7
Freeradius erkennt Attribute in user Config nicht
@aqui Ausgangspunkt
Ich komme einfach nicht weiter. Ich nutze das offizielle Freeradius Dockerimage und habe jetzt mal, wie von aqui vorgeschlagen, folgendes probiert:
Aber auch da kommt sofort im Debugmodus die Fehlermeldung:
Unter user/share/freeradius sind aber im Container alle Dictionaries enthalten, nämlich:
Die werden dann im File dictionary inkludiert:
Ich habe bisher noch nichts mit Freeradius gemacht und habe so den Eindruck, dass mir irgendein Basic fehlt, oder irgendetwas grundsätzlich hakt. Wenn noch jemand eine Idee hat, dann bitte hier posten. Ich bin jetzt schon seit Stunden an dem Thema dran und mir gehen langsam die Ideen aus.
Ich komme einfach nicht weiter. Ich nutze das offizielle Freeradius Dockerimage und habe jetzt mal, wie von aqui vorgeschlagen, folgendes probiert:
00235A3F0122 Cleartext-Password := "00235A3F0122"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 10 Aber auch da kommt sofort im Debugmodus die Fehlermeldung:
/etc/freeradius/mods-config/files/authorize[11]: Parse error (check) for entry Tunnel-Type: Invalid attribute name
Failed reading /etc/freeradius/mods-config/files/authorize
/etc/freeradius/mods-enabled/files[9]: Instantiation failed for module "files" Unter user/share/freeradius sind aber im Container alle Dictionaries enthalten, nämlich:
dictionary dictionary.chillispot dictionary.iea dictionary.proxim dictionary.sg
dictionary.3com dictionary.cisco dictionary.infinera dictionary.purewave dictionary.shasta
dictionary.3gpp dictionary.cisco.asa dictionary.infoblox dictionary.quiconnect dictionary.shiva
dictionary.3gpp2 dictionary.cisco.bbsm dictionary.infonet dictionary.quintum dictionary.siemens
dictionary.acc dictionary.cisco.vpn3000 dictionary.ipunplugged dictionary.rcntec dictionary.slipstream
dictionary.acme dictionary.cisco.vpn5000 dictionary.issanni dictionary.redcreek dictionary.sofaware
dictionary.actelis dictionary.citrix dictionary.itk dictionary.rfc2865 dictionary.softbank
dictionary.adtran dictionary.clavister dictionary.juniper dictionary.rfc2866 dictionary.sonicwall
dictionary.aerohive dictionary.cnergee dictionary.karlnet dictionary.rfc2867 dictionary.springtide
dictionary.airespace dictionary.colubris dictionary.kineto dictionary.rfc2868 dictionary.starent
dictionary.alcatel dictionary.columbia_university dictionary.lancom dictionary.rfc2869 dictionary.starent.vsa1
dictionary.alcatel-lucent.aaa dictionary.compat dictionary.lantronix dictionary.rfc3162 dictionary.surfnet
dictionary.alcatel.esam dictionary.compatible dictionary.livingston dictionary.rfc3576 dictionary.symbol
dictionary.alcatel.sr dictionary.cosine dictionary.localweb dictionary.rfc3580 dictionary.t_systems_nova
dictionary.alteon dictionary.dante dictionary.lucent dictionary.rfc4072 dictionary.telebit
dictionary.altiga dictionary.dellemc dictionary.manzara dictionary.rfc4372 dictionary.telkom
dictionary.alvarion dictionary.dhcp dictionary.meinberg dictionary.rfc4603 dictionary.telrad
dictionary.alvarion.wimax.v2_2 dictionary.digium dictionary.meraki dictionary.rfc4675 dictionary.terena
dictionary.apc dictionary.dlink dictionary.merit dictionary.rfc4679 dictionary.trapeze
dictionary.aptilo dictionary.dragonwave dictionary.meru dictionary.rfc4818 dictionary.travelping
dictionary.aptis dictionary.efficientip dictionary.microsemi dictionary.rfc4849 dictionary.tripplite
dictionary.arbor dictionary.eltex dictionary.microsoft dictionary.rfc5090 dictionary.tropos
dictionary.arista dictionary.epygi dictionary.mikrotik dictionary.rfc5176 dictionary.ukerna
dictionary.aruba dictionary.equallogic dictionary.mimosa dictionary.rfc5447 dictionary.unix
dictionary.ascend dictionary.ericsson dictionary.motorola dictionary.rfc5580 dictionary.usr
dictionary.ascend.illegal dictionary.ericsson.ab dictionary.motorola.illegal dictionary.rfc5607 dictionary.usr.illegal
dictionary.asn dictionary.ericsson.packet.core.networks dictionary.motorola.wimax dictionary.rfc5904 dictionary.utstarcom
dictionary.audiocodes dictionary.erx dictionary.navini dictionary.rfc6519 dictionary.valemount
dictionary.avaya dictionary.extreme dictionary.net dictionary.rfc6572 dictionary.vasexperts
dictionary.azaire dictionary.f5 dictionary.netscreen dictionary.rfc6677 dictionary.verizon
dictionary.bay dictionary.fdxtended dictionary.networkphysics dictionary.rfc6911 dictionary.versanet
dictionary.bigswitch dictionary.force10 dictionary.nexans dictionary.rfc6929 dictionary.vqp
dictionary.bintec dictionary.fortinet dictionary.nokia dictionary.rfc6930 dictionary.walabi
dictionary.bluecoat dictionary.foundry dictionary.nokia.conflict dictionary.rfc7055 dictionary.waverider
dictionary.boingo dictionary.freedhcp dictionary.nomadix dictionary.rfc7155 dictionary.wichorus
dictionary.bristol dictionary.freeradius dictionary.nortel dictionary.rfc7268 dictionary.wifialliance
dictionary.broadsoft dictionary.freeradius.internal dictionary.ntua dictionary.rfc7499 dictionary.wimax
dictionary.brocade dictionary.freeswitch dictionary.openser dictionary.rfc7930 dictionary.wimax.alvarion
dictionary.bskyb dictionary.gandalf dictionary.packeteer dictionary.rfc8045 dictionary.wimax.wichorus
dictionary.bt dictionary.garderos dictionary.paloalto dictionary.rfc8559 dictionary.wispr
dictionary.cablelabs dictionary.gemtek dictionary.patton dictionary.riverbed dictionary.xedia
dictionary.cabletron dictionary.h3c dictionary.perle dictionary.riverstone dictionary.xylan
dictionary.cambium dictionary.hillstone dictionary.pfsense dictionary.roaringpenguin dictionary.yubico
dictionary.camiant dictionary.hp dictionary.pica8 dictionary.ruckus dictionary.zeus
dictionary.centec dictionary.huawei dictionary.propel dictionary.ruggedcom dictionary.zte
dictionary.checkpoint dictionary.iana dictionary.prosoft dictionary.sangoma dictionary.zyxelDie werden dann im File dictionary inkludiert:
# Copyright (C) 2019 The FreeRADIUS Server project and contributors
# This work is licensed under CC-BY version 4.0 https:{{comment_single_line_double_slash:0}}
#
# Version $Id: b954351fd5bd135752f3b1b931ab7a9f203b934b $
#
# DO NOT EDIT THE FILES IN THIS DIRECTORY
#
# The files in this directory are maintained and updated by
# the FreeRADIUS project. Newer releases of software may update
# or change these files.
#
# Use the main dictionary file (usually /etc/raddb/dictionary)
# for local system attributes and $INCLUDEs.
#
#
#
# This file contains dictionary translations for parsing
# requests and generating responses. All transactions are
# composed of Attribute/Value Pairs. The value of each attribute
# is specified as one of a few data types. Valid data types are:
#
# string - printable text, generally UTF-8 encoded. (The RFCs call this "text")
# ipaddr - 4 octets in network byte order
# ipv4prefix - 1 octet reserved, one octet prefix, 4 octets ipaddr
# integer - 32 bit value in big endian order
# integer64 - 64 bit value in big endian order
# date - 32 bit value in big endian order - seconds since
# 00:00:00 GMT, Jan. 1, 1970
# ifid - 8 octets in network byte order
# ipv6addr - 16 octets in network byte order
# ipv6prefix - 1 octet reserved, one octet prefix, 16 octets ipv6addr
# tlv - type-length-value
#
# FreeRADIUS includes data types which are not defined
# in the RFC's. These data types are:
#
# abinary - Ascend's binary filter format.
# byte - 8 bit unsigned integer
# ether - 6 octets of hh:hh:hh:hh:hh:hh
# where 'h' is hex digits, upper or lowercase.
# short - 16-bit unsigned integer in network byte order
# signed - 32-bit signed integer in network byte order
# octets - raw octets, printed and input as hex strings.
# e.g.: 0x123456789abcdef The RFCs call this "string".
#
# FreeRADIUS uses a number of data types which are defined in
# RFC 6929. These data types should NEVER be used in any other
# dictionary. We won't even list them here.
#
#
# Enumerated values are stored in the user file with dictionary
# VALUE translations for easy administration.
#
# Example:
#
# ATTRIBUTE VALUE
# --------------- -----
# Framed-Protocol = PPP
# 7 = 1 (integer encoding)
#
#
# Include compatibility dictionary for older users file. Move
# this directive to the end of this file if you want to see the
# old names in the logfiles, instead of the new names.
#
$INCLUDE dictionary.compat
#
# These dictionaries define attributes in the IETF managed space.
# (i.e. 1..255). This is wrong. We include them here to allow them.
# The IETF allocated ones are listed below, which gives them priority.
#
# i.e. don't do this. Don't use these attributes
#
$INCLUDE dictionary.usr.illegal
$INCLUDE dictionary.ascend.illegal
#
# IETF allocated attributes and values. Split out into
# the RFC which defined them.
#
# For a complete list of the standard attributes and values,
# see:
# http://www.iana.org/assignments/radius-types
#
$INCLUDE dictionary.rfc2865
$INCLUDE dictionary.rfc2866
$INCLUDE dictionary.rfc2867
$INCLUDE dictionary.rfc2868
$INCLUDE dictionary.rfc2869
$INCLUDE dictionary.rfc3162
$INCLUDE dictionary.rfc3576
$INCLUDE dictionary.rfc3580
$INCLUDE dictionary.rfc4072
$INCLUDE dictionary.rfc4372
$INCLUDE dictionary.rfc4603
$INCLUDE dictionary.rfc4675
$INCLUDE dictionary.rfc4679
$INCLUDE dictionary.rfc4818
$INCLUDE dictionary.rfc4849
$INCLUDE dictionary.rfc5176
$INCLUDE dictionary.rfc5447
$INCLUDE dictionary.rfc5580
$INCLUDE dictionary.rfc5607
$INCLUDE dictionary.rfc5904
$INCLUDE dictionary.rfc6519
$INCLUDE dictionary.rfc6572
$INCLUDE dictionary.rfc6677
$INCLUDE dictionary.rfc6911
$INCLUDE dictionary.rfc6929
$INCLUDE dictionary.rfc6930
$INCLUDE dictionary.rfc7055
$INCLUDE dictionary.rfc7155
$INCLUDE dictionary.rfc7268
$INCLUDE dictionary.rfc7499
$INCLUDE dictionary.rfc7930
$INCLUDE dictionary.rfc8045
$INCLUDE dictionary.rfc8559
#
# Mostly values which have been allocated by IANA under
# "expert review", but which don't have an RFC associated with them.
#
$INCLUDE dictionary.iana
#
# Commented out because of attribute conflicts.
#
#$INCLUDE dictionary.alvarion.wimax.v2_2
#$INCLUDE dictionary.nokia.conflict
#$INCLUDE dictionary.openser
#$INCLUDE dictionary.starent.vsa1
#$INCLUDE dictionary.wimax.wichorus
#
# Vendor dictionaries are listed after the standard ones.
#
$INCLUDE dictionary.3com
$INCLUDE dictionary.3gpp
$INCLUDE dictionary.3gpp2
$INCLUDE dictionary.acc
$INCLUDE dictionary.acme
$INCLUDE dictionary.actelis
$INCLUDE dictionary.adtran
$INCLUDE dictionary.aerohive
$INCLUDE dictionary.airespace
$INCLUDE dictionary.alcatel
$INCLUDE dictionary.alcatel-lucent.aaa
$INCLUDE dictionary.alcatel.esam
$INCLUDE dictionary.alcatel.sr
$INCLUDE dictionary.alteon
$INCLUDE dictionary.altiga
$INCLUDE dictionary.alvarion
$INCLUDE dictionary.apc
$INCLUDE dictionary.aptilo
$INCLUDE dictionary.aptis
$INCLUDE dictionary.arbor
$INCLUDE dictionary.arista
$INCLUDE dictionary.aruba
$INCLUDE dictionary.ascend
$INCLUDE dictionary.asn
$INCLUDE dictionary.audiocodes
$INCLUDE dictionary.avaya
$INCLUDE dictionary.azaire
$INCLUDE dictionary.bay
$INCLUDE dictionary.bigswitch
$INCLUDE dictionary.bintec
$INCLUDE dictionary.bluecoat
$INCLUDE dictionary.boingo
$INCLUDE dictionary.bristol
$INCLUDE dictionary.broadsoft
$INCLUDE dictionary.brocade
$INCLUDE dictionary.bskyb
$INCLUDE dictionary.bt
$INCLUDE dictionary.cablelabs
$INCLUDE dictionary.cabletron
$INCLUDE dictionary.cambium
$INCLUDE dictionary.camiant
$INCLUDE dictionary.centec
$INCLUDE dictionary.checkpoint
$INCLUDE dictionary.chillispot
$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.asa
#
# The Cisco VPN300 dictionary uses the same Vendor ID as the ASA one.
# You shouldn't use both at the same time.
#
# Note : the altiga dictionary, not listed here, also uses the same Vendor ID
#
#$INCLUDE dictionary.cisco.vpn3000
$INCLUDE dictionary.cisco.bbsm
$INCLUDE dictionary.cisco.vpn5000
$INCLUDE dictionary.citrix
$INCLUDE dictionary.clavister
$INCLUDE dictionary.cnergee
$INCLUDE dictionary.colubris
$INCLUDE dictionary.columbia_university
$INCLUDE dictionary.compatible
$INCLUDE dictionary.cosine
$INCLUDE dictionary.dante
$INCLUDE dictionary.dellemc
$INCLUDE dictionary.digium
$INCLUDE dictionary.dlink
$INCLUDE dictionary.dragonwave
$INCLUDE dictionary.efficientip
$INCLUDE dictionary.eltex
$INCLUDE dictionary.epygi
$INCLUDE dictionary.equallogic
$INCLUDE dictionary.ericsson
$INCLUDE dictionary.ericsson.ab
$INCLUDE dictionary.ericsson.packet.core.networks
$INCLUDE dictionary.erx
$INCLUDE dictionary.extreme
$INCLUDE dictionary.f5
$INCLUDE dictionary.fdxtended
$INCLUDE dictionary.force10
$INCLUDE dictionary.fortinet
$INCLUDE dictionary.foundry
$INCLUDE dictionary.freeradius
$INCLUDE dictionary.freeswitch
$INCLUDE dictionary.gandalf
$INCLUDE dictionary.garderos
$INCLUDE dictionary.gemtek
$INCLUDE dictionary.h3c
$INCLUDE dictionary.hillstone
$INCLUDE dictionary.hp
$INCLUDE dictionary.huawei
$INCLUDE dictionary.iea
$INCLUDE dictionary.infinera
$INCLUDE dictionary.infoblox
$INCLUDE dictionary.infonet
$INCLUDE dictionary.ipunplugged
$INCLUDE dictionary.issanni
$INCLUDE dictionary.itk
$INCLUDE dictionary.juniper
$INCLUDE dictionary.karlnet
$INCLUDE dictionary.kineto
$INCLUDE dictionary.lancom
$INCLUDE dictionary.lantronix
$INCLUDE dictionary.livingston
$INCLUDE dictionary.localweb
$INCLUDE dictionary.lucent
$INCLUDE dictionary.manzara
$INCLUDE dictionary.meinberg
$INCLUDE dictionary.meraki
$INCLUDE dictionary.merit
$INCLUDE dictionary.meru
$INCLUDE dictionary.microsemi
$INCLUDE dictionary.microsoft
$INCLUDE dictionary.mikrotik
$INCLUDE dictionary.mimosa
$INCLUDE dictionary.motorola
$INCLUDE dictionary.motorola.wimax
$INCLUDE dictionary.navini
$INCLUDE dictionary.net
$INCLUDE dictionary.netscreen
$INCLUDE dictionary.networkphysics
$INCLUDE dictionary.nexans
$INCLUDE dictionary.nokia
$INCLUDE dictionary.nomadix
$INCLUDE dictionary.nortel
$INCLUDE dictionary.ntua
$INCLUDE dictionary.packeteer
$INCLUDE dictionary.paloalto
$INCLUDE dictionary.patton
$INCLUDE dictionary.perle
$INCLUDE dictionary.pfsense
$INCLUDE dictionary.pica8
$INCLUDE dictionary.propel
$INCLUDE dictionary.prosoft
$INCLUDE dictionary.proxim
$INCLUDE dictionary.purewave
$INCLUDE dictionary.quiconnect
$INCLUDE dictionary.quintum
$INCLUDE dictionary.rcntec
$INCLUDE dictionary.redcreek
$INCLUDE dictionary.riverbed
$INCLUDE dictionary.riverstone
$INCLUDE dictionary.roaringpenguin
$INCLUDE dictionary.ruckus
$INCLUDE dictionary.ruggedcom
$INCLUDE dictionary.sangoma
$INCLUDE dictionary.sg
$INCLUDE dictionary.shasta
$INCLUDE dictionary.shiva
$INCLUDE dictionary.siemens
$INCLUDE dictionary.slipstream
$INCLUDE dictionary.sofaware
$INCLUDE dictionary.softbank
$INCLUDE dictionary.sonicwall
$INCLUDE dictionary.springtide
$INCLUDE dictionary.starent
$INCLUDE dictionary.surfnet
$INCLUDE dictionary.symbol
$INCLUDE dictionary.t_systems_nova
$INCLUDE dictionary.telebit
$INCLUDE dictionary.telkom
$INCLUDE dictionary.telrad
$INCLUDE dictionary.terena
$INCLUDE dictionary.trapeze
$INCLUDE dictionary.travelping
$INCLUDE dictionary.tripplite
$INCLUDE dictionary.tropos
$INCLUDE dictionary.ukerna
$INCLUDE dictionary.unix
$INCLUDE dictionary.usr
$INCLUDE dictionary.utstarcom
$INCLUDE dictionary.valemount
$INCLUDE dictionary.vasexperts
$INCLUDE dictionary.verizon
$INCLUDE dictionary.versanet
$INCLUDE dictionary.walabi
$INCLUDE dictionary.waverider
$INCLUDE dictionary.wichorus
$INCLUDE dictionary.wifialliance
$INCLUDE dictionary.wimax
$INCLUDE dictionary.wispr
$INCLUDE dictionary.xedia
$INCLUDE dictionary.xylan
$INCLUDE dictionary.yubico
$INCLUDE dictionary.zeus
$INCLUDE dictionary.zte
$INCLUDE dictionary.zyxel
#
# And finally the server internal attributes.
# These are attributes which NEVER go into a RADIUS packet.
#
$INCLUDE dictionary.freeradius.internalIch habe bisher noch nichts mit Freeradius gemacht und habe so den Eindruck, dass mir irgendein Basic fehlt, oder irgendetwas grundsätzlich hakt. Wenn noch jemand eine Idee hat, dann bitte hier posten. Ich bin jetzt schon seit Stunden an dem Thema dran und mir gehen langsam die Ideen aus.
Auf Facebook teilen
Auf Twitter teilen
Auf Reddit teilen
Auf Linkedin teilenBitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben
Content-ID: 1768987349
Url: https://administrator.de/contentid/1768987349
Ausgedruckt am: 19.11.2024 um 00:11 Uhr
7 Kommentare
Neuester Kommentar
Was noch möglich ist das ein falscher Auth Type in deiner Konfig im Server Setup gesetzt ist. Eigentlich sollte der in der 3.0er und höher im Default auf Framed stehen.
Du kannst als Workaround mal den Auth Type setzen:
Mac Authentication mit dynam. VLAN Zuordnung (Hier VLAN ID 7 im Beispiel):
Wenn das den Parser Error verschwinden lässt ist der Default Auth Type falsch.
Weitere Infos findest du u.a. auch hier:
Freeradius Management mit WebGUI
Du kannst als Workaround mal den Auth Type setzen:
# Nur MAC Authentication
000039fc9933 Service-Type == Framed-User, User-Password == "000039fc9933" # MAC Auth. und dyn. VLAN
#
000039fc9935 Service-Type == Framed-User, User-Password == "000039fc9935"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 7
# Weitere Infos findest du u.a. auch hier:
Freeradius Management mit WebGUI
@aqui Das war es leider auch nicht. Ich habe hier mal die gesamte Debugausgabe angefügt, vielleicht kann man da noch was erkennen?
Teil 1:
Teil 1:
FreeRADIUS Version 3.0.25
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/date
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/totp
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/utf8
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/rfc7542
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client home-network {
ipaddr = 192.168.2.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
[1mDebug state unknown (cap_sys_ptrace capability not set)[0m
[1msystemd watchdog is disabled[0m
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Teil 2:
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/freeradius/mods-enabled/totp
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/coa
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
/etc/freeradius/mods-config/files/authorize[11]: Parse error (check) for entry Tunnel-Type: Invalid attribute name
Failed reading /etc/freeradius/mods-config/files/authorize
/etc/freeradius/mods-enabled/files[9]: Instantiation failed for module "files" 
Servus @carsten04,
du hast nur vergessen die zum Account zugeordneten Attribut-Zeilen mit einem TAB einzurücken, deswegen auch der Parser-Fehler, einfacher Syntax-Fehler große Wirkung 
https://freeradius.org/radiusd/man/users.html
Grüße Uwe
00235A3F0122 Cleartext-Password := "00235A3F0122"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 10 00235A3F0122 Cleartext-Password := "00235A3F0122"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 10 https://freeradius.org/radiusd/man/users.html
Each entry of the file begins with a username, followed by a (possibly empty) list of check items, all on one line. The next line begins with a tab, and a (possibly empty) list of reply items. Each item in the check or reply item list is an attribute of the form name = value. Multiple items may be placed on one line, in which case they must be separated by commas. The reply items may be specified over multiple lines, in which case each line must end with a comma, and the last line of the reply items must not end with a comma.
Grüße Uwe
2
@colinardo Neiiiiiiiiiiinnnnnnnn, das wars! Vielen Dank! Ich breche gerade im Strahl. Manchmal sieht man den Wald vor lauter Bäumen nicht.
@aqui Vielleicht kannst Du in Deinem Tutorial die Tab-Einrückung noch nachziehen. Ich bin nämlich hingegangen, hab copy and paste gemacht und habe dann an meine Situation angepasst. Ich wäre nie auf die Idee gekommen, dass es an einer Tab-Einrückung liegen könnte. Dafür war dann die Fehlermeldung in dieser Richtung viel zu unspezifisch.
Vielen Dank nochmal für eure Unterstützung!
@aqui Vielleicht kannst Du in Deinem Tutorial die Tab-Einrückung noch nachziehen. Ich bin nämlich hingegangen, hab copy and paste gemacht und habe dann an meine Situation angepasst. Ich wäre nie auf die Idee gekommen, dass es an einer Tab-Einrückung liegen könnte. Dafür war dann die Fehlermeldung in dieser Richtung viel zu unspezifisch.
Vielen Dank nochmal für eure Unterstützung!
Guter Hinweis. Den Punkt füge ich dem Tutorial noch Hinzu. Dank auch an @colinardo für den Hinweis ! Auf das Einfachste kommt man ja oft nicht mehr...
Der ursprüngliche Grund ist aber leider ein schon länger bekannter Bug der Forensoftware den @Frank auch schon länger kennt, der aber leider noch nicht gefixt wurde. ☹️
Nutzt man in den Code Tags den Parameter "type=plain" um z.B. die Zeilennummerung für eine bessere Übersicht zu entfernen, entfernt das leider auch seit kurzem die Formatierung. Leider auch rückwirkend bei bestehenden Code Tags in älteren Posts, so das alles diese "plain" Code Blöcke allesamt linksbündig dargestellt werden ! Das wurde dir leider zum Verhängnis !
Vielleicht nochmal ein Grund für @Frank da schnell tätig zu werden.
Die Code Tabs wurden jetzt entsprechend auf den Standard Type geändert im Tutorial.
Der ursprüngliche Grund ist aber leider ein schon länger bekannter Bug der Forensoftware den @Frank auch schon länger kennt, der aber leider noch nicht gefixt wurde. ☹️
Nutzt man in den Code Tags den Parameter "type=plain" um z.B. die Zeilennummerung für eine bessere Übersicht zu entfernen, entfernt das leider auch seit kurzem die Formatierung. Leider auch rückwirkend bei bestehenden Code Tags in älteren Posts, so das alles diese "plain" Code Blöcke allesamt linksbündig dargestellt werden ! Das wurde dir leider zum Verhängnis !
Vielleicht nochmal ein Grund für @Frank da schnell tätig zu werden.
Die Code Tabs wurden jetzt entsprechend auf den Standard Type geändert im Tutorial.
1Zitat von @aqui:
Nutzt man in den Code Tags den Parameter "type=plain" um z.B. die Zeilennummerung für eine bessere Übersicht zu entfernen, entfernt das leider auch seit kurzem die Formatierung.
Ja, das ist mir vor einiger Zeit auch schon aufgefallen. Frank hat aber momentan noch genug mit der Migration der User-DB zu tun, er wollte in den Blöcken ohne Zeilennummern einen Zeilenumbruch mit Scrollbar implementieren damit man bei langen Zeilen nicht ewig nach rechts scrollen muss und das ist wohl noch nicht ganz fertig.Nutzt man in den Code Tags den Parameter "type=plain" um z.B. die Zeilennummerung für eine bessere Übersicht zu entfernen, entfernt das leider auch seit kurzem die Formatierung.
