# update request {
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }


#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique

#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain

#
# Read the 'acct_users' file
files
}

#
# Accounting. Log the accounting data.
#
accounting {
# Update accounting packet by adding the CUI attribute
# recorded from the corresponding Access-Accept
# use it only if your NAS boxes do not support CUI themselves
# cui
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# dailycounter
# noresetcounter
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix

#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
# radutmp
# sradutmp

# Return an address to the IP Pool when we see a stop record.
# main_pool

#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
#sql
db1
db2

#
# If you receive stop packets with zero session length,
# they will NOT be logged in the database. The SQL module
# will print a message (only in debugging mode), and will
# return "noop".
#
# You can ignore these packets by uncommenting the following
# three lines. Otherwise, the server will not respond to the
# accounting request, and the NAS will retransmit.
#
# if (noop) {
# ok
# }

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

# Cisco VoIP specific bulk accounting
# pgsql-voip

# For Exec-Program and Exec-Program-Wait
exec

# Filter attributes from the accounting response.
attr_filter.accounting_response

#
# See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
#sql
db1
db2
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool


# Create the CUI value and add the attribute to Access-Accept.
# Uncomment the line below if *returning* the CUI.
# cui

#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
#sql
db1
db2
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
# ldap

# For Exec-Program and Exec-Program-Wait
exec

#
# Calculate the various WiMAX keys. In order for this to work,
# you will need to define the WiMAX NAI, usually via
#
# update request {
# WiMAX-MN-NAI = "%{User-Name}"
# }
#
# If you want various keys to be calculated, you will need to
# update the reply with "template" values. The module will see
# this, and replace the template values with the correct ones
# taken from the cryptographic calculations. e.g.
#
# update reply {
# WiMAX-FA-RK-Key = 0x00
# WiMAX-MSK = "%{EAP-MSK}"
# }
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
# wimax


# If there is a client certificate (EAP-TLS, sometimes PEAP
# and TTLS), then some attributes are filled out after the
# certificate verification has been performed. These fields
# MAY be available during the authentication, or they may be
# available only in the "post-auth" section.
#
# The first set of attributes contains information about the
# issuing certificate which is being used. The second
# contains information about the client certificate (if
# available).
#
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }

# Insert class attribute (with unique value) into response,
# aids matching auth and acct records, and protects against duplicate
# Acct-Session-Id. Note: Only works if the NAS has implemented
# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
# insert_acct_class

# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
# if (reply:EAP-Session-Id) {
# update reply {
# EAP-Key-Name := "%{reply:EAP-Session-Id}"
# }
# }

# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
#sql
db1
db2
attr_filter.access_reject

# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap

# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Before proxing the request add an Operator-Name attribute identifying
# if the operator-name is found for this client.
# No need to uncomment this if you have already enabled this in
# the authorize section.
# operator-name

# The client requests the CUI by sending a CUI attribute
# containing one zero byte.
# Uncomment the line below if *requesting* the CUI.
# cui

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }
}
}


2018-02-07 17:20 GMT+03:00 Alan DeKok <***@deployingradius.com>:

> On Feb 6, 2018, at 11:56 PM, Emrah Yıldırım <***@gmail.com>
> wrote:
> >
> > Are you sure
> > you're looking at Link?
>
> You need to learn how to ask good questions. Your first question, and
> the link, are vague and content-free.
>
> If you ask a bad question, you will get a bad answer.
>
>
> > This topic is related to Freeradius... I have
> > separated databases with SQL instance.
>
> Does this mean you have two SQL instances configured in FreeRADIUS?
>
> > However, separate hosts in both NAS
> > tables
> > Although I do, I see the same data in the RADACCT table of both
> databases.
>
> You've configured the server to use both SQL instances for all users.
> This is wrong.
>
> You need to call the right instance for the right user:
>
> if (user is from system A) {
> sql1
> }
> else {
> sql2
> }
>
> Of course, that won't work as-is. Because you have given *zero*
> information about the usernames, SQL instance names, etc
>
> If you give more information, you get better answers.
>
> Alan DeKok.
>
>
Alan DeKok
2018-02-07 21:52:44 UTC
On Feb 7, 2018, at 4:06 PM, Emrah Yıldırım <***@gmail.com> wrote:
>
> First of all, I'm sorry. I sent out the changes I made and the
> Freeradius-X output. If I need to share other information, please tell me
> to share.

Please describe what you're doing. i.e. is there any way to tell the users apart? Are the different users stored in different "radcheck" databases?

We can't magically understand what you want to do. You have to *tell us*. So far, you're trying *very* hard to give either too little information, or unimportant information.

>> *freeradius -X*
>
> ...
> Ready to process requests.
> Received Access-Request Id 44 from 192.168.6.1:15001 to 192.168.6.237:1812
> length 133
> NAS-IP-Address = 192.168.5.53
> NAS-Identifier = 'pfSense.localdomain'
> User-Name = 'alandekok'
> User-Password = '123'

Hmm... OK...

So you're not going to show how you tell the different users apart. Instead, you create a meaningless test user, and show us debug output from that.

That's not helpful.

> (0) db1 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
> WHERE username = '%{SQL-User-Name}' ORDER BY id

i.e. you've customized the tables and the queries.

It would be polite to *say that*. i.e. describe what you did.

How do you expect us to help you, if you make it as hard as possible for us to help you?

Before you waste any more time, go read this page:

http://wiki.freeradius.org/list-help


> */etc/freeradius/mods-available/sql*

I didn't ask for that. Why would you post it?

> *etc/freeradius/sites-enabled/inner-tunnel*

And I didn't ask for that.

This shouldn't be difficult. Read the documentation. Follow the instructions.

Alan DeKok.


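The debug output under discussion is where the symptom is visible: the same request id runs through more than one `rlm_sql` instance in the same section. The following is an added example (not from the thread or from FreeRADIUS) that walks `freeradius -X` output, attributes every `db1`/`db2` call to its request and section, and lists the requests that hit more than one instance. The debug lines it parses are constructed to mimic the posted output (`(0) db1 : EXPAND ...` and `(0) [db1] = ok` forms); only the instance names come from the thread.

```python
"""Attribute rlm_sql activity in `freeradius -X` output to request and section.

Added example, not from the thread.  SAMPLE_DEBUG is constructed to mimic the
posted debug output; only the instance names db1/db2 come from the thread.
"""
import re
from collections import defaultdict

# "(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default"
SECTION_LINE = re.compile(r"^\((\d+)\)\s+# Executing section (\w+) from file")
# "(0)     [db1] = ok"   or   "(0)     db1 : EXPAND SELECT ..."
MODULE_LINE = re.compile(r"^\((\d+)\)\s+(?:\[(\w+)\]|(\w+)\s*:)")

# Constructed sample: request 0 and 1 touch both instances, request 2 only db1.
SAMPLE_DEBUG = [
    "(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default",
    "(0)   authorize {",
    "(0)     [preprocess] = ok",
    "(0)     suffix : No '@' in User-Name = \"alandekok\", looking up realm NULL",
    "(0)     [suffix] = noop",
    "(0)     db1 : EXPAND SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '%{SQL-User-Name}' ORDER BY id",
    "(0)     [db1] = ok",
    "(0)     db2 : EXPAND SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '%{SQL-User-Name}' ORDER BY id",
    "(0)     [db2] = ok",
    "(0)   } # authorize = ok",
    "(1) # Executing section accounting from file /etc/freeradius/sites-enabled/default",
    "(1)     [detail] = ok",
    "(1)     db1 : EXPAND INSERT INTO radacct (acctsessionid, username) VALUES "
    "('%{Acct-Session-Id}', '%{SQL-User-Name}')",
    "(1)     [db1] = ok",
    "(1)     [db2] = ok",
    "(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default",
    "(2)     [db1] = ok",
    "(2)     [pap] = updated",
]


def sql_instances_per_request(lines, instances=("db1", "db2")):
    """Return {request_id: {section: [sql instances, in order of first use]}}."""
    current_section = {}  # request id -> section currently executing
    seen = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = SECTION_LINE.match(line)
        if m:
            current_section[int(m.group(1))] = m.group(2)
            continue
        m = MODULE_LINE.match(line)
        if not m:
            continue
        rid = int(m.group(1))
        module = m.group(2) or m.group(3)
        if module not in instances:
            continue
        used = seen[rid][current_section.get(rid, "?")]
        if module not in used:
            used.append(module)
    return {rid: dict(sections) for rid, sections in seen.items()}


def requests_hitting_multiple_instances(lines, instances=("db1", "db2")):
    """(request id, section) pairs in which more than one instance was called,
    i.e. the 'records land in both radacct tables' symptom from the thread."""
    per_request = sql_instances_per_request(lines, instances)
    return sorted(
        (rid, section)
        for rid, sections in per_request.items()
        for section, used in sections.items()
        if len(used) > 1
    )


if __name__ == "__main__":
    for rid, sections in sql_instances_per_request(SAMPLE_DEBUG).items():
        print(rid, sections)
    print("multiple:", requests_hitting_multiple_instances(SAMPLE_DEBUG))
```

Run it as `freeradius -X 2>&1 | python3 this_file.py` after replacing `SAMPLE_DEBUG` with `sys.stdin`; any `(id, section)` pair it prints is a place in the virtual server where both `db1` and `db2` are still being called unconditionally.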
Emrah Yıldırım
2018-02-08 14:19:57 UTC
I have entered two separate NAS information for DB1 and DB2 databases. I
hooked up two separate PF-se captive portals to the NAS tables in the DB1
and DB2 databases. Two separate captive portal Internet users will
authenticate and provide access to the Internet. The panel operators who
enter the management panel I have made (the PF sense) will see the users on
their own databases (DB1 or DB2) on the Internet with the captive portal
separately. Panel administrators who don't recognize each other can open
the same user name and password in the Radcheck table. Internet users with
the same user name in separate databases can have separate Internet speeds.
I need to separate the accounting. I may not be able to express myself, but
I'm sure you are a humble and helpful person... Maybe you want to connect
with TeamViewer.


I'm writing the panel with Ruby on Rails. The rails attribute and the words
of a team are using their own. He wants me to put an "s" at the end of the
names of the MVC model tables.


> (0) db1 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
> WHERE username = '%{SQL-User-Name}' ORDER BY id

i.e. you've customized the tables and the queries.

Sincerely


Alan DeKok
2018-02-08 14:45:35 UTC
On Feb 8, 2018, at 9:19 AM, Emrah Yıldırım <***@gmail.com> wrote:
>
> I have entered two separate NAS information for DB1 and DB2 databases. I
> hooked up two separate PF-se captive portals to the NAS tables in the DB1
> and DB2 databases. Two separate captive portal Internet users will
> authenticate and provide access to the Internet. The panel operators who
> enter the management panel I have made (the PF sense) will see the users on
> their own databases (DB1 or DB2) on the Internet with the captive portal
> separately.

OK, that's a good description.

The solution is simple then. Separate the users by NAS-IP-Address. You need to find out which table the NAS is in, and use that. Something like this should work:

if ("%{sql: SELECT nas from table1 where nas_ip = %{NAS-IP-Address}" != "") {
# user is in table 1
sql1
}
else {
# user is in table 2
sql2
}

Put that into both the "authorize" and "accounting" sections. The user information will then be separated.

The only remaining thing is that you must customize the SELECT query yourself.

> Panel administrators who don't recognize each other can open
> the same user name and password in the Radcheck table. Internet users with
> the same user name in separate databases can have separate Internet speeds.
> I need to separate the accounting. I may not be able to express myself, but
> I'm sure you are a humble and helpful person... Maybe you want to connect
> with team Viwer.

That's not going to happen.

> I'm writing the panel with Ruby on Rails. The rails attribute and the words
> of a team are using their own. He wants me to put an "s" at the end of the
> names of the MVC model tables.

You don't have to follow bad requests.

Alan DeKok.


Alan Buxey
2018-02-07 22:00:55 UTC
okay...this is quite easy

so, in the authorise section of the main server, you are just calling


db1
db2

this means you are checking whether a user is in db1....if so
great...but then you are then falling through to db2 and checking
there okay

1) that's okay if there's unique users in each db...not so great if you
have a match in one and then a clash with same name in the other....
so you may want to
skip db2 if db1 gives an answer

HOWEVER, your problem is that you are then doing the same thing for
the post-auth and the detail log etc etc -

ie you are slapping details into db1....and THEN doing the same with db2

this is why info is going into both databases.

what you need to do is upon getting a value from db1 in the authorise
section, you need to set a local variable eg create a local
dictionary value in dictionary-file eg
MYDATABASEANSWER and then set that value to 1 if the answer was from
db1, or set it to 2 if the answer was from db2

THEN you wrap a protector around your detail/log/post-auth clauses eg

if (&MYDATABASEANSWER == 1) {
db1
}
if (&MYDATABASEANSWER == 2) {
db2
}

(you could use an if/else construct instead....its up to you and how
many databases you are going to end up with)


read the unlang man page for further info on server logic.

http://freeradius.org/radiusd/man/unlang.html

alan
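Putting the two replies together (Alan DeKok's "look the NAS up and call the right instance" and Alan Buxey's "remember which database answered, then guard every later db1/db2 call"), here is a complete added example of how the posted sites-enabled/default could be restructured. It is not code from the thread or from the FreeRADIUS project. It assumes the two rlm_sql instances are named `db1` and `db2` as in the posted config, that each database has the stock `nas` table with the NAS address in the `nasname` column (the Rails-pluralised tables mentioned later in the thread, e.g. `rad_checks`, would need the names adjusted), and it uses FreeRADIUS 3's built-in `Tmp-Integer-0` attribute in the `control` list instead of a custom dictionary entry.

```unlang
#
# raddb/policy.d/select_db   (added example, not from the thread)
#
# Assumptions: rlm_sql instances "db1" and "db2"; each database has the
# stock "nas" table with the NAS address in the "nasname" column.
#
select_db {
	#
	# rlm_sql registers an xlat under its instance name, so %{db1:...}
	# runs the query on db1.  NAS-IP-Address is an ipaddr attribute, so
	# it expands to a plain dotted quad.  An empty result means "not
	# this database".
	#
	if ("%{db1:SELECT nasname FROM nas WHERE nasname = '%{NAS-IP-Address}'}" != "") {
		update control {
			&Tmp-Integer-0 := 1
		}
	}
	elsif ("%{db2:SELECT nasname FROM nas WHERE nasname = '%{NAS-IP-Address}'}" != "") {
		update control {
			&Tmp-Integer-0 := 2
		}
	}
	else {
		#
		# NAS is in neither table: refuse the request instead of
		# falling through to both databases.
		#
		reject
	}
}

#
# Call only the instance that owns this NAS.  Use this in place of the
# bare "db1" / "db2" lines in authorize, accounting, session, post-auth
# and Post-Auth-Type REJECT.
#
sql_by_nas {
	if (&control:Tmp-Integer-0 == 1) {
		db1
	}
	elsif (&control:Tmp-Integer-0 == 2) {
		db2
	}
	else {
		noop
	}
}

#
# raddb/sites-enabled/default   (only the lines that change are shown;
# everything else stays as in the posted configuration)
#
authorize {
	# (filter_username ... suffix as posted)
	eap {
		ok = return
	}
	select_db
	sql_by_nas
	# (expiration ... pap as posted)
}

accounting {
	# (detail, unix as posted)
	#
	# An Accounting-Request is a separate packet, so the lookup has to
	# run again here; nothing set during authorize is visible.
	#
	select_db
	sql_by_nas
	# (exec, attr_filter.accounting_response as posted)
}

session {
	select_db
	sql_by_nas
}

post-auth {
	#
	# Same request as authorize, so control:Tmp-Integer-0 is still set.
	#
	sql_by_nas
	# (exec, remove_reply_message_if_eap as posted)
	Post-Auth-Type REJECT {
		sql_by_nas
		attr_filter.access_reject
		eap
		remove_reply_message_if_eap
	}
}
```

Two things to check before relying on this. First, the lookup key: the posted debug output shows the packet arriving from 192.168.6.1 while `NAS-IP-Address` is 192.168.5.53, so the `nas` tables must hold whichever of the two the policy queries (swap `%{NAS-IP-Address}` for `%{Packet-Src-IP-Address}` if the tables are keyed on the source address). Second, the `reject` in `select_db` is deliberate: an Access-Request from a NAS found in neither table is refused, and an Accounting-Request from such a NAS is written to neither database, which is the opposite of the "both databases" behaviour the thread is about; `freeradius -X` will show the rejected request if a NAS is missing from both tables.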
Emrah Yıldırım
2018-02-08 14:25:19 UTC
You've given me a lot of effort. What you say makes a lot of sense, but
where to make changes, which files and lines. Can you elaborate?

Thanks. Regards


Alan Buxey
2018-02-07 22:49:28 UTC
You don't need to send all that junk. Just send the output of free radius
daemon run with -X , including an example of when an with is dealt with.
Anyway, I've already given you the required lead in my previous response

alan

On 7 Feb 2018 9:06 pm, "Emrah Yıldırım" <***@gmail.com> wrote:

First of all, I'm sorry. I sent out the changes I made and the
Freeradius-X output. If I need to share other information, please tell me
to share.

>Of course, that won't work as-is. Because you have given *zero*
information about the usernames, SQL instance names, etc

>If you give more information, you get better answers.

>
> *freeradius -X*


# Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file
/etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_always
# Instantiating module "reject" from file
/etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file
/etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file
/etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file
/etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file
/etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file
/etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file
/etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_digest
# Instantiating module "digest" from file
/etc/freeradius/mods-enabled/digest
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 56236
Ready to process requests.
Received Access-Request Id 44 from 192.168.6.1:15001 to 192.168.6.237:1812
length 133
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'alandekok'
User-Password = '123'
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2000
Framed-IP-Address = 192.168.6.17
Called-Station-Id = '192.168.5.53'
Calling-Station-Id = '68-5d-43-1d-c6-da'
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> alandekok
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "alandekok", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) db1 : EXPAND %{User-Name}
(0) db1 : --> alandekok
(0) db1 : SQL-User-Name set to 'alandekok'
rlm_sql (db1): Reserved connection (4)
(0) db1 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db1 : --> SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db1): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_checks WHERE username = 'alandekok' ORDER BY id'
(0) db1 : EXPAND SELECT groupname FROM rad_user_groups WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) db1 : --> SELECT groupname FROM rad_user_groups WHERE username =
'alandekok' ORDER BY priority
rlm_sql (db1): Executing query: 'SELECT groupname FROM rad_user_groups
WHERE username = 'alandekok' ORDER BY priority'
(0) db1 : User not found in any groups
rlm_sql (db1): Released connection (4)
(0) [db1] = notfound
(0) db2 : EXPAND %{User-Name}
(0) db2 : --> alandekok
(0) db2 : SQL-User-Name set to 'alandekok'
rlm_sql (db2): Reserved connection (4)
(0) db2 : EXPAND SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db2 : --> SELECT id, username, attribu, value, op FROM rad_checks
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_checks WHERE username = 'alandekok' ORDER BY id'
(0) db2 : User found in radcheck table
(0) db2 : Check items matched
(0) db2 : EXPAND SELECT id, username, attribu, value, op FROM rad_replies
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) db2 : --> SELECT id, username, attribu, value, op FROM rad_replies
WHERE username = 'alandekok' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, username, attribu, value, op
FROM rad_replies WHERE username = 'alandekok' ORDER BY id'
(0) db2 : EXPAND SELECT groupname FROM rad_user_groups WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) db2 : --> SELECT groupname FROM rad_user_groups WHERE username =
'alandekok' ORDER BY priority
rlm_sql (db2): Executing query: 'SELECT groupname FROM rad_user_groups
WHERE username = 'alandekok' ORDER BY priority'
(0) db2 : User found in the group table
(0) db2 : EXPAND SELECT id, groupname, attribu, Value, op FROM
rad_group_checks WHERE groupname = '%{Sql-Group}' ORDER BY id
(0) db2 : --> SELECT id, groupname, attribu, Value, op FROM
rad_group_checks WHERE groupname = 'group6mbit' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, groupname, attribu, Value, op
FROM rad_group_checks WHERE groupname = 'group6mbit' ORDER BY id'
(0) db2 : Group "group6mbit" check items matched
(0) db2 : EXPAND SELECT id, groupname, attribu, value, op FROM
rad_group_replies WHERE groupname = '%{Sql-Group}' ORDER BY id
(0) db2 : --> SELECT id, groupname, attribu, value, op FROM
rad_group_replies WHERE groupname = 'group6mbit' ORDER BY id
rlm_sql (db2): Executing query: 'SELECT id, groupname, attribu, value, op
FROM rad_group_replies WHERE groupname = 'group6mbit' ORDER BY id'
(0) db2 : Group "group6mbit" reply items processed
rlm_sql (db2): Released connection (4)
(0) [db2] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: dailycounter : Couldn't find control attribute
'control:Max-Daily-Session'
(0) [dailycounter] = noop
(0) WARNING: noresetcounter : Couldn't find control attribute
'control:Max-All-Session'
(0) [noresetcounter] = noop
(0) WARNING: monthlycounter : Couldn't find control attribute
'control:Max-Monthly-Session'
(0) [monthlycounter] = noop
(0) WARNING: expire_on_login : Couldn't find control attribute
'control:Expire-After'
(0) [expire_on_login] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(0) post-auth {
(0) db1 : EXPAND .query
(0) db1 : --> .query
(0) db1 : Using query template 'query'
rlm_sql (db1): Reserved connection (4)
(0) db1 : EXPAND %{User-Name}
(0) db1 : --> alandekok
(0) db1 : SQL-User-Name set to 'alandekok'
(0) db1 : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) db1 : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'alandekok', '123', 'Access-Accept', '2018-02-07
22:46:21')
rlm_sql (db1): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'alandekok', '123', 'Access-Accept',
'2018-02-07 22:46:21')'
rlm_sql (db1): Released connection (4)
(0) [db1] = ok
(0) db2 : EXPAND .query
(0) db2 : --> .query
(0) db2 : Using query template 'query'
rlm_sql (db2): Reserved connection (4)
(0) db2 : EXPAND %{User-Name}
(0) db2 : --> alandekok
(0) db2 : SQL-User-Name set to 'alandekok'
(0) db2 : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) db2 : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'alandekok', '123', 'Access-Accept', '2018-02-07
22:46:21')
rlm_sql (db2): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'alandekok', '123', 'Access-Accept',
'2018-02-07 22:46:21')'
rlm_sql (db2): Released connection (4)
(0) [db2] = ok
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (reply:EAP-Message && reply:Reply-Message)
(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # post-auth = ok
Sending Access-Accept Id 44 from 192.168.6.237:1812 to 192.168.6.1:15001
WISPr-Bandwidth-Max-Down = 6291456
(0) Finished request
Waking up in 0.3 seconds.
Received Accounting-Request Id 70 from 192.168.6.1:18746 to
192.168.6.237:1813 length 166
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'alandekok'
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 192.168.5.53
NAS-Identifier = 'pfSense.localdomain'
NAS-Port-Type = Ethernet
NAS-Port = 2000
Acct-Session-Id = '51ddb7ae87a6974e'
Framed-IP-Address = 192.168.6.17
Called-Station-Id = '192.168.5.53'
Calling-Station-Id = '68-5d-43-1d-c6-da'
(1) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) acct_unique acct_unique {
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)
(1) EXPAND %{string:Class}
(1) -->
(1) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(1) else else {
(1) update request {
(1) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 5f7d981301d43b05adad3019deb5500a
(1) Acct-Unique-Session-Id := '"5f7d981301d43b05adad3019deb5500a"'
(1) } # update request = noop
(1) } # else else = noop
(1) } # acct_unique acct_unique = noop
(1) suffix : No '@' in User-Name = "alandekok", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(1) accounting {
(1) detail : EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail : --> /var/log/freeradius/radacct/192.168.6.1/detail-20180207
(1) detail :
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.6.1/detail-20180207
(1) detail : EXPAND %t
(1) detail : --> Wed Feb 7 22:46:21 2018
(1) [detail] = ok
(1) [unix] = ok
(1) db1 : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) db1 : --> type.start.query
(1) db1 : Using query template 'query'
rlm_sql (db1): Reserved connection (4)
(1) db1 : EXPAND %{User-Name}
(1) db1 : --> alandekok
(1) db1 : SQL-User-Name set to 'alandekok'
(1) db1 : EXPAND INSERT INTO rad_accts (acctsessionid, acctuniqueid,
username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(1) db1 : --> INSERT INTO rad_accts (acctsessionid, acctuniqueid,
username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('51ddb7ae87a6974e', '5f7d981301d43b05adad3019deb5500a', 'alandekok', '',
'192.168.5.53', '2000', 'Ethernet', FROM_UNIXTIME(1518036381),
FROM_UNIXTIME(1518036381), NULL, '0', 'RADIUS', '', '', '0', '0',
'192.168.5.53', '68-5d-43-1d-c6-da', '', '', '', '192.168.6.17')
rlm_sql (db1): Executing query: 'INSERT INTO rad_accts (acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('51ddb7ae87a6974e',
'5f7d981301d43b05adad3019deb5500a', 'alandekok', '', '192.168.5.53',
'2000', 'Ethernet', FROM_UNIXTIME(1518036381), FROM_UNIXTIME(1518036381),
NULL, '0', 'RADIUS', '', '', '0', '0', '192.168.5.53', '68-5d-43-1d-c6-da',
'', '', '', '192.168.6.17')'
rlm_sql (db1): Released connection (4)
(1) [db1] = ok
(1) db2 : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) db2 : --> type.start.query
(1) db2 : Using query template 'query'
rlm_sql (db2): Reserved connection (4)
(1) db2 : EXPAND %{User-Name}
(1) db2 : --> alandekok
(1) db2 : SQL-User-Name set to 'alandekok'
(1) db2 : EXPAND INSERT INTO rad_accts (acctsessionid, acctuniqueid,
username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(1) db2 : --> INSERT INTO rad_accts (acctsessionid, acctuniqueid,
username,
realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES
('51ddb7ae87a6974e', '5f7d981301d43b05adad3019deb5500a', 'alandekok', '',
'192.168.5.53', '2000', 'Ethernet', FROM_UNIXTIME(1518036381),
FROM_UNIXTIME(1518036381), NULL, '0', 'RADIUS', '', '', '0', '0',
'192.168.5.53', '68-5d-43-1d-c6-da', '', '', '', '192.168.6.17')
rlm_sql (db2): Executing query: 'INSERT INTO rad_accts (acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('51ddb7ae87a6974e',
'5f7d981301d43b05adad3019deb5500a', 'alandekok', '', '192.168.5.53',
'2000', 'Ethernet', FROM_UNIXTIME(1518036381), FROM_UNIXTIME(1518036381),
NULL, '0', 'RADIUS', '', '', '0', '0', '192.168.5.53', '68-5d-43-1d-c6-da',
'', '', '', '192.168.6.17')'
rlm_sql (db2): Released connection (4)
(1) [db2] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response : EXPAND %{User-Name}
(1) attr_filter.accounting_response : --> alandekok
(1) attr_filter.accounting_response : Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
Sending Accounting-Response Id 70 from 192.168.6.237:1813 to
192.168.6.1:18746
(1) Finished request
Waking up in 0.3 seconds.
(1) Cleaning up request packet ID 70 with timestamp +16
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 44 with timestamp +16
Ready to process requests.


*/etc/freeradius/mods-available/sql*

sql db1 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "localhost"
	port = 3306
	login = "root"
	password = "123456"
	radius_db = "db1"
	acct_table1 = "rad_accts"
	acct_table2 = "rad_accts"
	postauth_table = "rad_post_auths"
	authcheck_table = "rad_checks"
	groupcheck_table = "rad_group_checks"
	authreply_table = "rad_replies"
	groupreply_table = "rad_group_replies"
	usergroup_table = "rad_user_groups"
	read_groups = no
	delete_stale_sessions = yes
	pool {
		start = 5
		min = 4
		max = ${thread[pool].max_servers}
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
	read_clients = yes
	client_table = "nas"
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

sql db2 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "localhost"
	port = 3306
	login = "root"
	password = "123456"
	radius_db = "db2"
	acct_table1 = "rad_accts"
	acct_table2 = "rad_accts"
	postauth_table = "rad_post_auths"
	authcheck_table = "rad_checks"
	groupcheck_table = "rad_group_checks"
	authreply_table = "rad_replies"
	groupreply_table = "rad_group_replies"
	usergroup_table = "rad_user_groups"
	read_groups = no
	delete_stale_sessions = yes
	pool {
		start = 5
		min = 4
		max = ${thread[pool].max_servers}
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
	read_clients = yes
	client_table = "nas"
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}


*/etc/freeradius/sites-enabled/inner-tunnel*

# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: 11b6c12d845a1e8287888b3f0a0748d810b2c184 $
#
######################################################################

server inner-tunnel {

#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}


# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
# unix

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous", and a different one here
# (e.g. "***@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain

#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
Proxy-To-Realm := LOCAL
}

#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Read the 'users' file
files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
-sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module reads passwords from the LDAP database.
-ldap

#
# Enforce daily limits on time spent logged in.
# daily

expiration
logintime
dailycounter
noresetcounter
monthlycounter
expire_on_login
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }

#
# Allow EAP authentication.
eap
}

######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
#sql
db1
db2
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# If you want privacy to remain, see the
# Chargeable-User-Identity attribute from RFC 4372.
# If you want to use it just uncomment the line below.
# cui-inner

#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
-sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
}

#
# The example policy below updates the outer tunnel reply
# (usually Access-Accept) with the User-Name from the inner
# tunnel User-Name. Since this section is processed in the
# context of the inner tunnel, "request" here means "inner
# tunnel request", and "outer.reply" means "outer tunnel
# reply attributes".
#
# This example is most useful when the outer session contains
# a User-Name of "***@....", or a MAC address. If it
# is enabled, the NAS SHOULD use the inner tunnel User-Name
# in subsequent accounting packets. This makes it easier to
# track user sessions, as they will all be based on the real
# name, and not on "anonymous".
#
# The problem with doing this is that it ALSO exposes the
# real user name to any intermediate proxies. People use
# "anonymous" identifiers outside of the tunnel for a very
# good reason: it gives them more privacy. Setting the reply
# to contain the real user name removes ALL privacy from
# their session.
#
# If you still want to use the inner tunnel User-Name then
# uncomment the section below, otherwise you may want
# to use Chargeable-User-Identity attribute from RFC 4372.
# See further on.
#update outer.reply {
# User-Name = "%{request:User-Name}"
#}
#
}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }

}

} # inner-tunnel server block


*/etc/freeradius/sites-enabled/default*

######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 3278975e054fab504afda5ba8fc999239cb2fb9d $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################

server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa-server
#
type = auth

# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.

# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *

# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0

# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0

# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients

#
# Connection limiting for sockets with "proto = tcp".
#
# This section is ignored for other kinds of sockets.
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16

# The per-socket "max_requests" option does not exist.

#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0

#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}

#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients

limit {
# The number of packets received can be rate limited via the
# "max_pps" configuration item. When it is set, the server
# tracks the total number of packets received in the previous
# second. If the count is greater than "max_pps", then the
# new packet is silently discarded. This helps the server
# deal with overload situations.
#
# The packets/s counter is tracked in a sliding window. This
# means that the pps calculation is done for the second
# before the current packet was received. NOT for the current
# wall-clock second, and NOT for the previous wall-clock second.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more than
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure that
# the server will never get overloaded
#
# max_pps = 0

# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username

#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess

# If you intend to use CUI and you require that the Operator-Name
# be set for CUI generation and you want to generate CUI also
# for your local clients then uncomment the operator-name
# below and set the operator-name for your clients in clients.conf
# operator-name

#
# If you want to generate CUI for some clients that do not
# send proper CUI requests, then uncomment the
# cui below and set "add_cui = yes" for these clients in clients.conf
# cui

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest

#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
# wimax

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# As of 2.0, the EAP module returns "ok" in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
# this change is compatible with older configurations.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
# unix

#
# Read the 'users' file
#files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
#sql
db1
db2
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'smbpasswd' module.
# smbpasswd

#
# The ldap module reads passwords from the LDAP database.
-ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
expiration
logintime
dailycounter
noresetcounter
monthlycounter
expire_on_login
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap

#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest

#
# Pluggable Authentication Modules.
# pam

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }

#
# Allow EAP authentication.
eap

#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from attr_filter
# }
# }
}


#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess

#
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input|Output]-Octets
# into a single 64bit counter Acct-[Input|Output]-Octets64.
#
# acct_counters64

#
# Session start times are *implied* in RADIUS.
# The NAS never sends a "start time". Instead, it sends
# a start packet, *possibly* with an Acct-Delay-Time.
# The server is supposed to conclude that the start time
# was "Acct-Delay-Time" seconds in the past.
#
# The code below creates an explicit start time, which can
# then be used in other modules. It will be *mostly* correct.
# Any errors are due to the 1-second resolution of RADIUS,
# and the possibility that the time on the NAS may be off.
#
# The start time is: NOW - delay - session_length
#

# update request {
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }


#
# Ensure that we have a semi-unique identifier for every
# request, as many NAS boxes are broken.
acct_unique

#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain

#
# Read the 'acct_users' file
files
}

#
# Accounting. Log the accounting data.
#
accounting {
# Update accounting packet by adding the CUI attribute
# recorded from the corresponding Access-Accept
# use it only if your NAS boxes do not support CUI themselves
# cui
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# dailycounter
# noresetcounter
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix

#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
# radutmp
# sradutmp

# Return an address to the IP Pool when we see a stop record.
# main_pool

#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
#sql
db1
db2

#
# If you receive stop packets with zero session length,
# they will NOT be logged in the database. The SQL module
# will print a message (only in debugging mode), and will
# return "noop".
#
# You can ignore these packets by uncommenting the following
# three lines. Otherwise, the server will not respond to the
# accounting request, and the NAS will retransmit.
#
# if (noop) {
# ok
# }

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

# Cisco VoIP specific bulk accounting
# pgsql-voip

# For Exec-Program and Exec-Program-Wait
exec

# Filter attributes from the accounting response.
attr_filter.accounting_response

#
# See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
#sql
db1
db2
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool


# Create the CUI value and add the attribute to Access-Accept.
# Uncomment the line below if *returning* the CUI.
# cui

#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
#sql
db1
db2
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
# ldap

# For Exec-Program and Exec-Program-Wait
exec

#
# Calculate the various WiMAX keys. In order for this to work,
# you will need to define the WiMAX NAI, usually via
#
# update request {
# WiMAX-MN-NAI = "%{User-Name}"
# }
#
# If you want various keys to be calculated, you will need to
# update the reply with "template" values. The module will see
# this, and replace the template values with the correct ones
# taken from the cryptographic calculations. e.g.
#
# update reply {
# WiMAX-FA-RK-Key = 0x00
# WiMAX-MSK = "%{EAP-MSK}"
# }
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
# wimax


# If there is a client certificate (EAP-TLS, sometimes PEAP
# and TTLS), then some attributes are filled out after the
# certificate verification has been performed. These fields
# MAY be available during the authentication, or they may be
# available only in the "post-auth" section.
#
# The first set of attributes contains information about the
# issuing certificate which is being used. The second
# contains information about the client certificate (if
# available).
#
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }

# Insert class attribute (with unique value) into response,
# aids matching auth and acct records, and protects against duplicate
# Acct-Session-Id. Note: Only works if the NAS has implemented
# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
# insert_acct_class

# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
# if (reply:EAP-Session-Id) {
# update reply {
# EAP-Key-Name := "%{reply:EAP-Session-Id}"
# }
# }

# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
#sql
db1
db2
attr_filter.access_reject

# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap

# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Before proxying the request, add an Operator-Name attribute identifying
# if the operator-name is found for this client.
# No need to uncomment this if you have already enabled this in
# the authorize section.
# operator-name

# The client requests the CUI by sending a CUI attribute
# containing one zero byte.
# Uncomment the line below if *requesting* the CUI.
# cui

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }
}
}


2018-02-07 17:20 GMT+03:00 Alan DeKok <***@deployingradius.com>:

> On Feb 6, 2018, at 11:56 PM, Emrah Yıldırım <***@gmail.com> wrote:
> >
> > Are you sure
> > you're looking at Link?
>
> You need to learn how to ask good questions. Your first question, and
> the link, are vague and content-free.
>
> If you ask a bad question, you will get a bad answer.
>
>
> > This topic is related to Freeradius... I have
> > separated databases with SQL instance.
>
> Does this mean you have two SQL instances configured in FreeRADIUS?
>
> > However, separate hosts in both NAS
> > tables
> > Although I do, I see the same data in the RADACCT table of both
> databases.
>
> You've configured the server to use both SQL instances for all users.
> This is wrong.
>
> You need to call the right instance for the right user:
>
> if (user is from system A) {
> sql1
> }
> else {
> sql2
> }
>
> Of course, that won't work as-is. Because you have given *zero*
> information about the usernames, SQL instance names, etc
>
> If you give more information, you get better answers.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
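The routing Alan DeKok sketches above, written out against the `db1` and `db2` instance names in the posted `sites-enabled/default`. This is an added example by the editor, not code from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 3.x unlang syntax and that `clients.conf` gives every NAS that belongs to the first database `shortname = nas-a` and every NAS for the second database `shortname = nas-b` (both names are assumptions). The posted config calls both instances unconditionally in `authorize`, `accounting`, `session` and `post-auth`, which is exactly why every Accounting-Request lands in both `radacct` tables; each section below calls exactly one instance per packet instead. The key is `client-shortname`, which the server fills in from the `clients.conf` entry whose source address and shared secret validated the packet. Keying on `NAS-IP-Address` would not be safe: that attribute is just a field in the packet, so a NAS could put the other tenant's address in it and have its records written into, and its users looked up in, the other tenant's database.

```unlang
#  Added example: one sql instance per packet, selected by the NAS that
#  sent it.  db1/db2 are the instances from the posted config; the client
#  shortnames nas-a and nas-b are assumed to be defined in clients.conf.
#  The listen { } sections are unchanged from the posted configuration
#  and are omitted here.

server default {

    authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }

        if (&client-shortname == "nas-a") {
            db1
        }
        elsif (&client-shortname == "nas-b") {
            db2
        }
        else {
            #  Listed in clients.conf but belongs to neither tenant:
            #  no password lookup, so reject outright.
            reject
        }

        expiration
        logintime
        pap
    }

    accounting {
        detail

        if (&client-shortname == "nas-a") {
            db1
        }
        elsif (&client-shortname == "nas-b") {
            db2
        }
        else {
            #  Acknowledge so the NAS stops retransmitting, but write
            #  the record into neither radacct table.
            ok
        }

        exec
        attr_filter.accounting_response
    }

    session {
        #  Simultaneous-Use must be checked against the same database
        #  that holds this NAS's radacct rows.
        if (&client-shortname == "nas-a") {
            db1
        }
        else {
            db2
        }
    }

    post-auth {
        if (&client-shortname == "nas-a") {
            db1
        }
        else {
            db2
        }
        exec
        remove_reply_message_if_eap

        Post-Auth-Type REJECT {
            if (&client-shortname == "nas-a") {
                db1
            }
            else {
                db2
            }
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
    }
}
```

Check the syntax first with `radiusd -C` (configuration check only), then run `radiusd -X` and send one Accounting-Request from a host listed under each shortname (for example with `radclient`). In debug output each packet should show a single `db1` or `db2` call, and `SELECT nasipaddress, COUNT(*) FROM radacct GROUP BY nasipaddress;` run on each database should list only that database's own NASes. Note that this routing keeps the records apart; it does nothing about who can read them. If the concern is that a database user can see the other tenant's `radacct` table, that is a grant on the SQL server, as the first reply in this thread says, and each sql instance should connect with credentials that can only reach its own schema.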