post-auth | ldap-group | huntgroup


post-auth | ldap-group | huntgroup

Markus Demmert (BESITEC-DEHAM)
Good day,

I have problems getting this running:
------------------------------------------------------------------------------------------
if (Huntgroup-Name == "cisco-group") {
        if (Ldap-Group == "Group_Network_Device_RW") {
                update reply {
                        cisco-avpair = "shell:priv-lvl=15"
                }
        }
}
else {
        reject
}
-----------------------------------------------------------------------------------------
I get this debug output:
-----------------------------------------------------------------------------------------
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
(0)   post-auth {
(0)     if (Huntgroup-Name == "cisco-group") {
(0)     ERROR: Failed retrieving values required to evaluate condition
(0)     else {
(0)       [reject] = reject
-----------------------------------------------------------------------------------------
When I remove the huntgroup line it works and I can authenticate against a network device. But in combination with the huntgroup I get this error.
What am I doing wrong? Can someone point me in the right direction?
Many thanks,
MaDe

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: post-auth | ldap-group | huntgroup

Alan DeKok-2
On Feb 5, 2021, at 3:10 AM, Markus Demmert (BESITEC-DEHAM) <[hidden email]> wrote:

>
> I have problems to get this running:
> ------------------------------------------------------------------------------------------
> if (Huntgroup-Name == "cisco-group") {
> if (Ldap-Group == "Group_Network_Device_RW") {
>         update reply {
> cisco-avpair = "shell:priv-lvl=15"
> }
> }
> }
> else {
> reject
> }
> -----------------------------------------------------------------------------------------
> I get this debug output:
> -----------------------------------------------------------------------------------------
> (0)     [ldap] = ok
> (0)   } # Auth-Type LDAP = ok
> (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
> (0)   post-auth {
> (0)     if (Huntgroup-Name == "cisco-group") {
> (0)     ERROR: Failed retrieving values required to evaluate condition
> (0)     else {
> (0)       [reject] = reject
> -----------------------------------------------------------------------------------------
> When I remove the huntgroup line it is working and I can authenticate against a network device. But in combination with the huntgroup I get this error.

  So... where is the Huntgroup-Name coming from?

> What I am doing wrong? Can someone point me in the right direction.

  Posting the *full* debug output as suggested in *all* the documentation would be a good first step.

  Alan DeKok.




post-auth | ldap-group | huntgroup

Markus Demmert (BESITEC-DEHAM)
Hi,
Thanks for your reply, here is the debug output.

FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/ldap-network
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
 security {
  user = "freerad"
  group = "freerad"
  allow_core_dumps = no
 }
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
}
main {
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 16384
        pidfile = "/var/run/freeradius/freeradius.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
  colourise = yes
  msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
  max_attributes = 200
  reject_delay = 1.000000
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
  max_connections = 16
  max_requests = 0
  lifetime = 0
  idle_timeout = 0
  }
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 10.3.3.10
  require_message_authenticator = no
  secret = <<< secret >>>
  nas_type = "other"
  proto = "*"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client cisco {
  ipaddr = 10.3.10.10/24
  require_message_authenticator = no
  secret = <<< secret >>>
  virtual_server = "ldap-network"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
Debugger not attached
systemd watchdog is disabled
 # Creating Auth-Type = LDAP
 # Creating Auth-Type = mschap
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  # Loaded module rlm_ldap
  # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
  ldap {
  server = "ldaps://bg-deham-dc"
  identity = "cn=service.network.ldap,ou=service,ou=infrastructure,ou=user,dc=fhbertling,dc=local"
  password = <<< secret >>>
   sasl {
   }
  user_dn = "LDAP-UserDn"
   user {
    scope = "sub"
    access_positive = yes
    sasl {
    }
   }
   group {
    filter = "(objectClass=group)"
    scope = "sub"
    name_attribute = "cn"
    membership_attribute = "memberOf"
    cacheable_name = no
    cacheable_dn = no
    allow_dangling_group_ref = no
   }
   client {
    filter = "(objectClass=radiusClient)"
    scope = "sub"
    base_dn = "ou=user,dc=fhbertling,dc=local"
   }
   profile {
   }
   options {
    ldap_debug = 40
    chase_referrals = yes
    rebind = yes
    net_timeout = 1
    res_timeout = 10
    srv_timelimit = 3
    idle = 60
    probes = 3
    interval = 3
   }
   tls {
    ca_file = "/etc/ssl/certs/fhbertling_root.pem"
    start_tls = no
    require_cert = "never"
   }
  }
Creating attribute LDAP-Group
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  filename = "/etc/passwd"
  format = "*User-Name:Crypt-Password:"
  delimiter = ":"
  ignore_nislike = no
  ignore_empty = yes
  allow_multiple_keys = no
  hash_size = 100
  }
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  rcode = "reject"
  simulcount = 0
  mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  rcode = "fail"
  simulcount = 0
  mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  rcode = "ok"
  simulcount = 0
  mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  rcode = "handled"
  simulcount = 0
  mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  rcode = "invalid"
  simulcount = 0
  mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  rcode = "userlock"
  simulcount = 0
  mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  rcode = "notfound"
  simulcount = 0
  mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  rcode = "noop"
  simulcount = 0
  mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  rcode = "updated"
  simulcount = 0
  mpp = no
  }
  # Loaded module rlm_exec
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  wait = yes
  program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  shell_escape = yes
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  normalise = yes
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_detail
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  filename = "/var/log/freeradius/linelog"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = "This is a log message for %{User-Name}"
  reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  filename = "/var/log/freeradius/linelog-accounting"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = ""
  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  format = "prefix"
  delimiter = "/"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  realm bangpath {
  format = "prefix"
  delimiter = "!"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  format = "suffix"
  delimiter = "%"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
  }
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  filename = "/var/log/freeradius/sradutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 420
  caller_id = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  default_eap_type = "md5"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 16384
  }
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  dhcp = yes
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  driver = "rlm_cache_rbtree"
  key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  ttl = 15
  max_entries = 0
  epoch = 0
  add_stats = no
  }
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  filename = "/var/log/freeradius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 384
  caller_id = yes
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  minimum_timeout = 60
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
   passchange {
   }
  allow_retry = yes
  winbind_retry_with_normalised_username = no
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  instantiate {
  }
  # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20449
   accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
    reference = "."
   }
rlm_ldap (ldap): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 0
    cleanup_interval = 30
    idle_timeout = 60
    retry_delay = 30
    spread = no
   }
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/etc/freeradius/3.0/certs"
    pem_file_type = yes
    private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
    certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    ca_file = "/etc/ssl/certs/ca-certificates.crt"
    private_key_password = <<< secret >>>
    dh_file = "/etc/freeradius/3.0/certs/dh"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    disable_tlsv1 = yes
    disable_tlsv1_1 = yes
    tls_max_version = "1.2"
    tls_min_version = "1.2"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    skip_if_ocsp_ok = no
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server ldap-network { # from file /etc/freeradius/3.0/sites-enabled/ldap-network
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-auth {...}
} # server ldap-network
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
 # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipv4addr = 10.3.3.10
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address 10.3.3.10 port 1812 bound to server ldap-network
Listening on acct address * port 1813 bound to server ldap-network
Listening on auth address :: port 1812 bound to server ldap-network
Listening on acct address :: port 1813 bound to server ldap-network
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 34537
Listening on proxy address :: port 58493

----------------------------------
Ready to process requests
(0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
(0)   User-Name = "user.name"
(0)   User-Password = "pass.word"
(0)   Cisco-AVPair = "shell:priv-lvl=1"
(0)   NAS-IP-Address = 0.0.0.0
(0)   Acct-Session-Id = "0500015B"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ldap-network
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
(0) auth_log: EXPAND %t
(0) auth_log:    --> Fri Feb  5 14:34:58 2021
(0)     [auth_log] = ok
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (samaccountname=user.name)
(0) ldap: Performing search in "ou=XXXX,dc=XXXXXX,dc=local" with filter "(samaccountname=user.name)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://xx-xxxx-xx:636 ldaps://xx-xxxx-xx2:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     if ((ok || updated) && User-Password && !control:Auth-Type) {
(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> TRUE
(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  {
(0)       update {
(0)         control:Auth-Type := LDAP
(0)       } # update = noop
(0)     } # if ((ok || updated) && User-Password && !control:Auth-Type)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
(0)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "user.name"
(0) ldap: Using user DN from request "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local" was successful
rlm_ldap (ldap): Released connection (1)
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
(0)   post-auth {
(0)     if (Huntgroup-Name == "cisco-group") {
(0)     ERROR: Failed retrieving values required to evaluate condition
(0)     else {
(0)       [reject] = reject
(0)     } # else = reject
(0)   } # post-auth = reject
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 19 from 10.3.3.10:1812 to 10.3.10.10:49205 length 20




post-auth | ldap-group | huntgroup

Markus Demmert (BESITEC-DEHAM)
Sorry, I overread
> So... where is the Huntgroup-Name coming from?

I edited the file huntgroup with the following:
cisco-group NAS-IP-Address == 10.3.10.10

Thh,
MaDe



>Hi,
>Thanks for your reply here is the debug output.

>   idle_timeout = 30
>   }
>}
>listen {
>   type = "auth"
>   ipv6addr = ::
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "acct"
>   ipv6addr = ::
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "auth"
>   ipaddr = 127.0.0.1
>   port = 18120
>}
>Listening on auth address 10.3.3.10 port 1812 bound to server ldap-network
>Listening on acct address * port 1813 bound to server ldap-network
>Listening on auth address :: port 1812 bound to server ldap-network
>Listening on acct address :: port 1813 bound to server ldap-network
>Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>Listening on proxy address * port 34537
>Listening on proxy address :: port 58493
>
>----------------------------------
>Ready to process requests
>(0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
>(0)   User-Name = "user.name"
>(0)   User-Password = "pass.word"
>(0)   Cisco-AVPair = "shell:priv-lvl=1"
>(0)   NAS-IP-Address = 0.0.0.0
>(0)   Acct-Session-Id = "0500015B"
>(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   authorize {
>(0)     policy filter_username {
>(0)       if (&User-Name) {
>(0)       if (&User-Name)  -> TRUE
>(0)       if (&User-Name)  {
>(0)         if (&User-Name =~ / /) {
>(0)         if (&User-Name =~ / /)  -> FALSE
>(0)         if (&User-Name =~ /@[^@]*@/ ) {
>(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>(0)         if (&User-Name =~ /\.\./ ) {
>(0)         if (&User-Name =~ /\.\./ )  -> FALSE
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>(0)         if (&User-Name =~ /\.$/)  {
>(0)         if (&User-Name =~ /\.$/)   -> FALSE
>(0)         if (&User-Name =~ /@\./)  {
>(0)         if (&User-Name =~ /@\./)   -> FALSE
>(0)       } # if (&User-Name)  = notfound
>(0)     } # policy filter_username = notfound
>(0)     [preprocess] = ok
>(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>(0) auth_log:    --> /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: EXPAND %t
>(0) auth_log:    --> Fri Feb  5 14:34:58 2021
>(0)     [auth_log] = ok
>rlm_ldap (ldap): Reserved connection (0)
>(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>(0) ldap:    --> (samaccountname=user.name)
>(0) ldap: Performing search in "ou=XXXX,dc=XXXXXX,dc=local" with filter "(samaccountname=user.name)", scope "sub"
>(0) ldap: Waiting for search result...
>(0) ldap: User object found at DN "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Processing user attributes
>(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>rlm_ldap (ldap): Released connection (0)
>Need 5 more connections to reach 10 spares
>rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://xx-xxxx-xx:636 ldaps://xx-xxxx-xx2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>(0)     [ldap] = ok
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type) {
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> TRUE
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  {
>(0)       update {
>(0)         control:Auth-Type := LDAP
>(0)       } # update = noop
>(0)     } # if ((ok || updated) && User-Password && !control:Auth-Type)  = noop
>(0)     [expiration] = noop
>(0)     [logintime] = noop
>(0)   } # authorize = ok
>(0) Found Auth-Type = LDAP
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   Auth-Type LDAP {
>rlm_ldap (ldap): Reserved connection (1)
>(0) ldap: Login attempt by "user.name"
>(0) ldap: Using user DN from request "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Waiting for bind result...
>(0) ldap: Bind successful
>(0) ldap: Bind as user CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local" was successful
>rlm_ldap (ldap): Released connection (1)
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>(0)     } # else = reject
>(0)   } # post-auth = reject
>(0) Using Post-Auth-Type Reject
>(0) Post-Auth-Type sub-section not found.  Ignoring.
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0) Delaying response for 1.000000 seconds
>Waking up in 0.3 seconds.
>Waking up in 0.6 seconds.
>(0) Sending delayed response
>(0) Sent Access-Reject Id 19 from 10.3.3.10:1812 to 10.3.10.10:49205 length 20


>Good day,
>
>I have problems to get this running:
>------------------------------------------------------------------------------------------
>if (Huntgroup-Name == "cisco-group") {
> if (Ldap-Group == "Group_Network_Device_RW") {
>       update reply {
> cisco-avpair = "shell:priv-lvl=15"
> }
> }
> }
> else {
> reject
> }
>-----------------------------------------------------------------------------------------
>I get this debug output:
>-----------------------------------------------------------------------------------------
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>-----------------------------------------------------------------------------------------
>When I remove the huntgroup line it is working and I can authenticate against a network device. But in combination with the huntgroup I get this error.
>What I am doing wrong? Can someone point me in the right direction.
>Many thanks,
>MaDe

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: post-auth | ldap-group | huntgroup

Alan DeKok-2


> On Feb 5, 2021, at 10:37 AM, Markus Demmert (BESITEC-DEHAM) <[hidden email]> wrote:
>
> Sorry I overread
>> So... where is the Huntgroup-Name coming from?
>
> I edited the file huntgroup with the following:
> cisco-group NAS-IP-Address == 10.3.10.10

  And the debug output shows that the "preprocess" module doesn't match anything.  Why?  Reading the debug output again shows that the packet contains:

> (0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
> (0)   User-Name = "user.name"
> (0)   User-Password = "pass.word"
> (0)   Cisco-AVPair = "shell:priv-lvl=1"
> (0)   NAS-IP-Address = 0.0.0.0
> (0)   Acct-Session-Id = "0500015B"

  Why doesn't this packet match

        NAS-IP-Address == 10.3.10.10

  ?

  Alan DeKok.


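The diagnosis above names the actual cause: the switch fills NAS-IP-Address with 0.0.0.0, so the huntgroups line keyed on NAS-IP-Address never matches, preprocess never adds Huntgroup-Name to the request, and a bare `if (Huntgroup-Name == ...)` has nothing to evaluate and falls through to `reject`. The following is an added example, not code from the original posts or from the FreeRADIUS project. It keys the huntgroup on the packet's source address, which the server always has (and which is also the address the client's shared secret was matched against, so it is a sounder basis for an authorization decision than a value the NAS reports about itself), and it tests for Huntgroup-Name before comparing it, so an unmatched device is rejected deliberately rather than through the evaluation error in the debug output. The address 10.3.10.10, the huntgroup name, the LDAP group name and the module names are taken from the thread; that Packet-Src-IP-Address is accepted as a huntgroups check item on this 3.0.x build is an assumption to confirm in `radiusd -X` output.

```unlang
# /etc/freeradius/3.0/mods-config/preprocess/huntgroups  (added example, not the poster's file)
#
# Key the huntgroup on the address the packet actually came from instead of the
# NAS-IP-Address attribute, which this switch sends as 0.0.0.0.  One line per
# device address; all lines sharing a name form one huntgroup.
# Assumption: Packet-Src-IP-Address works as a check item here (it is a
# server-side attribute describing the received packet, not one the NAS sends).
cisco-group    Packet-Src-IP-Address == 10.3.10.10

# /etc/freeradius/3.0/sites-enabled/ldap-network, post-auth section
post-auth {
	# preprocess (run in authorize) adds Huntgroup-Name to the request only when
	# a huntgroups line matched.  Checking for the attribute first avoids
	# "Failed retrieving values required to evaluate condition" and makes the
	# rejection of unknown devices explicit.
	if (!&Huntgroup-Name) {
		reject
	}
	elsif (&Huntgroup-Name == "cisco-group") {
		# Members of the RW group are granted enable-level access.
		if (&LDAP-Group == "Group_Network_Device_RW") {
			update reply {
				&Cisco-AVPair := "shell:priv-lvl=15"
			}
		}
		# Anyone else in this huntgroup still gets an Access-Accept with no
		# privilege attribute and lands at the level the switch asked for
		# (shell:priv-lvl=1 in the request above).  Add an else { reject }
		# here if read-only logins are not wanted.
	}
	else {
		# Device matched some other huntgroup: not in scope for this policy.
		reject
	}

	# Strip everything but the attributes permitted in an Access-Reject;
	# attr_filter.access_reject is already instantiated in this config.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

After restarting in debug mode, the post-auth trace should show `if (&Huntgroup-Name == "cisco-group") -> TRUE` for the switch and the reply should carry `Cisco-AVPair = "shell:priv-lvl=15"` only for RW group members. Because the check compares a single address, each additional switch in the 10.3.10.0/24 client range needs its own `cisco-group` line.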

RE: post-auth | ldap-group | huntgroup

Markus Demmert (BESITEC-DEHAM)
In reply to this post by Markus Demmert (BESITEC-DEHAM)
Hi,
Thank you that was the right advice.
The switch does not send a NAS IP. Unfortunately there is no option on the switch to enter this manually.
Many thanks for your help!
Brgds,
MaDe

> Sorry I overread
> So... where is the Huntgroup-Name coming from?
>
> I edited the file huntgroup with the following:
> cisco-group NAS-IP-Address == 10.3.10.10

> And the debug output shows that the "preprocess" module doesn't match anything.  Why?  Reading the debug output again shows that the packet contains:

> (0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
> (0)   User-Name = "user.name"
> (0)   User-Password = "pass.word"
> (0)   Cisco-AVPair = "shell:priv-lvl=1"
> (0)   NAS-IP-Address = 0.0.0.0
> (0)   Acct-Session-Id = "0500015B"

>Why doesn't this packet match
>NAS-IP-Address == 10.3.10.10 ?


> Sorry I overread
> So... where is the Huntgroup-Name coming from?

> I edited the file huntgroup with the following:
> cisco-group NAS-IP-Address == 10.3.10.10

> Thh
> MaDe



>Hi,
>Thanks for your reply here is the debug output.

>FreeRADIUS Version 3.0.20
>Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
>You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
>For more information about these matters, see the file named COPYRIGHT
>Starting - reading configuration files ...
>including dictionary file /usr/share/freeradius/dictionary
>including dictionary file /usr/share/freeradius/dictionary.dhcp
>including dictionary file /usr/share/freeradius/dictionary.vqp
>including dictionary file /etc/freeradius/3.0/dictionary
>including configuration file /etc/freeradius/3.0/radiusd.conf
>including configuration file /etc/freeradius/3.0/proxy.conf
>including configuration file /etc/freeradius/3.0/clients.conf
>including files in directory /etc/freeradius/3.0/mods-enabled/
>including configuration file /etc/freeradius/3.0/mods-enabled/replicate
>including configuration file /etc/freeradius/3.0/mods-enabled/ldap
>including configuration file /etc/freeradius/3.0/mods-enabled/passwd
>including configuration file /etc/freeradius/3.0/mods-enabled/always
>including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
>including configuration file /etc/freeradius/3.0/mods-enabled/chap
>including configuration file /etc/freeradius/3.0/mods-enabled/pap
>including configuration file /etc/freeradius/3.0/mods-enabled/digest
>including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
>including configuration file /etc/freeradius/3.0/mods-enabled/linelog
>including configuration file /etc/freeradius/3.0/mods-enabled/realm
>including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
>including configuration file /etc/freeradius/3.0/mods-enabled/unpack
>including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
>including configuration file /etc/freeradius/3.0/mods-enabled/utf8
>including configuration file /etc/freeradius/3.0/mods-enabled/echo
>including configuration file /etc/freeradius/3.0/mods-enabled/eap
>including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
>including configuration file /etc/freeradius/3.0/mods-enabled/soh
>including configuration file /etc/freeradius/3.0/mods-enabled/unix
>including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
>including configuration file /etc/freeradius/3.0/mods-enabled/detail
>including configuration file /etc/freeradius/3.0/mods-enabled/exec
>including configuration file /etc/freeradius/3.0/mods-enabled/expiration
>including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
>including configuration file /etc/freeradius/3.0/mods-enabled/logintime
>including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
>including configuration file /etc/freeradius/3.0/mods-enabled/expr
>including configuration file /etc/freeradius/3.0/mods-enabled/mschap
>including configuration file /etc/freeradius/3.0/mods-enabled/files
>including files in directory /etc/freeradius/3.0/policy.d/
>including configuration file /etc/freeradius/3.0/policy.d/filter
>including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
>including configuration file /etc/freeradius/3.0/policy.d/rfc7542
>including configuration file /etc/freeradius/3.0/policy.d/accounting
>including configuration file /etc/freeradius/3.0/policy.d/operator-name
>including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
>including configuration file /etc/freeradius/3.0/policy.d/debug
>including configuration file /etc/freeradius/3.0/policy.d/canonicalization
>including configuration file /etc/freeradius/3.0/policy.d/eap
>including configuration file /etc/freeradius/3.0/policy.d/dhcp
>including configuration file /etc/freeradius/3.0/policy.d/control
>including configuration file /etc/freeradius/3.0/policy.d/cui
>including files in directory /etc/freeradius/3.0/sites-enabled/
>including configuration file /etc/freeradius/3.0/sites-enabled/ldap-network
>including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
>}
>main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> }
>}
>radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
>  limit {
>   max_connections = 16
>   max_requests = 0
>   lifetime = 0
>   idle_timeout = 0
>  }
>  coa {
>   irt = 2
>   mrt = 16
>   mrc = 5
>   mrd = 30
>  }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
>radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 10.3.3.10
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
>  limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>  }
> }
> client cisco {
> ipaddr = 10.3.10.10/24
> require_message_authenticator = no
> secret = <<< secret >>>
> virtual_server = "ldap-network"
>  limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>  }
> }
>Debugger not attached
>systemd watchdog is disabled
> # Creating Auth-Type = LDAP
> # Creating Auth-Type = mschap
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
>radiusd: #### Instantiating modules ####
> modules {
>  # Loaded module rlm_replicate
>  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
>  # Loaded module rlm_ldap
>  # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
>  ldap {
>   server = "ldaps://bg-deham-dc"
>   identity = "cn=service.network.ldap,ou=service,ou=infrastructure,ou=user,dc=fhbertling,dc=local"
>   password = <<< secret >>>
>   sasl {
>   }
>   user_dn = "LDAP-UserDn"
>   user {
>   scope = "sub"
>   access_positive = yes
>    sasl {
>    }
>   }
>   group {
>   filter = "(objectClass=group)"
>   scope = "sub"
>   name_attribute = "cn"
>   membership_attribute = "memberOf"
>   cacheable_name = no
>   cacheable_dn = no
>   allow_dangling_group_ref = no
>   }
>   client {
>   filter = "(objectClass=radiusClient)"
>   scope = "sub"
>   base_dn = "ou=user,dc=fhbertling,dc=local"
>   }
>   profile {
>   }
>   options {
>   ldap_debug = 40
>   chase_referrals = yes
>   rebind = yes
>   net_timeout = 1
>   res_timeout = 10
>   srv_timelimit = 3
>   idle = 60
>   probes = 3
>   interval = 3
>   }
>   tls {
>   ca_file = "/etc/ssl/certs/fhbertling_root.pem"
>   start_tls = no
>   require_cert = "never"
>   }
>  }
>Creating attribute LDAP-Group
>  # Loaded module rlm_passwd
>  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
>  passwd etc_passwd {
>   filename = "/etc/passwd"
>   format = "*User-Name:Crypt-Password:"
>   delimiter = ":"
>   ignore_nislike = no
>   ignore_empty = yes
>   allow_multiple_keys = no
>   hash_size = 100
>  }
>  # Loaded module rlm_always
>  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
>  always reject {
>   rcode = "reject"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
>  always fail {
>   rcode = "fail"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
>  always ok {
>   rcode = "ok"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
>  always handled {
>   rcode = "handled"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
>  always invalid {
>   rcode = "invalid"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
>  always userlock {
>   rcode = "userlock"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
>  always notfound {
>   rcode = "notfound"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
>  always noop {
>   rcode = "noop"
>   simulcount = 0
>   mpp = no
>  }
>  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
>  always updated {
>   rcode = "updated"
>   simulcount = 0
>   mpp = no
>  }
>  # Loaded module rlm_exec
>  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
>  exec ntlm_auth {
>   wait = yes
>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>   shell_escape = yes
>  }
>  # Loaded module rlm_chap
>  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
>  # Loaded module rlm_pap
>  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
>  pap {
>   normalise = yes
>  }
>  # Loaded module rlm_digest
>  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
>  # Loaded module rlm_detail
>  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  detail auth_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>  }
>  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  detail reply_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>  }
>  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  detail pre_proxy_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>  }
>  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  detail post_proxy_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>  }
>  # Loaded module rlm_linelog
>  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
>  linelog {
>   filename = "/var/log/freeradius/linelog"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = "This is a log message for %{User-Name}"
>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>  }
>  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
>  linelog log_accounting {
>   filename = "/var/log/freeradius/linelog-accounting"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = ""
>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>  }
>  # Loaded module rlm_realm
>  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
>  realm IPASS {
>   format = "prefix"
>   delimiter = "/"
>   ignore_default = no
>   ignore_null = no
>  }
>  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
>  realm suffix {
>   format = "suffix"
>   delimiter = "@"
>   ignore_default = no
>   ignore_null = no
>  }
>  # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
>  realm bangpath {
>   format = "prefix"
>   delimiter = "!"
>   ignore_default = no
>   ignore_null = no
>  }
>  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
>  realm realmpercent {
>   format = "suffix"
>   delimiter = "%"
>   ignore_default = no
>   ignore_null = no
>  }
>  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
>  realm ntdomain {
>   format = "prefix"
>   delimiter = "\\"
>   ignore_default = no
>   ignore_null = no
>  }
>  # Loaded module rlm_radutmp
>  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
>  radutmp sradutmp {
>   filename = "/var/log/freeradius/sradutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 420
>   caller_id = no
>  }
>  # Loaded module rlm_unpack
>  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
>  # Loaded module rlm_preprocess
>  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
>  preprocess {
>   huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
>   hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
>   with_ascend_hack = no
>   ascend_channels_per_line = 23
>   with_ntdomain_hack = no
>   with_specialix_jetstream_hack = no
>   with_cisco_vsa_hack = no
>   with_alvarion_vsa_hack = no
>  }
>  # Loaded module rlm_utf8
>  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
>  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
>  exec echo {
>   wait = yes
>   program = "/bin/echo %{User-Name}"
>   input_pairs = "request"
>   output_pairs = "reply"
>   shell_escape = yes
>  }
>  # Loaded module rlm_eap
>  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>  eap {
>   default_eap_type = "md5"
>   timer_expire = 60
>   ignore_unknown_eap_types = no
>   cisco_accounting_username_bug = no
>   max_sessions = 16384
>  }
>  # Loaded module rlm_dynamic_clients
>  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
>  # Loaded module rlm_soh
>  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
>  soh {
>   dhcp = yes
>  }
>  # Loaded module rlm_unix
>  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
>  unix {
>   radwtmp = "/var/log/freeradius/radwtmp"
>  }
>Creating attribute Unix-Group
>  # Loaded module rlm_cache
>  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
>  cache cache_eap {
>   driver = "rlm_cache_rbtree"
>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>   ttl = 15
>   max_entries = 0
>   epoch = 0
>   add_stats = no
>  }
>  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
>  detail {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>  }
>  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
>  exec {
>   wait = no
>   input_pairs = "request"
>   shell_escape = yes
>   timeout = 10
>  }
>  # Loaded module rlm_expiration
>  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
>  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
>  radutmp {
>   filename = "/var/log/freeradius/radutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 384
>   caller_id = yes
>  }
>  # Loaded module rlm_logintime
>  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
>  logintime {
>   minimum_timeout = 60
>  }
>  # Loaded module rlm_attr_filter
>  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.post-proxy {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
>   key = "%{Realm}"
>   relaxed = no
>  }
>  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.pre-proxy {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
>   key = "%{Realm}"
>   relaxed = no
>  }
>  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.access_reject {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
>   key = "%{User-Name}"
>   relaxed = no
>  }
>  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.access_challenge {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
>   key = "%{User-Name}"
>   relaxed = no
>  }
>  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.accounting_response {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
>   key = "%{User-Name}"
>   relaxed = no
>  }
>  # Loaded module rlm_expr
>  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
>  expr {
>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>  }
>  # Loaded module rlm_mschap
>  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
>  mschap {
>   use_mppe = yes
>   require_encryption = no
>   require_strong = no
>   with_ntdomain_hack = yes
>   passchange {
>   }
>   allow_retry = yes
>   winbind_retry_with_normalised_username = no
>  }
>  # Loaded module rlm_files
>  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
>  files {
>   filename = "/etc/freeradius/3.0/mods-config/files/authorize"
>   acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
>   preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
>  }
>  instantiate {
>  }
>  # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
>rlm_ldap: libldap vendor: OpenLDAP, version: 20449
>   accounting {
>   reference = "%{tolower:type.%{Acct-Status-Type}}"
>   }
>   post-auth {
>   reference = "."
>   }
>rlm_ldap (ldap): Initialising connection pool
>   pool {
>   start = 5
>   min = 3
>   max = 32
>   spare = 10
>   uses = 0
>   lifetime = 0
>   cleanup_interval = 30
>   idle_timeout = 60
>   retry_delay = 30
>   spread = no
>   }
>rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
>rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
>  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
>  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
>  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
>reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
>reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
>  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>   # Linked to sub-module rlm_eap_md5
>   # Linked to sub-module rlm_eap_leap
>   # Linked to sub-module rlm_eap_gtc
>   gtc {
>   challenge = "Password: "
>   auth_type = "PAP"
>   }
>   # Linked to sub-module rlm_eap_tls
>   tls {
>   tls = "tls-common"
>   }
>   tls-config tls-common {
>   verify_depth = 0
>   ca_path = "/etc/freeradius/3.0/certs"
>   pem_file_type = yes
>   private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
>   certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
>   ca_file = "/etc/ssl/certs/ca-certificates.crt"
>   private_key_password = <<< secret >>>
>   dh_file = "/etc/freeradius/3.0/certs/dh"
>   fragment_size = 1024
>   include_length = yes
>   auto_chain = yes
>   check_crl = no
>   check_all_crl = no
>   cipher_list = "DEFAULT"
>   cipher_server_preference = no
>   ecdh_curve = "prime256v1"
>   disable_tlsv1 = yes
>   disable_tlsv1_1 = yes
>   tls_max_version = "1.2"
>   tls_min_version = "1.2"
>    cache {
>     enable = no
>     lifetime = 24
>     max_entries = 255
>    }
>    verify {
>     skip_if_ocsp_ok = no
>    }
>    ocsp {
>     enable = no
>     override_cert_url = yes
>     url = "http://127.0.0.1/ocsp/"
>     use_nonce = yes
>     timeout = 0
>     softfail = no
>    }
>   }
>Please use tls_min_version and tls_max_version instead of disable_tlsv1
>Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
>   # Linked to sub-module rlm_eap_ttls
>   ttls {
>   tls = "tls-common"
>   default_eap_type = "md5"
>   copy_request_to_tunnel = no
>   use_tunneled_reply = no
>   virtual_server = "inner-tunnel"
>   include_length = yes
>   require_client_cert = no
>   }
>tls: Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_peap
>   peap {
>   tls = "tls-common"
>   default_eap_type = "mschapv2"
>   copy_request_to_tunnel = no
>   use_tunneled_reply = no
>   proxy_tunneled_request_as_eap = yes
>   virtual_server = "inner-tunnel"
>   soh = no
>   require_client_cert = no
>   }
>tls: Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_mschapv2
>   mschapv2 {
>   with_ntdomain_hack = no
>   send_error = no
>   }
>  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
>rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
>  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
>  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
>  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
>  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
>  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
>  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
>  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
>  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
>rlm_mschap (mschap): using internal authentication
>  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
>reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
>reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
>reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
> } # modules
>radiusd: #### Loading Virtual Servers ####
>server { # from file /etc/freeradius/3.0/radiusd.conf
>} # server
>server ldap-network { # from file /etc/freeradius/3.0/sites-enabled/ldap-network
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-auth {...}
>} # server ldap-network
>server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>Ignoring "sql" (see raddb/mods-available/README.rst)
> # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
>} # server inner-tunnel
>radiusd: #### Opening IP addresses and Ports ####
>listen {
>   type = "auth"
>   ipv4addr = 10.3.3.10
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "acct"
>   ipaddr = *
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "auth"
>   ipv6addr = ::
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "acct"
>   ipv6addr = ::
>   port = 0
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>}
>listen {
>   type = "auth"
>   ipaddr = 127.0.0.1
>   port = 18120
>}
>Listening on auth address 10.3.3.10 port 1812 bound to server ldap-network
>Listening on acct address * port 1813 bound to server ldap-network
>Listening on auth address :: port 1812 bound to server ldap-network
>Listening on acct address :: port 1813 bound to server ldap-network
>Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>Listening on proxy address * port 34537
>Listening on proxy address :: port 58493
>
>----------------------------------
>Ready to process requests
>(0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
>(0)   User-Name = "user.name"
>(0)   User-Password = "pass.word"
>(0)   Cisco-AVPair = "shell:priv-lvl=1"
>(0)   NAS-IP-Address = 0.0.0.0
>(0)   Acct-Session-Id = "0500015B"
>(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   authorize {
>(0)     policy filter_username {
>(0)       if (&User-Name) {
>(0)       if (&User-Name)  -> TRUE
>(0)       if (&User-Name)  {
>(0)         if (&User-Name =~ / /) {
>(0)         if (&User-Name =~ / /)  -> FALSE
>(0)         if (&User-Name =~ /@[^@]*@/ ) {
>(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>(0)         if (&User-Name =~ /\.\./ ) {
>(0)         if (&User-Name =~ /\.\./ )  -> FALSE
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>(0)         if (&User-Name =~ /\.$/)  {
>(0)         if (&User-Name =~ /\.$/)   -> FALSE
>(0)         if (&User-Name =~ /@\./)  {
>(0)         if (&User-Name =~ /@\./)   -> FALSE
>(0)       } # if (&User-Name)  = notfound
>(0)     } # policy filter_username = notfound
>(0)     [preprocess] = ok
>(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>(0) auth_log:    --> /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: EXPAND %t
>(0) auth_log:    --> Fri Feb  5 14:34:58 2021
>(0)     [auth_log] = ok
>rlm_ldap (ldap): Reserved connection (0)
>(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>(0) ldap:    --> (samaccountname=user.name)
>(0) ldap: Performing search in "ou=XXXX,dc=XXXXXX,dc=local" with filter "(samaccountname=user.name)", scope "sub"
>(0) ldap: Waiting for search result...
>(0) ldap: User object found at DN "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Processing user attributes
>(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>rlm_ldap (ldap): Released connection (0)
>Need 5 more connections to reach 10 spares
>rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://xx-xxxx-xx:636 ldaps://xx-xxxx-xx2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>(0)     [ldap] = ok
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type) {
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> TRUE
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  {
>(0)       update {
>(0)         control:Auth-Type := LDAP
>(0)       } # update = noop
>(0)     } # if ((ok || updated) && User-Password && !control:Auth-Type)  = noop
>(0)     [expiration] = noop
>(0)     [logintime] = noop
>(0)   } # authorize = ok
>(0) Found Auth-Type = LDAP
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   Auth-Type LDAP {
>rlm_ldap (ldap): Reserved connection (1)
>(0) ldap: Login attempt by "user.name"
>(0) ldap: Using user DN from request "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Waiting for bind result...
>(0) ldap: Bind successful
>(0) ldap: Bind as user CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local" was successful
>rlm_ldap (ldap): Released connection (1)
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>(0)     } # else = reject
>(0)   } # post-auth = reject
>(0) Using Post-Auth-Type Reject
>(0) Post-Auth-Type sub-section not found.  Ignoring.
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0) Delaying response for 1.000000 seconds
>Waking up in 0.3 seconds.
>Waking up in 0.6 seconds.
>(0) Sending delayed response
>(0) Sent Access-Reject Id 19 from 10.3.3.10:1812 to 10.3.10.10:49205 length 20


>Good day,
>
>I have problems to get this running:
>-----------------------------------------------------------------------------------------
>if (Huntgroup-Name == "cisco-group") {
>        if (Ldap-Group == "Group_Network_Device_RW") {
>        update reply {
>                        cisco-avpair = "shell:priv-lvl=15"
>                        }
>                }
>        }
>        else {
>                reject
>        }
>-----------------------------------------------------------------------------------------
>I get this debug output:
>-----------------------------------------------------------------------------------------
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>-----------------------------------------------------------------------------------------
>When I remove the huntgroup line it is working and I can authenticate against a network device. But in combination with the huntgroup I get this error.
>What I am doing wrong? Can someone point me in the right direction.
>Many thanks,
>MaDe

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html