Re: modules instantiation
On 19 February 2010, at 17:35, Latha Krishnamurthi wrote:

> Thank you very much for your prompt reply. I was referring to this
> documentation.
>
> http://wiki.freeradius.org/Modules2
>
> >> The xxx_instantiate module is called each time a new instance is started.
> >> Generally this module is used to establish the data for the instance that
> >> needs to be retained during the life of the instance. For example,
> >> reading the configuration variables. cf_section_parse(conf, data,
> >> module_config) is used to do this function.
> >>
> >> Setup struct rlm_xxx_t to hold data that needs to be accessed by all
> >> instances of the rlm. This data is not necessarily the same for each
> >> instance. There is a separate copy for each instance. For example, this
> >> is the place to store configuration variables that will be provided in
> >> FreeRADIUS.conf.

Well, it sure seemed clear when I wrote it, but now I tend to agree that it's a bit misleading. Those words were lifted from the original version 1 document and perhaps something changed with version 2, but I don't recall any such changes. In any case, it does need a revision.

> It is described like I can have the module specific data in the instance and
> use it in the life time of the instance.
>
> So if I need to use a unique socket connection for each thread, I have no
> place to store the instance specific data ? I need to have a global pool and
> lock it with mutex ?? (looks like rlm_ldap does something similar ?)

Alan responded with something I was not aware of. I suspect that's the way you need to go.

> Thanks in advance
> LK
>
> --- On Fri, 2/19/10, Doug Hardie wrote:
>
> From: Doug Hardie
> Subject: Re: modules instantiation
> To: "FreeRadius users mailing list"
> Date: Friday, February 19, 2010, 3:49 PM
>
> On 19 February 2010, at 15:24, Latha Krishnamurthi wrote:
>
> > I am using the free radius 2.1.3. I have a module rlm_xxx and have
> > initialized it as thread safe. I have configured the start_servers as 3.
> > The issue I am having is as follows.
> >
> > I see that a new instance is getting created when the first one is busy
> > handling a request. (I do this by adding a sleep in the module and
> > printing the threadid) I am expecting the xxx_instantiate function to get
> > called each time a new instance is created (reading in the documentation).
> > This does not happen. I am actually connecting to a server in the
> > instantiate function and storing the socket id in the *instance, so that I
> > can use it later in the authenticate etc.
> >
> > But it seems that the socket id is the same for all the instances.
> > *instance seems to be shared by all the instances ??
> >
> > Am I missing something/configuration, your help is greatly appreciated.
>
> I believe this is an issue of terminology. Instantiation in this case refers
> to the configuration process prior to the start of the server accepting
> Radius requests. It does not refer to instantiation of new threads. I am
> not aware of any hook you can use for instantiation of new threads. In one of
> the older version rlm_example files is the following comment:
>
>  * If the module needs to temporarily modify it's instantiation
>  * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
>  * The server will then take care of ensuring that the module
>  * is single-threaded.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: modules instantiation
Latha Krishnamurthi wrote:

> I see that a new instance is getting created when the first one is busy
> handling a request. (I do this by adding a sleep in the module and
> printing the threadid) I am expecting the xxx_instantiate function to
> get called each time a new instance is created (reading in the
> documentation).

No. The module is NOT having "a new instance created".

A module "instance" is defined by a module configuration. One configuration: one instance. The "instance" data is *constant*.

The module gets called multiple times simultaneously from multiple threads when multiple requests are received.

> This does not happen. I am actually connecting to a
> server in the instantiate function and storing the socket id in the
> *instance, so that I can use it later in the authenticate etc.

Why? Is that connection changing the way the module behaves?

> But it seems that the socket id is the same for all the instances.
> *instance seems to be shared by all the instances ??
>
> Am I missing something/configuration, your help is greatly appreciated.

If you need to store data that is associated with a particular *request*, and is valid only for the lifetime of a request, see request_data_add(), and request_data_get().

Alan DeKok.
Re: modules instantiation
Thank you very much for your prompt reply. I was referring to this documentation.

http://wiki.freeradius.org/Modules2

>> The xxx_instantiate module is called each time a new instance is started.
>> Generally this module is used to establish the data for the instance that
>> needs to be retained during the life of the instance. For example, reading
>> the configuration variables. cf_section_parse(conf, data, module_config) is
>> used to do this function.
>>
>> Setup struct rlm_xxx_t to hold data that needs to be accessed by all
>> instances of the rlm. This data is not necessarily the same for each
>> instance. There is a separate copy for each instance. For example, this is
>> the place to store configuration variables that will be provided in
>> FreeRADIUS.conf.

It is described like I can have the module specific data in the instance and use it in the life time of the instance.

So if I need to use a unique socket connection for each thread, I have no place to store the instance specific data ? I need to have a global pool and lock it with mutex ?? (looks like rlm_ldap does something similar ?)

Thanks in advance
LK

--- On Fri, 2/19/10, Doug Hardie wrote:

From: Doug Hardie
Subject: Re: modules instantiation
To: "FreeRadius users mailing list"
Date: Friday, February 19, 2010, 3:49 PM

On 19 February 2010, at 15:24, Latha Krishnamurthi wrote:

> I am using the free radius 2.1.3. I have a module rlm_xxx and have
> initialized it as thread safe. I have configured the start_servers as 3. The
> issue I am having is as follows.
>
> I see that a new instance is getting created when the first one is busy
> handling a request. (I do this by adding a sleep in the module and
> printing the threadid) I am expecting the xxx_instantiate function to get
> called each time a new instance is created (reading in the documentation).
> This does not happen. I am actually connecting to a server in the instantiate
> function and storing the socket id in the *instance, so that I can use it
> later in the authenticate etc.
>
> But it seems that the socket id is the same for all the instances. *instance
> seems to be shared by all the instances ??
>
> Am I missing something/configuration, your help is greatly appreciated.

I believe this is an issue of terminology. Instantiation in this case refers to the configuration process prior to the start of the server accepting Radius requests. It does not refer to instantiation of new threads. I am not aware of any hook you can use for instantiation of new threads. In one of the older version rlm_example files is the following comment:

 * If the module needs to temporarily modify it's instantiation
 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
 * The server will then take care of ensuring that the module
 * is single-threaded.
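An added example (not part of the original messages and not FreeRADIUS code) of the mutex-guarded pool asked about above: the single shared instance holds the pool, and each thread borrows its own connection for the duration of one request. All names (`conn_pool_t`, `pool_*`, `demo_*`) are hypothetical, and the backend is a constructed stand-in that hands out fake descriptors.

```c
/* Added example. All names (conn_pool_t, pool_*, demo_*) are hypothetical,
 * not FreeRADIUS API. The pool would live in the one shared module instance. */
#include <pthread.h>
#include <stdio.h>

#define POOL_SIZE 3  /* assumption: one slot per worker, as with start_servers = 3 */

typedef int  (*open_fn)(void *ctx);           /* returns a handle, or -1 on failure */
typedef void (*close_fn)(void *ctx, int fd);

typedef struct {
    pthread_mutex_t lock;        /* guards in_use[] only */
    int fd[POOL_SIZE];           /* -1 while the slot has no open connection */
    int in_use[POOL_SIZE];       /* 1 while exactly one thread owns the slot */
    open_fn open_conn;           /* must be safe to call from several threads */
    close_fn close_conn;
    void *ctx;
} conn_pool_t;

/* Call once at instantiation, before any request thread runs. */
int pool_init(conn_pool_t *p, open_fn o, close_fn c, void *ctx)
{
    if (!p || !o || !c || pthread_mutex_init(&p->lock, NULL) != 0) return -1;
    for (int i = 0; i < POOL_SIZE; i++) { p->fd[i] = -1; p->in_use[i] = 0; }
    p->open_conn = o; p->close_conn = c; p->ctx = ctx;
    return 0;
}

/* Hand a slot back. Pass broken=1 after an I/O error so the next owner reconnects. */
void pool_release(conn_pool_t *p, int idx, int broken)
{
    if (idx < 0 || idx >= POOL_SIZE) return;
    if (broken && p->fd[idx] >= 0) {       /* still the owner: no lock needed yet */
        p->close_conn(p->ctx, p->fd[idx]);
        p->fd[idx] = -1;
    }
    pthread_mutex_lock(&p->lock);
    p->in_use[idx] = 0;
    pthread_mutex_unlock(&p->lock);
}

/* Claim a free slot. Returns its index, or -1 if all are busy or connect fails. */
int pool_acquire(conn_pool_t *p)
{
    int idx = -1;
    pthread_mutex_lock(&p->lock);
    for (int i = 0; i < POOL_SIZE && idx < 0; i++)
        if (!p->in_use[i]) { p->in_use[i] = 1; idx = i; }
    pthread_mutex_unlock(&p->lock);
    if (idx < 0) return -1;

    /* The slot is exclusively ours, so the slow connect happens outside the lock. */
    if (p->fd[idx] < 0 && (p->fd[idx] = p->open_conn(p->ctx)) < 0) {
        pool_release(p, idx, 0);
        return -1;
    }
    return idx;
}

int pool_fd(const conn_pool_t *p, int idx) { return p->fd[idx]; }

/* Call once at shutdown, after all request threads have stopped. */
void pool_destroy(conn_pool_t *p)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (p->fd[i] >= 0) { p->close_conn(p->ctx, p->fd[i]); p->fd[i] = -1; }
    pthread_mutex_destroy(&p->lock);
}

/* Constructed stand-in backend: hands out fake descriptors 100, 101, ... */
typedef struct { int opened, closed; } demo_backend_t;
static int  demo_open(void *ctx) { demo_backend_t *b = ctx; return 100 + b->opened++; }
static void demo_close(void *ctx, int fd) { (void)fd; ((demo_backend_t *)ctx)->closed++; }

int main(void)
{
    demo_backend_t be = {0, 0};
    conn_pool_t pool;
    if (pool_init(&pool, demo_open, demo_close, &be) != 0) return 1;
    int a = pool_acquire(&pool), b = pool_acquire(&pool);
    printf("two concurrent requests use fds %d and %d\n", pool_fd(&pool, a), pool_fd(&pool, b));
    pool_release(&pool, a, 0);
    pool_release(&pool, b, 1);   /* pretend the second connection failed mid-request */
    pool_destroy(&pool);
    printf("opened=%d closed=%d\n", be.opened, be.closed);
    return 0;
}
```

Only the ownership flags are touched under the lock; the descriptor itself is read and written solely by the thread that currently owns the slot, which is what keeps two requests from sharing one socket.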
Re: modules instantiation
On 19 February 2010, at 15:24, Latha Krishnamurthi wrote:

> I am using the free radius 2.1.3. I have a module rlm_xxx and have
> initialized it as thread safe. I have configured the start_servers as 3. The
> issue I am having is as follows.
>
> I see that a new instance is getting created when the first one is busy
> handling a request. (I do this by adding a sleep in the module and
> printing the threadid) I am expecting the xxx_instantiate function to get
> called each time a new instance is created (reading in the documentation).
> This does not happen. I am actually connecting to a server in the instantiate
> function and storing the socket id in the *instance, so that I can use it
> later in the authenticate etc.
>
> But it seems that the socket id is the same for all the instances. *instance
> seems to be shared by all the instances ??
>
> Am I missing something/configuration, your help is greatly appreciated.

I believe this is an issue of terminology. Instantiation in this case refers to the configuration process prior to the start of the server accepting Radius requests. It does not refer to instantiation of new threads. I am not aware of any hook you can use for instantiation of new threads. In one of the older version rlm_example files is the following comment:

 * If the module needs to temporarily modify it's instantiation
 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
 * The server will then take care of ensuring that the module
 * is single-threaded.
modules instantiation
Hi,

I am using the free radius 2.1.3. I have a module rlm_xxx and have initialized it as thread safe. I have configured the start_servers as 3. The issue I am having is as follows.

I see that a new instance is getting created when the first one is busy handling a request. (I do this by adding a sleep in the module and printing the threadid) I am expecting the xxx_instantiate function to get called each time a new instance is created (reading in the documentation). This does not happen. I am actually connecting to a server in the instantiate function and storing the socket id in the *instance, so that I can use it later in the authenticate etc.

But it seems that the socket id is the same for all the instances. *instance seems to be shared by all the instances ??

Am I missing something/configuration, your help is greatly appreciated.

Thanks in advance for your inputs.

Thanks,
Latha.
Cisco Parser View
Hi everyone

I got my cisco router authentication working OK, I can get access to my cisco router with full privilege sending "cisco-av-pair = shell:priv-lvl=15" from the freeradius server.

I configured the "parser view" configuration in the router, to give some different commands to different kinds of users, but I don't know what parameter or variable to send from the freeradius server to achieve the parser configuration.

Thanks in advance.

Cisco Router Parser Configuration:

parser view Connectivity
 secret 5 $1$z4It$J33phdP
 commands configure include all line
 commands configure include-exclusive all route-map
 commands configure include-exclusive all snmp-server
 commands configure include-exclusive all dialer-list
 commands configure include all access-list
 commands configure include-exclusive all ip prefix-list
 commands configure include all ip route
 commands configure include all ip access-list
 commands configure include-exclusive all router
 commands configure include all interface
 commands configure include-exclusive all dlsw
 commands configure include-exclusive all source-bridge
 commands configure include-exclusive all policy-map
 commands configure include-exclusive all class-map
 commands configure include-exclusive all chat-script
 commands configure include ip
 commands configure exclude crypto
 ...

parser view Security
 secret 5 $1$UJcb$JREJYEXQ3Jn
 commands interface include all crypto
 commands configure include ip access-list log-update
 commands configure include ip access-list logging
 commands configure include ip access-list extended
 commands configure include ip access-list standard
 commands configure include ip access-list resequence
 commands configure include ip access-list
 commands configure include ip
 commands configure include all crypto
 commands configure include no ip access-list log-update
 commands configure include no ip access-list logging
 commands configure include no ip access-list extended
 commands configure include no ip access-list standard
 commands configure include no ip access-list resequence
 commands configure include no ip access-list
 commands configure include no ip
 commands configure include all no crypto
 commands configure include no
 commands exec include all crypto
 ...
Re: can't get simultaneous login to work Part 1
J Brandon Polley wrote:

> We can't get simultaneous login to work. We are trying to restrict
> simultaneous use to allow only one user to be logged at once.

OK... you've posted rather a lot of information. Did you read doc/Simultaneous-Use?

I don't see any "session" sections being executed. They get run only when you set Simultaneous-Use...

Alan DeKok.
can't get simultaneous login to work Part 1
Some background on what we have here:

- We have a Cisco wireless infrastructure (WLC 4400, a bunch of 1131s) and clients running SecureW2 supplicant. We want to authenticate and authorize them against our directory services. The 802.1x/EAP-TTLS/PAP method was suggested and we went with it.
- user's directory is eDirectory and accessed via Novell LDAP v3 interface. (authentication is working and SSL secured [SLDAP])
- Radius server is on separate hardware, OS is Novell SUSE Enterprise Linux (SLES) 10 SP3 and is NOT running eDirectory.
- FreeRADIUS 2.1.8 downloaded from FreeRADIUS.org and built from scratch with -eDIR options (compiled perfectly into RPMs and installed into OS perfectly).
- Config files and debug output to follow the base email below.
- I have my NAS listed in the huntgroups.config
- I set correct type of NAS in the file "/etc/raddb/clients.config". I set it to "cisco" (We assume this directs "checkrad.pl" to use that method)
- I set the username to SNMP, password is the community string in the clients config
- I have accounting turned on my NAS and we see accounting messages coming in when sessions expire. (see debug output below)

We can't get simultaneous login to work. We are trying to restrict simultaneous use to allow only one user to be logged at once.

(1) Some things that we have picked up on are that the checkrad.pl perl script is not able to access the Cisco 4400 wireless controller's data properly to access the session information. I think this may be partly us not knowing how a session is considered unique and two how the cisco section in the script polls the MIB for session data. We know based on the new Cisco Airespace MIB that sessions are listed by MAC address but from there not sure how to map that onto what FreeRADIUS is looking for. SNMP access to the device is working, we can see the request on the line using Wireshark and snmpwalk returns system data.

Perhaps it has something to do with adding Simultaneous-use parameter to the check items first line. I am not sure where to find "check items". Our usernames are coming from eDirectory and we have followed the Novell documentation on what to do there. The data is then presented to FreeRADIUS via LDAP. When I go into Radius users using Novell iManager I can see some options for "check items" but none are set.

(2) Another oddity is radwho. When the user logs in the first time they show up in radwho. When I have someone login again using the same username but on a different laptop the newest login overwrites the entry in radwho instead of adding to it. Should that not be a separate unique session and thus two should appear in the listing?

I have read the documentation:

- I installed the mrtg package (to allow the checkrad.pl to talk SNMP natively and that does work just not polling the right data we think)
- I put this line in the "/raddb/users.config" file at the top of the file (the first non commented line):

DEFAULT Simultaneous-Use := 1
        Fall-Through = 1

We are not doing groups, everyone in our directory is allowed on the wireless so we used "DEFAULT".

Here is my debug output when I start radius:

radius:~ # radiusd -X
FreeRADIUS Version 2.1.8, for host i686-suse-linux-gnu, built on Jan 23 2010 at 01:51:06
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules
Blocking a user before proxy
Hello - I'm new to the list, because I've encountered a question I can't find the answer to in the wiki or the archives.

We've had a stable Freeradius implementation for several years, and we love it! Authentication decisions are being made on a group of linux servers; some locally, some handed off via ldap, and more recently some via peap-mschapv2.

Now, we are in a position where we'd like to implement proxying with realms, to hand off the 802.11i decision to a Microsoft NPS (IAS) server we don't control, but we want to retain the ability to reject a user on the linux boxes before handing the question to NPS. Up until now we've rejected individual users by an $INCLUDE of a bad-users file into the USERS file.

My question is about what step in the sequence is most efficient to get this done, and if there are any implications for which tool works best in the different steps. It makes sense to me (and with what I've seen written on the lists) to make that decision BEFORE proxying, and if possible before even making the decision to DO proxying. If I understand the process correctly...

1) It would be nice to do it during the Authorization phase (so as not to waste time with proxying activities)
2) The existing files in Preprocess (hints, huntgroups) don't seem to be set up for individual user blocking
3) Checkval doesn't take non-matches, so we can't use that.

So I guess I'll need to insert some conditional logic evaluating against a list of bad usernames in one of those areas, using the language of radiusd.conf or with Perl or write a custom module.

Anyone have any advice about what the best approach would be? Or am I missing something a lot easier?

Thanks!
Steve Lovaas
which version well works with digest?
Hi Alan,

I've seen this one
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg22204.html

Also I've tried (1.1.1, 1.1.3 and 2.1.8) freeradius version, but anyway still can't get it working. I'm looking for digest auth for sip protocol, I to testing it by the way...
http://freeradius.org/radiusd/man/rlm_digest.html

I've got these troubles with 2.1.8..

[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
Found Auth-Type = digest
+- entering group authenticate {...}
[digest] Cleartext-Password or Digest-HA1 is required for authentication.
++[digest] returns invalid
Failed to authenticate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds

1.1.1 and 1.1.3.

A2 = REGISTER:sip:551...@example.com
KD = 412325717cf44c1b4a628b2742d096a9:1234abcd:ce566eb71723da08a54d906325db74f6
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

I tried to use libradiusclient-ng and radiusclient from freeradius, anyway I've got these weird things.

my configuration..

prefix = /usr/local/freeradius-1.1.1
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 127.0.0.1
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
$INCLUDE ${confdir}/clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    files {
        usersfile = ${confdir}/users
        compat = no
    }
    digest {
    }
}
authorize {
    digest
    files
}
authenticate {
    digest
}
RES: Accounting queries logging just after Acct-Stop packet
Thanks very much Fajar,

I didn't notice that the radacct has also changed, therefore I got some errors. I've already changed it and it works great now.

Thanks again.

Luiz Gustavo Scandelari

Date: Thu, 18 Feb 2010 19:07:27 +0700
From: "Fajar A. Nugraha"
Subject: Re: Accounting queries logging just after Acct-Stop packet
To: FreeRadius users mailing list
Message-ID: <7207d96f1002180407re3919c6wf8418a11bf1ea...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Feb 18, 2010 at 6:22 PM, Luiz Gustavo de Villa Scandelari wrote:

> compared to the previous version (1.x.x) the accounting queries are not
> logging the accounting session at radacct, as it should.
> After we receive an
> Acct-Stop Packet the sql module logs the accounting session data to the
> database, so what can I do in order to have the sql module logging just
> after the Acct-Start Packet?

Start by comparing the default sql query for acct-start to the one you currently use. Perhaps you're missing something (wrong table name, wrong fields?).

Then run FR in debug mode. Verify that you got acct-start packet correctly. After that enable sql trace, so you know what queries were executed. That should help you find out which sql query (if any) is causing the problem.

--
Fajar
Re: Problem with eap-peap
Trujillo Carmona, Antonio wrote:

...
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for gdxtrujo with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=gdxtrujo
> [mschap] expand: --domain=%{mschap:NT-Domain:-HUVN} -> --domain=HUVN
> [mschap] mschap2: 10
> [mschap] expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=cacf5023c11e7ea7
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=3e1277f2d4835fc8a8de7dfae71b2890c6ef6d3841140af2
> Exec-Program output: NT_KEY: 2A28DA9AD2160A673F22F87D37D8E9BC
> Exec-Program-Wait: plaintext: NT_KEY: 2A28DA9AD2160A673F22F87D37D8E9BC
> Exec-Program: returned: 0
...
> Sending Access-Challenge of id 50 to 10.104.16.128 port 45236
> EAP-Message =
> 0x0109004a1900170301003f27dd660624182f35234bd9f80b3c7ad5c4ca8c538fc86c6bae1ba3991e4d3fd17f1a934ac2f7453801032ca9894b0d4a8687ceccbb61bb439c4c9fc642d244
> Message-Authenticator = 0x
> State = 0x3cd4450c3bdd5c57a4c67a935e13b1f8
> Finished request 7.
> Going to the next request
> Waking up in 4.8 seconds.
> Cleaning up request 0 ID 43 with timestamp +35

It's a bug in Samba. Downgrade Samba versions until it works.

Alan DeKok.
Problem with eap-peap
Thanks in advance and sorry for my English.

Really, I have spent several days reading from the internet (wiki.freeradius.org, deployingradius.com and google). I tried all the things, including applying a hotfix from Microsoft, but I can't make it work.

I use a debian backport version of freeradius

radius-2:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

my files are:

radius-2:/etc/freeradius# cat eap.conf
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$
###
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 4096
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = *
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

---

radius-2:/etc/freeradius# cat modules/mschap
# -*- text -*-
#
# $Id$
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    authtype = MS-CHAP
    ntlm_auth = "/usr/bin/ntlm_auth \
        --request-nt-key \
        --username=%{mschap:User-Name:-None} \
        --domain=%{mschap:NT-Domain:-HUVN} \
        --challenge=%{mschap:Challenge:-00} \
        --nt-response=%{mschap:NT-Response:-00}"
}

radius-2:/etc/freeradius# cat sites-enabled/default
##
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# $Id $
#
##
authorize {
    #ntlm_auth
    preprocess
    #chap
    mschap
    suffix
    #ntdomain
    # eap {
    #     ok = return
    # }
    eap
    #unix
    #files
    #expiration
    #logintime
    #pap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
    preprocess
    acct_unique
    suffix
    # ntdomain
    # files
}
#
# Accounting. Log the accounting data.
#
accounting {
    detail
    radutmp
    # sql
    attr_filter.accounting_response
}
session {
    radutmp
    # sql
}
post-auth {
    exec
    # Post-Auth-Type REJECT {
    #     attr_filter.access_reject
    # }
}
pre-proxy {
}
post-proxy {
    eap
}

---

The output of a debug session:

Linux radius-2 2.6.26-2-amd64 #1 SMP Tue Jan 12 22:12:20 UTC 2010 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 18 09:17:57 2010 from 10.104.24.54
radius-2:~# freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/perl
including configuratio