SOLVED

Connecting FreeRADIUS to LDAP

Question (Linux)

Member: pzenz16 (Level 1)

19.10.2009 at 13:05, 5911 views, 2 comments

Hello dear community.

I have another problem with my RADIUS server.

I cannot get it linked to LDAP.

On every debug attempt it does print

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
But further up

Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
	server = "ldap.your.domain"
	port = 389
	password = ""
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"

	basedn = "o=My Org,c=UA"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	edir_account_policy_check = no
	set_auth_type = yes
It does not accept my settings.
I have specified the LDAP server, but here it does not pick it up.


Does anyone know a good how-to for this?
So far I have found plenty, but every one of them says something different *grin*.

Here is the complete debug output:

root@srvgrp7:~# freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct 16 2009 at 11:38:05
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ldap.save
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no

 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes


 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"

 client 172.20.140.174 {
	ipaddr = 172.20.140.174
	require_message_authenticator = no
	secret = "1234qwer"
	shortname = "dd-wrt"

radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no

 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4

 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost

 realm example.com {
	auth_pool = my_auth_failover

 realm LOCAL {

radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes

 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "

 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60


radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no

 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no

 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/freeradius/radwtmp"

 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048

 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"

 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/freeradius/certs/cakey.pem"
	certificate_file = "/etc/freeradius/certs/cacert.pem"
	CA_file = "/etc/freeradius/certs/cacert.pem"
	private_key_password = "1234qwer"
	dh_file = "/etc/freeradius/certs/dh"
	random_file = "/etc/freeradius/certs/random-data.bin"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/freeradius/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255


 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"

 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"

 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no

 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no

 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/freeradius/users"
	acctusersfile = "/etc/freeradius/acct_users"
	preproxy_usersfile = "/etc/freeradius/preproxy_users"
	compat = "no"

 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/freeradius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes

 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius/attrs.access_reject"
	key = "%{User-Name}"



 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
	server = "ldap.your.domain"
	port = 389
	password = ""
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"

	basedn = "o=My Org,c=UA"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	edir_account_policy_check = no
	set_auth_type = yes

rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Groupe-Id
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x8c30d50
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no

 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no

 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius/attrs.accounting_response"
	key = "%{User-Name}"

 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load

radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0

listen {
	type = "acct"
	ipaddr = *
	port = 0

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Here is the radius.conf

# -*- text -*-
##
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id$
##

######################################################################

#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.

#	Run the server in debugging mode, and READ the output.

#		$ radiusd -X

#	We cannot emphasize this point strongly enough.  The vast
#	majority of problems can be solved by carefully reading the
#	debugging output, which includes warnings about common issues,
#	and suggestions for how they may be fixed.

#	There may be a lot of output, but look carefully for words like:
#	"warning", "error", "reject", or "failure".  The messages there
#	will usually be enough to guide you to a solution.

#	If you are going to ask a question on the mailing list, then
#	explain what you are trying to do, and include the output from
#	debugging mode (radiusd -X).  Failure to do so means that all
#	of the responses to your question will be people telling you
#	to "post the output of radiusd -X".

######################################################################

#  	The location of other config files and logfiles are declared
#  	in this file.

#  	Also general configuration for modules can be done in this
#  	file, it is exported through the API to modules that ask for
#  	it.

#	See "man radiusd.conf" for documentation on the format of this
#	file.  Note that the individual configuration items are NOT
#	documented in that "man" page.  They are only documented here,
#	in the comments.

#	As of 2.0.0, FreeRADIUS supports a simple processing language
#	in the "authorize", "authenticate", "accounting", etc. sections.
#	See "man unlang" for details.


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}


# libdir: Where to find the rlm_* modules.

#   This should be automatically set at configuration time.

#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.

#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.

#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.

#   e.g. libdir = /usr/local/lib:/opt/package/lib

#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.

#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:

#	./configure --disable-shared
#	make
#	make install

libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.

#  The server may be signalled while it's running by using this
#  file.

#  This file is written when ONLY running in daemon mode.

#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`

pidfile = ${run_dir}/radiusd.pid

#  chroot: directory where the server does "chroot".

#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed
#  below (which MUST be specified).  If "group" is specified, it switchs
#  to that group, too.  Any other groups listed for the specified "user"
#  in "/etc/group" are also added as part of this process.

#  The current working directory (chdir / cd) is left *outside* of the
#  chroot until all of the modules have been initialized.  This allows
#  the "raddb" directory to be left outside of the chroot.  Once the
#  modules have been initialized, it does a "chdir" to ${logdir}.  This
#  means that it should be impossible to break out of the chroot.

#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,
#  end be sure to do "cd raddb" BEFORE starting the server.

#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be
#  inside of the chroot directory, too.

#chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.

#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privleges ) to start the server.

#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to radius'.

#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!

#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.

#  The server will also try to use "initgroups" to read /etc/groups.
#  It will join all groups where "user" is a member.  This can allow
#  for some finer-grained access controls.

#user = radius
#group = radius

#  max_request_time: The maximum time (in seconds) to handle a request.

#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.

#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.

#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.

#  Useful range of values: 5 to 120

max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.

#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.

#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.

#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)

#  Useful range of values: 2 to 10

cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.

#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.

#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.

#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.

#  Useful range of values: 256 to infinity

max_requests = 1024

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.

#  If you want the server to listen on additional addresses, or on
#  additionnal ports, you can use multiple "listen" sections.

#  Each section make the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.

#  The server ignore all "listen" section if you are using '-i' and '-p'
#  on the command line.

listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file.  For examples, see
	#               raddb/sites-available/copy-acct-to-home-server

	type = auth

	#  Note: "type = proxy" lets you control the source IP used for
	#        proxying packets, with some limitations:

	#    * Only ONE proxy listener can be defined.
	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".
	#    * Any "clients" configuration will be ignored.

	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
	ipaddr = *

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address.  This feature isn't strictly necessary,
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".

	#  If your system does not support this feature, you will
	#  get an error if you try to use it.

#	interface = eth0

	#  Per-socket lists of clients.  This is a very useful feature.

	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf.  Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.

	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section.  Take care configuring
	#  this feature, to ensure you don't accidentally disable a
	#  client you need.

	#  See clients.conf for the configuration of "per_socket_clients".

#	clients = per_socket_clients
}

#  This second "listen" section is for listening on the accounting
#  port, too.

listen {
	ipaddr = *
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients
}

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).

#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
320.
321.
#  Turning hostname lookups off also means that the server won't block 
322.
#  for 30 seconds, if it sees an IP address which has no name associated 
323.
#  with it. 
324.
325.
#  allowed values: {no, yes} 
326.
327.
hostname_lookups = no 
328.
 
329.
#  Core dumps are a bad thing.  This should only be set to 'yes' 
330.
#  if you're debugging a problem with the server. 
331.
332.
#  allowed values: {no, yes} 
333.
334.
allow_core_dumps = no 
335.
 
336.
#  Regular expressions 
337.
338.
#  These items are set at configure time.  If they're set to "yes", 
339.
#  then setting them to "no" turns off regular expression support. 
340.
341.
#  If they're set to "no" at configure time, then setting them to "yes" 
342.
#  WILL NOT WORK.  It will give you an error. 
343.
344.
regular_expressions	= yes 
345.
extended_expressions	= yes 
346.
 
347.
348.
#  Logging section.  The various "log_*" configuration items 
349.
#  will eventually be moved here. 
350.
351.
log { 
352.
353.
	#  Destination for log messages.  This can be one of: 
354.
355.
	#	files - log to "file", as defined below. 
356.
	#	syslog - to syslog (see also the "syslog_facility", below. 
357.
	#	stdout - standard output 
358.
	#	stderr - standard error. 
359.
360.
	#  The command-line option "-X" over-rides this option, and forces 
361.
	#  logging to go to stdout. 
362.
363.
	destination = files 
364.
 
365.
366.
	#  The logging messages for the server are appended to the 
367.
	#  tail of this file if destination == "files" 
368.
369.
	#  If the server is running in debugging mode, this file is 
370.
	#  NOT used. 
371.
372.
	file = ${logdir}/radius.log 
373.
 
374.
375.
	#  If this configuration parameter is set, then log messages for 
376.
	#  a *request* go to this file, rather than to radius.log. 
377.
378.
	#  i.e. This is a log file per request, once the server has accepted 
379.
	#  the request as being from a valid client.  Messages that are 
380.
	#  not associated with a request still go to radius.log. 
381.
382.
	#  Not all log messages in the server core have been updated to use 
383.
	#  this new internal API.  As a result, some messages will still 
384.
	#  go to radius.log.  Please submit patches to fix this behavior. 
385.
386.
	#  The file name is expanded dynamically.  You should ONLY user 
387.
	#  server-side attributes for the filename (e.g. things you control). 
388.
	#  Using this feature MAY also slow down the server substantially, 
389.
	#  especially if you do thinks like SQL calls as part of the 
390.
	#  expansion of the filename. 
391.
392.
	#  The name of the log file should use attributes that don't change 
393.
	#  over the lifetime of a request, such as User-Name, 
394.
	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log 
395.
	#  messages will be distributed over multiple files. 
396.
397.
	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log 
398.
 
399.
400.
	#  Which syslog facility to use, if ${destination} == "syslog" 
401.
402.
	#  The exact values permitted here are OS-dependent.  You probably 
403.
	#  don't want to change this. 
404.
405.
	syslog_facility = daemon 
406.
 
407.
	#  Log the full User-Name attribute, as it was found in the request. 
408.
409.
	# allowed values: {no, yes} 
410.
411.
	stripped_names = no 
412.
 
413.
	#  Log authentication requests to the log file. 
414.
415.
	#  allowed values: {no, yes} 
416.
417.
	auth = no 
418.
 
419.
	#  Log passwords with the authentication requests. 
420.
	#  auth_badpass  - logs password if it's rejected 
421.
	#  auth_goodpass - logs password if it's correct 
422.
423.
	#  allowed values: {no, yes} 
424.
425.
	auth_badpass = no 
426.
	auth_goodpass = no 
427.
428.
 
429.
#  The program to execute to do concurrency checks. 
430.
checkrad = ${sbindir}/checkrad 
431.
 
432.
# SECURITY CONFIGURATION 
433.
434.
#  There may be multiple methods of attacking on the server.  This 
435.
#  section holds the configuration items which minimize the impact 
436.
#  of those attacks 
437.
438.
security { 
439.
440.
	#  max_attributes: The maximum number of attributes 
441.
	#  permitted in a RADIUS packet.  Packets which have MORE 
442.
	#  than this number of attributes in them will be dropped. 
443.
444.
	#  If this number is set too low, then no RADIUS packets 
445.
	#  will be accepted. 
446.
447.
	#  If this number is set too high, then an attacker may be 
448.
	#  able to send a small number of packets which will cause 
449.
	#  the server to use all available memory on the machine. 
450.
451.
	#  Setting this number to 0 means "allow any number of attributes" 
452.
	max_attributes = 200 
453.
 
454.
455.
	#  reject_delay: When sending an Access-Reject, it can be 
456.
	#  delayed for a few seconds.  This may help slow down a DoS 
457.
	#  attack.  It also helps to slow down people trying to brute-force 
458.
	#  crack a users password. 
459.
460.
	#  Setting this number to 0 means "send rejects immediately" 
461.
462.
	#  If this number is set higher than 'cleanup_delay', then the 
463.
	#  rejects will be sent at 'cleanup_delay' time, when the request 
464.
	#  is deleted from the internal cache of requests. 
465.
466.
	#  Useful ranges: 1 to 5 
467.
	reject_delay = 1 
468.
 
469.
470.
	#  status_server: Whether or not the server will respond 
471.
	#  to Status-Server requests. 
472.
473.
	#  When sent a Status-Server message, the server responds with 
474.
	#  an Access-Accept or Accounting-Response packet. 
475.
476.
	#  This is mainly useful for administrators who want to "ping" 
477.
	#  the server, without adding test users, or creating fake 
478.
	#  accounting packets. 
479.
480.
	#  It's also useful when a NAS marks a RADIUS server "dead". 
481.
	#  The NAS can periodically "ping" the server with a Status-Server 
482.
	#  packet.  If the server responds, it must be alive, and the 
483.
	#  NAS can start using it for real requests. 
484.
485.
	status_server = yes 
486.
487.
 
488.
# PROXY CONFIGURATION 
489.
490.
#  proxy_requests: Turns proxying of RADIUS requests on or off. 
491.
492.
#  The server has proxying turned on by default.  If your system is NOT 
493.
#  set up to proxy requests to another server, then you can turn proxying 
494.
#  off here.  This will save a small amount of resources on the server. 
495.
496.
#  If you have proxying turned off, and your configuration files say 
497.
#  to proxy a request, then an error message will be logged. 
498.
499.
#  To disable proxying, change the "yes" to "no", and comment the 
500.
#  $INCLUDE line. 
501.
502.
#  allowed values: {no, yes} 
503.
504.
proxy_requests  = yes 
505.
$INCLUDE proxy.conf 
506.
 
507.
 
508.
# CLIENTS CONFIGURATION 
509.
510.
#  Client configuration is defined in "clients.conf".   
511.
512.
 
513.
#  The 'clients.conf' file contains all of the information from the old 
514.
#  'clients' and 'naslist' configuration files.  We recommend that you 
515.
#  do NOT use 'client's or 'naslist', although they are still 
516.
#  supported. 
517.
518.
#  Anything listed in 'clients.conf' will take precedence over the 
519.
#  information from the old-style configuration files. 
520.
521.
$INCLUDE clients.conf 
522.
 
523.
 
524.
# THREAD POOL CONFIGURATION 
525.
526.
#  The thread pool is a long-lived group of threads which 
527.
#  take turns (round-robin) handling any incoming requests. 
528.
529.
#  You probably want to have a few spare threads around, 
530.
#  so that high-load situations can be handled immediately.  If you 
531.
#  don't have any spare threads, then the request handling will 
532.
#  be delayed while a new thread is created, and added to the pool. 
533.
534.
#  You probably don't want too many spare threads around, 
535.
#  otherwise they'll be sitting there taking up resources, and 
536.
#  not doing anything productive. 
537.
538.
#  The numbers given below should be adequate for most situations. 
539.
540.
thread pool { 
541.
	#  Number of servers to start initially --- should be a reasonable 
542.
	#  ballpark figure. 
543.
	start_servers = 5 
544.
 
545.
	#  Limit on the total number of servers running. 
546.
547.
	#  If this limit is ever reached, clients will be LOCKED OUT, so it 
548.
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to 
549.
	#  keep a runaway server from taking the system with it as it spirals 
550.
	#  down... 
551.
552.
	#  You may find that the server is regularly reaching the 
553.
	#  'max_servers' number of threads, and that increasing 
554.
	#  'max_servers' doesn't seem to make much difference. 
555.
556.
	#  If this is the case, then the problem is MOST LIKELY that 
557.
	#  your back-end databases are taking too long to respond, and 
558.
	#  are preventing the server from responding in a timely manner. 
559.
560.
	#  The solution is NOT do keep increasing the 'max_servers' 
561.
	#  value, but instead to fix the underlying cause of the 
562.
	#  problem: slow database, or 'hostname_lookups=yes'. 
563.
564.
	#  For more information, see 'max_request_time', above. 
565.
566.
	max_servers = 32 
567.
 
568.
	#  Server-pool size regulation.  Rather than making you guess 
569.
	#  how many servers you need, FreeRADIUS dynamically adapts to 
570.
	#  the load it sees, that is, it tries to maintain enough 
571.
	#  servers to handle the current load, plus a few spare 
572.
	#  servers to handle transient load spikes. 
573.
574.
	#  It does this by periodically checking how many servers are 
575.
	#  waiting for a request.  If there are fewer than 
576.
	#  min_spare_servers, it creates a new spare.  If there are 
577.
	#  more than max_spare_servers, some of the spares die off. 
578.
	#  The default values are probably OK for most sites. 
579.
580.
	min_spare_servers = 3 
581.
	max_spare_servers = 10 
582.
 
583.
	#  There may be memory leaks or resource allocation problems with 
584.
	#  the server.  If so, set this value to 300 or so, so that the 
585.
	#  resources will be cleaned up periodically. 
586.
587.
	#  This should only be necessary if there are serious bugs in the 
588.
	#  server which have not yet been fixed. 
589.
590.
	#  '0' is a special value meaning 'infinity', or 'the servers never 
591.
	#  exit' 
592.
	max_requests_per_server = 0 
593.
594.
 
595.
# MODULE CONFIGURATION 
596.
597.
#  The names and configuration of each module is located in this section. 
598.
599.
#  After the modules are defined here, they may be referred to by name, 
600.
#  in other sections of this configuration file. 
601.
602.
modules { 
603.
604.
	#  Each module has a configuration as follows: 
605.
606.
	#	name [ instance ] { 
607.
	#		config_item = value 
608.
	#		... 
609.
	#	} 
610.
611.
	#  The 'name' is used to load the 'rlm_name' library 
612.
	#  which implements the functionality of the module. 
613.
614.
	#  The 'instance' is optional.  To have two different instances 
615.
	#  of a module, it first must be referred to by 'name'. 
616.
	#  The different copies of the module are then created by 
617.
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2' 
618.
619.
	#  The instance names can then be used in later configuration 
620.
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration 
621.
	#  for an example. 
622.
623.
 
624.
625.
	#  As of 2.0.5, most of the module configurations are in a 
626.
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/ 
627.
	#  are loaded.  The modules are initialized ONLY if they are 
628.
	#  referenced in a processing section, such as authorize, 
629.
	#  authenticate, accounting, pre/post-proxy, etc. 
630.
631.
	$INCLUDE ${confdir}/modules/ 
632.
 
633.
	#  Extensible Authentication Protocol 
634.
635.
	#  For all EAP related authentications. 
636.
	#  Now in another file, because it is very large. 
637.
638.
	$INCLUDE eap.conf 
639.
 
640.
	#  Include another file that has the SQL-related configuration. 
641.
	#  This is another file only because it tends to be big. 
642.
643.
	#$INCLUDE sql.conf 
644.
 
645.
646.
	#  This module is an SQL enabled version of the counter module. 
647.
648.
	#  Rather than maintaining seperate (GDBM) databases of 
649.
	#  accounting info for each counter, this module uses the data 
650.
	#  stored in the raddacct table by the sql modules. This 
651.
	#  module NEVER does any database INSERTs or UPDATEs.  It is 
652.
	#  totally dependent on the SQL module to process Accounting 
653.
	#  packets. 
654.
655.
	#$INCLUDE sql/mysql/counter.conf 
656.
	#$INCLUDE sql/postgresql/counter.conf 
657.
 
658.
659.
	#  IP addresses managed in an SQL table. 
660.
661.
	#$INCLUDE sqlippool.conf 
662.
 
663.
	# OTP token support.  Not included by default. 
664.
	# $INCLUDE otp.conf 
665.
666.
	ldap { 
667.
                server = "srvgrp7.local" 
668.
                identity = "cn=admin,dc=grp7,dc=local" 
669.
                password = "1234qwer" 
670.
                basedn = "dc=grp7,dc=local" 
671.
 
672.
                base_filter = "(objectclass=)" 
673.
                start_tls = yes 
674.
                # This is your Certificate Authority (CA) certificate 
675.
                tls_cacertfile = /etc/freeradius/certs/cacert.pem 
676.
                tls_require_cert = "demand" 
677.
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" 
678.
                # profile_attribute = "radiusProfileDn" 
679.
                #access_attr = "uid" 
680.
                dictionary_mapping = ${raddbdir}/ldap.attrmap 
681.
                authtype = ldap 
682.
                ldap_connections_number = 5 
683.
                timeout = 4 
684.
                timelimit = 3 
685.
                net_timeout = 1 
686.
687.
 
688.
 
689.
 
690.
# under MODULES, make sure mschap is uncommented! 
691.
    mschap { 
692.
      # authtype value, if present, will be used 
693.
      # to overwrite (or add) Auth-Type during 
694.
      # authorization. Normally, should be MS-CHAP 
695.
      authtype = MS-CHAP 
696.
 
697.
      # if use_mppe is not set to no, mschap will 
698.
      # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and 
699.
      # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 
700.
701.
      use_mppe = yes 
702.
 
703.
      # if mppe is enabled, require_encryption makes 
704.
      # encryption moderate 
705.
706.
      require_encryption = yes 
707.
 
708.
      # require_strong always requires 128 bit key 
709.
      # encryption 
710.
711.
      require_strong = yes 
712.
 
713.
      authtype = MS-CHAP 
714.
      # The module can perform authentication itself, OR 
715.
      # use a Windows Domain Controller. See the radius.conf file 
716.
      # for how to do this. 
717.
718.
 
719.
# Instantiation 
720.
721.
#  This section orders the loading of the modules.  Modules 
722.
#  listed here will get loaded BEFORE the later sections like 
723.
#  authorize, authenticate, etc. get examined. 
724.
725.
#  This section is not strictly needed.  When a section like 
726.
#  authorize refers to a module, it's automatically loaded and 
727.
#  initialized.  However, some modules may not be listed in any 
728.
#  of the following sections, so they can be listed here. 
729.
730.
#  Also, listing modules here ensures that you have control over 
731.
#  the order in which they are initalized.  If one module needs 
732.
#  something defined by another module, you can list them in order 
733.
#  here, and ensure that the configuration will be OK. 
734.
735.
instantiate { 
736.
737.
	#  Allows the execution of external scripts. 
738.
	#  The entire command line (and output) must fit into 253 bytes. 
739.
740.
	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}` 
741.
	exec 
742.
 
743.
744.
	#  The expression module doesn't do authorization, 
745.
	#  authentication, or accounting.  It only does dynamic 
746.
	#  translation, of the form: 
747.
748.
	#	Session-Timeout = `%{expr:2 + 3}` 
749.
750.
	#  So the module needs to be instantiated, but CANNOT be 
751.
	#  listed in any other section.  See 'doc/rlm_expr' for 
752.
	#  more information. 
753.
754.
	expr 
755.
 
756.
757.
	# We add the counter module here so that it registers 
758.
	# the check-name attribute before any module which sets 
759.
	# it 
760.
#	daily 
761.
	expiration 
762.
	logintime 
763.
 
764.
	# subsections here can be thought of as "virtual" modules. 
765.
766.
	# e.g. If you have two redundant SQL servers, and you want to 
767.
	# use them in the authorize and accounting sections, you could 
768.
	# place a "redundant" block in each section, containing the 
769.
	# exact same text.  Or, you could uncomment the following 
770.
	# lines, and list "redundant_sql" in the authorize and 
771.
	# accounting sections. 
772.
773.
	#redundant redundant_sql { 
774.
	#	sql1 
775.
	#	sql2 
776.
	#} 
777.
778.
authorize { 
779.
        preprocess 
780.
        mschap 
781.
	suffix 
782.
	eap 
783.
	files 
784.
	chap 
785.
	ldap 
786.
	 
787.
788.
     
789.
    authenticate { 
790.
          
791.
792.
         #  MSCHAP authentication.     
793.
         Auth-Type MS-CHAP { 
794.
               mschap 
795.
796.
	 Auth-Type ldap { 
797.
      		ldap 
798.
799.
 
800.
	 
801.
802.
         #  Allow EAP authentication. 
803.
         eap 
804.
805.
 
806.
###################################################################### 
807.
808.
#	Policies that can be applied in multiple places are listed 
809.
#	globally.  That way, they can be defined once, and referred 
810.
#	to multiple times. 
811.
812.
###################################################################### 
813.
$INCLUDE policy.conf 
814.
 
815.
###################################################################### 
816.
817.
#	As of 2.0.0, the "authorize", "authenticate", etc. sections 
818.
#	are in separate configuration files, per virtual host. 
819.
820.
###################################################################### 
821.
 
822.
###################################################################### 
823.
824.
#	Include all enabled virtual hosts. 
825.
826.
#	The following directory is searched for files that match 
827.
#	the regex: 
828.
829.
#		/[a-zA-Z0-9_.]+/ 
830.
831.
#	The files are then included here, just as if they were cut 
832.
#	and pasted into this file. 
833.
834.
#	See "sites-enabled/default" for some additional documentation. 
835.
836.
$INCLUDE sites-enabled/
Maybe someone knows something about this.

Regards
Philipp
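A structural check that can be run over a radiusd.conf like the one posted above before radiusd is started: it flags unbalanced braces, module instances defined outside modules { }, items repeated inside one section, and an LDAP bind password kept in clear text. This is an added example, not part of the original post or of FreeRADIUS; the module-name list and the sample configuration are assumptions constructed for the demonstration.

```python
import re

# Section header: one or two words followed by "{" ("listen {", "Auth-Type MS-CHAP {").
SECTION_OPEN = re.compile(r'^\s*([\w-]+(?:\s+[\w-]+)?)\s*\{\s*$')
ITEM = re.compile(r'^\s*([\w-]+)\s*=')          # "name = value"
# Trailing "# comment"; a '#' inside double quotes is part of the value.
COMMENT = re.compile(r'^((?:[^"#]|"[^"]*")*)#.*$')
# Module instances that only take effect inside modules { } (assumed list, not exhaustive).
MODULE_SECTIONS = {'ldap', 'mschap', 'pap', 'chap', 'sql', 'files', 'eap'}


def lint_radiusd_conf(text):
    """Return a list of findings (strings) for radiusd.conf-style text."""
    findings, stack, seen = [], [], [{}]   # seen: per open section, item -> first line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub(r'\1', raw).rstrip()
        if not line.strip():
            continue
        m = SECTION_OPEN.match(line)
        if m:
            name = m.group(1)
            if name in MODULE_SECTIONS and 'modules' not in stack:
                findings.append(f"line {lineno}: '{name} {{' is outside modules {{ }}")
            stack.append(name)
            seen.append({})
        elif line.strip() == '}':
            if stack:
                stack.pop()
                seen.pop()
            else:
                findings.append(f"line {lineno}: unexpected '}}'")
        else:
            m = ITEM.match(line)
            if m:
                key = m.group(1)
                section = stack[-1] if stack else 'top level'
                if key in seen[-1]:
                    findings.append(f"line {lineno}: duplicate '{key}' in {section} (first at line {seen[-1][key]})")
                else:
                    seen[-1][key] = lineno
                if key == 'password' and section == 'ldap':
                    findings.append(f"line {lineno}: ldap bind password is stored in clear text; keep radiusd.conf readable only by the radiusd user")
    for name in reversed(stack):
        findings.append(f"end of file: section '{name}' never closed")
    return findings


# Constructed sample with the same shape as the posted file: ldap {} and mschap {}
# after modules {} was already closed, a repeated item, and an unclosed section.
SAMPLE = """\
modules {
}
ldap {
    server = "ldap.example.test"   # placeholder, not a real host
    password = "placeholder-secret"
}
mschap {
    authtype = MS-CHAP
    authtype = MS-CHAP
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
"""

if __name__ == '__main__':
    for finding in lint_radiusd_conf(SAMPLE):
        print(finding)
```

Run it on the real file with lint_radiusd_conf(open('/etc/freeradius/radiusd.conf').read()); the server's own parse errors are shown when it is started in debug mode with radiusd -X.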
Member: aqui
19.10.2009 at 15:24
Maybe THIS will help you:
http://www.administrator.de/Dynamische_VLAN-Zuweisung_mit_FreeRADIUS_un ...
It says exactly how it works!
Member: pzenz16
21.10.2009 at 18:45
Hello!

Thanks a lot,
unfortunately it didn't help me, but thanks =)

Regards