Hello
I have changed the configuration files and now have the Radius SLES 11 server (172.16.0.26) binding to the LDAP server (172.16.0.7). The debug Radius log now shows the LDAP modules loading. The debug Radius server log shows errors in the expansion of the LDAP string and in not being able to find the user.
Below is the Radius server Debug log, DSTRACE log from Netware 6.5 LDAP server, LDAP configuration file, Radius conf file.
Please assist.
Radius Server DEBUG log
Imanager:~ # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013 at 23:55:29
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 172.16.0.26
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 172.16.0.0/16 {
require_message_authenticator = no
secret = "testing123"
shortname = "private-network-1"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "172.16.0.7"
port = 389
password = "laura01"
identity = "cn=admin,o=pukekohe_high"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = yes
cacertfile = "/etc/raddb/certs/sslDNScert.b64"
require_cert = "allow"
}
basedn = "o=pukekohe_high"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "nspmPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x7ff09516ff60
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 172.16.0.26
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address 172.16.0.26 port 1812
Listening on accounting address * port 1813
Listening on proxy address 172.16.0.26 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.3.97 port 61433, id=21, length=62
User-Name = "cn=gav,o=pukekohe_high"
User-Password = "1234501"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cn=gav,o=pukekohe_high", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for cn=gav,o=pukekohe_high
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=cn\3dgav\2co\3dpukekohe_high)
[ldap] expand: o=pukekohe_high -> o=pukekohe_high
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.0.7:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/sslDNScert.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,o=pukekohe_high/1234501 to 172.16.0.7:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=pukekohe_high, with filter (uid=cn\3dgav\2co\3dpukekohe_high)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect (rlm_ldap: User not found): [cn=gav,o=pukekohe_high/laura01] (from client private-network-1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[ldap] returns noop
[attr_filter.access_reject] expand: %{User-Name} -> cn=gav,o=pukekohe_high
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Netware 6.5 Server LDAP Trace
New cleartext connection 0xb662e760 from 172.16.0.26:57105, monitor = 0x1d4, index = 5
Implied anonymous bind by operation 0x1:0x77 on connection 0xb662e760
DoExtended on connection 0xb662e760
DoExtended: Extension Request OID: 1.3.6.1.4.1.1466.20037
Start TLS request issued from connection 0xb662e760
Sending operation result 0:"":"" to connection 0xb662e760
Monitor 0x1d4 initiating TLS handshake on connection 0xb662e760
DoTLSHandshake on connection 0xb662e760
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0xb662e760
DoBind on connection 0xb662e760
Bind name:cn=admin,o=pukekohe_high, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0xb662e760
DoSearch on connection 0xb662e760
Search request:
base: "o=pukekohe_high"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=cn=gav,o=pukekohe_high)"
attribute: "radiusNASIpAddress"
attribute: "radiusExpiration"
attribute: "acctFlags"
attribute: "dBCSPwd"
attribute: "sambaNtPassword"
attribute: "sambaLmPassword"
attribute: "ntPassword"
attribute: "lmPassword"
attribute: "radiusCallingStationId"
attribute: "radiusCalledStationId"
attribute: "radiusSimultaneousUse"
attribute: "radiusAuthType"
attribute: "radiusCheckItem"
attribute: "radiusReplyMessage"
attribute: "radiusLoginLATPort"
attribute: "radiusPortLimit"
attribute: "radiusFramedAppleTalkZone"
attribute: "radiusFramedAppleTalkNetwork"
attribute: "radiusFramedAppleTalkLink"
attribute: "radiusLoginLATGroup"
attribute: "radiusLoginLATNode"
attribute: "radiusLoginLATService"
attribute: "radiusTerminationAction"
attribute: "radiusIdleTimeout"
attribute: "radiusSessionTimeout"
attribute: "radiusClass"
attribute: "radiusFramedIPXNetwork"
attribute: "radiusCallbackId"
attribute: "radiusCallbackNumber"
attribute: "radiusLoginTCPPort"
attribute: "radiusLoginService"
attribute: "radiusLoginIPHost"
attribute: "radiusFramedCompression"
attribute: "radiusFramedMTU"
attribute: "radiusFilterId"
attribute: "radiusFramedRouting"
attribute: "radiusFramedRoute"
attribute: "radiusFramedIPNetmask"
attribute: "radiusFramedIPAddress"
attribute: "radiusFramedProtocol"
attribute: "radiusServiceType"
attribute: "radiusReplyItem"
attribute: "nspmPassword"
attribute: "sasdefaultloginsequence"
Sending operation result 0:"":"" to connection 0xb662e760
LDAP configuration File
# -*- text -*-
#
#  $Id$
#
#  Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute. LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP. If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
#  really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "172.16.0.7"
identity = "cn=admin,o=pukekohe_high"
password = 1234501
basedn = "o=pukekohe_high"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = yes
cacertfile = /etc/raddb/certs/sslDNScert.b64
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
require_cert = "allow"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# [url]http://www.novell.com/coolsolutions/appnote/16745.html[/url]
# [url]https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html[/url]
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
password_attribute = nspmPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = yes
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
# ldap_debug = 0x0028
}
Radius Configuration File
# -*- text -*-
#
#  radiusd.conf -- FreeRADIUS server configuration file.
#
#  $Id$
#
######################################################################
#
#  Read "man radiusd" before editing this file. See the section
#  titled DEBUGGING. It outlines a method where you can quickly
#  obtain the configuration you want, without running into
#  trouble.
#
#  Run the server in debugging mode, and READ the output.
#
#	$ radiusd -X
#
#  We cannot emphasize this point strongly enough. The vast
#  majority of problems can be solved by carefully reading the
#  debugging output, which includes warnings about common issues,
#  and suggestions for how they may be fixed.
#
#  There may be a lot of output, but look carefully for words like:
#  "warning", "error", "reject", or "failure". The messages there
#  will usually be enough to guide you to a solution.
#
#  If you are going to ask a question on the mailing list, then
#  explain what you are trying to do, and include the output from
#  debugging mode (radiusd -X). Failure to do so means that all
#  of the responses to your question will be people telling you
#  to "post the output of radiusd -X".
#
######################################################################
#
#  The location of other config files and logfiles are declared
#  in this file.
#
#  Also general configuration for modules can be done in this
#  file, it is exported through the API to modules that ask for
#  it.
#
#  See "man radiusd.conf" for documentation on the format of this
#  file. Note that the individual configuration items are NOT
#  documented in that "man" page. They are only documented here,
#  in the comments.
#
#  As of 2.0.0, FreeRADIUS supports a simple processing language
#  in the "authorize", "authenticate", "accounting", etc. sections.
#  See "man unlang" for details.
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#  name of the running server. See also the "-n" command-line option.
name = radiusd
#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#  Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
#  libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it. When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library. When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names. NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
#
libdir = /usr/lib64/freeradius
#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#  chroot: directory where the server does "chroot".
#
#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed
#  below (which MUST be specified). If "group" is specified, it switches
#  to that group, too. Any other groups listed for the specified "user"
#  in "/etc/group" are also added as part of this process.
#
#  The current working directory (chdir / cd) is left outside of the
#  chroot until all of the modules have been initialized. This allows
#  the "raddb" directory to be left outside of the chroot. Once the
#  modules have been initialized, it does a "chdir" to ${logdir}. This
#  means that it should be impossible to break out of the chroot.
#
#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,
#  and be sure to do "cd raddb" BEFORE starting the server.
#
#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}. If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be
#  inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory
#  user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it. In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible. That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'radius'.
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file. If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#  The server will also try to use "initgroups" to read /etc/groups.
#  It will join all groups where "user" is a member. This can allow
#  for some finer-grained access controls.
#
user = radiusd
group = radiusd
#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database. If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database. See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30
#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS. The reply packet may be
#  lost in the network, and the NAS will not see it. The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked. (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5
#  max_requests: The maximum number of requests which the server keeps
#  track of. This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low. Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024
#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#
#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.
#
#  Each section makes the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignores all "listen" sections if you are using '-i' and '-p'
#  on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = 172.16.0.26
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}
# This second "listen" section is for listening on the accounting
# port, too.
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
# hostname_lookups: Log the names of clients or just their IP addresses
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
hostname_lookups = no

# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
allow_core_dumps = no

# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
regular_expressions = yes
extended_expressions = yes

# Logging section. The various "log_*" configuration items
# will eventually be moved here.
log {
#
# Destination for log messages. This can be one of:
#
# files - log to “file”, as defined below.
# syslog - to syslog (see also the “syslog_facility”, below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option “-X” over-rides this option, and forces
# logging to go to stdout.
#
destination = files
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY user
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do thinks like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = yes
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking the server. This
# section holds the configuration items which minimize the impact
# of those attacks.
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means “allow any number of attributes”
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment out the
# $INCLUDE line.
#
# allowed values: {no, yes}
proxy_requests = yes
$INCLUDE proxy.conf

# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'clients' or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
$INCLUDE clients.conf

# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The name and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
$INCLUDE sql.conf
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
$INCLUDE sql/mysql/counter.conf
#$INCLUDE sql/postgresql/counter.conf
#
# IP addresses managed in an SQL table.
#
#$INCLUDE sqlippool.conf
# OTP token support. Not included by default.
# $INCLUDE otp.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = %{exec:/bin/echo foo}
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf

######################################################################
#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#
######################################################################

######################################################################
#
# Include all enabled virtual hosts.
#
# The following directory is searched for files that match
# the regex:
#
# /[a-zA-Z0-9_.]+/
#
# The files are then included here, just as if they were cut
# and pasted into this file.
#
# See "sites-enabled/default" for some additional documentation.
#
$INCLUDE sites-enabled/
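The radiusd.conf posted above is essentially the FreeRADIUS 2.1.x default with `ipaddr` pinned to the server's address, and its own comments describe the settings a reviewer checks on any RADIUS server: `auth_badpass`/`auth_goodpass` (cleartext passwords in radius.log), `allow_core_dumps`, `security.max_attributes = 0` (no cap), `reject_delay` relative to `cleanup_delay`, and `listen` blocks bound to `*`. The Python script below is an added example written for this page, not code from the original post or from the FreeRADIUS project. It parses the `name { key = value }` syntax of radiusd.conf (nested sections, `#` comments, `$INCLUDE` lines) and reports those settings. `SAMPLE_CONF` is a constructed fragment that mirrors the posted values; `parse_conf` and `audit` are names chosen here, and the thresholds are taken from the comments in the posted file.

```python
"""Audit a FreeRADIUS 2.x style radiusd.conf for risky settings.

Added example, not FreeRADIUS code. SAMPLE_CONF is a constructed fragment
mirroring the posted radiusd.conf: password logging on, the auth listener
pinned to one address, the accounting listener bound to '*'.
"""

SAMPLE_CONF = """
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = 172.16.0.26
    port = 0
#   clients = per_socket_clients
}
listen {
    ipaddr = *
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
log {
    destination = files
    file = ${logdir}/radius.log
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
}
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
$INCLUDE clients.conf
"""


def parse_conf(text):
    """Parse radiusd.conf syntax into nested dicts; return (root, includes).

    A section that appears more than once (several 'listen {}' blocks)
    becomes a list of dicts. Bare words such as the module names inside
    'instantiate {}' are ignored.
    """
    root, includes, stack = {}, [], []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$INCLUDE"):
            includes.append(line.split(None, 1)[1])
        elif line.endswith("{"):
            name = line[:-1].strip()              # 'listen' or 'name instance'
            child, prev = {}, cur.get(name)
            if prev is None:
                cur[name] = child
            elif isinstance(prev, list):
                prev.append(child)
            else:
                cur[name] = [prev, child]
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val.strip('"')
    if stack:
        raise ValueError("unbalanced braces in config")
    return root, includes


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit(conf):
    """Return a list of findings; empty when nothing is flagged."""
    findings = []
    log = conf.get("log", {})
    for key in ("auth_goodpass", "auth_badpass"):
        if log.get(key) == "yes":
            findings.append(f"log.{key} = yes: cleartext passwords are written to radius.log")
    if conf.get("allow_core_dumps") == "yes":
        findings.append("allow_core_dumps = yes: core files can expose shared secrets")
    sec = conf.get("security", {})
    if sec.get("max_attributes") == "0":
        findings.append("security.max_attributes = 0: no cap on attributes per packet")
    reject_delay = int(sec.get("reject_delay", "1"))
    cleanup_delay = int(conf.get("cleanup_delay", "5"))
    if reject_delay < 1:
        findings.append("security.reject_delay = 0: Access-Reject is not delayed, brute force is not slowed")
    elif reject_delay > cleanup_delay:
        findings.append(f"security.reject_delay ({reject_delay}) exceeds cleanup_delay ({cleanup_delay}); rejects go out at cleanup_delay")
    for i, lst in enumerate(_as_list(conf.get("listen"))):
        if lst.get("ipaddr") == "*" or lst.get("ipv6addr") == "::":
            findings.append(f"listen[{i}] ({lst.get('type', 'auth')}): binds every address; pin ipaddr on a multi-homed host")
    return findings


if __name__ == "__main__":
    conf, includes = parse_conf(SAMPLE_CONF)
    for finding in audit(conf):
        print("WARN", finding)
    print("includes:", includes)
```

Run against the sample it reports the two password-logging lines and the wildcard accounting listener, and nothing once those are set to `no` and a fixed `ipaddr`. To audit a real file, read `/etc/raddb/radiusd.conf` into `parse_conf` and feed each name in the returned `includes` list through it as well, since `clients.conf` and the `sites-enabled/` files carry the rest of the security-relevant settings.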