I am guessing I am clueless on how the 3.x dynamic-clients works. It
doesn't seem to read the sql entry properly. Any clues would be greatly
appreciated.
David
radiusd: FreeRADIUS Version 3.0.4 (git #eeaca37), for host
x86_64-unknown-linux-gnu, built on Jul 18 2014 at 09:59:22
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/wimax
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file
/usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/cui
OPTIMIZING no yes --> FALSE
OPTIMIZING no yes --> FALSE
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/control
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "yes"
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
realm example.com {
auth_pool = my_auth_failover
realm LOCAL {
radiusd: #### Loading Clients ####
client dynamic {
ipaddr = 172.16.4.0/24
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
dynamic_clients = "dynamic_clients"
lifetime = 3600
radiusd: #### Instantiating modules ####
instantiate {
modules {
# Loaded module rlm_exec
# Instantiating module "echo" from file
/usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
# Loaded module rlm_wimax
# Instantiating module "wimax" from file
/usr/local/etc/raddb/mods-enabled/wimax
wimax {
delete_mppe_keys = yes
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
# Loaded module rlm_mschap
# Instantiating module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
allow_retry = yes
# Loaded module rlm_pap
# Instantiating module "pap" from file
/usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
# Loaded module rlm_eap
# Instantiating module "eap" from file
/usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
verify {
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
# Loaded module rlm_expr
# Instantiating module "expr" from file
/usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_unpack
# Instantiating module "unpack" from file
/usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_always
# Instantiating module "reject" from file
/usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
# Instantiating module "fail" from file
/usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
# Instantiating module "ok" from file
/usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
# Instantiating module "handled" from file
/usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
# Instantiating module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
# Instantiating module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
# Instantiating module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
# Instantiating module "noop" from file
/usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
# Instantiating module "updated" from file
/usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
# Loaded module rlm_detail
# Instantiating module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file
/usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file
/usr/local/etc/raddb/mods-enabled/dhcp
# Instantiating module "exec" from file
/usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
# Instantiating module "sradutmp" from file
/usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
# Loaded module rlm_soh
# Instantiating module "soh" from file
/usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups =
"/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
# Instantiating module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
# Loaded module rlm_unix
# Instantiating module "unix" from file
/usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Instantiating module "files" from file
/usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
usersfile = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
[/usr/local/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
[/usr/local/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_sql
# Instantiating module "sql" from file
/usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = "localhost"
port = "3306"
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
group_membership_query = "# SELECT groupname # FROM
radusergroup # WHERE username = BINARY '%{SQL-User-Name}' # ORDER
BY priority"
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
post-auth {
reference = ".query"
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
rlm_sql (sql): Opening additional connection (0)
rlm_sql (sql): Opening additional connection (1)
rlm_sql (sql): Opening additional connection (2)
rlm_sql (sql): Opening additional connection (3)
rlm_sql (sql): Opening additional connection (4)
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT id, nasname, shortname, type,
secret, server FROM nas'
rlm_sql (sql): Released connection (4)
# Loaded module rlm_realm
# Instantiating module "IPASS" from file
/usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
# Instantiating module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
# Instantiating module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
# Instantiating module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
# Instantiating module "ntlm_auth" from file
/usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
# Loaded module rlm_utf8
# Instantiating module "utf8" from file
/usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_digest
# Instantiating module "digest" from file
/usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_chap
# Instantiating module "chap" from file
/usr/local/etc/raddb/mods-enabled/chap
# Instantiating module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Instantiating module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Instantiating module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server dynamic_clients { # from file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 60490
Ready to process requests
Received Access-Request Id 211 from 172.16.4.11:1812 to 172.16.4.14:1812
length 190
server dynamic_clients {
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
(0) authorize {
(0) if ("%{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}")
(0) EXPAND %{User-Name}
(0) -->
(0) SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: ' SELECT nasname FROM nas WHERE nasname =
'172.16.4.11''
(0) SQL query returned no results
rlm_sql (sql): Released connection (4)
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}
(0) -->
(0) if ("%{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}") -> FALSE
(0) [ok] = ok
(0) } # authorize = ok
} # server dynamic_clients
- Cannot add client 172.16.4.11: Required attribute
"FreeRADIUS-Client-Secret" is missing.
Ignoring request to auth address * port 1812 as server default from unknown
client 172.16.4.11 port 1812 proto udp
Ready to process requests
doesn't seem to read the sql entry properly. Any clues would be greatly
appreciated.
David
radiusd: FreeRADIUS Version 3.0.4 (git #eeaca37), for host
x86_64-unknown-linux-gnu, built on Jul 18 2014 at 09:59:22
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/wimax
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file
/usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/cui
OPTIMIZING no yes --> FALSE
OPTIMIZING no yes --> FALSE
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/control
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "yes"
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
realm example.com {
auth_pool = my_auth_failover
realm LOCAL {
radiusd: #### Loading Clients ####
client dynamic {
ipaddr = 172.16.4.0/24
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
dynamic_clients = "dynamic_clients"
lifetime = 3600
radiusd: #### Instantiating modules ####
instantiate {
modules {
# Loaded module rlm_exec
# Instantiating module "echo" from file
/usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
# Loaded module rlm_wimax
# Instantiating module "wimax" from file
/usr/local/etc/raddb/mods-enabled/wimax
wimax {
delete_mppe_keys = yes
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
# Loaded module rlm_mschap
# Instantiating module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
allow_retry = yes
# Loaded module rlm_pap
# Instantiating module "pap" from file
/usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
# Loaded module rlm_eap
# Instantiating module "eap" from file
/usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
verify {
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
# Loaded module rlm_expr
# Instantiating module "expr" from file
/usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_unpack
# Instantiating module "unpack" from file
/usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_always
# Instantiating module "reject" from file
/usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
# Instantiating module "fail" from file
/usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
# Instantiating module "ok" from file
/usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
# Instantiating module "handled" from file
/usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
# Instantiating module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
# Instantiating module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
# Instantiating module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
# Instantiating module "noop" from file
/usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
# Instantiating module "updated" from file
/usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
# Loaded module rlm_detail
# Instantiating module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file
/usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file
/usr/local/etc/raddb/mods-enabled/dhcp
# Instantiating module "exec" from file
/usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
# Instantiating module "sradutmp" from file
/usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
# Loaded module rlm_soh
# Instantiating module "soh" from file
/usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups =
"/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
# Instantiating module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
# Loaded module rlm_unix
# Instantiating module "unix" from file
/usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Instantiating module "files" from file
/usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
usersfile = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
[/usr/local/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
[/usr/local/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/usr/local/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_sql
# Instantiating module "sql" from file
/usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = "localhost"
port = "3306"
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
group_membership_query = "# SELECT groupname # FROM
radusergroup # WHERE username = BINARY '%{SQL-User-Name}' # ORDER
BY priority"
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
post-auth {
reference = ".query"
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
rlm_sql (sql): Opening additional connection (0)
rlm_sql (sql): Opening additional connection (1)
rlm_sql (sql): Opening additional connection (2)
rlm_sql (sql): Opening additional connection (3)
rlm_sql (sql): Opening additional connection (4)
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT id, nasname, shortname, type,
secret, server FROM nas'
rlm_sql (sql): Released connection (4)
# Loaded module rlm_realm
# Instantiating module "IPASS" from file
/usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
# Instantiating module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
# Instantiating module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
# Instantiating module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
# Instantiating module "ntlm_auth" from file
/usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
# Loaded module rlm_utf8
# Instantiating module "utf8" from file
/usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_digest
# Instantiating module "digest" from file
/usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_chap
# Instantiating module "chap" from file
/usr/local/etc/raddb/mods-enabled/chap
# Instantiating module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Instantiating module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
# Instantiating module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server dynamic_clients { # from file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
# Loading authorize {...}
} # server dynamic_clients
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 60490
Ready to process requests
Received Access-Request Id 211 from 172.16.4.11:1812 to 172.16.4.14:1812
length 190
server dynamic_clients {
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/dynamic-clients
(0) authorize {
(0) if ("%{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}")
(0) EXPAND %{User-Name}
(0) -->
(0) SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: ' SELECT nasname FROM nas WHERE nasname =
'172.16.4.11''
(0) SQL query returned no results
rlm_sql (sql): Released connection (4)
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}
(0) -->
(0) if ("%{sql: SELECT nasname FROM nas WHERE nasname =
'%{Packet-Src-IP-Address}'}") -> FALSE
(0) [ok] = ok
(0) } # authorize = ok
} # server dynamic_clients
- Cannot add client 172.16.4.11: Required attribute
"FreeRADIUS-Client-Secret" is missing.
Ignoring request to auth address * port 1812 as server default from unknown
client 172.16.4.11 port 1812 proto udp
Ready to process requests