Dear Radius users,
I am having a difficult time setting up freeradius (v0.4) on a Debian
Testing system to work with SQL. Using the test program, radtest, I get
no notification whatsoever that it is making a connection to the server.
However, when I disable the SQL module and just use the 'users' file,
I get authentication messages.
I have attached several of my configuration files. If more are
needed, I would be happy to provide them.
When configured for SQL use, here is the output of 'radiusd -X':
intrepid:~# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = no
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "radius"
sql: password = "******"
sql: radius_db = "radius"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "radcheck"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "usergroup"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = off
sql: sqltracefile = "/var/log/radiusd-freeradius/sqltrace.sql"
sql: deletestalesessions = yes
sql: num_sql_socks = 32
sql: sql_user_name = "%{User-Name}"
sql: authorize_check_query = "SELECT id,UserName,Attribute,Value FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value
FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value
FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE
UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password'
) ORDER BY Attribute DESC"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE
AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND
AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress =
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
sql: accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S',
AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}',
AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause =
'%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop =
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = "INSERT into radacct (RadAcctId,
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port-Id}', '%{NAS-Port-Type}', '0', '%S', '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
sql: connect_failure_retry_delay = 60
rlm_sql: Driver rlm_sql_mysql loaded and linked
rlm_sql: Attempting to connect to radius@localhost:/radius
rlm_sql: Connected new DB handle, #0
rlm_sql: Connected new DB handle, #1
rlm_sql: Connected new DB handle, #2
rlm_sql: Connected new DB handle, #3
rlm_sql: Connected new DB handle, #4
rlm_sql: Connected new DB handle, #5
rlm_sql: Connected new DB handle, #6
rlm_sql: Connected new DB handle, #7
rlm_sql: Connected new DB handle, #8
rlm_sql: Connected new DB handle, #9
rlm_sql: Connected new DB handle, #10
rlm_sql: Connected new DB handle, #11
rlm_sql: Connected new DB handle, #12
rlm_sql: Connected new DB handle, #13
rlm_sql: Connected new DB handle, #14
rlm_sql: Connected new DB handle, #15
rlm_sql: Connected new DB handle, #16
rlm_sql: Connected new DB handle, #17
rlm_sql: Connected new DB handle, #18
rlm_sql: Connected new DB handle, #19
rlm_sql: Connected new DB handle, #20
rlm_sql: Connected new DB handle, #21
rlm_sql: Connected new DB handle, #22
rlm_sql: Connected new DB handle, #23
rlm_sql: Connected new DB handle, #24
rlm_sql: Connected new DB handle, #25
rlm_sql: Connected new DB handle, #26
rlm_sql: Connected new DB handle, #27
rlm_sql: Connected new DB handle, #28
rlm_sql: Connected new DB handle, #29
rlm_sql: Connected new DB handle, #30
rlm_sql: Connected new DB handle, #31
Module: Instantiated sql (sql)
Module: Loaded preprocess
preprocess: huntgroups = "//etc/raddb/huntgroups"
preprocess: hints = "//etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "//etc/raddb/users"
files: acctusersfile = "//etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile =
"/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radiusd-freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = "public"
main: snmp_write_access = no
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: public
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Listening on IP address 127.0.0.1, ports 1812/udp and 1813/udp.
Ready to process requests.
MASTER: exit on signal (2)
intrepid:~# exit
exit
Here is the output of using radtest, while the above logging is taking
place:
Sending Access-Request of id 207 to 127.0.0.1:1812
User-Name = "ahank"
Password = "\013\255\270\240\332\247\321\021\257]t\355)\371\033w"
NAS-IP-Address = intrepid
NAS-Port-Id = "10"
Sending Access-Request of id 207 to 127.0.0.1
User-Name = "ahank"
Password = "\013\255\270\240\332\247\321\021\257]t\355)\371\033w"
NAS-IP-Address = intrepid
NAS-Port-Id = "10"
[ ... ]
radclient: no response from server
Thanks for any advice,
hank
--
Adam Henry <[EMAIL PROTECTED]>
Marinar Communications Group
Phn: 440.354.1458 x24
Mob: 440.742.0011
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
# Stuff from autoconf
prefix = /
exec_prefix = /usr
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radiusd-freeradius
libdir = /usr/lib/freeradius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# e.g.: kill -HUP `cat /var/run/radiusd.pid`
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group)
# when the value of (unsigned)group is above 60000;
# don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in normal use, it may be
# because the debugged server is running as a user that can read the shadow
# info, and the user listed below can not.
user = root
group = root
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, or in one of the modules
# used to handle a request.
#
# Useful range of values: 5 to 120
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
bind_address = 127.0.0.1
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
port = 0
# Which program to execute check doing concurrency checks.
checkrad = ${sbindir}/checkrad
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
log_auth = no
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
log_auth_badpass = no
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "duplicate-users" documentation
usercollide = no
# lower_user / lower_pass:
# Lowercase the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request
# and then try to auth the user. If "after", the server
# will first auth using the values provided by the
# user. If that fails it will reprocess the request
# after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is
# the admin's job to ensure that the username on the auth
# db side is *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
lower_user = no
lower_pass = no
# nospace_user / nospace_pass:
# Some users like to enter spaces in their username or
# password incorrectly. To save yourself the tech support
# call, you can eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
nospace_user = no
nospace_pass = no
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
proxy_requests = no
#$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf". If you don't
# use the "clients.conf", you can comment the following. The use of
# "clients.conf" is recommended over the old "clients", though both
# are supported.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if you enabled SNMP support when
# you compiled radius. To enable SNMP configuration, uncomment the
# following line.
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
max_servers = 32
# Server-pool size regulation. Rather than making you guess how many
# servers you need, FreeRADIUS dynamically adapts to the load it sees
# --- that is, it tries to maintain enough servers to handle the
# current load, plus a few spare servers to handle transient load
# spikes.
#
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than min_spare_servers, it
# creates a new spare. If there are more than max_spare_servers, some
# of the spares die off. The default values are probably OK for most
# sites.
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
modules {
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration.
#
# Note that any Pam-Auth attribute set in the 'users'
# file over-rides this one.
#
pam_auth = radiusd
}
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them. However, caching them can
# speed up system authentications by a substantial amount.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
# shadow = /etc/shadow
group = /etc/group
#
# Where the 'wtmp' file is located.
# This will be moved to it's own module soon..
#
radwtmp = ${logdir}/radwtmp
}
# EAP module for all EAP related authentications
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received
# default_eap_type = md5
# Default expiry time to clean the EAP list,
# It is maintained to co-relate the
# EAP-response for each EAP-request sent.
# timer_expire = 60
# Supported EAP-types
md5 {
}
}
# This module supports SAMBA passwd file authorization
# and MS-CHAP, MS-CHAPv2 authentication
mschap {
# if given passwd shows location of
# SAMBA passwd file
# passwd = /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# if ignore_password set to yes mschap will
# ignore password set by any other module during
# authorization and will always use password file
# ignore_password = yes
}
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type = LDAP)
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%u)"
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
timeout = 4
timelimit = 3
net_timeout = 1
}
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined the order in the authorize and
# preacct blocks after the module config block.
#
# Two config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
#
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm realmslash {
format = prefix
delimiter = "/"
}
# 'username%realm'
realm realmpercent {
format = suffix
delimiter = "%"
}
# rewrite arbitrary packets. Useful in accounting and authorization.
## FIXME: This is highly experimental at the moment. Please give
## feedback.
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# max_matches = 10
#}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco sends it's VSA attributes with the attribute
# name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# See README.rlm_fastusers before using this
# module or changing these values.
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
detail {
# Note that we do NOT use NAS-IP-Address here, as that
# attribute MAY BE from the originating NAS, and NOT
# from the proxy which actually sent us the request.
# The Client-IP-Address attribute is ALWAYS the address
# of the client which sent us the request.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail
detailperm = 0600
}
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. see doc/README.rlm_acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port-Id"
}
# Include another file that has SQL-related stuff in it.
# This is another file solely because it tends to be big.
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another instance of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# This module takes an attribute (count-attribute), which MUST
# be an 'integer' or 'time' attribute. It also takes a key,
# and creates a counter for each unique key. The count is
# incremented when accounting packets are received by the
# server. The value of the increment is the value of the
# count-attribute.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, or monthly.
#
# The counter-name is the name of the attribute in the 'users'
# file used to access that counter. e.g.
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# The "always" module is here for debugging purposes. Each instance simply
# returns the same result, always, without doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
# it is not referencened in one of the autz/auth/preacct/acct sections
# example {
# # Boolean variable.
# # allowed values: {no, yes}
# boolean = yes
#
# # An integer, of any value.
# integer = 16
#
# # A string.
# string = "This is an example configuration string"
#
# # An IP address, either in dotted quad (1.2.3.4) or hostname
# # (example.com)
# ipaddr = 127.0.0.1
#
# # A subsection
# mysubsection {
# anotherinteger = 1000
# # They nest
# deeply nested {
# string = "This is a different string"
# }
# }
# }
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
# The order of the realm modules will determine the order that
# we try to find a matching realm.
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
preprocess
# counter
# attr_filter
# eap
suffix
sql
files
# mschap
}
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the apropriate module from the list below.
authenticate {
# pam
unix
sql
# By grouping modules together in an authtype block, that authtype will be
# tried on each module in sequence until one returns REJECT or OK. This
# allows authentication failover if the first SQL server has crashed, for
# example.
# authtype SQL {
# sql
# sql2
# }
# ldap
# mschap
# eap
}
# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
suffix
files
preprocess
}
# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
# acct_unique
detail
# counter
unix
sql
radutmp
# sradutmp
}
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
radutmp
}
#
# Configuration for the SQL module.
#
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql, rlm_sql_iodbc,
rlm_sql_oracle
driver = "rlm_sql_mysql"
# Connect info
server = "localhost"
login = "radius"
password = "******"
# Database table configuration
radius_db = "radius"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "usergroup"
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = off
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 32
########################################################################
# Query config: Username
########################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you you can be sure
# the username passed from the client is escaped properly.
#
#sql_user_name = "%{Stripped-User-Name}:-%{User-Name}}"
# ^^^ --That doesn't work because someone screwed up decode_attribute()
#sql_user_name = "%{Stripped-User-Name}";
sql_user_name = "%{User-Name}"
########################################################################
# Authorization Queries
########################################################################
# These queries compare the check items for the user
# in ${authcheck_table} and setup the reply items in
# ${authreply_table}. You can use any query/tables
# you want, but the return data for each row MUST
# be in the following order:
#
# 0. Row ID (currently unused)
# 1. UserName/GroupName
# 2. Item Attr Name
# 3. Item Attr Value
########################################################################
# Use these for case sensitive usernames. WARNING: Slower queries!
# authorize_check_query = "SELECT id,UserName,Attribute,Value FROM
${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
# authorize_reply_query = "SELECT id,UserName,Attribute,Value FROM
${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
authorize_check_query = "SELECT id,UserName,Attribute,Value FROM
${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value FROM
${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
# Use these for case sensitive usernames. WANRING: Slower queries!
# authorize_group_check_query = "SELECT
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value
FROM ${groupcheck_table},${usergroup_table} WHERE STRCMP(${usergroup_table}.Username,
'%{SQL-User-Name}') = 0 AND ${usergroup_table}.GroupName =
${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
# authorize_group_reply_query = "SELECT
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value
FROM ${groupreply_table},${usergroup_table} WHERE STRCMP(${usergroup_table}.Username,
'%{SQL-User-Name}') = 0 AND ${usergroup_table}.GroupName =
${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
authorize_group_check_query = "SELECT
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value
FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username =
'%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value
FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username =
'%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName
ORDER BY ${groupreply_table}.id"
########################################################################
# Authentication Query
########################################################################
# This query is used only to get the Password for the
# user we want to authenticate. The password MUST
# be the first field in the return row data.
########################################################################
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE
UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password'
) ORDER BY Attribute DESC"
########################################################################
# Accounting Queries
########################################################################
# accounting_onoff_query - query for Accounting On/Off packets
# accounting_update_query - query for Accounting update packets
# accounting_start_query - query for Accounting start packets
# accounting_start_query_alt - query for Accounting start packets
# (alternate in case first query fails)
# accounting_stop_query - query for Accounting stop packets
# accounting_stop_query_alt - query for Accounting start packets
# (alternate in case first query doesn't
# affect any existing rows in the table)
########################################################################
accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE
AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND
AcctStartTime <= '%S'"
accounting_update_query = "UPDATE ${acct_table1} SET FramedIPAddress =
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S',
AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query = "UPDATE ${acct_table1} SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}',
AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause =
'%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop =
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = "INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}', '0', '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{Acct-Delay-Time}')"
}
