I posted a response to this... Did you look at it? --Mike
On Thu, 2004-04-01 at 02:41, Vasudevan.S wrote: > Dear All, > > I am re sending the mail again Can any one have any idea of what is > wrong with the configuration or what am i doing wrong here ?? > > Thanks, > Vasudevan.S > > > > > > Dear Alan DeKok, > > I am using free-radius 0.9.3 for authentication purpose. I have > configured free radius and cisco 350 AP and I see the below trace when I > start the radius server with debug options on. The Wireless client > connects to the cisco AP and sends the authentication request to the > free radius server and gets a Access Accept return packet but the end > wireless client is getting invalid username/password and the user login > is rejected. > > Please find the trace in the radius server side, I have also given the > hardware components used. I have also attached the radius.conf for your > reference. > > Free Radius Server : Linux 8.0 > AP = Cisco 350 AP > Wireless client card : 3com : driver version 1.0.0.225 : > > Has anyone encountered such problems??, solution to this is greatly > appreciated. > > > Thanks a lot for your Help > Vasudevan.S > > > > rad_recv: Access-Request packet from host 192.168.1.35:1042, id=18, > length=176 > TEST:secretKey kernel TEST:secretKey kernel User-Name = "muthuganeshj" > Cisco-AVPair = "ssid=ciscossid2" > NAS-IP-Address = 192.168.1.35 > Called-Station-Id = "0040965e03cb" > Calling-Station-Id = "000d54aa88db" > NAS-Identifier = "AdventNet Cisco 350 AP" > NAS-Port = 37 > Framed-MTU = 1400 > NAS-Port-Type = Wireless-802.11 > Service-Type = Login-User > EAP-Message = 0x02080011016d7574687567616e6573686a > Message-Authenticator = 0xd3c1ce45286cdd4b940bbb42cc54a2e3 > Wed Mar 31 12:45:51 2004 : Debug: modcall: entering group authorize for > request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: calling > preprocess (rlm_preprocess) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: returned from > preprocess (rlm_preprocess) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall[authorize]: module > "preprocess" returns ok for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: calling chap > (rlm_chap) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: returned from > chap (rlm_chap) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall[authorize]: module "chap" > returns noop for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: calling suffix > (rlm_realm) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: rlm_realm: No '@' in User-Name = > "muthuganeshj", looking up realm NULL > Wed Mar 31 12:45:51 2004 : Debug: rlm_realm: No such realm "NULL" > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: returned from > suffix (rlm_realm) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall[authorize]: module "suffix" > returns noop for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: calling files > (rlm_files) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: users: Matched DEFAULT at 151 > Wed Mar 31 12:45:51 2004 : Debug: users: Matched muthuganeshj at 215 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: returned from > files (rlm_files) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall[authorize]: module "files" > returns ok for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: calling mschap > (rlm_mschap) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modsingle[authorize]: returned from > mschap (rlm_mschap) for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall[authorize]: module "mschap" > returns noop for request 5 > Wed Mar 31 12:45:51 2004 : Debug: modcall: group authorize returns ok > for request 5 > Wed Mar 31 12:45:51 2004 : Debug: rad_check_password: Found Auth-Type > Accept > Wed Mar 31 12:45:51 2004 : Debug: rad_check_password: Auth-Type = > Accept, accepting the user > Sending Access-Accept of id 18 to 192.168.1.35:1042 > Service-Type = Framed-User > Login-IP-Host = 192.168.112.124 > Callback-Number = "9,5551212" > Login-Service = Telnet > Framed-Protocol = PPP > Login-TCP-Port = Telnet > Wed Mar 31 12:45:51 2004 : Debug: Finished request 5 > Wed Mar 31 12:45:51 2004 : Debug: Going to the next request > Wed Mar 31 12:45:51 2004 : Debug: --- Walking the entire request list --- > Wed Mar 31 12:45:51 2004 : Debug: Waking up in 6 seconds... > Wed Mar 31 12:45:57 2004 : Debug: --- Walking the entire request list --- > Wed Mar 31 12:45:57 2004 : Debug: Cleaning up request 5 ID 18 with > timestamp 406a7027 > Wed Mar 31 12:45:57 2004 : Debug: Nothing to do. Sleeping until we see > a request. > > > > ______________________________________________________________________ > ## > ## radiusd.conf -- FreeRADIUS server configuration file. > ## > ## http://www.freeradius.org/ > ## $Id: radiusd.conf.in,v 1.148.2.3 2003/09/30 19:32:11 phampson Exp $ > ## > > # The location of other config files and > # logfiles are declared in this file > # > # Also general configuration for modules can be done > # in this file, it is exported through the API to > # modules that ask for it. > # > # The configuration variables defined here are of the form ${foo} > # They are local to this file, and do not change from request to > # request. > # > # The per-request variables are of the form %{Attribute-Name}, and > # are taken from the values of the attribute in the incoming > # request. See 'doc/variables.txt' for more information. > > prefix = /usr/local > exec_prefix = ${prefix} > sysconfdir = ${prefix}/etc > localstatedir = ${prefix}/var > sbindir = ${exec_prefix}/sbin > logdir = ${localstatedir}/log/radius > raddbdir = ${sysconfdir}/raddb > radacctdir = ${logdir}/radacct > > # Location of config and logfiles. > confdir = ${raddbdir} > run_dir = ${localstatedir}/run/radiusd > > # > # The logging messages for the server are appended to the > # tail of this file. > # > log_file = ${logdir}/radius.log > > # > # libdir: Where to find the rlm_* modules. > # > # This should be automatically set at configuration time. > # > # If the server builds and installs, but fails at execution time > # with an 'undefined symbol' error, then you can use the libdir > # directive to work around the problem. > # > # The cause is usually that a library has been installed on your > # system in a place where the dynamic linker CANNOT find it. When > # executing as root (or another user), your personal environment MAY > # be set up to allow the dynamic linker to find the library. When > # executing as a daemon, FreeRADIUS MAY NOT have the same > # personalized configuration. > # > # To work around the problem, find out which library contains that symbol, > # and add the directory containing that library to the end of 'libdir', > # with a colon separating the directory names. NO spaces are allowed. > # > # e.g. libdir = /usr/local/lib:/opt/package/lib > # > # You can also try setting the LD_LIBRARY_PATH environment variable > # in a script which starts the server. > # > # If that does not work, then you can re-configure and re-build the > # server to NOT use shared libraries, via: > # > # ./configure --disable-shared > # make > # make install > # > libdir = ${exec_prefix}/lib > > # pidfile: Where to place the PID of the RADIUS server. > # > # The server may be signalled while it's running by using this > # file. > # > # This file is written when ONLY running in daemon mode. > # > # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` > # > pidfile = ${run_dir}/radiusd.pid > > > # user/group: The name (or #number) of the user/group to run radiusd as. > # > # If these are commented out, the server will run as the user/group > # that started it. In order to change to a different user/group, you > # MUST be root ( or have root privleges ) to start the server. > # > # We STRONGLY recommend that you run the server with as few permissions > # as possible. That is, if you're not using shadow passwords, the > # user and group items below should be set to 'nobody'. > # > # On SCO (ODT 3) use "user = nouser" and "group = nogroup". > # > # NOTE that some kernels refuse to setgid(group) when the value of > # (unsigned)group is above 60000; don't use group nobody on these systems! > # > # On systems with shadow passwords, you might have to set 'group = shadow' > # for the server to be able to read the shadow password file. If you can > # authenticate users while in debug mode, but not in daemon mode, it may be > # that the debugging mode server is running as a user that can read the > # shadow info, and the user listed below can not. > # > #user = nobody > #group = nobody > > # max_request_time: The maximum time (in seconds) to handle a request. > # > # Requests which take more time than this to process may be killed, and > # a REJECT message is returned. > # > # WARNING: If you notice that requests take a long time to be handled, > # then this MAY INDICATE a bug in the server, in one of the modules > # used to handle a request, OR in your local configuration. > # > # This problem is most often seen when using an SQL database. If it takes > # more than a second or two to receive an answer from the SQL database, > # then it probably means that you haven't indexed the database. See your > # SQL server documentation for more information. > # > # Useful range of values: 5 to 120 > # > max_request_time = 30 > > # delete_blocked_requests: If the request takes MORE THAN 'max_request_time' > # to be handled, then maybe the server should delete it. > # > # If you're running in threaded, or thread pool mode, this setting > # should probably be 'no'. Setting it to 'yes' when using a threaded > # server MAY cause the server to crash! > # > delete_blocked_requests = no > > # cleanup_delay: The time to wait (in seconds) before cleaning up > # a reply which was sent to the NAS. > # > # The RADIUS request is normally cached internally for a short period > # of time, after the reply is sent to the NAS. The reply packet may be > # lost in the network, and the NAS will not see it. The NAS will then > # re-send the request, and the server will respond quickly with the > # cached reply. > # > # If this value is set too low, then duplicate requests from the NAS > # MAY NOT be detected, and will instead be handled as seperate requests. > # > # If this value is set too high, then the server will cache too many > # requests, and some new requests may get blocked. (See 'max_requests'.) > # > # Useful range of values: 2 to 10 > # > cleanup_delay = 5 > > # max_requests: The maximum number of requests which the server keeps > # track of. This should be 256 multiplied by the number of clients. > # e.g. With 4 clients, this number should be 1024. > # > # If this number is too low, then when the server becomes busy, > # it will not respond to any new requests, until the 'cleanup_delay' > # time has passed, and it has removed the old requests. > # > # If this number is set too high, then the server will use a bit more > # memory for no real benefit. > # > # If you aren't sure what it should be set to, it's better to set it > # too high than too low. Setting it to 1000 per client is probably > # the highest it should be. > # > # Useful range of values: 256 to infinity > # > max_requests = 1024 > > # bind_address: Make the server listen on a particular IP address, and > # send replies out from that address. This directive is most useful > # for machines with multiple IP addresses on one interface. > # > # It can either contain "*", or an IP address, or a fully qualified > # Internet domain name. The default is "*" > # > bind_address = * > > # port: Allows you to bind FreeRADIUS to a specific port. > # > # The default port that most NAS boxes use is 1645, which is historical. > # RFC 2138 defines 1812 to be the new port. Many new servers and > # NAS boxes use 1812, which can create interoperability problems. > # > # The port is defined here to be 0 so that the server will pick up > # the machine's local configuration for the radius port, as defined > # in /etc/services. > # > # If you want to use the default RADIUS port as defined on your server, > # (usually through 'grep radius /etc/services') set this to 0 (zero). > # > # A port given on the command-line via '-p' over-rides this one. > # > port = 1812 > > # hostname_lookups: Log the names of clients or just their IP addresses > # e.g., www.freeradius.org (on) or 206.47.27.232 (off). > # > # The default is 'off' because it would be overall better for the net > # if people had to knowingly turn this feature on, since enabling it > # means that each client request will result in AT LEAST one lookup > # request to the nameserver. Enabling hostname_lookups will also > # mean that your server may stop randomly for 30 seconds from time > # to time, if the DNS requests take too long. > # > # Turning hostname lookups off also means that the server won't block > # for 30 seconds, if it sees an IP address which has no name associated > # with it. > # > # allowed values: {no, yes} > # > hostname_lookups = no > > # Core dumps are a bad thing. This should only be set to 'yes' > # if you're debugging a problem with the server. > # > # allowed values: {no, yes} > # > allow_core_dumps = no > > # Regular expressions > # > # These items are set at configure time. If they're set to "yes", > # then setting them to "no" turns off regular expression support. > # > # If they're set to "no" at configure time, then setting them to "yes" > # WILL NOT WORK. It will give you an error. > # > regular_expressions = yes > extended_expressions = yes > > # Log the full User-Name attribute, as it was found in the request. > # > # allowed values: {no, yes} > # > log_stripped_names = no > > # Log authentication requests to the log file. > # > # allowed values: {no, yes} > # > log_auth = no > > # Log passwords with the authentication requests. > # log_auth_badpass - logs password if it's rejected > # log_auth_goodpass - logs password if it's correct > # > # allowed values: {no, yes} > # > log_auth_badpass = no > log_auth_goodpass = no > > # usercollide: Turn "username collision" code on and off. See the > # "doc/duplicate-users" file > # > usercollide = no > > # lower_user / lower_pass: > # Lower case the username/password "before" or "after" > # attempting to authenticate. > # > # If "before", the server will first modify the request and then try > # to auth the user. If "after", the server will first auth using the > # values provided by the user. If that fails it will reprocess the > # request after modifying it as you specify below. > # > # This is as close as we can get to case insensitivity. It is the > # admin's job to ensure that the username on the auth db side is > # *also* lowercase to make this work > # > # Default is 'no' (don't lowercase values) > # Valid values = "before" / "after" / "no" > # > lower_user = no > lower_pass = no > > # nospace_user / nospace_pass: > # > # Some users like to enter spaces in their username or password > # incorrectly. To save yourself the tech support call, you can > # eliminate those spaces here: > # > # Default is 'no' (don't remove spaces) > # Valid values = "before" / "after" / "no" (explanation above) > # > nospace_user = no > nospace_pass = no > > # The program to execute to do concurrency checks. > checkrad = ${sbindir}/checkrad > > # SECURITY CONFIGURATION > # > # There may be multiple methods of attacking on the server. This > # section holds the configuration items which minimize the impact > # of those attacks > # > security { > # > # max_attributes: The maximum number of attributes > # permitted in a RADIUS packet. Packets which have MORE > # than this number of attributes in them will be dropped. > # > # If this number is set too low, then no RADIUS packets > # will be accepted. > # > # If this number is set too high, then an attacker may be > # able to send a small number of packets which will cause > # the server to use all available memory on the machine. > # > # Setting this number to 0 means "allow any number of attributes" > max_attributes = 200 > > # > # delayed_reject: When sending an Access-Reject, it can be > # delayed for a few seconds. This may help slow down a DoS > # attack. It also helps to slow down people trying to brute-force > # crack a users password. > # > # Setting this number to 0 means "send rejects immediately" > # > # If this number is set higher than 'cleanup_delay', then the > # rejects will be sent at 'cleanup_delay' time, when the request > # is deleted from the internal cache of requests. > # > # Useful ranges: 1 to 5 > reject_delay = 1 > > # > # status_server: Whether or not the server will respond > # to Status-Server requests. > # > # Normally this should be set to "no", because they're useless. > # See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives > # > # However, certain NAS boxes may require them. > # > # When sent a Status-Server message, the server responds with > # and Access-Accept packet, containing a Reply-Message attribute, > # which is a string describing how long the server has been > # running. > # > status_server = no > } > > # PROXY CONFIGURATION > # > # proxy_requests: Turns proxying of RADIUS requests on or off. > # > # The server has proxying turned on by default. If your system is NOT > # set up to proxy requests to another server, then you can turn proxying > # off here. This will save a small amount of resources on the server. > # > # If you have proxying turned off, and your configuration files say > # to proxy a request, then an error message will be logged. > # > # To disable proxying, change the "yes" to "no", and comment the > # INCLUDE line. > # > # allowed values: {no, yes} > # > proxy_requests = yes > $INCLUDE ${confdir}/proxy.conf > > > # CLIENTS CONFIGURATION > # > # Client configuration is defined in "clients.conf". > # > > # The 'clients.conf' file contains all of the information from the old > # 'clients' and 'naslist' configuration files. We recommend that you > # do NOT use 'client's or 'naslist', although they are still > # supported. > # > # Anything listed in 'clients.conf' will take precedence over the > # information from the old-style configuration files. > # > $INCLUDE ${confdir}/clients.conf > > > # SNMP CONFIGURATION > # > # Snmp configuration is only valid if SNMP support was enabled > # at compile time. > # > # To enable SNMP querying of the server, set the value of the > # 'snmp' attribute to 'yes' > # > snmp = no > $INCLUDE ${confdir}/snmp.conf > > > # THREAD POOL CONFIGURATION > # > # The thread pool is a long-lived group of threads which > # take turns (round-robin) handling any incoming requests. > # > # You probably want to have a few spare threads around, > # so that high-load situations can be handled immediately. If you > # don't have any spare threads, then the request handling will > # be delayed while a new thread is created, and added to the pool. > # > # You probably don't want too many spare threads around, > # otherwise they'll be sitting there taking up resources, and > # not doing anything productive. > # > # The numbers given below should be adequate for most situations. > # > thread pool { > # Number of servers to start initially --- should be a reasonable > # ballpark figure. > start_servers = 5 > > # Limit on the total number of servers running. > # > # If this limit is ever reached, clients will be LOCKED OUT, so it > # should NOT BE SET TOO LOW. It is intended mainly as a brake to > # keep a runaway server from taking the system with it as it spirals > # down... > # > # You may find that the server is regularly reaching the > # 'max_servers' number of threads, and that increasing > # 'max_servers' doesn't seem to make much difference. > # > # If this is the case, then the problem is MOST LIKELY that > # your back-end databases are taking too long to respond, and > # are preventing the server from responding in a timely manner. > # > # The solution is NOT do keep increasing the 'max_servers' > # value, but instead to fix the underlying cause of the > # problem: slow database, or 'hostname_lookups=yes'. > # > # For more information, see 'max_request_time', above. > # > max_servers = 32 > > # Server-pool size regulation. Rather than making you guess > # how many servers you need, FreeRADIUS dynamically adapts to > # the load it sees, that is, it tries to maintain enough > # servers to handle the current load, plus a few spare > # servers to handle transient load spikes. > # > # It does this by periodically checking how many servers are > # waiting for a request. If there are fewer than > # min_spare_servers, it creates a new spare. If there are > # more than max_spare_servers, some of the spares die off. > # The default values are probably OK for most sites. > # > min_spare_servers = 3 > max_spare_servers = 10 > > # There may be memory leaks or resource allocation problems with > # the server. If so, set this value to 300 or so, so that the > # resources will be cleaned up periodically. > # > # This should only be necessary if there are serious bugs in the > # server which have not yet been fixed. > # > # '0' is a special value meaning 'infinity', or 'the servers never > # exit' > max_requests_per_server = 0 > } > > # MODULE CONFIGURATION > # > # The names and configuration of each module is located in this section. > # > # After the modules are defined here, they may be referred to by name, > # in other sections of this configuration file. > # > modules { > # > # Each module has a configuration as follows: > # > # name [ instance ] { > # config_item = value > # ... > # } > # > # The 'name' is used to load the 'rlm_name' library > # which implements the functionality of the module. > # > # The 'instance' is optional. To have two different instances > # of a module, it first must be referred to by 'name'. > # The different copies of the module are then created by > # inventing two 'instance' names, e.g. 'instance1' and 'instance2' > # > # The instance names can then be used in later configuration > # INSTEAD of the original 'name'. See the 'radutmp' configuration > # below for an example. > # > > # PAP module to authenticate users based on their stored password > # > # Supports multiple encryption schemes > # clear: Clear text > # crypt: Unix crypt > # md5: MD5 ecnryption > # sha1: SHA1 encryption. > # DEFAULT: crypt > pap { > encryption_scheme = crypt > } > > # CHAP module > # > # To authenticate requests containing a CHAP-Password attribute. > # > chap { > authtype = CHAP > } > > # Pluggable Authentication Modules > # > # For Linux, see: > # http://www.kernel.org/pub/linux/libs/pam/index.html > # > # WARNING: On many systems, the system PAM libraries have > # memory leaks! We STRONGLY SUGGEST that you do not > # use PAM for authentication, due to those memory leaks. > # > pam { > # > # The name to use for PAM authentication. > # PAM looks in /etc/pam.d/${pam_auth_name} > # for it's configuration. See 'redhat/radiusd-pam' > # for a sample PAM configuration file. > # > # Note that any Pam-Auth attribute set in the 'authorize' > # section will over-ride this one. > # > pam_auth = radiusd > } > > # Unix /etc/passwd style authentication > # > unix { > # > # Cache /etc/passwd, /etc/shadow, and /etc/group > # > # The default is to NOT cache them. > # > # For FreeBSD, you do NOT want to enable the cache, > # as it's password lookups are done via a database, so > # set this value to 'no'. > # > # Some systems (e.g. RedHat Linux with pam_pwbd) can > # take *seconds* to check a password, from a passwd > # file containing 1000's of entries. For those systems, > # you should set the cache value to 'yes', and set > # the locations of the 'passwd', 'shadow', and 'group' > # files, below. > # > # allowed values: {no, yes} > cache = no > > # Reload the cache every 600 seconds (10mins). 0 to disable. > cache_reload = 600 > > # > # Define the locations of the normal passwd, shadow, and > # group files. > # > # 'shadow' is commented out by default, because not all > # systems have shadow passwords. > # > # To force the module to use the system password functions, > # instead of reading the files, leave the following entries > # commented out. > # > # This is required for some systems, like FreeBSD, > # and Mac OSX. > # > # passwd = /etc/passwd > # shadow = /etc/shadow > # group = /etc/group > > > # > # Where the 'wtmp' file is located. > # This should be moved to it's own module soon. > # > # The only use for 'radlast'. If you don't use > # 'radlast', then you can comment out this item. > # > radwtmp = ${logdir}/radwtmp > } > > # Extensible Authentication Protocol > # > # For all EAP related authentications > eap { > # Invoke the default supported EAP type when > # EAP-Identity response is received. > # > # The incoming EAP messages DO NOT specify which EAP > # type they will be using, so it MUST be set here. > # > # For now, only one default EAP type may be used at a time. > # > default_eap_type = md5 > > # Default expiry time to clean the EAP list, It is > # maintained to correlate the EAP-Response for each > # EAP-request sent. > # timer_expire = 60 > > # Supported EAP-types > > # > # We do NOT recommend using EAP-MD5 authentication > # for wireless connections. It is insecure, and does > # not provide for dynamic WEP keys. > # > md5 { > } > > # Cisco LEAP > # > # Cisco LEAP uses the MS-CHAP algorithm (but not > # the MS-CHAP attributes) to perform it's authentication. > # > # As a result, LEAP *requires* access to the plain-text > # User-Password, or the NT-Password attributes. > # 'System' authentication is impossible with LEAP. > # > leap { > } > > ## EAP-TLS is highly experimental EAP-Type at the moment. > # Please give feedback on the mailing list. > #tls { > # private_key_password = password > # private_key_file = /path/filename > > # If Private key & Certificate are located in > # the same file, then private_key_file & > # certificate_file must contain the same file > # name. > # certificate_file = /path/filename > > # Trusted Root CA list > # CA_file = /path/filename > > # dh_file = /path/filename > # random_file = /path/filename > > # > # This can never exceed the size of a RADIUS > # packet (4096 bytes), and is preferably half > # that, to accomodate other attributes in > # RADIUS packet. On most APs the MAX packet > # length is configured between 1500 - 1600 > # In these cases, fragment size should be > # 1024 or less. > # > # fragment_size = 1024 > > # include_length is a flag which is > # by default set to yes If set to > # yes, Total Length of the message is > # included in EVERY packet we send. > # If set to no, Total Length of the > # message is included ONLY in the > # First packet of a fragment series. > # > # include_length = yes > #} > > > } > > # Microsoft CHAP authentication > # > # This module supports MS-CHAP and MS-CHAPv2 authentication. > # It also enforces the SMB-Account-Ctrl attribute. > # > mschap { > # > # As of 0.9, the mschap module does NOT support > # reading from /etc/smbpasswd. > # > # If you are using /etc/smbpasswd, see the 'passwd' > # module for an example of how to use /etc/smbpasswd > > # authtype value, if present, will be used > # to overwrite (or add) Auth-Type during > # authorization. Normally should be MS-CHAP > authtype = MS-CHAP > > # if use_mppe is not set to no mschap will > # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and > # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 > # use_mppe = no > > # if mppe is enabled require_encryption makes > # encryption moderate > # require_encryption = yes > > # require_strong always requires 128 bit key > # encryption > # require_strong = yes > } > > # Lightweight Directory Access Protocol (LDAP) > # > # This module definition allows you to use LDAP for > # authorization and authentication (Auth-Type := LDAP) > # > # See doc/rlm_ldap for description of configuration options > # and sample authorize{} and authenticate{} blocks > ldap { > server = "ldap.your.domain" > # identity = "cn=admin,o=My Org,c=UA" > # password = mypass > basedn = "o=My Org,c=UA" > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" > > # set this to 'yes' to use TLS encrypted connections > # to the LDAP database by using the StartTLS extended > # operation. > # The StartTLS operation is supposed to be used with normal > # ldap connections instead of using ldaps (port 689) connections > start_tls = no > > # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" > # profile_attribute = "radiusProfileDn" > access_attr = "dialupAccess" > > # Mapping of RADIUS dictionary attributes to LDAP > # directory attributes. > dictionary_mapping = ${raddbdir}/ldap.attrmap > > ldap_connections_number = 5 > # password_header = "{clear}" > # password_attribute = userPassword > # groupname_attribute = cn > # groupmembership_filter = > "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > # groupmembership_attribute = radiusGroupName > timeout = 4 > timelimit = 3 > net_timeout = 1 > # compare_check_items = yes > # access_attr_used_for_allow = yes > } > > # passwd module allows to do authorization via any passwd-like > # file and to extract any attributes from these modules > # > # parameters are: > # filename - path to filename > # format - format for filename record. This parameters > # correlates record in the passwd file and RADIUS > # attributes. > # > # Field marked as '*' is key field. That is, the parameter > # with this name from the request is used to search for > # the record from passwd file > # Attribute marked as '=' is added to reply_itmes instead > # of default configure_itmes > # Attribute marked as '~' is added to request_items > # > # Field marked as ',' may contain a comma separated list > # of attributes. > # authtype - if record found this Auth-Type is used to authenticate > # user > # hashsize - hashtable size. If 0 or not specified records are not > # stored in memory and file is red on every request. > # allowmultiplekeys - if few records for every key are allowed > # ignorenislike - ignore NIS-related records > # delimiter - symbol to use as a field separator in passwd file, > # for format ':' symbol is always used. '\0', '\n' are > # not allowed > # > > # An example configuration for using /etc/smbpasswd. > # > #passwd etc_smbpasswd { > # filename = /etc/smbpasswd > # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" > # authtype = MS-CHAP > # hashsize = 100 > # ignorenislike = no > # allowmultiplekeys = no > #} > > # Similar configuration, for the /etc/group file. Adds a Group-Name > # attribute for every group that the user is member of. > # > #passwd etc_group { > # filename = /etc/group > # format = "=Group-Name:::*,User-Name" > # hashsize = 50 > # ignorenislike = yes > # allowmultiplekeys = yes > # delimiter = ":" > #} > > # Realm module, for proxying. > # > # You can have multiple instances of the realm module to > # support multiple realm syntaxs at the same time. The > # search order is defined the order in the authorize and > # preacct blocks after the module config block. > # > # Two config options: > # format - must be 'prefix' or 'suffix' > # delimiter - must be a single character > > # 'realm/username' > # > # Using this entry, IPASS users have their realm set to "IPASS". > realm realmslash { > format = prefix > delimiter = "/" > } > > # '[EMAIL PROTECTED]' > # > realm suffix { > format = suffix > delimiter = "@" > } > > # 'username%realm' > # > realm realmpercent { > format = suffix > delimiter = "%" > } > > # rewrite arbitrary packets. Useful in accounting and authorization. > # > ## This module is highly experimental at the moment. Please give > ## feedback to the mailing list. > # > # The module can also use the Rewrite-Rule attribute. If it > # is set and matches the name of the module instance, then > # that module instance will be the only one which runs. > # > # Also if new_attribute is set to yes then a new attribute > # will be created containing the value replacewith and it > # will be added to searchin (packet, reply or config). > # searchfor,ignore_case and max_matches will be ignored in that case. > > # > #attr_rewrite sanecallerid { > # attribute = Called-Station-Id > # may be "packet", "reply", or "config" > # searchin = packet > # searchfor = "[+ ]" > # replacewith = "" > # ignore_case = no > # new_attribute = no > # max_matches = 10 > # ## If set to yes then the replace string will be appended to the > original string > # append = no > #} > > # Preprocess the incoming RADIUS request, before handing it off > # to other modules. > # > # This module processes the 'huntgroups' and 'hints' files. > # In addition, it re-writes some weird attributes created > # by some NASes, and converts the attributes into a form which > # is a little more standard. > # > preprocess { > huntgroups = ${confdir}/huntgroups > hints = ${confdir}/hints > > # This hack changes Ascend's wierd port numberings > # to standard 0-??? port numbers so that the "+" works > # for IP address assignments. > with_ascend_hack = no > ascend_channels_per_line = 23 > > # Windows NT machines often authenticate themselves as > # NT_DOMAIN\username > # > # If this is set to 'yes', then the NT_DOMAIN portion > # of the user-name is silently discarded. > with_ntdomain_hack = no > > # Specialix Jetstream 8500 24 port access server. > # > # If the user name is 10 characters or longer, a "/" > # and the excess characters after the 10th are > # appended to the user name. > # > # If you're not running that NAS, you don't need > # this hack. > with_specialix_jetstream_hack = no > > # Cisco sends it's VSA attributes with the attribute > # name *again* in the string, like: > # > # H323-Attribute = "h323-attribute=value". > # > # If this configuration item is set to 'yes', then > # the redundant data in the the attribute text is stripped > # out. The result is: > # > # H323-Attribute = "value" > # > # If you're not running a Cisco NAS, you don't need > # this hack. > with_cisco_vsa_hack = no > } > > # Livingston-style 'users' file > # > files { > usersfile = ${confdir}/users > # acctusersfile = ${confdir}/acct_users > > # If you want to use the old Cistron 'users' file > # with FreeRADIUS, you should change the next line > # to 'compat = cistron'. You can the copy your 'users' > # file from Cistron. > compat = no > } > > # Write a detailed log of all accounting records received. > # > detail { > # Note that we do NOT use NAS-IP-Address here, as > # that attribute MAY BE from the originating NAS, and > # NOT from the proxy which actually sent us the > # request. The Client-IP-Address attribute is ALWAYS > # the address of the client which sent us the > # request. > # > # The following line creates a new detail file for > # every radius client (by IP address or hostname). > # In addition, a new detail file is created every > # day, so that the detail file doesn't have to go > # through a 'log rotation' > # > # If your detail files are large, you may also want > # to add a ':%H' (see doc/variables.txt) to the end > # of it, to create a new detail file every hour, e.g.: > # > # ..../detail-%Y%m%d:%H > # > # This will create a new detail file for every hour. > # > detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d > > # > # The Unix-style permissions on the 'detail' file. > # > # The detail file often contains secret or private > # information about users. So by keeping the file > # permissions restrictive, we can prevent unwanted > # people from seeing that information. > detailperm = 0600 > } > > # > # Many people want to log authentication requests. > # Rather than modifying the server core to print out more > # messages, we can use a different instance of the 'detail' > # module, to log the authentication requests to a file. > # > # You will also need to un-comment the 'auth_log' line > # in the 'authorize' section, below. > # > # detail auth_log { > # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d > > # > # This MUST be 0600, otherwise anyone can read > # the users passwords! > # detailperm = 0600 > # } > > # > # This module logs authentication reply packets sent > # to a NAS. Both Access-Accept and Access-Reject packets > # are logged. > # > # You will also need to un-comment the 'reply_log' line > # in the 'post-auth' section, below. > # > # detail reply_log { > # detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d > > > # This MUST be 0600, otherwise anyone can read > # the users passwords! > # detailperm = 0600 > # } > > # Create a unique accounting session Id. Many NASes re-use or > # repeat values for Acct-Session-Id, causing no end of > # confusion. > # > # This module will add a (probably) unique session id > # to an accounting packet based on the attributes listed > # below found in the packet. See doc/rlm_acct_unique for > # more information. > # > acct_unique { > key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, > NAS-Port-Id,Acct-Authentic" > } > > > # Include another file that has the SQL-related configuration. > # This is another file only because it tends to be big. > # > # The following configuration file is for use with MySQL. > # > # For Postgresql, use: ${confdir}/postgresql.conf > # For MS-SQL, use: ${confdir}/mssql.conf > # For Oracle, use: ${confdir}/oraclesql.conf > # > $INCLUDE ${confdir}/sql.conf > > # Write a 'utmp' style file, of which users are currently > # logged in, and where they've logged in from. > # > # This file is used mainly for Simultaneous-Use checking, > # and also 'radwho', to see who's currently logged in. > # > radutmp { > # Where the file is stored. It's not a log file, > # so it doesn't need rotating. > # > filename = ${logdir}/radutmp > > # The field in the packet to key on for the > # 'user' name, If you have other fields which you want > # to use to key on to control Simultaneous-Use, > # then you can use them here. > # > # Note, however, that the size of the field in the > # 'utmp' data structure is small, around 32 > # characters, so that will limit the possible choices > # of keys. > # > username = %{User-Name} > > # Whether or not we want to treat "user" the same > # as "USER", or "User". Some systems have problems > # with case sensitivity, so this should be set to > # 'no' to enable the comparisons of the key attribute > # to be case insensitive. > # > case_sensitive = yes > > # Accounting information may be lost, so the user MAY > # have logged off of the NAS, but we haven't noticed. > # If so, we can verify this information with the NAS, > # > # If we want to believe the 'utmp' file, then this > # configuration entry can be set to 'no'. > # > check_with_nas = yes > > # Set the file permissions, as the contents of this file > # are usually private. > perm = 0600 > > callerid = "yes" > } > > # "Safe" radutmp - does not contain caller ID, so it can be > # world-readable, and radwho can work for normal users, without > # exposing any information that isn't already exposed by who(1). > # > # This is another 'instance' of the radutmp module, but it is given > # then name "sradutmp" to identify it later in the "accounting" > # section. > radutmp sradutmp { > filename = ${logdir}/sradutmp > perm = 0644 > callerid = "no" > } > > # attr_filter - filters the attributes received in replies from > # proxied servers, to make sure we send back to our RADIUS client > # only allowed attributes. > attr_filter { > attrsfile = ${confdir}/attrs > } > > # counter module: > # This module takes an attribute (count-attribute). > # It also takes a key, and creates a counter for each unique > # key. The count is incremented when accounting packets are > # received by the server. The value of the increment depends > # on the attribute type. > # If the attribute is Acct-Session-Time or of an integer type we add the > # value of the attribute. If it is anything else we increase the > # counter by one. > # > # The 'reset' parameter defines when the counters are all reset to > # zero. It can be hourly, daily, weekly, monthly or never. > # > # hourly: Reset on 00:00 of every hour > # daily: Reset on 00:00:00 every day > # weekly: Reset on 00:00:00 on sunday > # monthly: Reset on 00:00:00 of the first day of each month > # > # It can also be user defined. It should be of the form: > # num[hdwm] where: > # h: hours, d: days, w: weeks, m: months > # If the letter is ommited days will be assumed. In example: > # reset = 10h (reset every 10 hours) > # reset = 12 (reset every 12 days) > # > # > # The check-name attribute defines an attribute which will be > # registered by the counter module and can be used to set the > # maximum allowed value for the counter after which the user > # is rejected. > # Something like: > # > # DEFAULT Max-Daily-Session := 36000 > # Fall-Through = 1 > # > # You should add the counter module in the instantiate > # section so that it registers check-name before the files > # module reads the users file. > # > # If check-name is set and the user is to be rejected then we > # send back a Reply-Message and we log a Failure-Message in > # the radius.log > # If the count attribute is Acct-Session-Time then on each login > # we send back the remaining online time as a Session-Timeout attribute > # > # The counter-name can also be used instead of using the check-name > # like below: > # > # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject > # Reply-Message = "You've used up more than one hour today" > # > # The allowed-servicetype attribute can be used to only take > # into account specific sessions. For example if a user first > # logs in through a login menu and then selects ppp there will > # be two sessions. One for Login-User and one for Framed-User > # service type. We only need to take into account the second one. > # > # The module should be added in the instantiate, authorize and > # accounting sections. Make sure that in the authorize > # section it comes after any module which sets the > # 'check-name' attribute. > # > counter daily { > filename = ${raddbdir}/db.daily > key = User-Name > count-attribute = Acct-Session-Time > reset = daily > counter-name = Daily-Session-Time > check-name = Max-Daily-Session > allowed-servicetype = Framed-User > cache-size = 5000 > } > > # The "always" module is here for debugging purposes. Each > # instance simply returns the same result, always, without > # doing anything. > always fail { > rcode = fail > } > always reject { > rcode = reject > } > always ok { > rcode = ok > simulcount = 0 > mpp = no > } > > # > # The 'expression' module currently has no configuration. > expr { > } > > # > # The 'digest' module currently has no configuration. > # > # "Digest" authentication against a Cisco SIP server. > # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details > # on performing digest authentication for Cisco SIP servers. > # > digest { > } > > # > # Execute external programs > # > # The first example is useful only for 'xlat'. To use it, > # put 'exec' into the 'instantiate' section. You can then > # do dynamic translation of attributes like: > # > # Attribute-Name = `{%exec:/path/to/program args}` > # > # The value of the attribute will be replaced with the output > # of the program which is executed. Due to RADIUS protocol > # limitations, any output over 253 bytes will be ignored. > # > # The RADIUS attributes from the user request will be placed > # into environment variables of the executed program, as > # described in 'doc/variables.txt' > # > exec { > wait = yes > input_pairs = request > } > > # > # This is a more general example of the execute module. > # > # If you wish to execute an external program in more than > # one section (e.g. 'authorize', 'pre_proxy', etc), then it > # is probably best to define a different instance of the > # 'exec' module for every section. > # > exec echo { > # > # Wait for the program to finish. > # > # If we do NOT wait, then the program is "fire and > # forget", and any output attributes from it are ignored. > # > # If we are looking for the program to output > # attributes, and want to add those attributes to the > # request, then we MUST wait for the program to > # finish, and therefore set 'wait=yes' > # > # allowed values: {no, yes} > wait = yes > > # > # The name of the program to execute, and it's > # arguments. Dynamic translation is done on this > # field, so things like the following example will > # work. > # > program = "/bin/echo %{User-Name}" > > # > # The attributes which are placed into the > # environment variables for the program. > # > # Allowed values are: > # > # request attributes from the request > # config attributes from the configuration items list > # reply attributes from the reply > # proxy-request attributes from the proxy request > # proxy-reply attributes from the proxy reply > # > # Note that some attributes may not exist at some > # stages. e.g. There may be no proxy-reply > # attributes if this module is used in the > # 'authorize' section. > # > input_pairs = request > > # > # Where to place the output attributes (if any) from > # the executed program. The values allowed, and the > # restrictions as to availability, are the same as > # for the input_pairs. > # > output_pairs = reply > > # > # When to execute the program. If the packet > # type does NOT match what's listed here, then > # the module does NOT execute the program. > # > # For a list of allowed packet types, see > # the 'dictionary' file, and look for VALUEs > # of the Packet-Type attribute. > # > # By default, the module executes on ANY packet. > # Un-comment out the following line to tell the > # module to execute only if an Access-Accept is > # being sent to the NAS. > # > #packet_type = Access-Accept > } > > # Do server side ip pool management. Should be added in post-auth and > # accounting sections. > # > # The module also requires the existance of the Pool-Name > # attribute. That way the administrator can add the Pool-Name > # attribute in the user profiles and use different pools > # for different users. The Pool-Name attribute is a *check* item not > # a reply item. > # > # Example: > # radiusd.conf: ippool students { [...] } > # users file : DEFAULT Group == students, Pool-Name := "students" > # > # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB > FILES ******* > # > ippool main_pool { > > # range-start,range-stop: The start and end ip > # addresses for the ip pool > range-start = 192.168.1.1 > range-stop = 192.168.3.254 > > # netmask: The network mask used for the ip's > netmask = 255.255.255.0 > > # cache-size: The gdbm cache size for the db > # files. Should be equal to the number of ip's > # available in the ip pool > cache-size = 800 > > # session-db: The main db file used to allocate ip's to clients > session-db = ${raddbdir}/db.ippool > > # ip-index: Helper db index file used in multilink > ip-index = ${raddbdir}/db.ipindex > > # override: Will this ippool override a Framed-IP-Address already set > override = no > } > > # ANSI X9.9 token support. Not included by default. > # $INCLUDE ${confdir}/x99.conf > > } > > # Instantiation > # > # This section orders the loading of the modules. Modules > # listed here will get loaded BEFORE the later sections like > # authorize, authenticate, etc. get examined. > # > # This section is not strictly needed. When a section like > # authorize refers to a module, it's automatically loaded and > # initialized. However, some modules may not be listed in any > # of the following sections, so they can be listed here. > # > # Also, listing modules here ensures that you have control over > # the order in which they are initalized. If one module needs > # something defined by another module, you can list them in order > # here, and ensure that the configuration will be OK. > # > instantiate { > # > # The expression module doesn't do authorization, > # authentication, or accounting. It only does dynamic > # translation, of the form: > # > # Session-Timeout = `%{expr:2 + 3}` > # > # So the module needs to be instantiated, but CANNOT be > # listed in any other section. See 'doc/rlm_expr' for > # more information. > # > expr > > # > # We add the counter module here so that it registers > # the check-name attribute before any module which sets > # it > # daily > } > > # Authorization. First preprocess (hints and huntgroups files), > # then realms, and finally look in the "users" file. > # > # The order of the realm modules will determine the order that > # we try to find a matching realm. > # > # Make *sure* that 'preprocess' comes before any realm if you > # need to setup hints for the remote radius server > authorize { > > # > # The preprocess module takes care of sanitizing some bizarre > # attributes in the request, and turning them into attributes > # which are more standard. > # > # It takes care of processing the 'raddb/hints' and the > # 'raddb/huntgroups' files. > # > # It also adds a Client-IP-Address attribute to the request. > > preprocess > > # > # If you want to have a log of authentication requests, > # un-comment the following line, and the 'detail auth_log' > # section, above. > # auth_log > > # > # The chap module will set 'Auth-Type := CHAP' if we are > # handling a CHAP request and Auth-Type has not already been set > chap > > # attr_filter > > # > # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP > # authentication. > #eap > > # > # If you have a Cisco SIP server authenticating against > # FreeRADIUS, uncomment the following line. > # digest > > # > # Look for IPASS style 'realm/', and if not found, look for > # '@realm', and decide whether or not to proxy, based on > # that. > # realmslash > suffix > #sql > # > # Read the 'users' file > files > > # > # If you are using /etc/smbpasswd, and are also doing > # mschap authentication, the un-comment this line, and > # configure the 'etc_smbpasswd' module, above. > # etc_smbpasswd > > # > # If the users are logging in with an MS-CHAP-Challenge > # attribute for authentication, the mschap module will find > # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' > # to the request, which will cause the server to then use > # the mschap module for authentication. > mschap > > > # The ldap module will set Auth-Type to LDAP if it has not already been set > # ldap > # daily > } > > > # Authentication. > # > # This section lists which modules are available for authentication. > # Note that it does NOT mean 'try each module in order'. It means > # that you have to have a module from the 'authorize' section add > # a configuration attribute 'Auth-Type := FOO'. That authentication type > # is then used to pick the apropriate module from the list below. > # > # The default Auth-Type is Local. That is, whatever is not included inside > # an authtype section will be called only if Auth-Type is set to Local. > # > # So you should do the following: > # - Set Auth-Type to an appropriate value in the authorize modules above. > # For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc. > # - After that create corresponding authtype sections in the > # authenticate section below and call the appropriate modules. > authenticate { > # > # PAP authentication, when a back-end database listed > # in the 'authorize' section supplies a password. The > # password can be clear-text, or encrypted. > Auth-Type PAP { > pap > } > > # > # Most people want CHAP authentication > # A back-end database listed in the 'authorize' section > # MUST supply a CLEAR TEXT password. Encrypted passwords > # won't work. > Auth-Type CHAP { > chap > } > > # > # MSCHAP authentication. > Auth-Type MS-CHAP { > mschap > } > > # > # If you have a Cisco SIP server authenticating against > # FreeRADIUS, uncomment the following line. > # digest > > # > # Pluggable Authentication Modules. > # pam > > # > # See 'man getpwent' for information on how the 'unix' > # module checks the users password. Note that packets > # containing CHAP-Password attributes CANNOT be authenticated > # against /etc/passwd! See the FAQ for details. > # > unix > > # Uncomment it if you want to use ldap for authentication > # Auth-Type LDAP { > # ldap > # } > > > # > # Allow EAP authentication. > eap > } > > > # > # Pre-accounting. Decide which accounting type to use. > # > preacct { > preprocess > > # > # Look for IPASS-style 'realm/', and if not found, look for > # '@realm', and decide whether or not to proxy, based on > # that. > # > # Accounting requests are generally proxied to the same > # home server as authentication requests. > # realmslash > suffix > > # > # Read the 'acct_users' file > #files > } > > # > # Accounting. Log the accounting data. > # > accounting { > # > # Ensure that we have a semi-unique identifier for every > # request, and many NAS boxes are broken. > acct_unique > > # > # Create a 'detail'ed log of the packets. > # Note that accounting requests which are proxied > # are also logged in the detail file. > detail > # daily > > unix # wtmp file > > #sql > # > # For Simultaneous-Use tracking. > # > # Due to packet losses in the network, the data here > # may be incorrect. There's little we can do about it. > radutmp > # sradutmp > > # Return an address to the IP Pool when we see a stop record. > # main_pool > } > > > # Session database, used for checking Simultaneous-Use. Either the radutmp > # or rlm_sql module can handle this. > # The rlm_sql module is *much* faster > session { > radutmp > #sql > } > > > # Post-Authentication > # Once we KNOW that the user has been authenticated, there are > # additional steps we can take. > post-auth { > # Get an address from the IP Pool. > # main_pool > > # > # If you want to have a log of authentication replies, > # un-comment the following line, and the 'detail reply_log' > # section, above. > # reply_log > } > > # > # When the server decides to proxy a request to a home server, > # the proxied request is first passed through the pre-proxy > # stage. This stage can re-write the request, or decide to > # cancel the proxy. > # > # Only a few modules currently have this method. > # > pre-proxy { > # attr_rewrite > } > > # > # When the server receives a reply to a request it proxied > # to a home server, the request may be massaged here, in the > # post-proxy stage. > # > post-proxy { > # > # attr_rewrite > > # Uncomment the following line if you want to filter replies from > # remote proxies based on the rules defined in the 'attrs' file. > > # attr_filter > > # > # If you are proxing LEAP, you MUST configure the EAP > # module, and you MUST list it here, in the post-proxy > # stage. > # > # You MUST also use the 'nostrip' option in the 'realm' > # configuration. Otherwise, the User-Name attribute > # in the proxied request will not match the user name > # hidden inside of the EAP packet, and the end server will > # reject the EAP request. > # > eap > } > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
