safe_characters issue


safe_characters issue

Fabrice Durand
Hello all,

I am trying to set the safe_characters in an sql configuration and it
looks like the safe characters are not working anymore (at least the
extra ones I add).

I have the following configuration:

```

sql sql_degraded {
         database = "mysql"
         driver = "rlm_sql_${database}"

         server = "127.0.0.1"
         port = 3306
         login = "pf"
         password = "inverse"


         radius_db = "pf"
         acct_table1 = "radacct"
         acct_table2 = "radacct"
         postauth_table = "radpostauth"
         authcheck_table = "password"
         authreply_table = "radreply"
         groupcheck_table = "radgroupcheck"
         groupreply_table = "radgroupreply"
         usergroup_table = "radusergroup"

         delete_stale_sessions = yes
         sqltrace = no
         sqltracefile = ${logdir}/sqltrace.sql

         sql_user_name = "%{User-Name}"

         postauth_query = ""
         group_membership_query = ""
         pool = sql
         client_table = "radius_nas"
         # Read database-specific queries
         $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
         safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
}

```

I added (),' as extra characters.


Following is the trace from freeradius 3.0.21 (doesn't work) and from
freeradius-3.0.13 (works), for exactly the same radius request and
exactly the same configuration:


```

FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence.orig
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
  security {
      user = "pf"
      group = "pf"
      allow_core_dumps = no
  }
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/usr/local/pf/var"
     logdir = "/usr/local/pf/logs"
     run_dir = "/usr/local/pf/var/run"
}
main {
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/usr/local/pf/var"
     sbindir = "/usr/sbin"
     logdir = "/usr/local/pf/logs"
     run_dir = "/usr/local/pf/var/run"
     libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
     radacctdir = "/usr/local/pf/logs/radacct"
     hostname_lookups = no
     max_request_time = 10
     cleanup_delay = 5
     max_requests = 20000
     pidfile = "/usr/local/pf/var/run/radiusd.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
      stripped_names = no
      auth = yes
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
      allow_vulnerable_openssl = "yes"
  }
}
auth: #### Loading Realms and Home Servers ####
  proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
  }
  home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
Ignoring "response_window = 20.000000", forcing to "response_window =
10.000000"
  home_server pf.remote {
      ipaddr = 172.20.135.10
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.4"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server degraded {
      virtual_server = "pf.degraded"
      port = 0
      response_window = 30.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "none"
      ping_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 300
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
Ignoring "response_window = 30.000000", forcing to "response_window =
10.000000"
  home_server pf0.cluster {
      ipaddr = 172.20.135.4
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.5"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server pf0.cli.cluster {
      ipaddr = 172.20.135.4
      port = 1815
      type = "auth"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.5"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
  }
  realm example.com {
     auth_pool = my_auth_failover
  }
  realm default {
  }
  realm local {
  }
  realm null {
  }
  realm bob {
  }
  realm bibi {
  }
  realm inverse.inc {
  }
  realm eduroam.default {
  }
  realm eduroam.local {
  }
  realm eduroam.null {
  }
  realm eduroam.bob {
  }
  realm eduroam.bibi {
  }
  realm eduroam.inverse.inc {
  }
  home_server_pool pf_auth_pool {
     type = fail-over
     home_server = pf.remote
     home_server = degraded
  }
  home_server_pool pf_acct_pool {
     type = fail-over
     home_server = pf.remote
  }
  realm remote {
     auth_pool = pf_auth_pool
     acct_pool = pf_acct_pool
  }
  home_server_pool pf_pool.cluster {
     type = keyed-balance
     home_server = pf0.cluster
  }
  home_server_pool pfacct_pool.cluster {
     type = load-balance
     home_server = pf0.cluster
  }
  realm packetfence {
     auth_pool = pf_pool.cluster
     acct_pool = pfacct_pool.cluster
  }
  home_server_pool pfcli_pool.cluster {
     type = keyed-balance
     home_server = pf0.cli.cluster
  }
  realm packetfence-cli {
     auth_pool = pfcli_pool.cluster
  }
auth: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.4 {
      ipaddr = 172.20.135.4
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.5 {
      ipaddr = 172.20.135.5
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.11 {
      ipaddr = 172.20.135.11
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.12 {
      ipaddr = 172.20.135.12
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.13 {
      ipaddr = 172.20.135.13
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client dynamic {
      ipaddr = 0.0.0.0/0
      require_message_authenticator = no
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
      dynamic_clients = "dynamic_clients"
      lifetime = 300
  }
Debugger not attached
systemd watchdog is disabled
  # Creating Auth-Type = eap
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
  # Creating Auth-Type = eap-degraded
  # Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
  modules {
   # Loaded module rlm_logintime
   # Loading module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_exec
   # Loading module "ntlm_auth" from file
/usr/local/pf/raddb/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_perl
   # Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
   perl {
       filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl packetfence {
       filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl packetfence-multi-domain {
       filename =
"/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl reply_in_db {
       filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
   preprocess {
       huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
       hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_radutmp
   # Loading module "radutmp" from file
/usr/local/pf/raddb/mods-enabled/radutmp
   radutmp {
       filename = "/usr/local/pf/logs/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loaded module rlm_raw
   # Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
   raw {
       name = "raw"
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = yes
   }
   # Loading module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_redis
   # Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
   redis {
       server = "127.0.0.1"
       port = 6379
       database = 0
       query_timeout = 5
   }
rlm_redis: libhiredis version: 0.12.1
   # Loading module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
   redis redis_ntlm {
       server = "127.0.0.1"
       port = 6383
       database = 0
       query_timeout = 5
   }
rlm_redis: libhiredis version: 0.12.1
   # Loaded module rlm_replicate
   # Loading module "replicate" from file
/usr/local/pf/raddb/mods-enabled/replicate
   # Loaded module rlm_soh
   # Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loading module "sradutmp" from file
/usr/local/pf/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/usr/local/pf/logs/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
   unix {
       radwtmp = "/usr/local/pf/logs/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_unpack
   # Loading module "unpack" from file
/usr/local/pf/raddb/mods-enabled/unpack
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
   # Loaded module rlm_eap
   # Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
   eap {
       default_eap_type = "peap"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 20000
   }
   # Loading module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
   eap eap-degraded {
       default_eap_type = "peap"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 20000
   }
   # Loaded module rlm_rest
   # Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
   rest {
       connect_uri = "http://127.0.0.1:7070/"
       connect_timeout = 4.000000
   }
   # Loading module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
   rest rest-cli {
       connect_uri = "http://127.0.0.1:7070/"
       connect_timeout = 4.000000
   }
   # Loaded module rlm_sql
   # Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
   sql {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = yes
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT  id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
       authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
       authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
       group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
       simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      accounting-off {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      start {
          query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
      }
      interim-update {
          query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
      }
      stop {
          query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
      }
     }
    }
    post-auth {
        reference = "type.accept.query"
    }
   }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
   # Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pfguest {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfguest-SQL-Group
   # Loading module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql pfsponsor {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfsponsor-SQL-Group
   # Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pfsms {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute pfsms-SQL-Group
   # Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pflocal {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pflocal-SQL-Group
   # Loading module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql sql_reject {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = ""
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
       group_membership_query = ""
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = "type.reject.query"
    }
   }
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute sql_reject-SQL-Group
   # Loading module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql sql_degraded {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
       group_membership_query = ""
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
       auto_escape = no
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = "type.reject.query"
    }
   }
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute sql_degraded-SQL-Group
   # Loaded module rlm_mschap
   # Loading module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --      
   --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap chrooted_mschap {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 --          --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap chrooted_mschap_machine {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 --              --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap mschap_machine {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --     
         --request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap mschap_local {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
    passchange {
    }
       allow_retry = yes
       winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_always
   # Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.packetfence_post_auth {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
       key = "%{User-Name}"
       relaxed = yes
   }
   # Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.packetfence_pre_proxy {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
       key = "%{User-Name}"
       relaxed = yes
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
   cache cache_ntlm {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}%{Calling-Station-Id}"
       ttl = 300
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache cache_password {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 3600
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache userprincipalname {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 3600
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache PacketFence-NTCacheHash {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 10
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_chap
   # Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
   # Loaded module rlm_detail
   # Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
   detail {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail auth_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail reply_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail post_proxy_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_digest
   # Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
   # Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
   # Loaded module rlm_expr
   # Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
   expr {
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_files
   # Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
   files {
       filename = "/usr/local/pf/raddb/mods-config/files/authorize"
       acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
       preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
   linelog {
       filename = "syslog"
       escape_filenames = no
       syslog_facility = "local1"
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
   linelog log_accounting {
       filename = "syslog"
       escape_filenames = no
       syslog_facility = "local2"
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   instantiate {
   # Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
        retry_delay = 30
        spread = no
    }
   # Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
    authorize {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    authenticate {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    preacct {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    accounting {
        uri = "http://127.0.0.1:7070//radius/rest/accounting"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    pre-proxy {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    post-proxy {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    post-auth {
        uri = "http://127.0.0.1:7070//radius/rest/authorize"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
   # Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
   }
   # Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
   # Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
   # Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
   # Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
        retry_delay = 30
        spread = no
    }
   # Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "packetfence-degraded-tunnel"
        soh = no
        require_client_cert = no
    }
    tls-config tls-common {
        verify_depth = 0
        pem_file_type = yes
        private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
        certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
        ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
        dh_file = "/usr/local/pf/raddb/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
   # Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "packetfence-tunnel"
        soh = no
        require_client_cert = no
    }
    tls-config tls-common {
        verify_depth = 0
        pem_file_type = yes
        private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
        certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
        ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
        dh_file = "/usr/local/pf/raddb/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        tls_max_version = ""
        tls_min_version = "1.0"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-degraded-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
   # Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
    authorize {
        uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    authenticate {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    accounting {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    post-auth {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
rlm_rest (rest-cli): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
   # Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT  id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT  id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
   # Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (pfguest): Attempting to connect to database "pf"
   # Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (pfsponsor): Attempting to connect to database "pf"
   # Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (pfsms): Attempting to connect to database "pf"
   # Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (pflocal): Attempting to connect to database "pf"
   # Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty.  Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty.  Please delete it
from the configuration
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (sql_reject): Attempting to connect to database "pf"
   # Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty.  Please delete it from
the configuration
    mysql {
     tls {
         tls_required = no
     }
        warnings = "auto"
    }
rlm_sql (sql_degraded): Attempting to connect to database "pf"
   # Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
   # Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
   # Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
   # Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay"     found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
   # Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
   # Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
   # Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
   # Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
   # Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
   # Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
   # Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
   # Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
  } # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading pre-proxy {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
  # Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
  # Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
  # Loading authorize {...}
  # Loading post-proxy {...}
} # server pfcli.cluster
  thread pool {
      start_servers = 0
      max_servers = 64
      min_spare_servers = 3
      max_spare_servers = 10
      max_requests_per_server = 0
      cleanup_delay = 5
      max_queue_size = 65536
      auto_limit_acct = no
  }
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
      type = "status"
      virtual_server = "status"
      ipaddr = 127.0.0.1
      port = 18121
   client admin {
       ipaddr = 127.0.0.1
       require_message_authenticator = no
       secret = <<< secret >>>
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
   }
}
listen {
      type = "auth"
      virtual_server = "pf-remote"
      ipaddr = 172.20.135.4
      port = 0
}
listen {
      type = "auth+acct"
      virtual_server = "packetfence"
      ipaddr = 172.20.135.4
      port = 2083
      proto = "tcp"
   tls {
       verify_depth = 0
       ca_path = "/usr/local/pf/raddb/certs"
       pem_file_type = yes
       private_key_file = "/usr/local/pf/raddb/certs/server.key"
       certificate_file = "/usr/local/pf/raddb/certs/server.crt"
       ca_file = "/usr/local/pf/raddb/certs/ca.pem"
       dh_file = "/usr/local/pf/raddb/certs/dh"
       fragment_size = 8192
       include_length = yes
       auto_chain = yes
       check_crl = no
       check_all_crl = no
       cipher_list = "DEFAULT"
       require_client_cert = yes
       ecdh_curve = "prime256v1"
       tls_max_version = ""
       tls_min_version = "1.0"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = no
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned
using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
}
listen {
      type = "control"
  listen {
      socket = "/usr/local/pf/var/run/radiusd.sock"
      mode = "rw"
      peercred = yes
  }
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 63313
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 3 waiting to be assigned a request
Thread 3 got semaphore
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 3 handling request 0, (1 handled so far)
(0) Received Access-Request Id 187 from 172.20.135.5:65296 to
172.20.135.4:1812 length 243
(0)   User-Name = "64-76-ba-89-71-4c"
(0)   User-Password = "64-76-ba-89-71-4c"
(0)   NAS-IP-Address = 172.20.110.250
(0)   NAS-Port = 0
(0)   Service-Type = Call-Check
(0)   Called-Station-Id = "00:1a:1e:01:68:f8"
(0)   Calling-Station-Id = "64:76:ba:89:71:4c"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Aruba-Essid-Name = "CPS-District"
(0)   Aruba-Location-Id = "MS-A181"
(0)   Aruba-AP-Group = "MS"
(0)   PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0)   Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0)   Proxy-State = 0x323338
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0)   authorize {
(0)     update control {
(0)       EXPAND %{Calling-Station-Id}
(0)          --> 64:76:ba:89:71:4c
(0)       Load-Balance-Key := 64:76:ba:89:71:4c
(0)       Proxy-To-Realm := "remote"
(0)     } # update control = noop
(0)     if (!NAS-IP-Address){
(0)     if (!NAS-IP-Address) -> FALSE
(0)   } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) server pf-remote {
(0) }
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
(0) Sent Access-Request Id 211 from 172.20.135.4:41039 to
172.20.135.10:1812 length 248
(0)   User-Name = "64-76-ba-89-71-4c"
(0)   User-Password = "64-76-ba-89-71-4c"
(0)   NAS-IP-Address = 172.20.110.250
(0)   NAS-Port = 0
(0)   Service-Type = Call-Check
(0)   Called-Station-Id = "00:1a:1e:01:68:f8"
(0)   Calling-Station-Id = "64:76:ba:89:71:4c"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Aruba-Essid-Name = "CPS-District"
(0)   Aruba-Location-Id = "MS-A181"
(0)   Aruba-AP-Group = "MS"
(0)   PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0)   Message-Authenticator = 0xc9b164a131d9c0875f68c065f031408e
(0)   Proxy-State = 0x323338
(0)   Proxy-State = 0x313837
Thread 3 waiting to be assigned a request
Listening on proxy address 172.20.135.4 port 41039
Waking up in 0.3 seconds.
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 211 from 172.20.135.10:1812 to
172.20.135.4:41039 length 47
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Private-Group-Id:0 = "135"
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Proxy-State = 0x323338
(0)   Proxy-State = 0x313837
(0) server pf-remote {
(0)   # Executing section post-proxy from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0)     post-proxy {
(0)       update control {
(0)         EXPAND %{home_server:ipaddr}
(0)            --> 172.20.135.10
(0)         PacketFence-Proxied-To := 172.20.135.10
(0)       } # update control = noop
(0)       if (&proxy-reply:Packet-Type == Access-Accept) {
(0)       EXPAND &proxy-reply:Packet-Type
(0)          --> Access-Accept
(0)       if (&proxy-reply:Packet-Type == Access-Accept) -> TRUE
(0)       if (&proxy-reply:Packet-Type == Access-Accept)  {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
(0)         EXPAND %{User-Name}
(0)            --> 64-76-ba-89-71-4c
(0)         SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0)         Executing query: DELETE FROM radreply where
username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (1)
(0)         EXPAND %{sql_degraded:DELETE FROM radreply where
username="%{Calling-Station-Id}"}
(0)            --> 3
(0) reply_in_db:   $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db:   $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db:   $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323338'
(0) reply_in_db:   $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db:   $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db:   $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db:   $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db:   $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db:   $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db:   $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x313837'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323338'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323338'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x313837'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323338'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x313837'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xc9b164a131d9c0875f68c065f031408e'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323338'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x313837'
(0)         [reply_in_db] = ok
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(0)         EXPAND %{User-Name}
(0)            --> 64-76-ba-89-71-4c
(0)         SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (2)
(0)         Executing query: INSERT into radreply =28username=2C
attribute=2C value=29 values
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Medium-Type:0=27=2C=27IEEE-802=27=29=2C
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Private-Group-Id:0=27=2C=27135=27=29=2C
=28=2764:76:ba:89:71:4c=27=2C=27Tunnel-Type:0=27=2C=27VLAN=27=29
(0)         ERROR: rlm_sql_mysql: ERROR 1064 (You have an error in your
SQL syntax; check the manual that corresponds to your MariaDB server
version for the right syntax to use near '=28username=2C attribute=2C
value=29 values =28=2764:76:ba:89:71:4c=27=2C=27Tunn' at line 1): 42000
(0)         ERROR: SQL query failed: server error
rlm_sql (sql): Released connection (2)
(0)         EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0)            -->
(0)       } # if (&proxy-reply:Packet-Type == Access-Accept) = ok
(0)       ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth:    --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0)       [attr_filter.packetfence_post_auth] = updated
(0)     } # post-proxy = updated
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli
64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 187 from 172.20.135.4:1812 to
172.20.135.5:65296 length 0
(0)   Tunnel-Private-Group-Id:0 = "135"
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Type:0 = VLAN
(0)   Proxy-State = 0x323338
(0) Finished request
Thread 2 waiting to be assigned a request
Waking up in 4.6 seconds.

```

```

FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including configuration file /usr/local/pf/raddb/clients.eduroam.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file
/usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/go
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
including configuration file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/status
including configuration file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
main {
  security {
      user = "pf"
      group = "pf"
      allow_core_dumps = no
  }
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/usr/local/pf/var"
     logdir = "/usr/local/pf/logs"
     run_dir = "/usr/local/pf/var/run"
}
main {
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/usr/local/pf/var"
     sbindir = "/usr/sbin"
     logdir = "/usr/local/pf/logs"
     run_dir = "/usr/local/pf/var/run"
     libdir = "/usr/lib64/freeradius:/usr/lib/freeradius"
     radacctdir = "/usr/local/pf/logs/radacct"
     hostname_lookups = no
     max_request_time = 10
     cleanup_delay = 5
     max_requests = 20000
     pidfile = "/usr/local/pf/var/run/radiusd.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
      stripped_names = no
      auth = yes
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
      allow_vulnerable_openssl = "yes"
  }
}
auth: #### Loading Realms and Home Servers ####
  proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
  }
  home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
WARNING: Ignoring "response_window = 20.000000", forcing to
"response_window = 10.000000"
  home_server pf.remote {
      ipaddr = 172.20.135.10
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.4"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server degraded {
      virtual_server = "pf.degraded"
      port = 0
      response_window = 30.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "none"
      ping_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 300
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
WARNING: Ignoring "response_window = 30.000000", forcing to
"response_window = 10.000000"
  home_server pf0.cluster {
      ipaddr = 172.20.135.4
      port = 1812
      type = "auth+acct"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.5"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server pf0.cli.cluster {
      ipaddr = 172.20.135.4
      port = 1815
      type = "auth"
      secret = <<< secret >>>
      src_ipaddr = "172.20.135.5"
      response_window = 6.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
   limit {
       max_connections = 16
       max_requests = 0
       lifetime = 0
       idle_timeout = 0
   }
   coa {
       irt = 2
       mrt = 16
       mrc = 5
       mrd = 30
   }
  }
  home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
  }
  realm example.com {
     auth_pool = my_auth_failover
  }
  realm default {
  }
  realm local {
  }
  realm null {
  }
  realm bob {
  }
  realm bibi {
  }
  realm inverse.inc {
  }
  realm eduroam.default {
  }
  realm eduroam.local {
  }
  realm eduroam.null {
  }
  realm eduroam.bob {
  }
  realm eduroam.bibi {
  }
  realm eduroam.inverse.inc {
  }
  home_server_pool pf_auth_pool {
     type = fail-over
     home_server = pf.remote
     home_server = degraded
  }
  home_server_pool pf_acct_pool {
     type = fail-over
     home_server = pf.remote
  }
  realm remote {
     auth_pool = pf_auth_pool
     acct_pool = pf_acct_pool
  }
  home_server_pool pf_pool.cluster {
     type = keyed-balance
     home_server = pf0.cluster
  }
  home_server_pool pfacct_pool.cluster {
     type = load-balance
     home_server = pf0.cluster
  }
  realm packetfence {
     auth_pool = pf_pool.cluster
     acct_pool = pfacct_pool.cluster
  }
  home_server_pool pfcli_pool.cluster {
     type = keyed-balance
     home_server = pf0.cli.cluster
  }
  realm packetfence-cli {
     auth_pool = pfcli_pool.cluster
  }
auth: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.4 {
      ipaddr = 172.20.135.4
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client 172.20.135.5 {
      ipaddr = 172.20.135.5
      require_message_authenticator = no
      secret = <<< secret >>>
      shortname = "pf"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client dynamic {
      ipaddr = 0.0.0.0/0
      require_message_authenticator = no
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
      dynamic_clients = "dynamic_clients"
      lifetime = 300
  }
Debugger not attached
  # Creating Auth-Type = eap
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
  # Creating Auth-Type = eap-degraded
  # Creating Autz-Type = Status-Server
auth: #### Instantiating modules ####
  modules {
   # Loaded module rlm_logintime
   # Loading module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_exec
   # Loading module "ntlm_auth" from file
/usr/local/pf/raddb/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /usr/local/pf/raddb/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_perl
   # Loading module "perl" from file /usr/local/pf/raddb/mods-enabled/perl
   perl {
       filename = "/usr/local/pf/raddb/mods-config/perl/example.pl"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl packetfence {
       filename = "/usr/local/pf/raddb/mods-config/perl/packetfence.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl packetfence-multi-domain {
       filename =
"/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loading module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
   perl reply_in_db {
       filename = "/usr/local/pf/raddb/mods-config/perl/reply_in_db.pm"
       func_authorize = "authorize"
       func_authenticate = "authenticate"
       func_post_auth = "post_auth"
       func_accounting = "accounting"
       func_preacct = "preacct"
       func_checksimul = "checksimul"
       func_detach = "detach"
       func_xlat = "xlat"
       func_pre_proxy = "pre_proxy"
       func_post_proxy = "post_proxy"
       func_recv_coa = "recv_coa"
       func_send_coa = "send_coa"
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
   preprocess {
       huntgroups = "/usr/local/pf/raddb/mods-config/preprocess/huntgroups"
       hints = "/usr/local/pf/raddb/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_radutmp
   # Loading module "radutmp" from file
/usr/local/pf/raddb/mods-enabled/radutmp
   radutmp {
       filename = "/usr/local/pf/logs/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loaded module rlm_raw
   # Loading module "raw" from file /usr/local/pf/raddb/mods-enabled/raw
   raw {
       name = "raw"
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /usr/local/pf/raddb/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = yes
   }
   # Loading module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_redis
   # Loading module "redis" from file /usr/local/pf/raddb/mods-enabled/redis
   redis {
       server = "127.0.0.1"
       port = 6379
       database = 0
   }
rlm_redis: libhiredis version: 0.12.1
   # Loading module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
   redis redis_ntlm {
       server = "127.0.0.1"
       port = 6383
       database = 0
   }
rlm_redis: libhiredis version: 0.12.1
   # Loaded module rlm_replicate
   # Loading module "replicate" from file
/usr/local/pf/raddb/mods-enabled/replicate
   # Loaded module rlm_soh
   # Loading module "soh" from file /usr/local/pf/raddb/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loading module "sradutmp" from file
/usr/local/pf/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/usr/local/pf/logs/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /usr/local/pf/raddb/mods-enabled/unix
   unix {
       radwtmp = "/usr/local/pf/logs/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_unpack
   # Loading module "unpack" from file
/usr/local/pf/raddb/mods-enabled/unpack
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /usr/local/pf/raddb/mods-enabled/utf8
   # Loaded module rlm_eap
   # Loading module "eap" from file /usr/local/pf/raddb/mods-enabled/eap
   eap {
       default_eap_type = "peap"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 20000
   }
   # Loading module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
   eap eap-degraded {
       default_eap_type = "peap"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 20000
   }
   # Loaded module rlm_rest
   # Loading module "rest" from file /usr/local/pf/raddb/mods-enabled/rest
   rest {
       connect_uri = "http://127.0.0.1:7070/"
       connect_timeout = 4.000000
   }
   # Loading module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
   rest rest-cli {
       connect_uri = "http://127.0.0.1:7070/"
       connect_timeout = 4.000000
   }
   # Loaded module rlm_sql
   # Loading module "sql" from file /usr/local/pf/raddb/mods-enabled/sql
   sql {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = yes
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT  id, nasname, shortname, type, secret,
server, tenant_id FROM radius_nas where 1=0"
       authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
       authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
       group_membership_query = "SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
       simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      accounting-off {
          query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      start {
          query = "CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Status-Type}','%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
      }
      interim-update {
          query = "CALL acct_update (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Status-Type}','%{NAS-Identifier}',
'%{Called-Station-SSID}', '%{control:PacketFence-Tenant-Id}')"
      }
      stop {
          query = "CALL acct_stop (
FROM_UNIXTIME(%{integer:Event-Timestamp}), '%{Framed-IP-Address}',
'%{%{Acct-Session-Time}:-0}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Acct-Unique-Session-Id}',
'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%{Acct-Authentic}', '%{Connect-Info}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Acct-Terminate-Cause}', '%{Acct-Status-Type}',
'%{NAS-Identifier}', '%{Called-Station-SSID}',
'%{control:PacketFence-Tenant-Id}')"
      }
     }
    }
    post-auth {
        reference = "type.accept.query"
    }
   }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
   # Loading module "pfguest" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pfguest {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "guest"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfguest): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfguest-SQL-Group
   # Loading module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql pfsponsor {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sponsor"
AND ( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfsponsor): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pfsponsor-SQL-Group
   # Loading module "pfsms" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pfsms {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password JOIN activation using
(pid) WHERE pid = '%{SQL-User-Name}' AND (SELECT type from activation
WHERE pid='%{SQL-User-Name}' ORDER BY code_id DESC LIMIT 1) = "sms" AND
( now() <= password.unregdate OR password.unregdate = '0000-00-00
00:00:00' ) AND password.tenant_id = '%{control:PacketFence-Tenant-Id}'
LIMIT 1"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pfsms): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute pfsms-SQL-Group
   # Loading module "pflocal" from file /usr/local/pf/raddb/mods-enabled/sql
   sql pflocal {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = "SELECT 1, pid, ( CASE WHEN
SUBSTR(password, 1, LENGTH('{ntlm}') ) = '{ntlm}' THEN 'NT-Password'
ELSE 'Cleartext-Password' END ) AS passwordhash,
REPLACE(password,'{ntlm}',''), ":=" FROM password WHERE pid =
'%{SQL-User-Name}' AND password.tenant_id =
'%{control:PacketFence-Tenant-Id}' AND NOT EXISTS (SELECT pid FROM
activation WHERE pid = '%{SQL-User-Name}')"
       group_membership_query = "select 1"
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = ".query"
    }
   }
rlm_sql (pflocal): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute pflocal-SQL-Group
   # Loading module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql sql_reject {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_check_query = ""
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
       group_membership_query = ""
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = "type.reject.query"
    }
   }
rlm_sql (sql_reject): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute sql_reject-SQL-Group
   # Loading module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
   sql sql_degraded {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
       group_membership_query = ""
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
    accounting {
        reference = ".query"
     type {
      accounting-on {
      }
      accounting-off {
      }
      start {
      }
      interim-update {
      }
      stop {
      }
     }
    }
    post-auth {
        reference = "type.reject.query"
    }
   }
rlm_sql (sql_degraded): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute sql_degraded-SQL-Group
   # Loaded module rlm_mschap
   # Loading module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --      
   --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap chrooted_mschap {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 --          --request-nt-key
--username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap chrooted_mschap_machine {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -p
8125 --              --request-nt-key
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap mschap_machine {
       use_mppe = yes
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
       ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --     
         --request-nt-key --username=%{mschap:User-Name:-None}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} %{PacketFence-NTLMv2-Only}"
       ntlm_auth_timeout = 3
    passchange {
    }
       allow_retry = no
       winbind_retry_with_normalised_username = no
   }
   # Loading module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
   mschap mschap_local {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
    passchange {
    }
       allow_retry = yes
       winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_always
   # Loading module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /usr/local/pf/raddb/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /usr/local/pf/raddb/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /usr/local/pf/raddb/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/usr/local/pf/raddb/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/usr/local/pf/raddb/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.packetfence_post_auth {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth"
       key = "%{User-Name}"
       relaxed = yes
   }
   # Loading module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.packetfence_pre_proxy {
       filename =
"/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy"
       key = "%{User-Name}"
       relaxed = yes
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
   cache cache_ntlm {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}%{Calling-Station-Id}"
       ttl = 300
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache cache_password {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 3600
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache userprincipalname {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 3600
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loading module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
   cache PacketFence-NTCacheHash {
       driver = "rlm_cache_rbtree"
       key = "%{User-Name}"
       ttl = 10
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_chap
   # Loading module "chap" from file /usr/local/pf/raddb/mods-enabled/chap
   # Loaded module rlm_detail
   # Loading module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
   detail {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail auth_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail reply_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   detail post_proxy_log {
       filename =
"/usr/local/pf/logs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_digest
   # Loading module "digest" from file
/usr/local/pf/raddb/mods-enabled/digest
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file
/usr/local/pf/raddb/mods-enabled/dynamic_clients
   # Loading module "echo" from file /usr/local/pf/raddb/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loading module "exec" from file /usr/local/pf/raddb/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
   # Loaded module rlm_expr
   # Loading module "expr" from file /usr/local/pf/raddb/mods-enabled/expr
   expr {
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_files
   # Loading module "files" from file /usr/local/pf/raddb/mods-enabled/files
   files {
       filename = "/usr/local/pf/raddb/mods-config/files/authorize"
       acctusersfile = "/usr/local/pf/raddb/mods-config/files/accounting"
       preproxy_usersfile =
"/usr/local/pf/raddb/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
   linelog {
       filename = "syslog"
       escape_filenames = no
       syslog_facility = "local1"
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
   linelog log_accounting {
       filename = "syslog"
       escape_filenames = no
       syslog_facility = "local2"
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   instantiate {
   # Instantiating module "redis" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
        retry_delay = 30
        spread = no
    }
   # Instantiating module "rest" from file
/usr/local/pf/raddb/mods-enabled/rest
    authorize {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    authenticate {
        uri = "http://127.0.0.1:7070//radius/rest/filter"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    accounting {
        uri = "http://127.0.0.1:7070//radius/rest/accounting"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    post-auth {
        uri = "http://127.0.0.1:7070//radius/rest/authorize"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
rlm_rest: libcurl version: libcurl/7.29.0 NSS/3.44 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
rlm_rest (rest): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
   # Instantiating module "raw" from file
/usr/local/pf/raddb/mods-enabled/raw
   }
   # Instantiating module "logintime" from file
/usr/local/pf/raddb/mods-enabled/logintime
   # Instantiating module "pap" from file
/usr/local/pf/raddb/mods-enabled/pap
   # Instantiating module "etc_passwd" from file
/usr/local/pf/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "perl" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "packetfence" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "packetfence-multi-domain" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "reply_in_db" from file
/usr/local/pf/raddb/mods-enabled/perl
   # Instantiating module "preprocess" from file
/usr/local/pf/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/pf/raddb/mods-config/preprocess/hints
   # Instantiating module "IPASS" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "suffix" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "realmpercent" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "ntdomain" from file
/usr/local/pf/raddb/mods-enabled/realm
   # Instantiating module "redis_ntlm" from file
/usr/local/pf/raddb/mods-enabled/redis
rlm_redis (redis_ntlm): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
        retry_delay = 30
        spread = no
    }
   # Instantiating module "eap" from file
/usr/local/pf/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "packetfence-degraded-tunnel"
        soh = no
        require_client_cert = no
    }
    tls-config tls-common {
        verify_depth = 0
        pem_file_type = yes
        private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
        certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
        ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
        dh_file = "/usr/local/pf/raddb/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
   # Instantiating module "eap-degraded" from file
/usr/local/pf/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "packetfence-tunnel"
        soh = no
        require_client_cert = no
    }
    tls-config tls-common {
        verify_depth = 0
        pem_file_type = yes
        private_key_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.key"
        certificate_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.crt"
        ca_file =
"/usr/local/pf/conf/certmanager/radius_default_tls-common.pem"
        dh_file = "/usr/local/pf/raddb/certs/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1:22225/api/v1/pki/ocsp"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "packetfence-degraded-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
   # Instantiating module "rest-cli" from file
/usr/local/pf/raddb/mods-enabled/rest
    authorize {
        uri = "http://127.0.0.1:7070//radius/rest/switch/authorize"
        method = "post"
        body = "json"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    authenticate {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    accounting {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
    post-auth {
        uri = ""
        method = "GET"
        body = "none"
        auth = "none"
        require_auth = no
        timeout = 4.000000
        chunk = 0
     tls {
         check_cert = yes
         check_cert_cn = yes
     }
    }
rlm_rest (rest-cli): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
   # Instantiating module "sql" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.21-MariaDB
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (sql): Attempting to connect to database "pf"
rlm_sql (sql): Initialising connection pool
    pool {
        start = 0
        min = 3
        max = 64
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT  id, nasname,
shortname, type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (0), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT  id, nasname, shortname,
type, secret, server, tenant_id FROM radius_nas where 1=0
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (1), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
   # Instantiating module "pfguest" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (pfguest): Attempting to connect to database "pf"
   # Instantiating module "pfsponsor" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (pfsponsor): Attempting to connect to database "pf"
   # Instantiating module "pfsms" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (pfsms): Attempting to connect to database "pf"
   # Instantiating module "pflocal" from file
/usr/local/pf/raddb/mods-enabled/sql
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (pflocal): Attempting to connect to database "pf"
   # Instantiating module "sql_reject" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_reject): groupmemb_query is empty.  Please delete it from
the configuration
rlm_sql (sql_reject): authorize_check_query is empty.  Please delete it
from the configuration
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (sql_reject): Attempting to connect to database "pf"
   # Instantiating module "sql_degraded" from file
/usr/local/pf/raddb/mods-enabled/sql
rlm_sql (sql_degraded): groupmemb_query is empty.  Please delete it from
the configuration
    mysql {
     tls {
     }
        warnings = "auto"
    }
rlm_sql (sql_degraded): Attempting to connect to database "pf"
   # Instantiating module "mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "chrooted_mschap" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
   # Instantiating module "chrooted_mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
   # Instantiating module "mschap_machine" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
   # Instantiating module "mschap_local" from file
/usr/local/pf/raddb/mods-enabled/mschap
rlm_mschap (mschap_local): using internal authentication
   # Instantiating module "reject" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "fail" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "ok" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "handled" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "invalid" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "userlock" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "notfound" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "noop" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "updated" from file
/usr/local/pf/raddb/mods-enabled/always
   # Instantiating module "attr_filter.post-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/pf/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_reject
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay"     found in filter list for realm
"DEFAULT".
[/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/accounting_response
   # Instantiating module "attr_filter.packetfence_post_auth" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-post-auth
   # Instantiating module "attr_filter.packetfence_pre_proxy" from file
/usr/local/pf/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/pf/raddb/mods-config/attr_filter/packetfence-pre-proxy
   # Instantiating module "cache_eap" from file
/usr/local/pf/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
   # Instantiating module "cache_ntlm" from file
/usr/local/pf/raddb/mods-enabled/cache_ntlm
rlm_cache (cache_ntlm): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "cache_password" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (cache_password): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "userprincipalname" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (userprincipalname): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "PacketFence-NTCacheHash" from file
/usr/local/pf/raddb/mods-enabled/cache_password
rlm_cache (PacketFence-NTCacheHash): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
   # Instantiating module "detail" from file
/usr/local/pf/raddb/mods-enabled/detail
   # Instantiating module "auth_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
   # Instantiating module "reply_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file
/usr/local/pf/raddb/mods-enabled/detail.log
   # Instantiating module "expiration" from file
/usr/local/pf/raddb/mods-enabled/expiration
   # Instantiating module "files" from file
/usr/local/pf/raddb/mods-enabled/files
reading pairlist file /usr/local/pf/raddb/mods-config/files/authorize
reading pairlist file /usr/local/pf/raddb/mods-config/files/accounting
reading pairlist file /usr/local/pf/raddb/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file
/usr/local/pf/raddb/mods-enabled/linelog
   # Instantiating module "log_accounting" from file
/usr/local/pf/raddb/mods-enabled/linelog
  } # modules
auth: #### Loading Virtual Servers ####
server { # from file /usr/local/pf/raddb/auth.conf
} # server
server packetfence { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading pre-proxy {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence
server pf-remote { # from file /usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
} # server pf-remote
server pf.degraded { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading preacct {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server pf.degraded
server packetfence-degraded-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-degraded-tunnel
server packetfence-tunnel { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-tunnel
server packetfence-tunnel-fast { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-tunnel-fast
server packetfence-cli { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cli
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
} # server packetfence-cli
server dynamic_clients { # from file
/usr/local/pf/raddb/sites-enabled/dynamic-clients
  # Loading authorize {...}
} # server dynamic_clients
server status { # from file /usr/local/pf/raddb/sites-enabled/status
  # Loading authorize {...}
} # server status
server pf.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
  # Loading authorize {...}
  # Loading accounting {...}
  # Loading post-proxy {...}
} # server pf.cluster
server pfcli.cluster { # from file
/usr/local/pf/raddb/sites-enabled/packetfence-cluster
  # Loading authorize {...}
  # Loading post-proxy {...}
} # server pfcli.cluster
  thread pool {
      start_servers = 0
      max_servers = 64
      min_spare_servers = 3
      max_spare_servers = 10
      max_requests_per_server = 0
      cleanup_delay = 5
      max_queue_size = 65536
      auto_limit_acct = no
  }
Thread pool initialized
auth: #### Opening IP addresses and Ports ####
listen {
      type = "status"
      virtual_server = "status"
      ipaddr = 127.0.0.1
      port = 18121
   client admin {
       ipaddr = 127.0.0.1
       require_message_authenticator = no
       secret = <<< secret >>>
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
   }
}
listen {
      type = "auth"
      virtual_server = "pf-remote"
      ipaddr = 172.20.135.4
      port = 0
}
listen {
      type = "auth+acct"
      virtual_server = "packetfence"
      ipaddr = 172.20.135.4
      port = 2083
      proto = "tcp"
   tls {
       verify_depth = 0
       ca_path = "/usr/local/pf/raddb/certs"
       pem_file_type = yes
       private_key_file = "/usr/local/pf/raddb/certs/server.key"
       certificate_file = "/usr/local/pf/raddb/certs/server.crt"
       ca_file = "/usr/local/pf/raddb/certs/ca.pem"
       dh_file = "/usr/local/pf/raddb/certs/dh"
       fragment_size = 8192
       include_length = yes
       auto_chain = yes
       check_crl = no
       check_all_crl = no
       cipher_list = "DEFAULT"
       require_client_cert = yes
       ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = no
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
}
listen {
      type = "control"
  listen {
      socket = "/usr/local/pf/var/run/radiusd.sock"
      mode = "rw"
      peercred = yes
  }
}
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on auth address 172.20.135.4 port 1812 bound to server pf-remote
Listening on auth+acct proto tcp address 172.20.135.4 port 2083 (TLS)
bound to server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on proxy address * port 51771
Ready to process requests
Threads: Spawning 3 spares
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Waking up in 0.3 seconds.
Thread 1 waiting to be assigned a request
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Thread 3 waiting to be assigned a request
(0) Received Access-Request Id 19 from 172.20.135.5:57221 to
172.20.135.4:1812 length 243
(0)   User-Name = "64-76-ba-89-71-4c"
(0)   User-Password = "64-76-ba-89-71-4c"
(0)   NAS-IP-Address = 172.20.110.250
(0)   NAS-Port = 0
(0)   Service-Type = Call-Check
(0)   Called-Station-Id = "00:1a:1e:01:68:f8"
(0)   Calling-Station-Id = "64:76:ba:89:71:4c"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Aruba-Essid-Name = "CPS-District"
(0)   Aruba-Location-Id = "MS-A181"
(0)   Aruba-AP-Group = "MS"
(0)   PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0)   Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0)   Proxy-State = 0x323531
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0)   authorize {
(0)     update control {
(0)       EXPAND %{Calling-Station-Id}
(0)          --> 64:76:ba:89:71:4c
(0)       Load-Balance-Key := 64:76:ba:89:71:4c
(0)       Proxy-To-Realm := "remote"
(0)     } # update control = noop
(0)     if (!NAS-IP-Address){
(0)     if (!NAS-IP-Address) -> FALSE
(0)   } # authorize = noop
(0) Starting proxy to home server 172.20.135.10 port 1812
(0) Proxying request to home server 172.20.135.10 port 1812 timeout 6.000000
Listening on proxy address 172.20.135.4 port 46328
Waking up in 0.3 seconds.
(0) Sent Access-Request Id 189 from 172.20.135.4:46328 to
172.20.135.10:1812 length 247
(0)   User-Name = "64-76-ba-89-71-4c"
(0)   User-Password = "64-76-ba-89-71-4c"
(0)   NAS-IP-Address = 172.20.110.250
(0)   NAS-Port = 0
(0)   Service-Type = Call-Check
(0)   Called-Station-Id = "00:1a:1e:01:68:f8"
(0)   Calling-Station-Id = "64:76:ba:89:71:4c"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Aruba-Essid-Name = "CPS-District"
(0)   Aruba-Location-Id = "MS-A181"
(0)   Aruba-AP-Group = "MS"
(0)   PacketFence-KeyBalanced = "2cab901e9652f08e98b274d193485eb3"
(0)   Message-Authenticator = 0xe8f25d7438b80d1efc0f74b8a8951fcf
(0)   Proxy-State = 0x323531
(0)   Proxy-State = 0x3139
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
(0) Marking home server 172.20.135.10 port 1812 alive
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 189 from 172.20.135.10:1812 to
172.20.135.4:46328 length 46
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Private-Group-Id:0 = "135"
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Proxy-State = 0x323531
(0)   Proxy-State = 0x3139
(0) # Executing section post-proxy from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0)   post-proxy {
(0)     update control {
(0)       EXPAND %{home_server:ipaddr}
(0)          --> 172.20.135.10
(0)       PacketFence-Proxied-To := 172.20.135.10
(0)     } # update control = noop
(0)     if (&proxy-reply:Packet-Type == Access-Accept) {
(0)     EXPAND &proxy-reply:Packet-Type
(0)        --> Access-Accept
(0)     if (&proxy-reply:Packet-Type == Access-Accept)  -> TRUE
(0)     if (&proxy-reply:Packet-Type == Access-Accept)  {
(0)       EXPAND %{User-Name}
(0)          --> 64-76-ba-89-71-4c
(0)       SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (0)
(0)       Executing query: DELETE FROM radreply where
username="64:76:ba:89:71:4c"
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on 127.0.0.1 via TCP/IP,
server version 10.1.21-MariaDB, protocol version 10
(0)       EXPAND %{sql_degraded:DELETE FROM radreply where
username="%{Calling-Station-Id}"}
(0)          --> 3
(0) reply_in_db:   $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'User-Password'} =
&request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'NAS-IP-Address'} =
&request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) reply_in_db:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type
-> 'Call-Check'
(0) reply_in_db:   $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db:   $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State ->
'0x323531'
(0) reply_in_db:   $RAD_REQUEST{'NAS-Port-Type'} =
&request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db:   $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-Essid-Name'} =
&request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-Location-Id'} =
&request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db:   $RAD_REQUEST{'Aruba-AP-Group'} =
&request:Aruba-AP-Group -> 'MS'
(0) reply_in_db:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'remote'
(0) reply_in_db:   $RAD_REQUEST{'SQL-User-Name'} =
&request:SQL-User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST{'PacketFence-KeyBalanced'} =
&request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db:   $RAD_CHECK{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_CHECK{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db:   $RAD_CHECK{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db:   $RAD_CONFIG{'Load-Balance-Key'} =
&control:Load-Balance-Key -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_CONFIG{'Proxy-To-Realm'} =
&control:Proxy-To-Realm -> 'remote'
(0) reply_in_db:   $RAD_CONFIG{'PacketFence-Proxied-To'} =
&control:PacketFence-Proxied-To -> '172.20.135.10'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'User-Name'} =
&proxy-request:User-Name -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'User-Password'} =
&proxy-request:User-Password -> '64-76-ba-89-71-4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-IP-Address'} =
&proxy-request:NAS-IP-Address -> '172.20.110.250'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-Port'} =
&proxy-request:NAS-Port -> '0'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Service-Type'} =
&proxy-request:Service-Type -> 'Call-Check'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Called-Station-Id'} =
&proxy-request:Called-Station-Id -> '00:1a:1e:01:68:f8'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Calling-Station-Id'} =
&proxy-request:Calling-Station-Id -> '64:76:ba:89:71:4c'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Proxy-State'}[0] =
&proxy-request:Proxy-State -> '0x3139'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Proxy-State'}[1] =
&proxy-request:Proxy-State -> '0x323531'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'NAS-Port-Type'} =
&proxy-request:NAS-Port-Type -> 'Wireless-802.11'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Message-Authenticator'} =
&proxy-request:Message-Authenticator -> '0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-Essid-Name'} =
&proxy-request:Aruba-Essid-Name -> 'CPS-District'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-Location-Id'} =
&proxy-request:Aruba-Location-Id -> 'MS-A181'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'Aruba-AP-Group'} =
&proxy-request:Aruba-AP-Group -> 'MS'
(0) reply_in_db:   $RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} =
&proxy-request:PacketFence-KeyBalanced -> '2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[0] =
&proxy-reply:Proxy-State -> '0x323531'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Proxy-State'}[1] =
&proxy-reply:Proxy-State -> '0x3139'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Tunnel-Type'} =
&proxy-reply:Tunnel-Type -> 'VLAN'
(0) reply_in_db:   $RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type'} =
&proxy-reply:Tunnel-Medium-Type -> 'IEEE-802'
(0) reply_in_db: $RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id'} =
&proxy-reply:Tunnel-Private-Group-Id -> '135'
(0) reply_in_db: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'}
-> 'Wireless-802.11'
(0) reply_in_db: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} ->
'0x323531'
(0) reply_in_db: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Call-Check'
(0) reply_in_db: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &request:Realm = $RAD_REQUEST{'Realm'} -> 'remote'
(0) reply_in_db: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &request:Aruba-AP-Group =
$RAD_REQUEST{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'64-76-ba-89-71-4c'
(0) reply_in_db: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &request:User-Password = $RAD_REQUEST{'User-Password'}
-> '64-76-ba-89-71-4c'
(0) reply_in_db: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) reply_in_db: &control:PacketFence-Proxied-To =
$RAD_CHECK{'PacketFence-Proxied-To'} -> '172.20.135.10'
(0) reply_in_db: &control:Load-Balance-Key =
$RAD_CHECK{'Load-Balance-Key'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &control:PacketFence-reply-insert =
$RAD_CHECK{'PacketFence-reply-insert'} -> 'INSERT into radreply
(username, attribute, value) values
('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')'
(0) reply_in_db: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'}
-> 'remote'
(0) reply_in_db: &proxy-request:NAS-Port-Type =
$RAD_REQUEST_PROXY{'NAS-Port-Type'} -> 'Wireless-802.11'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x3139'
(0) reply_in_db: &proxy-request:Proxy-State +=
$RAD_REQUEST_PROXY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-request:Service-Type =
$RAD_REQUEST_PROXY{'Service-Type'} -> 'Call-Check'
(0) reply_in_db: &proxy-request:Aruba-Essid-Name =
$RAD_REQUEST_PROXY{'Aruba-Essid-Name'} -> 'CPS-District'
(0) reply_in_db: &proxy-request:Calling-Station-Id =
$RAD_REQUEST_PROXY{'Calling-Station-Id'} -> '64:76:ba:89:71:4c'
(0) reply_in_db: &proxy-request:Called-Station-Id =
$RAD_REQUEST_PROXY{'Called-Station-Id'} -> '00:1a:1e:01:68:f8'
(0) reply_in_db: &proxy-request:PacketFence-KeyBalanced =
$RAD_REQUEST_PROXY{'PacketFence-KeyBalanced'} ->
'2cab901e9652f08e98b274d193485eb3'
(0) reply_in_db: &proxy-request:Message-Authenticator =
$RAD_REQUEST_PROXY{'Message-Authenticator'} ->
'0xe8f25d7438b80d1efc0f74b8a8951fcf'
(0) reply_in_db: &proxy-request:Aruba-AP-Group =
$RAD_REQUEST_PROXY{'Aruba-AP-Group'} -> 'MS'
(0) reply_in_db: &proxy-request:Aruba-Location-Id =
$RAD_REQUEST_PROXY{'Aruba-Location-Id'} -> 'MS-A181'
(0) reply_in_db: &proxy-request:User-Name =
$RAD_REQUEST_PROXY{'User-Name'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:User-Password =
$RAD_REQUEST_PROXY{'User-Password'} -> '64-76-ba-89-71-4c'
(0) reply_in_db: &proxy-request:NAS-IP-Address =
$RAD_REQUEST_PROXY{'NAS-IP-Address'} -> '172.20.110.250'
(0) reply_in_db: &proxy-request:NAS-Port =
$RAD_REQUEST_PROXY{'NAS-Port'} -> '0'
(0) reply_in_db: &proxy-reply:Tunnel-Private-Group-Id:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Private-Group-Id:0'} -> '135'
(0) reply_in_db: &proxy-reply:Tunnel-Medium-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Medium-Type:0'} -> 'IEEE-802'
(0) reply_in_db: &proxy-reply:Tunnel-Type:0 =
$RAD_REQUEST_PROXY_REPLY{'Tunnel-Type:0'} -> 'VLAN'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x323531'
(0) reply_in_db: &proxy-reply:Proxy-State +=
$RAD_REQUEST_PROXY_REPLY{'Proxy-State'} -> '0x3139'
(0)       [reply_in_db] = ok
(0)       EXPAND %{User-Name}
(0)          --> 64-76-ba-89-71-4c
(0)       SQL-User-Name set to '64-76-ba-89-71-4c'
rlm_sql (sql): Reserved connection (1)
(0)       Executing query: INSERT into radreply (username, attribute,
value) values ('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802'),
('64:76:ba:89:71:4c','Tunnel-Private-Group-Id:0','135'),
('64:76:ba:89:71:4c','Tunnel-Type:0','VLAN')
rlm_sql_mysql: Records: 3  Duplicates: 0  Warnings: 0
rlm_sql (sql): Released connection (1)
(0)       EXPAND %{sql_degraded:%{control:PacketFence-reply-insert}}
(0)          --> 3
(0)     } # if (&proxy-reply:Packet-Type == Access-Accept)  = ok
(0)     ... skipping else: Preceding "if" was taken
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth:    --> 64-76-ba-89-71-4c
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0)     [attr_filter.packetfence_post_auth] = updated
(0)   } # post-proxy = updated
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [64-76-ba-89-71-4c] (from client pf port 0 cli
64:76:ba:89:71:4c)
(0) Sent Access-Accept Id 19 from 172.20.135.4:1812 to
172.20.135.5:57221 length 0
(0)   Tunnel-Private-Group-Id:0 = "135"
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Type:0 = VLAN
(0)   Proxy-State = 0x323531
(0) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.6 seconds.

```

--
Fabrice Durand
[hidden email] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: safe_characters issue

Alan DeKok-2
On Jun 17, 2020, at 8:55 AM, Fabrice Durand <[hidden email]> wrote:
>
> i am trying to set the safe_characters in a sql configuration and it looks that the safe characters are not working anymore (at least the extra i add).

  I'd suggest avoiding "safe_characters".

  From 3.0.18:

        * Some SQL modules can now use "auto_escape" to escape unsafe strings.
          See mods-config/sql/main/mysql/queries.conf

> I have the following configuration:
>
> ```
>
> sql sql_degraded {
>   ...
>         safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
> }
>
> ```
>
> I added (),' as extra char.

  That should still work.

>
> Following the trace from freeradius 3.0.21 (doesn't work) and from freeradius-3.0.13 (works) for exactly the same radius request and exactly the same configuration:

  The key point for the sql_degraded module is:

>      authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
>       group_membership_query = ""
>       safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>       auto_escape = no
>

  So it's not picking up the "safe_characters" string you set.

  Probably because of this:

...
        $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
...

  If the "reject.conf" file *also* has "safe_characters" set, that one will be used instead of the extra one you added.

  You can't "over-ride" configuration items by adding a second one.

  Alan DeKok.



Re: safe_characters issue

Fabrice Durand
Hello Alan,

thanks for the reply, so I tested what you suggested and I am still not
able to make it work.

On 20-06-17 at 09:20, Alan DeKok wrote:
> On Jun 17, 2020, at 8:55 AM, Fabrice Durand <[hidden email]> wrote:
>> i am trying to set the safe_characters in a sql configuration and it looks that the safe characters are not working anymore (at least the extra i add).
>    I'd suggest avoiding "safe_characters".
>
>    From 3.0.18:
>
> * Some SQL modules can now use "auto_escape" to escape unsafe strings.
>  See mods-config/sql/main/mysql/queries.conf

Just tried with auto_escape:

```

(1) Wed Jun 17 09:34:39 2020: Debug:         SQL-User-Name set to
'64-76-ba-89-71-4c'
(1) Wed Jun 17 09:34:39 2020: Debug:         Executing query: INSERT
into radreply (username, attribute, value) values
(\'64:76:ba:89:71:4c\',\'Tunnel-Medium-Type:0\',\'IEEE-802\'),
(\'64:76:ba:89:71:4c\',\'Tunnel-Private-Group-Id:0\',\'135\'),
(\'64:76:ba:89:71:4c\',\'Tunnel-Type:0\',\'VLAN\')
(1) Wed Jun 17 09:34:39 2020: ERROR:         rlm_sql_mysql: ERROR 1064
(You have an error in your SQL syntax; check the manual that corresponds
to your MariaDB server version for the right syntax to use near
'\'64:76:ba:89:71:4c\',\'Tunnel-Medium-Type:0\',\'IEEE-802\'),
(\'64:76:ba:89:71:' at line 1): 42000
(1) Wed Jun 17 09:34:39 2020: ERROR:         SQL query failed: server error
(1) Wed Jun 17 09:34:39 2020: Debug:         EXPAND
%{sql_degraded:%{control:PacketFence-reply-insert}}

```

>> I have the following configuration:
>>
>> ```
>>
>> sql sql_degraded {
>>    ...
>>          safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
>> }
>>
>> ```
>>
>> I added (),' as extra char.
>    That should still work.
>
>> Following the trace from freeradius 3.0.21 (doesn't work) and from freeradius-3.0.13 (works) for exactly the same radius request and exactly the same configuration:
>    The key point for the sql_degraded module is:
>
>>       authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
>>        group_membership_query = ""
>>        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>        auto_escape = no
>>
In the debug output, the sql_degraded section contains this:

```

sql sql_degraded {
       driver = "rlm_sql_mysql"
       server = "127.0.0.1"
       port = 3306
       login = "pf"
       password = <<< secret >>>
       radius_db = "pf"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
       authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
       group_membership_query = ""
       safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"

```

You probably took the one from "sql_reject".

>    So it's not picking up the "safe_characters" string you set.
>
>    Probably because of this:
>
> ...
>          $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
>          safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
> ...
>
>    If the "reject.conf" file *also* has "safe_characters" set, that one will be used instead of the extra one you added.
>
>    You can't "over-ride" configuration items by adding a second one.
I removed $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf and
the issue is still here. (attached the new trace)

Regards

Fabrice


>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Attachment: 3.21-2 (107K)
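Why the auto_escape attempt above ends in ERROR 1064, and what the extended safe_characters list really changes, is easiest to see side by side. The following is an added example in Python, not code from FreeRADIUS or from this thread. It models the safe_characters `=XX` encoding (the "mime-encoded equivalents" described in queries.conf) and a simplified driver-style quote escaping; both routines are assumptions about the real implementations, and the INSERT statement is constructed from the values in the trace.

```python
# Added example (not FreeRADIUS code): models the two escaping strategies
# this thread compares and why the auto_escape attempt produced "\'...\'".
# SAFE_DEFAULT is the list shown in queries.conf in this thread; the =XX
# encoding follows the "mime-encoded equivalents" description in that file.
SAFE_DEFAULT = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
# The extended list from the sql_degraded section in the thread: (),' added.
SAFE_EXTENDED = SAFE_DEFAULT + "(),'"


def safe_characters_escape(value: str, safe: str = SAFE_DEFAULT) -> str:
    """safe_characters-style escape: every byte outside `safe` becomes =XX.

    Simplification (assumption): input is handled byte by byte; the real
    rlm_sql routine's multi-byte UTF-8 handling is not modelled here.
    """
    out = []
    for b in value.encode("utf-8"):
        if b < 0x80 and chr(b) in safe:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def driver_style_escape(value: str) -> str:
    """auto_escape-style escape, modelled on how a MySQL client library
    escapes backslashes and single quotes (assumption; the real driver
    routine also handles NUL, newline and a few other bytes, omitted here)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def quote_reaches_sql(value: str, escape) -> bool:
    """True when a single quote in `value` survives `escape` unmodified,
    i.e. the SQL parser would see it as syntax rather than as data."""
    escaped = escape(value)
    return "'" in escaped and "\\'" not in escaped


def statement_intact(statement: str, escape) -> bool:
    """True when a whole SQL statement passes through `escape` unchanged.
    That is only possible when every character of the statement is "safe",
    which is exactly what adding (),' to safe_characters achieves."""
    return escape(statement) == statement


def escape_with_extended(value: str) -> str:
    """safe_characters escape using the extended list from the thread."""
    return safe_characters_escape(value, SAFE_EXTENDED)


# Constructed statement in the same shape as the one in the trace: it is
# built outside the sql module and then pushed through the %{sql_degraded:...}
# xlat, which escapes its whole argument as if it were a single value.
PREBUILT_INSERT = (
    "INSERT into radreply (username, attribute, value) values "
    "('64:76:ba:89:71:4c','Tunnel-Medium-Type:0','IEEE-802')"
)


if __name__ == "__main__":
    # A value with an embedded quote: both real escapes neutralise it ...
    print(safe_characters_escape("O'Brien"))   # O=27Brien
    print(driver_style_escape("O'Brien"))      # O\'Brien
    # ... but the extended safe list lets it straight through.
    print(escape_with_extended("O'Brien"))     # O'Brien
    # The whole prebuilt statement: the default list mangles it, the driver
    # escape yields the \'...\' form from the trace, the extended list passes
    # it through intact.
    print(safe_characters_escape(PREBUILT_INSERT))
    print(driver_style_escape(PREBUILT_INSERT))
    print(statement_intact(PREBUILT_INSERT, escape_with_extended))  # True
```

The defender's reading: once `'`, `(`, `)` and `,` are in safe_characters, the escape function no longer touches a quote, so any request attribute value containing one reaches the SQL text verbatim. Adding them makes the pre-built statement survive the xlat, but it also removes the protection the escape exists to provide. Keeping the statement in the module's own query configuration, so that only values pass through the escape, preserves both the query and the escaping.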

Re: safe_characters issue

Fabrice Durand
OK, I found something: it looks like if I set safe_characters in the main
sql definition, it works.


```

sql {
         # The sub-module to use to execute queries. This should match
         # the database you're attempting to connect to.
         #
         #    * rlm_sql_mysql
         #    * rlm_sql_mssql
         #    * rlm_sql_oracle
         #    * rlm_sql_postgresql
         #    * rlm_sql_sqlite
         #    * rlm_sql_null (log queries to disk)
         #
         driver = "rlm_sql_mysql"
         safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"

........

```


On 20-06-17 at 09:45, Fabrice Durand wrote:

> Hello Alan,
>
> thanks for the reply, so i tested what you suggested and i am not
> still able to make it work.
>
> On 20-06-17 at 09:20, Alan DeKok wrote:
>> On Jun 17, 2020, at 8:55 AM, Fabrice Durand <[hidden email]> wrote:
>>> i am trying to set the safe_characters in a sql configuration and it
>>> looks that the safe characters are not working anymore (at least the
>>> extra i add).
>>    I'd suggest avoiding "safe_characters".
>>
>>    From 3.0.18:
>>
>>     * Some SQL modules can now use "auto_escape" to escape unsafe
>> strings.
>>       See mods-config/sql/main/mysql/queries.conf
>
> Just tried with auto_escape:
>
> ```
>
> (1) Wed Jun 17 09:34:39 2020: Debug:         SQL-User-Name set to
> '64-76-ba-89-71-4c'
> (1) Wed Jun 17 09:34:39 2020: Debug:         Executing query: INSERT
> into radreply (username, attribute, value) values
> (\'64:76:ba:89:71:4c\',\'Tunnel-Medium-Type:0\',\'IEEE-802\'),
> (\'64:76:ba:89:71:4c\',\'Tunnel-Private-Group-Id:0\',\'135\'),
> (\'64:76:ba:89:71:4c\',\'Tunnel-Type:0\',\'VLAN\')
> (1) Wed Jun 17 09:34:39 2020: ERROR:         rlm_sql_mysql: ERROR 1064
> (You have an error in your SQL syntax; check the manual that
> corresponds to your MariaDB server version for the right syntax to use
> near '\'64:76:ba:89:71:4c\',\'Tunnel-Medium-Type:0\',\'IEEE-802\'),
> (\'64:76:ba:89:71:' at line 1): 42000
> (1) Wed Jun 17 09:34:39 2020: ERROR:         SQL query failed: server
> error
> (1) Wed Jun 17 09:34:39 2020: Debug:         EXPAND
> %{sql_degraded:%{control:PacketFence-reply-insert}}
>
> ```
>
>>> I have the following configuration:
>>>
>>> ```
>>>
>>> sql sql_degraded {
>>>    ...
>>>          safe_characters =
>>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>>> /(),'"
>>> }
>>>
>>> ```
>>>
>>> I added (),' as extra char.
>>    That should still work.
>>
>>> Following the trace from freeradius 3.0.21 (doesn't work) and from
>>> freeradius-3.0.13 (works) for exactly the same radius request and
>>> exactly the same configuration:
>>    The key point for the sql_degraded module is:
>>
>>>       authorize_reply_query = "SELECT id, username, attribute,
>>> value, op FROM radreply WHERE username = '%{Calling-Station-Id}'
>>> ORDER BY id"
>>>        group_membership_query = ""
>>>        safe_characters =
>>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>>        auto_escape = no
>>>
> In the debug the sql_degraded contain that:
>
> ```
>
> sql sql_degraded {
>       driver = "rlm_sql_mysql"
>       server = "127.0.0.1"
>       port = 3306
>       login = "pf"
>       password = <<< secret >>>
>       radius_db = "pf"
>       read_groups = yes
>       read_profiles = yes
>       read_clients = no
>       delete_stale_sessions = yes
>       sql_user_name = "%{User-Name}"
>       default_user_profile = ""
>       client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
>       authorize_reply_query = "SELECT id, username, attribute, value,
> op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
>       group_membership_query = ""
>       safe_characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
> /(),'"
>
> ```
>
> You probably took the one from "sql_reject".
>
>>    So it's not picking up the "safe_characters" string you set.
>>
>>    Probably because of this:
>>
>> ...
>>          $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
>>          safe_characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /(),'"
>> ...
>>
>>    If the "reject.conf" file *also* has "safe_characters" set, that
>> one will be used instead of the extra one you added.
>>
>>    You can't "over-ride" configuration items by adding a second one.
>
> I removed $INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf and
> the issue is still here. (attached the new trace)
>
> Regards
>
> Fabrice
>
>
>>
>>    Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: safe_characters issue

Alan DeKok-2
On Jun 17, 2020, at 9:55 AM, Fabrice Durand <[hidden email]> wrote:
>
> OK i found something, it looks if i set the safe_characters in the main sql definition it works.

  The configuration files are read in order, top to bottom.  So if you put the safe_characters line before *any* $INCLUDE statements, then it will override the definitions in some later $INCLUDE.

  What's happening is that you have multiple definitions of safe_characters.  You were editing the second or third one, but only the first one was relevant.  By adding a definition before the others, you've made a new first definition, which is then used.

  Alan DeKok.


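The precedence rule Alan describes (files read top to bottom, the first definition of an item is the one used) can be checked mechanically rather than by eye. The following is an added example in Python and is not FreeRADIUS's configuration parser: it walks one module section, follows `$INCLUDE` directives in place, and lists every definition of a key in read order, so the first entry is the one in effect. The file names and contents are constructed for the example; `${var}` expansion and nested sections are not modelled.

```python
import re

# Added example (not FreeRADIUS's parser): audit which definition of a
# configuration item is in effect when a section sets it more than once,
# directly or through $INCLUDE. Assumptions: "key = value" lines,
# "$INCLUDE path" lines, comments starting with '#'; no ${var} expansion
# and no nested sections.

PAIR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+(\S+)\s*$')


def collect_definitions(path, files, key, _stack=()):
    """Return [(file, line_no, value), ...] for every definition of `key`,
    in the order the server would read them (includes expanded in place)."""
    if path in _stack:
        raise ValueError("include loop via %s" % path)
    found = []
    for line_no, line in enumerate(files[path].splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # a commented-out definition does not count
        inc = INCLUDE_RE.match(line)
        if inc:
            found.extend(collect_definitions(inc.group(1), files, key,
                                             _stack + (path,)))
            continue
        pair = PAIR_RE.match(line)
        if pair and pair.group(1) == key:
            found.append((path, line_no, pair.group(2).strip('"')))
    return found


def effective_value(path, files, key):
    """The value that takes effect: the first definition read, or None."""
    defs = collect_definitions(path, files, key)
    return defs[0][2] if defs else None


DEFAULT = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
EXTENDED = DEFAULT + "(),'"

# Constructed files. The included reject.conf carries an active definition
# (plus a commented-out one, like the grep output in this thread), and the
# module section sets safe_characters again after the $INCLUDE.
INCLUDED = {
    "main/mysql/reject.conf": (
        '# Safe characters list for sql queries.\n'
        '#safe_characters = "zzz"\n'
        'safe_characters = "%s"\n'
    ) % DEFAULT,
}

BROKEN = {**INCLUDED, "mods-enabled/sql": (
    'driver = "rlm_sql_mysql"\n'
    '$INCLUDE main/mysql/reject.conf\n'
    'safe_characters = "%s"\n'
) % EXTENDED}

# Same files with the definition moved before the $INCLUDE, so it is read first.
FIXED = {**INCLUDED, "mods-enabled/sql": (
    'driver = "rlm_sql_mysql"\n'
    'safe_characters = "%s"\n'
    '$INCLUDE main/mysql/reject.conf\n'
) % EXTENDED}


if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for where, line_no, value in collect_definitions(
                "mods-enabled/sql", files, "safe_characters"):
            print("  %s:%d -> %r" % (where, line_no, value))
        print("  effective ->",
              effective_value("mods-enabled/sql", files, "safe_characters"))
```

Running the script on a real tree would mean feeding it the actual file contents; the point of the constructed pair is that the same two lines, reordered, flip which safe list is in effect, and that commented-out definitions such as the ones in mods-config are correctly ignored.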

Re: safe_characters issue

Fabrice Durand
I am not sure that's the case; the only place I defined safe_characters is
in mods-enabled/sql

```

[root@localhost raddb]# grep safe_characters * -r
mods-available/dhcp_sqlippool:  # To use sqlite you need to add '%' to
safe_characters in
mods-available/expr:#  escape   escape string similar to rlm_sql
safe_characters
mods-available/expr:    safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
mods-config/sql/main/mysql/extras/wimax/queries.conf:#safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
mods-config/sql/main/mysql/queries.conf:#safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
mods-config/sql/main/mysql/reject.conf:#safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
mods-config/sql/main/postgresql/queries.conf:# safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
mods-config/sql/main/sqlite/queries.conf:#safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
mods-enabled/sql:        safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"

```

I attached 2 debug outputs and the sql files used: the one with
safe_characters defined in the sql {...} section (which works) and the
other one with safe_characters defined in sql sql_degraded {...} (which
doesn't work).

To me it looks like even if you define safe_characters in a section
other than sql {...}, the code doesn't use it and uses the one from the
sql {...} section instead.

I did exactly the same tests on FreeRADIUS version 3.0.13 (I am using
another path for the configuration files than /etc/radiusd, so the files
did not change) and it takes the safe_characters defined in the
sql_degraded section.

Btw, setting safe_characters in sql {...} fixed my issue, but it looks
like a regression.

Regards

Fabrice



On 20-06-17 at 10:19, Alan DeKok wrote:

> On Jun 17, 2020, at 9:55 AM, Fabrice Durand <[hidden email]> wrote:
>> OK i found something, it looks if i set the safe_characters in the main sql definition it works.
>    The configuration files are read in order, top to bottom.  So if you put the safe_characters line before *any* $INCLUDE statements, then it will override the definitions in some later $INCLUDE.
>
>    What's happening is that you have multiple definitions of safe_characters.  You were editing the second or third one, but only the first one was relevant.  By adding a definition before the others, you've made a new first definition, which is then used.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Attachment: safe_characters_defined_in_sql (107K)
Attachment: safe_characters_defined_in_sql_degraded (107K)
Attachment: sql_safe_characters_defined_in_sql (12K)
Attachment: sql_safe_characters_defined_in_sql_degraded (12K)

Re: safe_characters issue

Alan DeKok-2
On Jun 17, 2020, at 11:11 AM, Fabrice Durand <[hidden email]> wrote:
>
> I am not sure it's the case, the only place i defined safe_characters is in mods-enabled/sql

  OK.

> I attached 2 debug outputs and the sql files used , the one with safe_characters defined in the sql {...} section (who works) and the other one with safe_characters defined in sql sql_degraded{...} (that doesn't works)
>
> For me it looks that even if you define safe_characters in another section than the sql {...} one the code doesn't use it and use the one from the sql {...} section instead.

  Except that the code *always* looks at the definition of safe_characters in the current configuration.

  There's nothing in the rlm_sql source which says "search for the base SQL module and use that".

> I did exactly the same tests on the FreeRADIUS version 3.0.13 (i am using another path for the configuration files than /etc/radiusd, so the files didn't changed) and it takes the safe_characters defined in the sql_degraded section.
>
> Btw setting the safe_characters in sql{...} fixed my issue, but it looks to be a regression.

  I just took the current v3.0.x head, and created a "sql sql2" module, which uses MySQL.  The main "sql" module is using sqlite.  I edited the safe_characters definition in mods-config, and I see:

$ radiusd -X | grep safe
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  safe_characters = "YYY@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  safe_characters = "XXX@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

  The first one is from rlm_expr.  The second is from the sqlite definition that I edited.  The third one is from the MySQL definition that I edited.

  And from the debug output you posted:

  # Loading module "sql_degraded" from file /usr/local/pf/raddb/mods-enabled/sql
  sql sql_degraded {
  driver = "rlm_sql_mysql"
  server = "127.0.0.1"
  port = 3306
  login = "pf"
  password = <<< secret >>>
  radius_db = "pf"
  read_groups = yes
  read_profiles = yes
  read_clients = no
  delete_stale_sessions = yes
  sql_user_name = "%{User-Name}"
  default_user_profile = ""
  client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
  group_membership_query = ""
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"


  So that seems to work.

  Alan DeKok.



Re: safe_characters issue

Fabrice Durand
Hello Alan,

sorry to bother you.

I did one last test: I built a new binary and reverted a few commits in
3.0.21 (attached to this email) in the rlm_sql modules, and now
FreeRADIUS takes the safe_characters values from the sql_degraded {...}
section and not the sql {...} section anymore (like it worked in
FreeRADIUS 3.0.13).

My skills in C are not good enough to find the issue, but it looks like
"sql_escape_func" uses the main sql section.

Regards

Fabrice


On 20-06-17 at 12:10, Alan DeKok wrote:

> On Jun 17, 2020, at 11:11 AM, Fabrice Durand <[hidden email]> wrote:
>> I am not sure it's the case, the only place i defined safe_characters is in mods-enabled/sql
>    OK.
>
>> I attached 2 debug outputs and the sql files used , the one with safe_characters defined in the sql {...} section (who works) and the other one with safe_characters defined in sql sql_degraded{...} (that doesn't works)
>>
>> For me it looks that even if you define safe_characters in another section than the sql {...} one the code doesn't use it and use the one from the sql {...} section instead.
>    Except that the code *always* looks at definition of safe_characters in the current configuration.
>
>    There's nothing in the rlm_sql source which says "search for the base SQL module and use that".
>
>> I did exactly the same tests on the FreeRADIUS version 3.0.13 (i am using another path for the configuration files than /etc/radiusd, so the files didn't changed) and it takes the safe_characters defined in the sql_degraded section.
>>
>> Btw setting the safe_characters in sql{...} fixed my issue, but it looks to be a regression.
>    I just took the current v3.0.x head, and created a "sql sql2" module, which uses MySQL.  The main "sql" module is using sqlite.  I edited the safe_characters definition in mods-config, and I see:
>
> $ radiusd -X | grep safe
>     safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>     safe_characters = "YYY@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>     safe_characters = "XXX@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>
>    The first one is from rlm_expr.  The second is from the sqlite definition that I edited.  The third one is from the MySQL definition that I edited.
>
>    And from the debug output you posted:
>
>    # Loading module "sql_degraded" from file /usr/local/pf/raddb/mods-enabled/sql
>    sql sql_degraded {
>     driver = "rlm_sql_mysql"
>     server = "127.0.0.1"
>     port = 3306
>     login = "pf"
>     password = <<< secret >>>
>     radius_db = "pf"
>     read_groups = yes
>     read_profiles = yes
>     read_clients = no
>     delete_stale_sessions = yes
>     sql_user_name = "%{User-Name}"
>     default_user_profile = ""
>     client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
>     group_membership_query = ""
>     safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
>
>
>    So that seems to work.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: safe_characters issue

Fabrice Durand
The attached file didn't appear. (commit ids:
c87363675831f74c53028f947521a55319160b4c
7cc5f6154daaca64948cd1053bffa2a11b35ba85
50f18e02597c1d1d5ef7975826159a09fd81f7bf
46d1879513303ea9d311ea0f06c10211c9e4e4a2)


```

diff -ruN
freeradius-server-3.0.21.orig/raddb/mods-config/sql/main/mysql/queries.conf
freeradius-server-3.0.21/raddb/mods-config/sql/main/mysql/queries.conf
---
freeradius-server-3.0.21.orig/raddb/mods-config/sql/main/mysql/queries.conf
2020-03-24 10:55:09.000000000 -0400
+++
freeradius-server-3.0.21/raddb/mods-config/sql/main/mysql/queries.conf
2020-06-17 14:47:54.547176147 -0400
@@ -4,22 +4,10 @@
  #
  #  $Id: 51560a71ed819a95bc0f5ccc352efe69e374f7c5 $

-# Use the driver specific SQL escape method.
-#
-# If you enable this configuration item, the "safe_characters"
-# configuration is ignored.  FreeRADIUS then uses the MySQL escape
-# functions to escape input strings.  The only downside to making this
-# change is that the MySQL escaping method is not the same the one
-# used by FreeRADIUS.  So characters which are NOT in the
-# "safe_characters" list will now be stored differently in the database.
-#
-#auto_escape = yes
-
  # Safe characters list for sql queries. Everything else is replaced
  # with their mime-encoded equivalents.
  # The default list should be ok
-# Using 'auto_escape' is preferred
-safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
+#safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

  #######################################################################
  #  Connection config
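Review bot: the `-safe_characters = ...` / `+#safe_characters = ...` pair in this hunk turns the only active escaping policy in mysql/queries.conf into a comment, and the deleted block above it was the only place `auto_escape` was documented; after this revert a module that includes this file has no explicit safe list unless its enclosing section sets one, which is the same precedence ambiguity this thread is chasing. For a bisect it is cleaner to revert only the code change and leave the configuration file alone; if the configuration change is deliberate, keep the `auto_escape` explanation so that users who have enabled it can still find what it does.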
diff -ruN
freeradius-server-3.0.21.orig/raddb/mods-config/sql/main/postgresql/queries.conf
freeradius-server-3.0.21/raddb/mods-config/sql/main/postgresql/queries.conf
---
freeradius-server-3.0.21.orig/raddb/mods-config/sql/main/postgresql/queries.conf
2020-03-24 10:55:09.000000000 -0400
+++
freeradius-server-3.0.21/raddb/mods-config/sql/main/postgresql/queries.conf
2020-06-17 14:47:54.547176147 -0400
@@ -4,21 +4,9 @@
  #
  #  $Id: da82467aea53046e2dd55e1a6986a73b7429b856 $

-# Use the driver specific SQL escape method.
-#
-# If you enable this configuration item, the "safe_characters"
-# configuration is ignored.  FreeRADIUS then uses the PostgreSQL escape
-# functions to escape input strings.  The only downside to making this
-# change is that the PostgreSQL escaping method is not the same the one
-# used by FreeRADIUS.  So characters which are NOT in the
-# "safe_characters" list will now be stored differently in the database.
-#
-#auto_escape = yes
-
  # Safe characters list for sql queries. Everything else is replaced
  # with their mime-encoded equivalents.
  # The default list should be ok
-# Using 'auto_escape' is preferred
  # safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

  #######################################################################
diff -ruN
freeradius-server-3.0.21.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
freeradius-server-3.0.21/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
---
freeradius-server-3.0.21.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
2020-03-24 10:55:09.000000000 -0400
+++
freeradius-server-3.0.21/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
2020-06-17 14:47:54.547176147 -0400
@@ -811,21 +811,6 @@
      return mysql_affected_rows(conn->sock);
  }

-static size_t sql_escape_func(UNUSED REQUEST *request, char *out,
size_t outlen, char const *in, void *arg)
-{
-    size_t            inlen;
-    rlm_sql_handle_t    *handle = talloc_get_type_abort(arg,
rlm_sql_handle_t);
-    rlm_sql_mysql_conn_t    *conn = handle->conn;
-
-    /* Check for potential buffer overflow */
-    inlen = strlen(in);
-    if ((inlen * 2 + 1) > outlen) return 0;
-    /* Prevent integer overflow */
-    if ((inlen * 2 + 1) <= inlen) return 0;
-
-    return mysql_real_escape_string(conn->sock, out, in, inlen);
-}
-

  /* Exported to rlm_sql */
  extern rlm_sql_module_t rlm_sql_mysql;
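Review bot: deleting sql_escape_func() from the MySQL driver removes the only path that escapes through mysql_real_escape_string(), the routine that knows the connection's character set and quoting rules; after this hunk every value reaching a MySQL query is protected solely by the safe_characters allow-list in rlm_sql.c. If the goal is only to make the calling module's safe_characters apply, keep this function and fix the argument handed to the callback instead (the rlm_sql.c hunk already shows `inst` being passed), so deployments that rely on `auto_escape = yes` are not silently downgraded.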
@@ -844,6 +829,5 @@
      .sql_free_result        = sql_free_result,
      .sql_error            = sql_error,
      .sql_finish_query        = sql_finish_query,
-    .sql_finish_select_query    = sql_finish_query,
-    .sql_escape_func        = sql_escape_func
+    .sql_finish_select_query    = sql_finish_query
  };
diff -ruN
freeradius-server-3.0.21.orig/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
freeradius-server-3.0.21/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
---
freeradius-server-3.0.21.orig/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
2020-03-24 10:55:09.000000000 -0400
+++
freeradius-server-3.0.21/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
2020-06-17 14:47:54.547176147 -0400
@@ -553,28 +553,6 @@
      return conn->affected_rows;
  }

-static size_t sql_escape_func(UNUSED REQUEST *request, char *out,
size_t outlen, char const *in, void *arg)
-{
-    size_t            inlen, ret;
-    rlm_sql_handle_t    *handle = talloc_get_type_abort(arg,
rlm_sql_handle_t);
-    rlm_sql_postgres_conn_t    *conn = handle->conn;
-    int            err;
-
-    /* Check for potential buffer overflow */
-    inlen = strlen(in);
-    if ((inlen * 2 + 1) > outlen) return 0;
-    /* Prevent integer overflow */
-    if ((inlen * 2 + 1) <= inlen) return 0;
-
-    ret = PQescapeStringConn(conn->db, out, in, inlen, &err);
-    if (err) {
-        REDEBUG("Error escaping string \"%s\": %s", in,
PQerrorMessage(conn->db));
-        return 0;
-    }
-
-    return ret;
-}
-
  /* Exported to rlm_sql */
  extern rlm_sql_module_t rlm_sql_postgresql;
  rlm_sql_module_t rlm_sql_postgresql = {
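Review bot: same concern as for the MySQL driver: this removes the PQescapeStringConn() path together with its `err` check that refused to continue on a failed escape, leaving PostgreSQL with no driver-side escaping at all. Prefer keeping the function and passing the instance explicitly rather than deleting it.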
@@ -589,6 +567,5 @@
      .sql_error            = sql_error,
      .sql_finish_query        = sql_free_result,
      .sql_finish_select_query    = sql_free_result,
-    .sql_affected_rows        = sql_affected_rows,
-    .sql_escape_func        = sql_escape_func
+    .sql_affected_rows        = sql_affected_rows
  };
diff -ruN freeradius-server-3.0.21.orig/src/modules/rlm_sql/rlm_sql.c
freeradius-server-3.0.21/src/modules/rlm_sql/rlm_sql.c
--- freeradius-server-3.0.21.orig/src/modules/rlm_sql/rlm_sql.c
2020-03-24 10:55:09.000000000 -0400
+++ freeradius-server-3.0.21/src/modules/rlm_sql/rlm_sql.c 2020-06-17
14:47:54.547176147 -0400
@@ -110,7 +110,6 @@
  #endif
      { "safe-characters", FR_CONF_OFFSET(PW_TYPE_STRING |
PW_TYPE_DEPRECATED, rlm_sql_config_t, allowed_chars), NULL },
      { "safe_characters", FR_CONF_OFFSET(PW_TYPE_STRING,
rlm_sql_config_t, allowed_chars),
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" },
-    { "auto_escape", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_sql_config_t,
driver_specific_escape), "no" },

      /*
       *    This only works for a few drivers.
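Review bot: dropping the "auto_escape" CONF_PARSER entry means a deployed `auto_escape = yes` (the setting recommended later in this thread) is no longer parsed, and nothing in the patch tells the operator that it stopped doing anything. If the item has to go, add a PW_TYPE_DEPRECATED entry like the "safe-characters" one two lines above so the server reports it instead of ignoring it.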
@@ -123,8 +122,6 @@
      CONF_PARSER_TERMINATOR
  };

-static size_t sql_escape_for_xlat_func(REQUEST *request, char *out,
size_t outlen, char const *in, void *arg);
-
  /*
   *    Fall-Through checking function from rlm_files.c
   */
@@ -378,8 +375,7 @@
  static size_t sql_escape_func(UNUSED REQUEST *request, char *out,
size_t outlen,
                    char const *in, void *arg)
  {
-    rlm_sql_handle_t *handle = talloc_get_type_abort(arg,
rlm_sql_handle_t);
-    rlm_sql_t *inst = handle->inst;
+    rlm_sql_t *inst = arg;
      size_t len = 0;

      while (in[0]) {
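Review bot: `rlm_sql_t *inst = arg;` drops the talloc_get_type_abort() check that the replaced lines had. Every call site in this patch now passes `inst`, but the same callback is also handed to xlat_register(), which returns the opaque pointer it was given, so a mismatched caller would read the wrong struct silently; use `rlm_sql_t *inst = talloc_get_type_abort(arg, rlm_sql_t);` as the removed sql_escape_for_xlat_func() did.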
@@ -482,28 +478,6 @@
      return len;
  }

-/** Passed as the escape function to map_proc and sql xlat methods
- *
- * The variant reserves a connection for the escape functions to use,
and releases it after
- * escaping is complete.
- */
-static size_t sql_escape_for_xlat_func(REQUEST *request, char *out,
size_t outlen, char const *in, void *arg)
-{
-    size_t            ret;
-    rlm_sql_t        *inst = talloc_get_type_abort(arg, rlm_sql_t);
-    rlm_sql_handle_t    *handle;
-
-    handle = fr_connection_get(inst->pool);
-    if (!handle) {
-        out[0] = '\0';
-        return 0;
-    }
-    ret = inst->sql_escape_func(request, out, outlen, in, handle);
-    fr_connection_release(inst->pool, handle);
-
-    return ret;
-}
-
  /*
   *    Set the SQL user name.
   *
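Review bot: the doc comment on the removed wrapper states why it existed: driver escaping needs a reserved connection. Removing it is only correct because the driver escape functions are deleted in the same patch; if those functions are kept (see the two driver hunks), this wrapper must stay, otherwise sql_xlat and map_proc would escape without a handle.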
@@ -573,7 +547,7 @@

      if (!inst->config->groupmemb_query) return 0;

-    if (radius_axlat(&expanded, request, inst->config->groupmemb_query,
sql_escape_for_xlat_func, inst) < 0) return -1;
+    if (radius_axlat(&expanded, request, inst->config->groupmemb_query,
sql_escape_func, inst) < 0) return -1;

      ret = rlm_sql_select_query(inst, request, handle, expanded);
      talloc_free(expanded);
@@ -752,7 +726,7 @@
               *    Expand the group query
               */
              if (radius_axlat(&expanded, request,
inst->config->authorize_group_check_query,
-                     inst->sql_escape_func, *handle) < 0) {
+                     sql_escape_func, inst) < 0) {
                  REDEBUG("Error generating query");
                  rcode = RLM_MODULE_FAIL;
                  goto finish;
@@ -802,7 +776,7 @@
               *    Now get the reply pairs since the paircompare matched
               */
              if (radius_axlat(&expanded, request,
inst->config->authorize_group_reply_query,
-                     inst->sql_escape_func, *handle) < 0) {
+                     sql_escape_func, inst) < 0) {
                  REDEBUG("Error generating query");
                  rcode = RLM_MODULE_FAIL;
                  goto finish;
@@ -937,7 +911,7 @@
      /*
       *    Register the SQL xlat function
       */
-    xlat_register(inst->name, sql_xlat, sql_escape_for_xlat_func, inst);
+    xlat_register(inst->name, sql_xlat, sql_escape_func, inst);

      return 0;
  }
@@ -1071,14 +1045,6 @@
      inst->sql_select_query        = rlm_sql_select_query;
      inst->sql_fetch_row        = rlm_sql_fetch_row;

-    /*
-     *    Either use the module specific escape function
-     *    or our default one.
-     */
-    inst->sql_escape_func = inst->module->sql_escape_func &&
inst->config->driver_specific_escape ?
-                inst->module->sql_escape_func :
-                sql_escape_func;
-
      if (inst->module->mod_instantiate) {
          CONF_SECTION *cs;
          char const *name;
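Review bot: this removes the only assignment to inst->sql_escape_func, but the patch does not remove that member from struct sql_inst in rlm_sql.h (the header hunks only drop the rlm_sql_module_t field and driver_specific_escape), leaving a never-initialised function pointer behind; either remove the field in the same patch or grep for remaining readers of inst->sql_escape_func before merging.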
@@ -1187,7 +1153,7 @@
          VALUE_PAIR *vp;

          if (radius_axlat(&expanded, request,
inst->config->authorize_check_query,
-                 inst->sql_escape_func, handle) < 0) {
+                 sql_escape_func, inst) < 0) {
              REDEBUG("Error generating query");
              rcode = RLM_MODULE_FAIL;
              goto error;
@@ -1239,7 +1205,7 @@
           *    Now get the reply pairs since the paircompare matched
           */
          if (radius_axlat(&expanded, request,
inst->config->authorize_reply_query,
-                 inst->sql_escape_func, handle) < 0) {
+                 sql_escape_func, inst) < 0) {
              REDEBUG("Error generating query");
              rcode = RLM_MODULE_FAIL;
              goto error;
@@ -1459,7 +1425,7 @@
              goto finish;
          }

-        if (radius_axlat(&expanded, request, value,
inst->sql_escape_func, handle) < 0) {
+        if (radius_axlat(&expanded, request, value, sql_escape_func,
inst) < 0) {
              rcode = RLM_MODULE_FAIL;

              goto finish;
@@ -1611,15 +1577,15 @@
          return RLM_MODULE_FAIL;
      }

-    /* initialize the sql socket */
-    handle = fr_connection_get(inst->pool);
-    if (!handle) {
-        talloc_free(expanded);
+    if (radius_axlat(&expanded, request,
inst->config->simul_count_query, sql_escape_func, inst) < 0) {
          sql_unset_user(inst, request);
          return RLM_MODULE_FAIL;
      }

-    if (radius_axlat(&expanded, request,
inst->config->simul_count_query, inst->sql_escape_func, handle) < 0) {
+    /* initialize the sql socket */
+    handle = fr_connection_get(inst->pool);
+    if (!handle) {
+        talloc_free(expanded);
          sql_unset_user(inst, request);
          return RLM_MODULE_FAIL;
      }
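Review bot: after the reorder, the radius_axlat() failure branch returns without a talloc_free(expanded), while the connection-failure branch directly below frees it. Confirm that radius_axlat() leaves `expanded` NULL on error; if it can leave a partial allocation, free it in that branch too so the two error paths behave the same.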
@@ -1661,7 +1627,7 @@
          goto finish;
      }

-    if (radius_axlat(&expanded, request,
inst->config->simul_verify_query, inst->sql_escape_func, handle) < 0) {
+    if (radius_axlat(&expanded, request,
inst->config->simul_verify_query, sql_escape_func, inst) < 0) {
          rcode = RLM_MODULE_FAIL;

          goto finish;
diff -ruN freeradius-server-3.0.21.orig/src/modules/rlm_sql/rlm_sql.h
freeradius-server-3.0.21/src/modules/rlm_sql/rlm_sql.h
--- freeradius-server-3.0.21.orig/src/modules/rlm_sql/rlm_sql.h
2020-03-24 10:55:09.000000000 -0400
+++ freeradius-server-3.0.21/src/modules/rlm_sql/rlm_sql.h 2020-06-17
14:47:54.547176147 -0400
@@ -126,7 +126,6 @@
                                  //!< stale sessions.

      char const        *allowed_chars;            //!< Chars which done
need escaping..
-    bool            driver_specific_escape;        //!< Use the driver
specific SQL escape method
      uint32_t        query_timeout;            //!< How long to allow
queries to run for.

      char const        *connect_query;            //!< Query executed
after establishing
@@ -212,8 +211,6 @@

      sql_rcode_t (*sql_finish_query)(rlm_sql_handle_t *handle,
rlm_sql_config_t *config);
      sql_rcode_t (*sql_finish_select_query)(rlm_sql_handle_t *handle,
rlm_sql_config_t *config);
-
-    xlat_escape_t    sql_escape_func;
  } rlm_sql_module_t;

  struct sql_inst {

```

On 20-06-17 at 15:23, Fabrice Durand wrote:

> Hello Alan,
>
> sorry to bother you.
>
> I did one last test: I built a new binary and reverted a few commits in
> 3.0.21 (attached to this email) in the rlm_sql modules, and now
> freeradius takes the safe_characters values from the sql_degraded{...}
> section and not the sql {...} section anymore (like it worked in
> freeradius 3.0.13).
>
> My skills in C are not good enough to find the issue, but it looks like
> the "sql_escape_func" uses the main sql section.
>
> Regards
>
> Fabrice
>
>
> On 20-06-17 at 12:10, Alan DeKok wrote:
>> On Jun 17, 2020, at 11:11 AM, Fabrice Durand <[hidden email]> wrote:
>>> I am not sure it's the case; the only place I defined
>>> safe_characters is in mods-enabled/sql
>>    OK.
>>
>>> I attached 2 debug outputs and the sql files used: the one with
>>> safe_characters defined in the sql {...} section (which works) and the
>>> other one with safe_characters defined in sql sql_degraded{...}
>>> (that doesn't work).
>>>
>>> To me it looks like even if you define safe_characters in a section
>>> other than the sql {...} one, the code doesn't use it and uses the
>>> one from the sql {...} section instead.
>>    Except that the code *always* looks at definition of
>> safe_characters in the current configuration.
>>
>>    There's nothing in the rlm_sql source which says "search for the
>> base SQL module and use that".
>>
>>> I did exactly the same tests on FreeRADIUS version 3.0.13 (I am
>>> using another path for the configuration files than /etc/radiusd, so
>>> the files didn't change) and it takes the safe_characters defined
>>> in the sql_degraded section.
>>>
>>> Btw, setting the safe_characters in sql{...} fixed my issue, but it
>>> looks to be a regression.
>>    I just took the current v3.0.x head, and created a "sql sql2"
>> module, which uses MySQL.  The main "sql" module is using sqlite.  I
>> edited the safe_characters definition in mods-config, and I see:
>>
>> $ radiusd -X | grep safe
>>        safe_characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>>        safe_characters =
>> "YYY@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /"
>>        safe_characters =
>> "XXX@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /"
>>
>>    The first one is from rlm_expr.  The second is from the sqlite
>> definition that I edited.  The third one is from the MySQL definition
>> that I edited.
>>
>>    And from the debug output you posted:
>>
>>    # Loading module "sql_degraded" from file
>> /usr/local/pf/raddb/mods-enabled/sql
>>    sql sql_degraded {
>>        driver = "rlm_sql_mysql"
>>        server = "127.0.0.1"
>>        port = 3306
>>        login = "pf"
>>        password = <<< secret >>>
>>        radius_db = "pf"
>>        read_groups = yes
>>        read_profiles = yes
>>        read_clients = no
>>        delete_stale_sessions = yes
>>        sql_user_name = "%{User-Name}"
>>        default_user_profile = ""
>>        client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
>>        group_membership_query = ""
>>        safe_characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /(),'"
>>
>>
>>    So that seems to work.
>>
>>    Alan DeKok.
>>
>>
>

Re: safe_characters issue

Alan DeKok-2
In reply to this post by Fabrice Durand
On Jun 17, 2020, at 3:23 PM, Fabrice Durand <[hidden email]> wrote:
> sorry to bother you.

  Fixing bugs is what I do...

> I did one last test: I built a new binary and reverted a few commits in 3.0.21 (attached to this email) in the rlm_sql modules, and now freeradius takes the safe_characters values from the sql_degraded{...} section and not the sql {...} section anymore (like it worked in freeradius 3.0.13).
>
> My skills in C are not good enough to find the issue, but it looks like the "sql_escape_func" uses the main sql section.

  The sql_escape_func() uses whatever configuration is in the SQL connection that it's using.

  i.e. If you configure sql_degraded to use the connection pool from the main SQL module, then the escaping is done using that configuration.

 So you have:
sql sql_degraded {
...
        pool = sql
}

  Which means that the "safe_characters" is taken from the main "sql" module.

  I admit that this behaviour is somewhat surprising, but.. I also have to ask, why use different "safe_characters" for connections to the same back-end database?  Do the safe_characters really change, depending on the SQL module, and not the database?

  My $0.02 is to just set "auto_escape = yes", and the problem goes away.  All escaping is done via the database library (not FreeRADIUS), and everything Just Works.

  Alan DeKok.
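As an added illustration (not code from the thread or from FreeRADIUS), the Python below models what the reply describes: the safe_characters allow-list escaping, and why a module with `pool = sql` is escaped with the main module's list in 3.0.21 but with its own list in 3.0.13. The byte-wise `=XX` encoding of non-ASCII input and the backslash-style `driver_escape()` standing in for `auto_escape = yes` are assumptions of this example.

```python
# Model of rlm_sql's safe_characters escaping and of the "pool = sql"
# behaviour described above.  Illustration written for this page, not
# FreeRADIUS code; the byte-wise =XX encoding of non-ASCII input and the
# driver_escape() stand-in for auto_escape are assumptions of the example.

DEFAULT_SAFE = ("@abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def safe_chars_escape(value, safe_characters):
    """Replace every character outside safe_characters with =XX (hex of
    each UTF-8 byte), the 'mime-encoded equivalent' queries.conf mentions.
    Characters in the list, including any quote the operator adds, pass
    through to the query untouched."""
    out = []
    for ch in value:
        if ch in safe_characters:
            out.append(ch)
        else:
            out.extend(f"={b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def driver_escape(value):
    """Stand-in for what auto_escape = yes hands to the database library
    (mysql_real_escape_string-style backslash escaping); an approximation,
    not the library's exact rules."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


class SqlModule:
    """One 'sql <name> { ... }' section: its own safe_characters and an
    optional 'pool = <other module>' that lends it connections."""

    def __init__(self, name, safe_characters=DEFAULT_SAFE, pool=None):
        self.name = name
        self.safe_characters = safe_characters
        # With 'pool = sql' every connection handle belongs to 'sql'.
        self.pool_owner = pool if pool is not None else self

    def escape_via_handle(self, value):
        # 3.0.21: the escape callback receives the connection handle and
        # reads handle->inst->config, i.e. the pool owner's list.
        return safe_chars_escape(value, self.pool_owner.safe_characters)

    def escape_via_instance(self, value):
        # 3.0.13 and the reverted patch: the callback receives the calling
        # module's own instance, so its own list applies.
        return safe_chars_escape(value, self.safe_characters)


def demo():
    """The thread's setup: sql_degraded adds (),' and uses pool = sql."""
    sql = SqlModule("sql")
    sql_degraded = SqlModule("sql_degraded", DEFAULT_SAFE + "(),'", pool=sql)
    user = "O'Brien (lab)"  # constructed sample User-Name
    return {
        "3.0.21": sql_degraded.escape_via_handle(user),    # O=27Brien =28lab=29
        "3.0.13": sql_degraded.escape_via_instance(user),  # O'Brien (lab)
        "auto_escape": driver_escape(user),                # O\'Brien (lab)
    }
```

Note that a quote added to safe_characters reaches the query verbatim, whereas the driver path still escapes it; that is the practical reason for preferring `auto_escape = yes` over widening the allow-list.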



Re: safe_characters issue

Fabrice Durand

On 20-06-17 at 15:59, Alan DeKok wrote:

> On Jun 17, 2020, at 3:23 PM, Fabrice Durand <[hidden email]> wrote:
>> sorry to bother you.
>    Fixing bugs is what I do...
>
>> I did one last test: I built a new binary and reverted a few commits in 3.0.21 (attached to this email) in the rlm_sql modules, and now freeradius takes the safe_characters values from the sql_degraded{...} section and not the sql {...} section anymore (like it worked in freeradius 3.0.13).
>>
>> My skills in C are not good enough to find the issue, but it looks like the "sql_escape_func" uses the main sql section.
>    The sql_escape_func() uses whatever configuration is in the SQL connection that it's using.
>
>    i.e. If you configure sql_degraded to use the connection pool from the main SQL module, then the escaping is done using that configuration.
>
>   So you have:
> sql sql_degraded {
> ...
>          pool = sql
> }
>
>    Which means that the "safe_characters" is taken from the main "sql" module.
>
>    I admit that this behaviour is somewhat surprising, but.. I also have to ask, why use different "safe_characters" for connections to the same back-end database?  Do the safe_characters really change, depending on the SQL module, and not the database?

Oh OK, it makes sense now. I was disturbed to see in the debug that
"safe_characters" was set to the values I needed in the sql_degraded
section, and it led me to think that my config was OK.

Btw, I did it wrong since the behavior was different with 3.0.13, and it
led me to think that it was a regression.

If that's the way it works, I am OK with that.

>
>    My $0.02 is to just set "auto_escape = yes", and the problem goes away.  All escaping is done via the database library (not FreeRADIUS), and everything Just Works.

I will give it another try, but the first test with that didn't work.

Thanks for your support.

Regards

Fabrice

>    Alan DeKok.
>
>