$ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
Inner-tunnel
This virtual server handles only inner tunnel requests for EAP-TTLS and PEAP types.
This next section allows testing of the "inner-tunnel" authentication methods. The testing is independent from the "default" server. The example listener here is configured to accept packets only sent from localhost, to localhost.
Note: There are no accounting requests inside of EAP-TTLS or PEAP tunnels.
If the above test works, then the inner tunnel has been configured correctly. To check if PEAP will work, use the following:
$ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
If the above command works, then PEAP should work. If not, then fix the inner tunnel configuration so that it works.
Note: Do not run any PEAP tests. It won’t help. Instead, concentrate on fixing the inner tunnel configuration. Do nothing else.
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
Authorization.
First preprocess (hints and huntgroups files), then realms, and finally look in the "users" file.
The order of the realm modules determines the order in which a matching realm is searched.
Make sure that 'preprocess' comes before any realm if hint setup is required for the remote radius server.
authorize {
When handling a chap
request, if the Auth-Type
has not already been set to chap
, then the chap module will set Auth-Type := CHAP
.
When an MS-CHAP-Challenge
attribute is used for authentication at user login, the mschap module finds
the MS-CHAP-Challenge
attribute and adds Auth-Type := MS-CHAP
to the request. This addition causes the server to use
the mschap module for authentication.
mschap
The module below pulls crypt’d passwords from `/etc/passwd
or /etc/shadow
using the system APIs to get the password. To read /etc/passwd
or /etc/shadow
directly, see the
passwd module.
unix
The following looks for IPASS style 'realm/' and, if not found, looks for '@realm' and decides whether or not to proxy based on those results.
IPASS
When using multiple kinds of realms, it is prudent to set ignore_null = yes
for all of them.
Otherwise, if the first style of realm doesn’t match,
the other styles won’t be checked.
Note: proxying the inner tunnel authentication means that the user may use one identity in the outer session (e.g., "anonymous") and a different one here (e.g., "user@example.com"). The inner session will then be proxied elsewhere for authentication. If this section is not set up correctly, then the user’s actions may cause the authentication to be forwarded to another RADIUS server but the accounting logs would not be sent to the other server. This makes it difficult to bill people for their network activity.
suffix
ntdomain
The "suffix" module takes strips the domain
(e.g., "@example.com") from the User-Name
attribute, and the
next few lines ensure that the request is not proxied.
To proxy the inner tunnel request, delete the next few lines.
update control {
&Proxy-To-Realm := LOCAL
}
This module takes care of EAP-MSCHAPv2
authentication.
It also sets the EAP-Type
attribute in the request
attribute list to the EAP type from the packet.
The example below uses module failover to avoid querying all
of the following modules if the eap module returns ok
.
In this case, the LDAP and/or SQL servers will not be queried
for the many packets that go back and forth to set up TTLS
or PEAP. The load on those servers will therefore be reduced.
eap {
ok = return
}
This section reads the 'users' file.
files
This section looks in an SQL database. The schema of the database is meant to mirror the 'users' file.
See also "Authorization Queries" in sql.conf
The dash before the module name below is so that the server will start if the module is not configured.
-sql
When using /etc/smbpasswd
in combination with
mschap
authentication, uncomment this line and
enable the smbpasswd module.
# smbpasswd
The ldap module reads passwords from the LDAP database.
The dash before the module name below is so that the server will start if the module is not configured.
-ldap
The following enforces daily limits on time spent logged in.
daily
expiration
logintime
If no other module has set Auth-Type
, then try
pap. When PAP
is used, the
other modules listed should add a known good
password to the request
and let another module do the authentication. The
ink:/raddb/mods-available/pap[pap] module will then see that
password and use it to do PAP
authentication.
This module should be listed last so that the other modules
get a chance to set Auth-Type
for themselves.
pap
Authentication
This section lists those modules that are available for authentication.
Note that the order of this list does not mean 'try each module in order'. Instead, look for the configuration attribute Auth-Type := FOO
, which is added by the authorize
section. That authentication type is then
used to pick the appropriate module from the list below.
In general, manually setting the Auth-Type
attribute is not recommended. The server
will usually figure it out on its own and will use the correct authentication method. The
most common side effect of erroneously setting the Auth-Type
attribute is that one authentication method will work but the
others will not.
The common reasons to set the Auth-Type
attribute by hand
are to either forcibly reject the user (Auth-Type := Reject
) or forcibly accept the user (Auth-Type := Accept
).
authenticate {
The following provides PAP authentication when a back-end database listed
in the authorize
section supplies a password. The password can be clear-text or encrypted.
Auth-Type PAP {
pap
}
Most people want CHAP authentication.
For CHAP authentication, back-end databases listed in the authorize
section must supply a Cleartext-Password
attribute; encrypted passwords won’t work.
Auth-Type CHAP {
chap
}
mschap authentication.
Auth-Type MS-CHAP {
mschap
}
Pluggable Authentication Modules (pam).
pam
To use ldap for authentication, uncomment the following line.
Note: uncommenting this line means "check plain-text password against the ldap database". When uncommenting this line, be aware that EAP won’t work, as it does not supply a plain-text password.
Warning
|
Uncommenting this line is not recommended. LDAP servers are databases. They are not authentication servers. FreeRADIUS is an authentication server and thus knows what to do with authentication. LDAP servers do not. |
Auth-Type LDAP {
ldap
}
Allows eap authentication.
eap
The following is a session database that is used for checking Simultaneous-Use. Either the radutmp or sql module can handle this section.
Note: The sql module is much faster than radutmp.
session {
radutmp
See "Simultaneous Use Checking Queries" in sql.conf
sql
Post-Authentication
Once it is known that the user has been authenticated, there are additional steps that can be taken.
Note that the last packet of the inner-tunnel authentication may not be the last packet of the outer session. So updating the outer reply might or might not work. The exact functionality depends on both the inner and outer authentication methods.
If a reply attribute needs to be sent in the outer session,
then the only safe way to send it is to set use_tunneled_reply = yes
and
then to update the inner-tunnel reply.
post-auth {
For privacy to remain, see the
Chargeable-User-Identity
attribute from RFC 4372.
To use it, just uncomment the line below.
cui-inner
To have a log of authentication replies, uncomment the following line and enable the detail reply_log module.
reply_log
After authenticating the user, this section does another SQL query.
See "Authentication Logging Queries" in sql.conf
The dash before the module name below is so that the server will start if the module is not configured.
-sql
Instead of sending the query to the SQL server, the following writes it into a log file.
sql_log
If edir_account_policy_check = yes
has been set in the ldap module sub-section of
the modules
section, then uncomment the following.
ldap
Instead of use_tunneled_reply
, uncomment the
next two update
blocks.
update {
&outer.session-state: += &reply:
}
These attributes are for the inner session only. They must not be sent in the outer reply.
If the previous block is uncommented and
this one is left commented out, then WiFi will not work
because the client will get two MS-MPPE-keys
.
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}
Access-Reject
packets are sent through the REJECT
sub-section of the
post-auth
section.
The following adds the ldap module name (or instance) if
edir_account_policy_check = yes
has been set in the ldap module configuration.
Post-Auth-Type REJECT {
log failed authentications in SQL, too.
-sql
attr_filter.access_reject
The following lets the outer session know which module failed and why.
update outer.session-state {
Module-Failure-Message := &request:Module-Failure-Message
}
When the server proxies a request to a home server, that request is first passed through the pre-proxy stage. This stage can re-write the request or cancel the proxy.
Only a few modules currently have this method.
pre-proxy {
Uncomment the following line to change attributes as defined in the preproxy_users file.
files
Uncomment the following line to filter requests sent to remote servers based on the rules defined in the 'attrs.pre-proxy' file.
attr_filter.pre-proxy
To have a log of packets proxied to a home server, uncomment the following line and the 'detail pre_proxy_log' section.
pre_proxy_log
When the server receives a reply to a request it proxied to a home server, the request may be massaged here in the post-proxy stage.
post-proxy {
To have a log of replies from a home server, uncomment the following line and the 'detail post_proxy_log' section.
post_proxy_log
Uncomment the following line to filter replies from remote proxies based on the rules defined in the 'attrs' file.
attr_filter.post-proxy
When proxying LEAP, the eap module must be configured and it must be listed here in the post-proxy stage.
The nostrip
option must also be used in the realm
configuration. Otherwise, the User-Name
attribute
in the proxied request will not match the user name
hidden inside of the EAP packet, and the end server will
reject the EAP request.
eap
If the server tries to proxy a request and fails, then the request is processed through the modules in this section.
The main use of this section is to permit robust proxying of accounting packets. The server can be configured to proxy accounting packets as part of normal processing. Thus, if the home server goes down, accounting packets can be logged to a local "detail" file for processing with radrelay. When the home server comes back up, radrelay will read the detail file and send the packets to the home server.
With this configuration, the server always responds to
Accounting-Requests
from the NAS, but only writes
accounting packets to disk if the home server is down.
Post-Proxy-Type Fail {
detail
}