diff -ru default-ori /etc/freeradius/sites-available/default
--- original/freeradius/sites-available/default 2010-11-14 18:13:00.000000000 -0300
+++ /etc/freeradius/sites-available/default 2011-11-15 11:49:55.081320643 -0300
--- original/freeradius/sql.conf 2017-01-20 15:42:22.990386917 -0300
+++ /etc/freeradius/sql.conf 2017-01-20 15:42:49.831448774 -0300
@@ -64,7 +64,7 @@
 # If set to 'yes' (default) we read the group tables
 # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
- # read_groups = yes
+ read_groups = yes
 # Remove stale session if checkrad does not see a double login
 deletestalesessions = yes
@@ -105,7 +105,7 @@
 # and security reasons, finding clients via SQL queries CANNOT
 # be done "live" while the server is running.
 #
- #readclients = yes
+ readclients = yes
 # Table to keep radius client info
 nas_table = "nas"
--- etc/freeradius/dialup-mod.conf 2017-01-20 15:43:21.836720515 -0300
+++ /etc/freeradius/sql/mysql/dialup.conf 2017-01-20 15:43:24.924843537 -0300
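Review bot: Turning on `readclients = yes` makes the set of trusted NAS clients come from the `nas` table, which the comment kept in this hunk says cannot be re-read while the server runs, so a client added or revoked in that table only takes effect after a restart. The standard nas schema also stores each client's shared secret, so read access to that table should be limited to the radius database account and changes to it audited the same way edits to clients.conf would be. A one-line note next to the setting would spare the next operator a confusing debugging session: `# NAS clients are loaded from the nas table at startup only; restart after editing it`.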
@@ -287,17 +287,17 @@
 #######################################################################
 # Uncomment simul_count_query to enable simultaneous use checking
- #simul_count_query = "SELECT COUNT(*) \
- #FROM ${acct_table1} \
- #WHERE username = '%{SQL-User-Name}' \
- #AND acctstoptime IS NULL"
+ simul_count_query = "SELECT COUNT(*) \
+ FROM ${acct_table1} \
+ WHERE username = '%{SQL-User-Name}' \
+ AND acctstoptime IS NULL"
- simul_verify_query = "SELECT radacctid, acctsessionid, username, \
- nasipaddress, nasportid, framedipaddress, \
- callingstationid, framedprotocol \
- FROM ${acct_table1} \
- WHERE username = '%{SQL-User-Name}' \
- AND acctstoptime IS NULL"
+# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
+# nasipaddress, nasportid, framedipaddress, \
+# callingstationid, framedprotocol \
+# FROM ${acct_table1} \
+# WHERE username = '%{SQL-User-Name}' \
+# AND acctstoptime IS NULL"
 #######################################################################
 # Authentication Logging Queries
+++ /etc/freeradius/radiusd.conf 2017-01-20 15:43:40.509465219 -0300
--- etc/freeradius/radiusd-mod.conf 2017-01-20 15:43:37.969363797 -0300
@@ -473,7 +473,7 @@
 #
 # allowed values: {no, yes}
 #
- auth = no
+ auth = yes
 # Log passwords with the authentication requests.
 # auth_badpass - logs password if it's rejected
@@ -481,8 +481,8 @@
 #
 # allowed values: {no, yes}
 #
- auth_badpass = no
- auth_goodpass = no
+ auth_badpass = yes
+ auth_goodpass = yes
 # Log additional text at the end of the "Login OK" messages.
 # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
@@ -740,7 +740,7 @@
 # Include another file that has the SQL-related configuration.
 # This is another file only because it tends to be big.
 #
-# $INCLUDE sql.conf
+ $INCLUDE sql.conf
 #
 # This module is an SQL enabled version of the counter module.
+++ /etc/freeradius/policy.conf 2017-01-20 15:44:04.126409923 -0300
--- etc/freeradius/policy-mod.conf 2017-01-20 15:43:58.002164648 -0300
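Review bot: The hunk enables `simul_count_query` but comments out `simul_verify_query`, which leaves the Simultaneous-Use decision to the raw count of radacct rows with `acctstoptime IS NULL`. If I read rlm_sql correctly, the verify query is what lets the server re-check each open session through checkrad and, together with `deletestalesessions = yes` set in sql.conf earlier in this diff, clear rows whose Accounting-Stop was lost; with count only, a single lost Stop keeps counting against the user until someone closes the row by hand. Unless count-only behaviour is intended, keep the verify query active and record the choice: `# verify query kept so stale radacct rows are checked, not merely counted`.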
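Review bot: `auth_badpass = yes` and `auth_goodpass = yes` in the second radiusd.conf hunk write every submitted password, including mistyped ones, in clear text to the authentication log, as the hunk's own comment above them states. That makes the log file and everything that receives it (syslog, collectors, backups) a credential store, so these should stay `no` outside a short, deliberate troubleshooting window, and the log's file permissions should be verified whenever they are enabled. If they must stay on, a comment recording why and until when, `# TEMP: password logging enabled for troubleshooting on <date>; revert`, makes the exception visible to the next reviewer.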
@@ -56,6 +56,56 @@
 # If you want the server to pretend that it is dead,
 # then use the "do_not_respond" policy.
 #
+
+ # Rewrite password if password is empty and user-name have mac format
+ rewrite_password {
+ if (User-Name =~ /([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})/i){
+ if (Password||CHAP-Password){
+
+ #update request {
+ # User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
+ #}
+ update request{
+ Password := "%{User-Name}"
+ }
+ update control {
+ Auth-Type = 'PAP'
+ }
+ }
+
+ }
+ else {
+ noop
+ }
+ }
+
+ #
+ # Rewrite called station id attribute into a standard format.
+ #
+ rewrite_calling_station_id {
+ if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
+ if(Calling-Statind-Id == User-Name){
+ #update request {
+ # User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
+ #}
+
+ if(Password||CHAP-Password){
+ update request{
+ Password := "%{User-Name}"
+ }
+ update control {
+ Auth-Type = 'PAP'
+ }
+ }
+ }
+ }
+ else {
+ noop
+ }
+ }
+
+
+
 do_not_respond {
 update control {
 Response-Packet-Type := Do-Not-Respond
+++ /etc/freeradius/sites-available/default 2017-01-20 15:48:10.227616980 -0300
--- etc/freeradius/default-mod 2017-01-20 15:48:22.860091196 -0300
@@ -66,6 +66,7 @@
 #
 # Make *sure* that 'preprocess' comes before any realm if you
 # need to setup hints for the remote radius server
+server radius {
 authorize {
 #
 # Security settings. Take a User-Name, and do some simple
@@ -93,6 +94,16 @@
 # section, above.
 #
 auth_log
+ # Machine (Calling-Station-ID based) authentication
+ #
+ # RFC 2865 says that a Service-Type value of Call Check is used
+ # to specify this kind of authentication (though were now dealing with ethernet ports instead of lines).
+ #
+ rewrite_password
+ rewrite_calling_station_id
+
+
+
 #
 # The chap module will set 'Auth-Type := CHAP' if we are
 # handling a CHAP request and Auth-Type has not already been set
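Review bot: `if(Calling-Statind-Id == User-Name){` inside rewrite_calling_station_id misspells Calling-Station-Id, so the inner password rewrite can never match as written (in the 2.x unlang I remember, an unknown name on the left of `==` is compared as a literal string; newer versions reject it at startup); the line should read `if (Calling-Station-Id == User-Name) {`. The header comment `# Rewrite password if password is empty and user-name have mac format` contradicts the code, which fires only when `Password||CHAP-Password` is present, and the second block's comment says "called station id" while the policy inspects Calling-Station-Id. Both MAC regexes are unanchored, so any User-Name that merely contains a twelve-hex-digit run in that form is treated as a MAC-based login and has its password overwritten with the User-Name; anchoring them as `/^...$/i` keeps the rewrite to the requests it was written for.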
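Review bot: The comment added above `rewrite_password` in the authorize hunk says RFC 2865 signals this kind of authentication with a Service-Type of Call Check, but neither policy tests Service-Type, so the password rewrite runs on every Access-Request whose User-Name looks like a MAC, ordinary user logins included. Wrapping the two calls, `if (Service-Type == Call-Check) {` / `rewrite_password` / `rewrite_calling_station_id` / `}`, limits the credential rewrite to requests the switch itself marks as MAC authentication, which is what the comment describes. The comment's "though were now dealing" should read "we're". The authorize section continues outside the hunk.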
@@ -167,14 +178,15 @@
 #
 # Read the 'users' file
- files
+ #files
 #
 # Look in an SQL database. The schema of the database
 # is meant to mirror the "users" file.
 #
 # See "Authorization Queries" in sql.conf
-# sql
+ dupsess
+ sql
 #
 # If you are using /etc/smbpasswd, and are also doing
@@ -333,6 +345,16 @@
 preacct {
 preprocess
+ #
+ # Authentication based on Calling-Station-ID
+ #
+ # Calling-Station-ID authentication is usually done by comparing normalised
+ # forms of the Calling-Station-ID and User-name fields.
+ #
+
+ rewrite_calling_station_id
+
+
 #
 # Session start times are *implied* in RADIUS.
 # The NAS never sends a "start time". Instead, it sends
@@ -364,12 +386,12 @@
 # Accounting requests are generally proxied to the same
 # home server as authentication requests.
 # IPASS
- suffix
+# suffix
 # ntdomain
 #
 # Read the 'acct_users' file
- files
+ #files
 }
 #
@@ -403,7 +403,7 @@
 # Log traffic to an SQL database.
 #
 # See "Accounting queries" in sql.conf
-# sql
+ sql
 #
 # If you receive stop packets with zero session length,
@@ -447,11 +469,11 @@
 # or rlm_sql module can handle this.
 # The rlm_sql module is *much* faster
 session {
- radutmp
+ #radutmp
 #
 # See "Simultaneous Use Checking Queries" in sql.conf
-# sql
+ sql
 }
@@ -472,7 +494,7 @@
 # After authenticating the user, do another SQL query.
 #
 # See "Authentication Logging Queries" in sql.conf
-# sql
+ sql
 #
 # Instead of sending the query to the SQL server,
@@ -657,4 +679,4 @@
 # detail
 # }
 }
-
+}
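Review bot: `dupsess`, added just before `sql` in authorize, is not a module shipped with the stock server, so it must be an instance defined in radiusd.conf or modules/ that this diff does not show; if that definition is missing the server should fail at startup with an unknown-module error, and a reader cannot tell from here what it does or why it must run before sql. A comment naming its origin and purpose would help, e.g. `# dupsess: <instance defined in modules/...>; runs before sql to <purpose>` with the placeholders filled in.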
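Review bot: `rewrite_calling_station_id` is also called from preacct in the second hunk, but the policy's only effects are to set `Password` and `Auth-Type` when a password attribute is present, and accounting packets carry neither, so in this section the call is a no-op; the commented-out User-Name normalisation inside the policy is the part that would have mattered for matching radacct rows. Either drop the call here or restore the normalisation, `update request { User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}" }`, if the intent is a canonical MAC in accounting records, and make the section comment say which of the two is expected. The preacct section continues outside the hunk.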