Hi, I'm facing this issue in configuring radius: I'm developing a GPLv3 script that will easily setup a whole linux server with lots of usefull services (NTP,DHCP,DNS with DDNS update to DHCP, MIT-Kerberos, OpenLDAP (Kerberized), FreeRadius, MySQL, Apache, ProFTP, SQUID, Samba (kerberized), Appletalk File Protocol, Postfix and Dovecot (also with public and shared folders), roundcube webmail, LDAP Addressbook, PPTP and L2TP over IPSec VPNs, Egroupware. And it works with SeLinux enabled.The script is quite mature (it is named ECK - you can download from sourceforge if you want to). It can install almost everything mentioned above, and they could even work ;O) - I've started the development of a GTKmm-based GUI that will easily administer almost everything (although I have not published the GUI yet - the app is stable, but I've just finished the user manager, so I have a lot of work more to have somthing to publish) And now the trouble with freeradius: I' d like to have most of the services with Radius Based Authentication - I think this will let me have a better logging system, expecially to trace sessions. As about authentication everything works fine. But I want also to do Authorization: I mean that I want to allow services FTP, VPN, Apache userdirs, Squid proxy, ecc. on per user basisI started with proftpd with mod_radius:
the idea is to use checkval module to catch the NAS-Identifier parameter that the proftpd module set as "ftp". here is an example requestrad_recv: Access-Request packet from host 127.0.0.1:9409, id=74, length=93 User-Name = "testuser" User-Password = "test1Test" NAS-Identifier = "ftp" NAS-Port = 21 NAS-Port-Type = Virtual Calling-Station-Id = "::ffff:127.0.0.1" Service-Type = 0x0000000100000000 I inserted the following lines in my radiusd.conf: checkval NAS{ item-name = NAS-Identifier check-name = NAS-Identifier data-type = string notfound-reject=yes } and added "NAS" in the authorize sectionauthorize { ... NAS ... } I also updated ldap.attrmap inserting the following line checkItem NAS-Identifier eckAllowedServices and obviously extended the LDAP schema (eck.schema) attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices)) The script creates 2 users: Administrator - that is actually an administrator, and testuser. In my test environment I added 2 attributes eckAllowedServices to testuser (ftp and httpproxy) and left Administrator without eckAllowedServices attributeAnd now the weird issue: checkval is able to realize that testuser has the ftp attribute Processing the authorize section of radiusd.confmodcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0rlm_ldap: - authorizerlm_ldap: performing user authorization for testuserradius_xlat: '(uid=testuser)'radius_xlat: 'DC=marcolinux,DC=local'rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: attempting LDAP reconnectionrlm_ldap: (re)connect to 127.0.0.1:389, authentication 0rlm_ldap: bind as CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local/wRtEYnd3sGkEa.Y4 to 127.0.0.1:389rlm_ldap: waiting for bind result ...rlm_ldap: Bind was successfulrlm_ldap: performing search in DC=marcolinux,DC=local, with filter (uid=testuser)rlm_ldap: checking if remote access for testuser is allowed by dialupAccessrlm_ldap: Added password AB39C1761CF4947661DAB7AF9849A61E in check itemsrlm_ldap: looking for check items in directory...rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value ftp & op=21rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value httpProxy & op=21rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U ] & op=21rlm_ldap: Adding sambaNTPassword as NT-Password, value AB39C1761CF4947661DAB7AF9849A61E & op=21rlm_ldap: Adding radiusAuthType as Auth-Type, value pam & op=21rlm_ldap: looking for reply items in directory...rlm_ldap: Adding FTPQuotaFilesTransferred as ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, value 0 & op=11rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, value 50 & op=11rlm_ldap: Adding FTPQuotaBytesTransferred as ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, value 0 & op=11rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, value 200 & op=11rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, value FALSE & op=11rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value soft & op=11rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & op=11rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11rlm_ldap: user testuser authorized to use remote accessrlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0rlm_checkval: Item Name: NAS-Identifier, Value: ftprlm_checkval: Value Name: NAS-Identifier, Value: ftp modcall[authorize]: module "NAS" returns ok for request 0modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type pamauth: type "PAM" Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 0pam_pass: using pamauth string for pam.conf lookuppam_pass: authentication succeeded for >modcall[authenticate]: module "pam" returns ok for request 0modcall: leaving group authenticate (returns ok) for request 0 Processing the post-auth section of radiusd.conf and that Administrator doesn't rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11rlm_ldap: user Administrator authorized to use remote accessrlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3rlm_checkval: Item Name: NAS-Identifier, Value: ftprlm_checkval: Could not find attribute named NAS-Identifier in check pairs modcall[authorize]: module "NAS" returns notfound for request 3modcall: leaving group authorize (returns ok) for request 3 rad_check_password: Found Auth-Type pamauth: type "PAM" Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 3pam_pass: using pamauth string for pam.conf lookuppam_pass: authentication succeeded for modcall[authenticate]: module "pam" returns ok for request 3modcall: leaving group authenticate (returns ok) for request 3 Processing the post-auth section of radiusd.conf but I always got both of them authorized. How is it possible? What I did wrong?Why freeradius goes to the authentication section altought checkval module module "NAS" returned notfound?I'm sure I did some kind of mistake, but I really am not able to find it.Now are days I'm googling around and getting quite crazy - I hope that someone of you may help meThank you very much Marco Carcano Configuration files ########################RADIUSD.CONF############################### prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } $INCLUDE ${confdir}/eap.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes } ldap { server = "127.0.0.1" identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" password = wRtEYnd3sGkEa.Y4 basedn = "DC=marcolinux,DC=local" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = sambaNTPassword timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\" ignore_default = no ignore_null = no } checkval NAS{ item-name = NAS-Identifier check-name = NAS-Identifier data-type = string notfound-reject=yes } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.150 range-stop = 192.168.1.199 netmask = 255.255.255.0 cache-size = 800 session-db = ${localstatedir}/lib/raddb/db.ippool ip-index = ${localstatedir}/lib/raddb/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap ldap NAS } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } pam eap } preacct { preprocess acct_unique suffix files } accounting { detail radutmp main_pool sql } session { radutmp } post-auth { main_pool } pre-proxy { } post-proxy { eap } ##########################USERS################################ DEFAULT Auth-Type = pam Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Pool-Name := main_pool Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ##################radiusd -X -f output ############## Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded Pam pam: pam_auth = "radiusd" Module: Instantiated pam (pam) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "127.0.0.1" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "wRtEYnd3sGkEa.Y4" ldap: basedn = "DC=marcolinux,DC=local" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "sambaNTPassword" ldap: access_attr = "dialupAccess" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP eckAllowedServices mapped to RADIUS NAS-Identifier rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP uidNumber mapped to RADIUS ArticaECK-FTP-UID rlm_ldap: LDAP gidNumber mapped to RADIUS ArticaECK-FTP-GID rlm_ldap: LDAP homeDirectory mapped to RADIUS ArticaECK-FTP-Home rlm_ldap: LDAP loginShell mapped to RADIUS ArticaECK-FTP-Shell rlm_ldap: LDAP FTPQuotaLimitType mapped to RADIUS ArticaECK-FTP-Quota-Limit-Type rlm_ldap: LDAP FTPQuotaIsPerSession mapped to RADIUS ArticaECK-FTP-Quota-Is-Per-Session rlm_ldap: LDAP FTPQuotaBytesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Incoming rlm_ldap: LDAP FTPQuotaBytesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Outgoing rlm_ldap: LDAP FTPQuotaBytesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Transferred rlm_ldap: LDAP FTPQuotaFilesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Files-Incoming rlm_ldap: LDAP FTPQuotaFilesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Files-Outgoing rlm_ldap: LDAP FTPQuotaFilesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Files-Transferred conns: 0x2afd23ec69b0 Module: Instantiated ldap (ldap) Module: Loaded checkval checkval: item-name = "NAS-Identifier" checkval: check-name = "NAS-Identifier" checkval: data-type = "string" checkval: notfound-reject = yes rlm_checkval: Registered name NAS-Identifier for attribute 32 Module: Instantiated checkval (NAS) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded IPPOOL ippool: session-db = "/var/lib/raddb/db.ippool" ippool: ip-index = "/var/lib/raddb/db.ipindex" ippool: range-start = 192.168.1.150 IP address [192.168.1.150] ippool: range-stop = 192.168.1.199 IP address [192.168.1.199] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 800 ippool: override = no ippool: maximum-timeout = 0 Module: Instantiated ippool (main_pool) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "localhost" sql: port = "" sql: login = "FreeRADIUS" sql: password = "wRtEYnd3sGkEa.Y4" sql: radius_db = "radius" sql: nas_table = "nas" sql: sqltrace = no sql: sqltracefile = "/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'" sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to freerad...@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html