Here you go:
$ cat auth.conf
pidfile = /usr/local/pf/var/run/radiusd.pid
$INCLUDE radiusd.conf
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
virtual_server = packetfence
}
listen {
ipaddr = 10.50.126.16
port = 0
type = auth
virtual_server = packetfence
}
listen {
ipaddr = 10.50.126.16
port = 2083
type = auth+acct
proto = tcp
virtual_server = packetfence
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
tls {
private_key_file = /usr/local/pf/raddb/certs/server.key
certificate_file = /usr/local/pf/raddb/certs/server.crt
ca_file = /usr/local/pf/raddb/certs/ca.pem
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
cipher_list = "DEFAULT"
require_client_cert = yes
}
}
listen {
type = control
socket = /usr/local/pf/var/run/radiusd.sock
mode = rw
}
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also "syslog_facility", below).
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = syslog
#
# Highlight important messages sent to stderr and stdout.
#
# Option will be ignored (disabled) if TERM is not an xterm
# or output is not to a TTY.
#
colourise = yes
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY use
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do things like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = local1
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# For these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
# The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
}
$
From: Fabrice Durand via PacketFence-users <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, January 4, 2018 at 12:44 PM
To: "[email protected]" <[email protected]>
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?
ATTENTION: This email came from an external source. Do not open attachments or
click on links from unknown senders or unexpected emails.
Can you also paste the file /usr/local/pf/raddb/auth.conf ?
On 2018-01-03 at 16:52, Auger, Ivan (ITS) via PacketFence-users wrote:
Here you go:
[root@esppkfence ~]# /usr/local/pf/bin/pfcmd service radiusd generateconfig
service|command
radiusd-acct|config generated
radiusd-auth|config generated
[root@esppkfence ~]# /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fxx -l stdout
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file /usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cli
main {
security {
user = "pf"
group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
continuation_timeout = 15
max_requests = 20000
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 20.000000", forcing to "response_window = 10.000000"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
auth: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
/usr/local/pf/raddb/auth.conf[6]: Listeners of type 'auth' MUST be defined in a server.
[root@esppkfence ~]#
Ivan Auger
Asst Dir Inf Tech Serv 1
Office of Information Technology Services
Biggs Lab, D280, Albany NY 12201
p: (518) 473-0773 | c: (518) 300-0439 | [email protected]
From: Fabrice Durand via PacketFence-users [mailto:[email protected]]
Sent: Wednesday, January 03, 2018 10:11 AM
To: [email protected]
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?
Hello Ivan,
what you can do is the following:
/usr/local/pf/bin/pfcmd service radiusd generateconfig
/usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fxx -l stdout
And paste the debug if the service is not able to start.
Regards
Fabrice
On 2018-01-03 at 09:31, Auger, Ivan (ITS) via PacketFence-users wrote:
Selected radius enforcement in configuration wizard – radius does not start in
last step – everything else starts. Is there something additional that needs
to be defined in /usr/local/pf/conf/pf.conf or in /usr/local/pf/conf/raddb
template directory?
Thanks….
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
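The error quoted in the debug output above ("Listeners of type 'auth' MUST be defined in a server.") is a structural complaint about where a `listen` block sits in auth.conf. As an added example (not code from the thread, PacketFence or FreeRADIUS), here is a small nesting checker that walks a FreeRADIUS-style config and reports every `listen` section that is not enclosed by a `server` block, together with its `type`. The sample config is constructed from the first listener in the pasted auth.conf plus a hypothetical `server packetfence {}` wrapper for contrast; the `$INCLUDE` line is ignored rather than followed.

```python
"""Report FreeRADIUS `listen` sections that sit outside any `server {}` block.

Added example, not part of the mailing-list thread or of PacketFence/FreeRADIUS.
It tracks brace nesting the way a config reader would and flags top-level
listeners, which is the condition the quoted radiusd error complains about.
"""
import re

# Constructed sample: first listener from the pasted auth.conf, then a
# hypothetical server block wrapping a second listener for comparison.
SAMPLE_AUTH_CONF = """\
pidfile = /usr/local/pf/var/run/radiusd.pid
$INCLUDE radiusd.conf
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
virtual_server = packetfence
}
server packetfence {
listen {
type = control
socket = /usr/local/pf/var/run/radiusd.sock
mode = rw
}
}
"""

_OPEN = re.compile(r"^([A-Za-z_][\w-]*)(?:\s+[\w.:-]+)?\s*\{$")   # "name [label] {"
_KV = re.compile(r"^([\w-]+)\s*=\s*(.*?)$")                          # "key = value"

def unparented_listeners(text):
    """Return [(line_no, type)] for each listen block not nested in a server block."""
    stack = []            # names of the sections currently open
    found = []
    current = None        # (line_no, depth) of the top-level listen being scanned
    cur_type = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("$INCLUDE"):
            continue
        m = _OPEN.match(line)
        if m:
            if m.group(1) == "listen" and "server" not in stack:
                current, cur_type = (no, len(stack)), None
            stack.append(m.group(1))
        elif line == "}":
            stack.pop()
            if current and len(stack) == current[1]:   # the flagged listen closed
                found.append((current[0], cur_type))
                current = None
        else:
            m = _KV.match(line)
            # only a "type" set directly inside the flagged listen counts
            if m and current and m.group(1) == "type" and len(stack) == current[1] + 1:
                cur_type = m.group(2)
    return found
```

Running `unparented_listeners(SAMPLE_AUTH_CONF)` reports only the listener at line 3 with type `auth`; the control listener inside `server packetfence` is not reported.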