Unifi wifi SSHA passwords freeradius


Unifi wifi SSHA passwords freeradius

Users mailing list

 
Hi!

I have Unifi wifi — freeradius — ldap.

In LDAP I have SSHA passwords for users.

This config on GitHub helped me set up normal auth with SSHA passwords (instead of plaintext):
https://github.com/hacor/unifi-freeradius-ldap

I use TTLS + PAP.

All OK, but I have some troubles with a timeout (or something else).

After a few hours wifi on clients (iOS, Android, PC) stops working, and users must manually reconnect to the wifi network.

When we use plaintext passwords and PEAP auth, all is OK. Clients do not stop working.
 
 
Logs
 
Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds
Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds
Info: Need 6 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used
Info: Need 5 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used
Info: Need 4 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used
Info: Need 3 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
 
Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
 
And here is my freeradius config
 
EAP
 
eap {
    default_eap_type = ttls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls-config tls-common {
        private_key_password = XXX
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24 # hours
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = " http://127.0.0.1/ocsp/ "
        }
    }

    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        default_eap_type = gtc
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
 
DEFAULT
 
server default {
listen {
    type = auth
    ipaddr = *
    port = 0
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
}
authorize {
    filter_username
    preprocess
    digest
    suffix
    eap {
        ok = return
        #updated = return
    }
    files
    -sql
    ldap
    expiration
    logintime
    pap
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type PAP {
        #pap
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    #Auth-Type LDAP {
        ldap
    #}
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    -sql
    exec
    attr_filter.accounting_response
}
session {
}
post-auth {
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    update {
        &reply: += &session-state:
    }

    if (LDAP-Group == "vpn") {
        vpn_l2tp_pool
    }
    elsif (LDAP-Group == "vpn-ext") {
        vpn_l2tp_ext_pool
    }
    elsif (LDAP-Group == "vpn-1c") {
        ok
    }
    else {
        reject
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}
 
INNER TUNNEL
 
server inner-tunnel {
listen {
       ipaddr = *
       port = 18120
       type = auth
}
authorize {
    filter_username
    suffix
    update control {
        &Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    -sql
    ldap
    expiration
    logintime
    pap
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type PAP {
        #pap
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
#    Auth-Type LDAP {
        ldap
#    }
    eap
}
session {
    radutmp
}
post-auth {
    -sql
    if (LDAP-Group == "wifi") {
        noop
    } else {
        reject
    }
    if (0) {
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }
        update {
            &outer.session-state: += &reply:
        }
    }
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        update outer.session-state {
            &Module-Failure-Message := &request:Module-Failure-Message
        }
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}
 
LDAP
 
ldap {
    server = 'localhost'
    identity = 'cn=admin,dc=fusioncore,dc=local'
    password = fusioncore
    base_dn = 'ou=people,dc=fusioncore,dc=local'
    sasl {
    }
    update {
        control:Password-With-Header    += 'userPassword'
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:                += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "ou=groups,dc=fusioncore,dc=local"
        filter = '(objectClass=GroupOfNames)'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberUid'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr                = 'radiusClientIdentifier'
            secret                = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        start_tls = no
    }
    ldap_connections_number = 5
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Unifi wifi SSHA passwords freeradius

Alan Buxey
Hi,

Your LDAP connection pool is borked. You have horrible values. Start with the default (in fact, if you have no problem with long-lived connections then disable the auto pool stuff and just have e.g. 8 connections).

alan

On Wed, 12 Feb 2020 at 10:59, Сергей Черевко via Freeradius-Users
<[hidden email]> wrote:

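A concrete version of the fixed-size pool Alan suggests, as an added example that is not from the thread or the linked GitHub config: the poster's dynamic `pool` block from the `ldap` module beside a static one of 8 connections. It assumes FreeRADIUS 3.0's rlm_ldap `pool` directives (`start`, `min`, `max`, `spare`, `lifetime`, `idle_timeout`) with their documented meanings, and radiusd.conf's stock thread values (start 5, min spare 3, max spare 10, max 32), which the "reach 10 spares" and "28 pending slots" lines in the log are consistent with.

```conf
# Pool as posted: sized from the thread pool, so with the stock thread values
# it starts 5 connections, keeps at least 3, may grow to 32 and tries to hold
# 10 idle spares, while idle_timeout = 60 closes any spare idle for a minute.
# That is the open/close churn in the log: "Closing connection ... Hit
# idle_timeout" followed by "Need N more connections to reach 10 spares".
pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
}

# Static alternative: 8 long-lived connections, opened at startup and never
# grown, shrunk or closed for idleness. Use this only when long-lived LDAP
# connections are acceptable; the poster's options { idle / probes / interval }
# TCP keepalive settings are what notices a dead one.
pool {
    start = 8           # opened at module instantiation; startup fails if they cannot be opened
    min = 8             # never drop below 8
    max = 8             # never exceed 8
    spare = 0           # with min == max there are no spare slots to manage
    uses = 0            # unlimited uses per connection
    retry_delay = 30    # seconds to wait before retrying a failed open
    lifetime = 0        # connections are not recycled by age
    idle_timeout = 0    # and not closed for being idle
}
```

Only one `pool` block belongs in mods-available/ldap; the two are shown together for comparison.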

Re: Unifi wifi SSHA passwords freeradius

Users mailing list
In reply to this post by Users mailing list

Hi, sorry, but I don't understand where I should write the correct values. In «sites-enabled\default»? Or in ldap?
Sorry

 

>Wednesday, 12 February 2020, 14:00 +03:00, from Сергей Черевко via Freeradius-Users <[hidden email]>:

Re: Unifi wifi SSHA passwords freeradius

Alan DeKok-2

On Feb 12, 2020, at 7:00 AM, Сергей Черевко via Freeradius-Users <[hidden email]> wrote:
>
> Hi, sorry, but I don't understand where I should write the correct values. In «sites-enabled\default»? Or in ldap?

  The default configuration for the "ldap" module works.  Don't change it unless you understand what you're changing, and why.

  On top of that, if you have issues with the server, RUN IT IN DEBUG MODE.  *Every* piece of documentation says to do this.

  Alan DeKok.



Re[2]: Unifi wifi SSHA passwords freeradius

Users mailing list

Hi! I started freeradius -X

and here are the logs.

Users «amohova» and «dgalitskov», for example.
 
(108138) Received Accounting-Request Id 181 from 10.10.3.232:32811 to 10.10.2.40:1813 length 191
(108138)   Acct-Status-Type = Start                                                                                      
(108138)   Acct-Authentic = RADIUS                                             
(108138)   User-Name = "amohova"                                                                                                                                                     
(108138)   NAS-IP-Address = 10.10.3.232   
(108138)   Framed-IP-Address = 10.10.60.202                                                     
(108138)   NAS-Identifier = "b4fbe4867b30"                             
(108138)   Called-Station-Id = "B4-FB-E4-86-7B-30:FC"
(108138)   NAS-Port-Type = Wireless-802.11
(108138)   Service-Type = Framed-User                        
(108138)   Calling-Station-Id = "F8-4E-73-1B-3F-BD"        
(108138)   Connect-Info = "CONNECT 0Mbps 802.11g"                                          
(108138)   Acct-Session-Id = "1C9CE0FE0511C51C"         
(108138)   WLAN-Pairwise-Cipher = 1027076                                                                                
(108138)   WLAN-Group-Cipher = 1027076                                                     
(108138)   WLAN-AKM-Suite = 1027073                                                                                                                                                  
(108138)   Event-Timestamp = "Feb 12 2020 17:40:08 MSK"          
(108138)   Acct-Delay-Time = 0                  
(108138) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default        
(108138)   preacct {                  
(108138)     [preprocess] = ok     
(108138)     policy acct_unique {                            
(108138)       update request {                         
(108138)         &Tmp-String-9 := "ai:"                                   
(108138)       } # update request = noop                
(108138)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(108138)       EXPAND %{hex:&Class}                                                        
(108138)          -->                
(108138)       EXPAND ^%{hex:&Tmp-String-9}                      
(108138)          --> ^61693a                    
(108138)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(108138)       else {                                                                   
(108138)         update request {                                
(108138)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(108138)              --> da23bf2eae0a20950b70b61b493c3156       
(108138)           &Acct-Unique-Session-Id := da23bf2eae0a20950b70b61b493c3156
(108138)         } # update request = noop                       
(108138)       } # else = noop                                   
(108138)     } # policy acct_unique = noop                                                                                  
(108138) suffix: Checking for suffix after "@"                   
(108138) suffix: No '@' in User-Name = "amohova", looking up realm NULL
(108138) suffix: No such realm "NULL"                                              
(108138)     [suffix] = noop        
(108138)     [files] = noop                                                                                                         
(108138)   } # preacct = ok                        
(108138) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(108138)   accounting {                                                                                                                                
(108138) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(108138) detail:    --> /var/log/freeradius/radacct/10.10.3.232/detail-20200212                                     
(108138) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.232/detail-20200212
(108138) detail: EXPAND %t                                                                                                  
(108138) detail:    --> Wed Feb 12 17:40:08 2020
(108138)     [detail] = ok                    
(108138)     [unix] = ok                                                  
(108138)     [exec] = noop           
(108138) attr_filter.accounting_response: EXPAND %{User-Name}                                                                       
(108138) attr_filter.accounting_response:    --> amohova
(108138) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(108138)     [attr_filter.accounting_response] = updated                                                                                               
(108138)   } # accounting = updated                                                             
(108138) Sent Accounting-Response Id 181 from 10.10.2.40:1813 to 10.10.3.232:32811 length 0                              
(108138) Finished request                                                      
(108138) Cleaning up request packet ID 181 with timestamp +200672                                                                                                                    
Waking up in 3.0 seconds.                 
(108139) Received Accounting-Request Id 174 from 10.10.3.233:40969 to 10.10.2.40:1813 length 242
(108139)   Acct-Status-Type = Stop                                     
(108139)   Acct-Authentic = RADIUS                   
(108139)   User-Name = "dgalitskov"       
(108139)   NAS-IP-Address = 10.10.3.233                      
(108139)   Framed-IP-Address = 10.10.60.54                 
(108139)   NAS-Identifier = "7483c271f552"                                                 
(108139)   Called-Station-Id = "74-83-C2-71-F5-52:FC"   
(108139)   NAS-Port-Type = Wireless-802.11                                                                               
(108139)   Service-Type = Framed-User                                                      
(108139)   Calling-Station-Id = "E4-B2-FB-44-EF-D6"                                                                                                                                  
(108139)   Connect-Info = "CONNECT 0Mbps 802.11a"                
(108139)   Acct-Session-Id = "B0CE1AA98E2E130C"
(108139)   WLAN-Pairwise-Cipher = 1027076                                                       
(108139)   WLAN-Group-Cipher = 1027076
(108139)   WLAN-AKM-Suite = 1027073
(108139)   Event-Timestamp = "Feb 12 2020 17:40:09 MSK"      
(108139)   Acct-Delay-Time = 0                          
(108139)   Acct-Session-Time = 207                                        
(108139)   Acct-Input-Packets = 22                      
(108139)   Acct-Output-Packets = 22                                                                                         
(108139)   Acct-Input-Octets = 2136                                                        
(108139)   Acct-Input-Gigawords = 0  
(108139)   Acct-Output-Octets = 6010                             
(108139)   Acct-Output-Gigawords = 0             
(108139)   Acct-Terminate-Cause = User-Request                                                                                      
(108139) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(108139)   preacct {                                             
(108139)     [preprocess] = ok                                                                                                                         
(108139)     policy acct_unique {                                
(108139)       update request {                                               
(108139)         &Tmp-String-9 := "ai:"                          
(108139)       } # update request = noop                         
(108139)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(108139)       EXPAND %{hex:&Class}                              
(108139)          -->                                                  
(108139)       EXPAND ^%{hex:&Tmp-String-9}
(108139)          --> ^61693a       
(108139)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(108139)       else {                              
(108139)         update request {                                                          
(108139)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(108139)              --> 116a41339a3b573987c5fd7f78ea55cf                                                               
(108139)           &Acct-Unique-Session-Id := 116a41339a3b573987c5fd7f78ea55cf                                      
(108139)         } # update request = noop                                                                                                                                           
(108139)       } # else = noop                                                                                              
(108139)     } # policy acct_unique = noop      
(108139) suffix: Checking for suffix after "@"
(108139) suffix: No '@' in User-Name = "dgalitskov", looking up realm NULL
(108139) suffix: No such realm "NULL"
(108139)     [suffix] = noop                                                                                                        
(108139)     [files] = noop                             
(108139)   } # preacct = ok                                               
(108139) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default                                                            
(108139)   accounting {                                                                         
(108139) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(108139) detail:    --> /var/log/freeradius/radacct/10.10.3.233/detail-20200212
(108139) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.233/detail-20200212
(108139) detail: EXPAND %t                
(108139) detail:    --> Wed Feb 12 17:40:09 2020                                                
(108139)     [detail] = ok                                             
(108139)     [unix] = ok                             
(108139)     [exec] = noop                
(108139) attr_filter.accounting_response: EXPAND %{User-Name}
(108139) attr_filter.accounting_response:    --> dgalitskov
(108139) attr_filter.accounting_response: Matched entry DEFAULT at line 12                 
(108139)     [attr_filter.accounting_response] = updated
(108139)   } # accounting = updated                                                                                      
(108139) Sent Accounting-Response Id 174 from 10.10.2.40:1813 to 10.10.3.233:40969 length 0
(108139) Finished request                                                                                                                                                            
(108139) Cleaning up request packet ID 174 with timestamp +200673
Waking up in 2.4 seconds.                       
(108140) Received Accounting-Request Id 182 from 10.10.3.232:32811 to 10.10.2.40:1813 length 233
(108140)   Acct-Status-Type = Stop    
(108140)   Acct-Authentic = RADIUS
(108140)   User-Name = "amohova"                             
(108140)   NAS-IP-Address = 10.10.3.232                 
(108140)   Framed-IP-Address = 10.10.60.202                               
(108140)   NAS-Identifier = "b4fbe4867b30"              
(108140)   Called-Station-Id = "B4-FB-E4-86-7B-30:FC"                                                                       
(108140)   NAS-Port-Type = Wireless-802.11                                                 
(108140)   Service-Type = Framed-User
(108140)   Calling-Station-Id = "F8-4E-73-1B-3F-BD"              
(108140)   Connect-Info = "CONNECT 0Mbps 802.11g"
(108140)   Acct-Session-Id = "1C9CE0FE0511C51C"                                                                                     
(108140)   WLAN-Pairwise-Cipher = 1027076                                               
(108140)   WLAN-Group-Cipher = 1027076                           
(108140)   WLAN-AKM-Suite = 1027073                                                                                                                    
(108140)   Event-Timestamp = "Feb 12 2020 17:40:11 MSK"          
(108140)   Acct-Delay-Time = 0                                                
(108140)   Acct-Session-Time = 2                                 
(108140)   Acct-Input-Packets = 239                              
(108140)   Acct-Output-Packets = 213                                                                                        
(108140)   Acct-Input-Octets = 61174                             
(108140)   Acct-Input-Gigawords = 0                                    
(108140)   Acct-Output-Octets = 54537      
(108140)   Acct-Output-Gigawords = 0
(108140) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default                                            
(108140)   preacct {                               
(108140)     [preprocess] = ok                                                             
(108140)     policy acct_unique {                                                                                                                      
(108140)       update request {                                                                                          
(108140)         &Tmp-String-9 := "ai:"                                                                             
(108140)       } # update request = noop                                                                                                                                             
(108140)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(108140)       EXPAND %{hex:&Class}             
(108140)          -->                         
(108140)       EXPAND ^%{hex:&Tmp-String-9}                               
(108140)          --> ^61693a        
(108140)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&          ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(108140)       else {                                   
(108140)         update request {                                         
(108140)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(108140)              --> da23bf2eae0a20950b70b61b493c3156                                      
(108140)           &Acct-Unique-Session-Id := da23bf2eae0a20950b70b61b493c3156                                           
(108140)         } # update request = noop                                     
(108140)       } # else = noop                                                                                                                                                       
(108140)     } # policy acct_unique = noop
(108140) suffix: Checking for suffix after "@"                                                  
(108140) suffix: No '@' in User-Name = "amohova", looking up realm NULL
(108140) suffix: No such realm "NULL"                
(108140)     [suffix] = noop              
(108140)     [files] = noop                                  
(108140)   } # preacct = ok                                
(108140) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(108140)   accounting {                                 
(108140) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(108140) detail:    --> /var/log/freeradius/radacct/10.10.3.232/detail-20200212            
(108140) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.3.232/detail-20200212
(108140) detail: EXPAND %t                                       
(108140) detail:    --> Wed Feb 12 17:40:11 2020
(108140)     [detail] = ok                                                                      
(108140)     [unix] = ok              
(108140)     [exec] = noop         
(108140) attr_filter.accounting_response: EXPAND %{User-Name}
(108140) attr_filter.accounting_response:    --> amohova
(108140) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(108140)     [attr_filter.accounting_response] = updated
(108140)   } # accounting = updated                                                                                         
(108140) Sent Accounting-Response Id 182 from 10.10.2.40:1813 to 10.10.3.232:32811 length 0
(108140) Finished request            
(108140) Cleaning up request packet ID 182 with timestamp +200675
 


Re: Unifi wifi SSHA passwords freeradius

Alan DeKok-2


> On Feb 12, 2020, at 9:43 AM, Сергей Черевко via Freeradius-Users <[hidden email]> wrote:
>
>
> Hi! I started freeradius -X
>
> and here are the logs
>
> users «amohova» and «dgalitskov», for example

  If the user gets on the network, then FreeRADIUS is no longer responsible for them.  The NAS is in charge.

  So when the server sees an accounting "start" followed immediately by an accounting "stop", it's because their connection is lost.  This has a few reasons:

a) the user disconnects from the NAS

b) the NAS disconnects the user

  Note that in *both* situations, FreeRADIUS is not involved.

  Go fix the NAS.

  Alan DeKok.
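
The "start followed immediately by stop" pattern Alan describes can be picked out of the debug output mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it parses the Accounting-Request blocks that `freeradius -X` prints, pairs Start and Stop by Acct-Session-Id, and reports sessions that ended within a few seconds, which points at the NAS or client rather than the RADIUS server. The sample log is constructed (condensed from the three requests quoted above); the function names, the `Flap` record and the 10-second threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three accounting requests from the thread, reduced to
# the attributes this example needs.
SAMPLE_LOG = """\
(108138) Received Accounting-Request Id 181 from 10.10.3.232:32811 to 10.10.2.40:1813 length 191
(108138)   Acct-Status-Type = Start
(108138)   User-Name = "amohova"
(108138)   NAS-Identifier = "b4fbe4867b30"
(108138)   Calling-Station-Id = "F8-4E-73-1B-3F-BD"
(108138)   Acct-Session-Id = "1C9CE0FE0511C51C"
(108138)   Event-Timestamp = "Feb 12 2020 17:40:08 MSK"
(108138) Sent Accounting-Response Id 181 from 10.10.2.40:1813 to 10.10.3.232:32811 length 0
(108139) Received Accounting-Request Id 174 from 10.10.3.233:40969 to 10.10.2.40:1813 length 242
(108139)   Acct-Status-Type = Stop
(108139)   User-Name = "dgalitskov"
(108139)   NAS-Identifier = "7483c271f552"
(108139)   Acct-Session-Id = "B0CE1AA98E2E130C"
(108139)   Acct-Session-Time = 207
(108139)   Acct-Terminate-Cause = User-Request
(108140) Received Accounting-Request Id 182 from 10.10.3.232:32811 to 10.10.2.40:1813 length 233
(108140)   Acct-Status-Type = Stop
(108140)   User-Name = "amohova"
(108140)   NAS-Identifier = "b4fbe4867b30"
(108140)   Acct-Session-Id = "1C9CE0FE0511C51C"
(108140)   Event-Timestamp = "Feb 12 2020 17:40:11 MSK"
(108140)   Acct-Session-Time = 2
"""

# Line shapes in `freeradius -X` output: the request header, and one attribute per line.
_REQ_RE = re.compile(r"^\((\d+)\) Received Accounting-Request Id (\d+) from (\S+) ")
_ATTR_RE = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+) = "?([^"]*)"?\s*$')


def parse_accounting(text: str) -> list[dict]:
    """Group the attribute lines of each Accounting-Request under its request number."""
    requests: dict[str, dict] = {}
    order: list[str] = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            req_no = m.group(1)
            requests[req_no] = {"request": req_no, "packet_id": int(m.group(2)), "nas": m.group(3)}
            order.append(req_no)
            continue
        m = _ATTR_RE.match(line)
        if m and m.group(1) in requests:
            requests[m.group(1)][m.group(2)] = m.group(3)
    return [requests[r] for r in order]


@dataclass
class Flap:
    session_id: str
    user: str
    nas_id: str
    session_time: int
    terminate_cause: Optional[str]  # None when the NAS sent no Acct-Terminate-Cause


def find_flaps(records: list[dict], max_seconds: int = 10) -> list[Flap]:
    """Return Stop records whose Acct-Session-Time is at most max_seconds and whose
    Start was also seen: a Start followed almost immediately by a Stop for the same
    Acct-Session-Id. A Stop without a Start in the capture may simply have begun
    before the capture, so it is not counted."""
    starts = {r.get("Acct-Session-Id") for r in records if r.get("Acct-Status-Type") == "Start"}
    flaps: list[Flap] = []
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        try:
            secs = int(r.get("Acct-Session-Time", ""))
        except ValueError:
            continue  # Stop without a usable session time: nothing to judge
        sid = r.get("Acct-Session-Id", "")
        if secs > max_seconds or sid not in starts:
            continue
        flaps.append(Flap(sid, r.get("User-Name", ""), r.get("NAS-Identifier", ""),
                          secs, r.get("Acct-Terminate-Cause")))
    return flaps


if __name__ == "__main__":
    for f in find_flaps(parse_accounting(SAMPLE_LOG)):
        print(f"flap: user={f.user} nas={f.nas_id} session={f.session_id} "
              f"after {f.session_time}s cause={f.terminate_cause}")
```

Run it over a real `freeradius -X` capture (`parse_accounting(open(path).read())`) and group the flaps by `nas_id` to see whether one access point drops clients more than the others.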



Re[2]: Unifi wifi SSHA passwords freeradius

Users mailing list

Log from freeradius when it starts.
The first entry, "signalled to terminate", means "service restart freeradius"; it's okay.

Maybe I must ‘tune’ some settings in the ldap pool? What do you say to this?
Wed Feb 12 20:46:34 2020 : Info: Signalled to terminate
Wed Feb 12 20:46:34 2020 : Info: Exiting normally
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (9)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (8)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (7)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (6)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (5)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (4)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (3)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (2)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (1)
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Closing connection (0)
Wed Feb 12 20:46:34 2020 : Info: Debugger not attached
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Wed Feb 12 20:46:34 2020 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Wed Feb 12 20:46:34 2020 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Wed Feb 12 20:46:34 2020 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server <default>
Wed Feb 12 20:46:34 2020 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Wed Feb 12 20:46:34 2020 : Info:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:69
Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server inner-tunnel
Wed Feb 12 20:46:34 2020 : Info: Loaded virtual server default
Wed Feb 12 20:46:34 2020 : Info: Ready to process requests
Wed Feb 12 20:46:58 2020 : Info: Need 5 more connections to reach 10 spares
Wed Feb 12 20:46:58 2020 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Feb 12 20:47:14 2020 : Info: Need 4 more connections to reach 10 spares
Wed Feb 12 20:47:14 2020 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
Wed Feb 12 20:47:16 2020 : Info: Need 3 more connections to reach 10 spares
Wed Feb 12 20:47:16 2020 : Info: rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 71 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 71 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 71 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 69 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 69 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 69 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 69 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 69 seconds
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used
Wed Feb 12 20:48:25 2020 : Info: Need 2 more connections to reach min connections (3)
Wed Feb 12 20:48:25 2020 : Info: rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used



Re: Unifi wifi SSHA passwords freeradius

Alan DeKok-2
On Feb 13, 2020, at 2:38 AM, Сергей Черевко <[hidden email]> wrote:
>
> Log from freeradius when it starts.

  Why?

> The first entry, "signalled to terminate", means "service restart freeradius"; it's okay.

  So?

> Maybe I must ‘tune’ some settings in the ldap pool? What do you say to this?

  Read the documentation in mods-available/ldap.  This is all explained in detail.

  Alan DeKok.

