Topic: User with valid password is not allowed (sometimes) - please help !
Hello all,
I've been dealing with a strange issue for a long time, so I decided to describe it here. Maybe you have had a similar problem and can help me.
Scenario:
Chillispot + Freeradius + MySQL on same machine...
Everything works fine, but sometimes, when a user supplies a valid password, FreeRADIUS rejects it as wrong (no limit has been reached). When the user repeats the login with the same password it is validated correctly (sometimes only on the third try). Passwords are stored in plain text. I completely reinstalled the server with a new FreeRADIUS (1.x -> 2.x), but the behaviour is the same. This happens from time to time and there is no pattern to it. I also changed the check attribute from User-Password to Cleartext-Password, as suggested by the FreeRADIUS debug output (freeradius -X), but it is still the same...
I'm sure that the users type valid passwords without any spaces or non-printable characters.
Do you have any idea why this happens?
Thank you..
#MySQL
-- Every check item stored for the account. LIKE without wildcards matches the
-- literal name; unlike '=', it does not ignore trailing spaces under MySQL's
-- PAD SPACE collations. The result shown below is trimmed to one of the 3 rows reported.
SELECT id, UserName, Attribute, op, Value
FROM radcheck
WHERE username LIKE 'testuser';
+--------+-----------------+--------------------+----+------------+
| id | UserName | Attribute | op | Value |
+--------+-----------------+--------------------+----+------------+
| 634393 | testuser | Cleartext-Password | := | testpass |
+--------+-----------------+--------------------+----+------------+
3 rows in set (0.00 sec)
#Failed login (the two request dumps below carry the same id, CHAP-Challenge, CHAP-Password and Message-Authenticator, i.e. the second is a retransmission of the first):
rad_recv: Access-Request packet from host 127.0.0.1 port 42455, id=0, length=221
User-Name = "testuser"
CHAP-Challenge = 0xeccf148d53f051667a9823e5de873733
CHAP-Password = 0x00d3f4797e4f3259203648b663cf70e1ec
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 172.25.156.18
Calling-Station-Id = "00-1C-B3-C2-8A-F5"
Called-Station-Id = "00-0C-29-58-63-5B"
NAS-Identifier = "nas01"
Acct-Session-Id = "4c93741900000011"
NAS-Port-Type = Wireless-802.11
NAS-Port = 17
Message-Authenticator = 0xe0b1d438223cc799308111bd8151a15b
WISPr-Logoff-URL = "http://172.25.156.1:3990/logoff"
+- entering group authorize
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
expand: %t -> Fri Sep 17 16:00:31 2010
++[auth_log] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' and Attribute != 'Qos-Rate' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' and Attribute != 'Qos-Rate' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group pacienti
expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "testuser" with CHAP password
rlm_chap: Using clear text password "testpass" for user testuser authentication.
rlm_chap: Password check failed
++[chap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password): [testuser/<CHAP-Password>] (from client localhost port 17 cli 00-1C-B3-C2-8A-F5)
Delaying reject of request 50 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 50
Sending Access-Reject of id 0 to 127.0.0.1 port 42455
Idle-Timeout := 600
Acct-Interim-Interval := 600
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 42455, id=0, length=221
User-Name = "testuser"
CHAP-Challenge = 0xeccf148d53f051667a9823e5de873733
CHAP-Password = 0x00d3f4797e4f3259203648b663cf70e1ec
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 172.25.156.18
Calling-Station-Id = "00-1C-B3-C2-8A-F5"
Called-Station-Id = "00-0C-29-58-63-5B"
NAS-Identifier = "nas01"
Acct-Session-Id = "4c93741900000011"
NAS-Port-Type = Wireless-802.11
NAS-Port = 17
Message-Authenticator = 0xe0b1d438223cc799308111bd8151a15b
WISPr-Logoff-URL = "http://172.25.156.1:3990/logoff"
+- entering group authorize
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
expand: %t -> Fri Sep 17 16:00:31 2010
++[auth_log] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' and Attribute != 'Qos-Rate' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' and Attribute != 'Qos-Rate' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group pacienti
expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "testuser" with CHAP password
rlm_chap: Using clear text password "testpass" for user testuser authentication.
rlm_chap: Password check failed
++[chap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password): [testuser/<CHAP-Password>] (from client localhost port 17 cli 00-1C-B3-C2-8A-F5)
Delaying reject of request 50 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 50
Sending Access-Reject of id 0 to 127.0.0.1 port 42455
Idle-Timeout := 600
Acct-Interim-Interval := 600
Waking up in 4.9 seconds.
#Success login:
rad_recv: Access-Request packet from host 127.0.0.1 port 37286, id=0, length=221
User-Name = "testuser"
CHAP-Challenge = 0x3bbd1bb8af26015543db853c2ed4bf57
CHAP-Password = 0x004184904f618b872506a5ff847d774796
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 172.25.156.18
Calling-Station-Id = "00-1C-B3-C2-8A-F5"
Called-Station-Id = "00-0C-29-58-63-5B"
NAS-Identifier = "nas01"
Acct-Session-Id = "4c93741900000011"
NAS-Port-Type = Wireless-802.11
NAS-Port = 17
Message-Authenticator = 0xa77fc5e84182b49504d2574eaf4dd1f4
WISPr-Logoff-URL = "http://172.25.156.1:3990/logoff"
+- entering group authorize
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
expand: %t -> Fri Sep 17 16:00:57 2010
++[auth_log] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' and Attribute != 'Qos-Rate' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' and Attribute != 'Qos-Rate' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group pacienti
expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "testuser" with CHAP password
rlm_chap: Using clear text password "testpass" for user testuser authentication.
rlm_chap: chap user testuser authenticated succesfully
++[chap] returns ok
Login OK: [testuser/<CHAP-Password>] (from client localhost port 17 cli 00-1C-B3-C2-8A-F5)
+- entering group post-auth
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100917
expand: %t -> Fri Sep 17 16:00:57 2010
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
Sending Access-Accept of id 0 to 127.0.0.1 port 37286
Idle-Timeout := 600
Acct-Interim-Interval := 600
Finished request 53.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 51236, id=43, length=137
Acct-Status-Type = Start
User-Name = "testuser"
Calling-Station-Id = "00-1C-B3-C2-8A-F5"
Called-Station-Id = "00-0C-29-58-63-5B"
NAS-Port-Type = Wireless-802.11
NAS-Port = 17
NAS-Port-Id = "00000017"
NAS-IP-Address = 0.0.0.0
NAS-Identifier = "nas01"
Framed-IP-Address = 172.25.156.18
Acct-Session-Id = "4c93741900000011"
+- entering group preacct
rlm_acct_unique: Hashing 'NAS-Port = 17,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = "4c93741900000011",User-Name = "testuser"'
rlm_acct_unique: Acct-Unique-Session-ID = "7b48c9ff641f78a5".
++[acct_unique] returns ok
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
+- entering group accounting
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100917
expand: %t -> Fri Sep 17 16:00:57 2010
++[detail] returns ok
expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
expand: %{User-Name} -> testuser
++[radutmp] returns ok
++[acct_unique] returns noop
expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
expand: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0') -> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('4c93741900000011', '7b48c9ff641f78a5', 'testuser', '', '0.0.0.0', '17', 'Wireless-802.11', '2010-09-17 16:00:57', '0', '0', '', '', '', '0', '0', '00-0C-29-58-63-5B', '00-1C-B3-C2-8A-F5', '', '', '', '172.25.156.18', '', '0')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
Sending Accounting-Response of id 43 to 127.0.0.1 port 51236
Finished request 54.
Cleaning up request 54 ID 43 with timestamp +1249
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 53 ID 0 with timestamp +1249
Ready to process requests.
#radiusd.conf
# radiusd.conf as posted: path layout, logging and request-handling limits.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# The daemon drops to an unprivileged account after start-up.
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
# NOTE(review): replies are kept for cleanup_delay seconds so a retransmitted
# request with the same id is answered identically; the debug log shows a duplicate
# Access-Request being answered with a second Access-Reject - confirm for this version.
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
# Both good and bad passwords are written to radius.log. For PAP logins this puts
# cleartext credentials (including mistyped ones) in the log file; CHAP logs only
# "<CHAP-Password>", as the debug output shows. Turn goodpass/badpass back off
# once the issue is diagnosed.
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
# No case folding or whitespace stripping of the submitted credentials: a User-Name
# or password differing only in case or trailing spaces is compared as-is.
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
# Hard limits on a single request.
security {
max_attributes = 200
# Failed logins are answered after a 1 second delay (visible in the debug log as
# "Delaying reject of request ... for 1 seconds"); this slows online guessing.
reject_delay = 1
status_server = no
}
# Proxying is enabled, but the realm modules find no realm for plain usernames
# (see "No such realm NULL" in the log), so these requests are handled locally.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# NAS definitions and their shared secrets live in clients.conf (not shown).
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool; max_requests_per_server = 0 disables periodic thread recycling.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# PAP against cleartext stored passwords. NOTE(review): encryption_scheme is a
# 1.x option; 2.x's pap module derives the scheme from the check item
# (Cleartext-Password here) - confirm it is not ignored with a start-up warning.
pap {
encryption_scheme = clear
}
# In authorize, rlm_chap sets "Auth-Type := CHAP" whenever CHAP-Password is present
# (see the debug log); authenticate then verifies the CHAP response against the
# Cleartext-Password check item.
chap {
authtype = CHAP
}
# Not referenced by any server section in this file.
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
# Stock placeholder values (ldap.your.domain, o=My Org); not referenced by any
# server section in this file, so the module is inert.
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
# Of the four realm instances only "suffix" is referenced (authorize, preacct).
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Defined but not referenced by any server section in this file.
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
# Per-client accounting detail files, created with mode 0600.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
# Logs every Access-Request as received. No detailperm or suppress section here, so
# the file gets the module's default mode and, for PAP logins, the cleartext
# User-Password attribute is presumably written to disk - confirm for this version
# and add "suppress { User-Password }" if so.
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
}
# Acct-Unique-Session-ID is a hash over these attributes (see the preacct log lines).
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# The sql instance and its queries live in sql.conf (not shown). The debug log shows
# its post-auth query inserting '%{User-Password:-Chap-Password}' into radpostauth,
# so for PAP logins the submitted cleartext password is stored in the database.
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
# File-based daily counter; not referenced in authorize (the sqlcounter
# "dailycounter" below is used instead) although both share the same counter-name
# and check-name.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# SQL-backed usage counters. All four logged "Could not find Check item value pair"
# and returned noop, i.e. testuser has no Max-*-Session check item, so they play
# no part in the reject seen in the log.
sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
}
# NOTE(review): this instance points at "sqlcca3" while the others use "sql";
# confirm such an instance exists in sql.conf. Unlike noresetcounter and
# dailycounter, the query does not wrap SUM() in IFNULL(), so it yields NULL rather
# than 0 for a user with no matching sessions.
sqlcounter weeklycounter {
driver = "rlm_sqlcounter"
counter-name = Weekly-Session-Time
check-name = Max-Weekly-Session
sqlmod-inst = sqlcca3
key = User-Name
reset = weekly
query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT IFNULL(SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)),0) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
}
# Same missing IFNULL() as weeklycounter.
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
}
# Fixed-result modules; none of the three is referenced by a server section here.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# Runs /bin/echo with the User-Name; not referenced by any server section in this file.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
# Local IP pool; not referenced by any server section in this file.
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# Modules loaded at start-up even though no server section lists them (both
# provide xlat expansions).
instantiate {
exec
expr
}
# Authorize, in order: log the request, let chap/mschap set Auth-Type from the
# password attribute present, realm handling, EAP detection, then sql loads the
# check and reply items (Cleartext-Password from radcheck) before the counters
# look for Max-*-Session check items.
# NOTE(review): pap is not listed here, so nothing visible in this file sets
# Auth-Type PAP for requests carrying User-Password - confirm PAP logins still
# work or add pap after sql.
authorize {
auth_log
chap
mschap
suffix
eap
sql
noresetcounter
dailycounter
weeklycounter
monthlycounter
}
# Authenticate: dispatch on the Auth-Type chosen in authorize. The debug log takes
# the CHAP path ("entering group CHAP").
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# Reached only when no Auth-Type subsection above matched.
unix
eap
}
# Pre-accounting: derive Acct-Unique-Session-ID, then realm handling (noop for
# plain usernames, as in the log).
preacct {
acct_unique
suffix
}
# Accounting: write the detail file and radutmp, then the radacct row via sql.
# acct_unique runs a second time here and returns noop (see log).
accounting {
detail
radutmp
acct_unique
sql
}
# Simultaneous-Use checks are answered by the sql module (radacct).
session {
sql
}
# After an accept: log the reply, then sql runs its post-auth query (the
# radpostauth INSERT in the log). Rejects do not pass through here - there is no
# Post-Auth-Type REJECT subsection and the failed attempts in the log show no
# post-auth group - so radpostauth records successes only.
post-auth {
reply_log
sql
}
# Empty: nothing is applied to requests before they are proxied.
pre-proxy {
}
# Only eap post-processes replies returned by a home server.
post-proxy {
eap
}
# Syslog facility used when logging goes to syslog (log_file above currently
# sends it to a file instead).
log {
syslog_facility = daemon
}