
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
0 answers
69 views
Trying to programmatically get the RADIUS certificate
When connecting to a WPA Enterprise access point, operating systems like iOS and macOS display the server certificate to the user if it has not been seen before. However, on Linux, using wpa_supplicant, this prompt does not appear. I have configured wpa_supplicant using a .conf file, but I do not get the server certificate. Is there any way to obtain the certificate when connecting to the AP on Linux? This is one of the configurations I have used:
network={
    ssid="ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your.username@example.com"
    password="yourpassword"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/your_CA_cert.pem"
}
And the usage of wpa_supplicant:
sudo wpa_supplicant -i wlan0 -c /etc/tmp/network.conf -D nl80211 -dd
juvor (149 rep)
Aug 3, 2025, 06:22 AM
1 vote
1 answer
3072 views
Freeradius (radiusd) service can't start on boot but can start manually
I managed to set up a FreeRADIUS server on CentOS 7 using the compiled source at ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.18.tar.gz. Everything works perfectly fine except that the service can't run every time after a reboot. I have to issue the command...
sudo systemctl start radiusd
The service then runs successfully. Below are the logs:
● radiusd.service - FreeRADIUS config by ME.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-01-22 00:10:50 +08; 7s ago
  Process: 2036 ExecStart=/opt/freeradius/sbin/radiusd -d /opt/freeradius/etc/raddb (code=exited, status=0/SUCCESS)
  Process: 2028 ExecStartPre=/opt/freeradius/sbin/radiusd (code=exited, status=0/SUCCESS)
  Process: 2023 ExecStartPre=/opt/freeradius/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 2020 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 2039 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─2039 /opt/freeradius/sbin/radiusd -d /opt/freeradius/etc/raddb
Here is my systemd content for radiusd.service:
[Unit]
Description=FreeRADIUS config by ME.
After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service smb.service nmb.service

[Service]
Type=forking
#PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/opt/freeradius/sbin/radiusd -C
ExecStart=/opt/freeradius/sbin/radiusd -d /opt/freeradius/etc/raddb
ExecReload=/opt/freeradius/sbin/radiusd
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
This is the system log after the reboot:
● radiusd.service - FreeRADIUS config by ME.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2022-01-22 00:32:31 +08; 48s ago
  Process: 1320 ExecStartPre=/opt/freeradius/sbin/radiusd -C (code=exited, status=1/FAILURE)
  Process: 1284 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)

Jan 22 00:32:22 myhost systemd: Starting FreeRADIUS config by ME....
Jan 22 00:32:31 myhost systemd: radiusd.service: control process exited, code=exited status=1
Jan 22 00:32:31 myhost systemd: Failed to start FreeRADIUS config by ME..
Jan 22 00:32:31 myhost systemd: Unit radiusd.service entered failed state.
Jan 22 00:32:31 myhost systemd: radiusd.service failed.
I just don't know where else to look, because this is the only log that I found.
luca ditrimma (111 rep)
Jan 22, 2022, 12:45 AM • Last activity: Jun 19, 2025, 08:03 PM
1 vote
1 answer
179 views
Logrotate for freeradius accounting logs
I have this config for the log detail:
/opt/freeradius/logs/*/detail {
    daily
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    sharedscripts
    maxsize 500M
    postrotate
        /bin/systemctl reload freeradius > /dev/null 2>/dev/null || true
    endscript
}
I have these old logs along with the new logs:
[root@freeradius01 192.168.17.10]# pwd
/opt/freeradius/logs/192.168.17.10
[root@freeradius01 192.168.17.10]# ll
total 56919724
-rwxrwxrwx 1 root root 21048752215 Aug 14 23:59 detail-20240814
-rwxrwxrwx 1 root root 21617187765 Aug 15 23:59 detail-20240815
-rwxrwxrwx 1 root root  5988044800 Aug 16 23:59 detail-20240816
-rwxrwxrwx 1 root root     5947392 Sep 25 23:59 detail-20240925
-rwxrwxrwx 1 root root  7478423552 Oct 21 23:59 detail-20241021
-rwxrwxrwx 1 root root  1907452140 Oct 22 11:19 detail-20241022
[root@freeradius01 192.168.17.10]#
When running logrotate manually, forced and with verbose output, I get this result:
[root@freeradius01 192.168.17.10]# /usr/sbin/logrotate -v -f /etc/logrotate.d/radiusd
reading config file /etc/logrotate.d/radiusd
Reading state from file: /var/lib/logrotate/logrotate.status
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
..
..
Creating new state

Handling logs

rotating pattern: /opt/freeradius/logs/*/detail  forced from command line (4 rotations)
empty log files are not rotated, log files >= 524288000 are rotated earlier, old logs are removed
considering log /opt/freeradius/logs/*/detail
not running postrotate script, since no logs were rotated
[root@freeradius01 192.168.17.10]# ll
total 56919724
-rwxrwxrwx 1 root root 21048752215 Aug 14 23:59 detail-20240814
-rwxrwxrwx 1 root root 21617187765 Aug 15 23:59 detail-20240815
-rwxrwxrwx 1 root root  5988044800 Aug 16 23:59 detail-20240816
-rwxrwxrwx 1 root root     5947392 Sep 25 23:59 detail-20240925
-rwxrwxrwx 1 root root  7478423552 Oct 21 23:59 detail-20241021
-rwxrwxrwx 1 root root  1968389637 Oct 22 11:22 detail-20241022
[root@freeradius01 192.168.17.10]# grep "detail" /var/lib/logrotate/logrotate.status
"/var/log/radius/radacct/*/detail" 2024-3-5-3:0:0
"/opt/freeradius/logs/*/detail" 2024-3-5-3:0:0
[root@freeradius01 192.168.17.10]# date
Tue Oct 22 11:22:45 WAT 2024
[root@freeradius01 192.168.17.10]#
**So the log rotation is not running even though I ran it manually / also the old logs are not compressed!!?**
tmedtcom (485 rep)
Oct 22, 2024, 10:29 AM • Last activity: Oct 23, 2024, 05:09 PM
0 votes
0 answers
54 views
How to allow regular users not admin to change password on FreeRADIUS
I was able to set up a FreeRadius server, but I would like users without admin rights to the server to be able to change their passwords directly through FreeRadius, not through Active Directory or a third-party app.
Sam Chicago (1 rep)
Oct 1, 2024, 04:17 PM
0 votes
0 answers
62 views
Freeradius realms and users issue
I'm currently running freeradius (on v2.1.22, don't shoot me) with sql backend. I need to accept *@randombroadband.co.uk and send an Access Accept. I have defined the realm in proxy.conf as below:
realm randombroadband.co.uk {
    authhost = LOCAL
    nostrip
}
in my users file I have the following:
DEFAULT User-Name =~ "@randombroadband.co.uk"
        Auth-Type := Accept
In the logs we have the following
rad_recv: Access-Request packet from host a.b.c.d port 61384, id=49, length=183
	User-Name = "moo@randombroadband.co.uk"
	User-Password = "moo"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Chargeable-User-Identity = ""
	Acct-Session-Id = "9277500"
	ERX-Dhcp-Mac-Addr = "abcd.0000.0001"
	NAS-Identifier = "LNS1"
	NAS-Port = 4095
	NAS-Port-Id = "-0/0/0.0"
	NAS-Port-Type = Ethernet
	ERX-Pppoe-Description = "pppoe ab:cd:00:00:00:01"
	NAS-IP-Address = a.b.c.d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "randombroadband.co.uk" for User-Name = "moo@randombroadband.co.uk"
[suffix] Found realm "randombroadband.co.uk"
[suffix] Adding Realm = "randombroadband.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] 	expand: %{User-Name} -> moo@randombroadband.co.uk
[files] users: Matched entry DEFAULT at line 165
[files] 	expand: %{User-Name} -> moo@randombroadband.co.uk
++[files] returns ok
[sql] 	expand: %{User-Name} -> moo@randombroadband.co.uk
[sql] sql_set_user escaped user --> 'moo@randombroadband.co.uk'
rlm_sql (sql): Reserving sql socket id: 48
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'moo@randombroadband.co.uk'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'moo@randombroadband.co.uk'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 48
[sql] User moo@randombroadband.co.uk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
So it finds the realm and the user in the user file then seems to ignore the accept and decides to lookup the SQL table. Is there any way to get it to stop that once it gets to the accept?
NetDonkey (1 rep)
Aug 13, 2024, 12:31 PM • Last activity: Aug 13, 2024, 01:42 PM
1 vote
2 answers
7279 views
freeradius test user fails Parse error (reply) for entry test: Expected end of line or comma
I am trying to use the following at the top of my files authorize to test a new RADIUS installation on the default configs.
head /etc/raddb/mods-config/files/authorize
bob Cleartext-Password := "hello"
    Reply-Message := "Hello, %{User-Name}"
test Cleartext-Password := "test"
    Reply-Message := "Hello, %{User-Name}
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
This fails to load at start up, with the last few lines of the logs looking like this:
/sbin/radiusd -f -X -x
.....
Wed Aug 16 16:37:38 2017 : Debug:   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
Wed Aug 16 16:37:38 2017 : Debug: }
Wed Aug 16 16:37:38 2017 : Debug:   (Loaded rlm_files, checking if it's valid)
Wed Aug 16 16:37:38 2017 : Debug:   # Loaded module rlm_files
Wed Aug 16 16:37:38 2017 : Debug:   # Instantiating module "files" from file /etc/raddb/mods-enabled/files
Wed Aug 16 16:37:38 2017 : Debug:   files {
Wed Aug 16 16:37:38 2017 : Debug:     filename = "/etc/raddb/mods-config/files/authorize"
Wed Aug 16 16:37:38 2017 : Debug:     usersfile = "/etc/raddb/mods-config/files/authorize"
Wed Aug 16 16:37:38 2017 : Debug:     acctusersfile = "/etc/raddb/mods-config/files/accounting"
Wed Aug 16 16:37:38 2017 : Debug:     preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
Wed Aug 16 16:37:38 2017 : Debug:     compat = "cistron"
Wed Aug 16 16:37:38 2017 : Debug:   }
Wed Aug 16 16:37:38 2017 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize
Wed Aug 16 16:37:38 2017 : Error: /etc/raddb/mods-config/files/authorize: Parse error (reply) for entry test: Expected end of line or comma
Wed Aug 16 16:37:38 2017 : Error: Failed reading /etc/raddb/mods-config/files/authorize
Wed Aug 16 16:37:38 2017 : Error: /etc/raddb/mods-enabled/files: Instantiation failed for module "files"
nelaaro (1363 rep)
Aug 16, 2017, 04:52 PM • Last activity: May 31, 2024, 05:00 AM
0 votes
1 answer
1104 views
How to configure hostapd service with external RADIUS server?
I am trying to set up an AP with an external RADIUS server using two Linux hosts, one for each service, hostapd and freeradius, correspondingly. These hosts and the Wi-Fi client host are Raspberry Pi 4 units running Ubuntu 22.04.4 LTS (jammy). All hosts have an Ethernet connection to the common LAN (10.1.0.0/24):
- hostA - Wi-Fi AP (10.1.0.22 Ethernet, 192.168.220.1 Wi-Fi)
- hostB - RADIUS server (10.1.0.12 Ethernet)
- hostC - Wi-Fi client (10.1.0.50 Ethernet, 192.168.220.101 Wi-Fi)
I have configured the freeradius server on hostB and I am able to test it from the Wi-Fi client over the Ethernet LAN:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
	User-Name = "testUser1"
	User-Password = "testPassword1"
	NAS-IP-Address = 10.1.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20
Then I bring up the Wi-Fi AP (hostA) configured with the following hostapd.conf content:
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
interface=wlp1s0
driver=nl80211
country_code=CA
ieee80211n=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
disassoc_low_ack=0
ssid=testAP
ieee80211w=0
auth_algs=1
wpa=0
ignore_broadcast_ssid=0

eap_server=0

own_ip_addr=10.1.0.22
auth_server_addr=10.1.0.12 #hostB
auth_server_port=1812
auth_server_shared_secret=testSecret1
The hostapd service is built from the latest code available in the main branch, with the only modification below in the build .config file to disable the integrated RADIUS server:
# Integrated EAP server
CONFIG_EAP=n
I can see that the hostapd service starts properly, with the RADIUS server configuration reported accordingly:
hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED
I can successfully connect the Wi-Fi client (hostC) to the Wi-Fi AP (hostA). However, when I try to do the RADIUS test now over a Wi-Fi network (192.168.220.0/24) targeting Wi-Fi AP to process RADIUS requests, I get the failure:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
	User-Name = "testUser1"
	User-Password = "testPassword1"
	NAS-IP-Address = 10.1.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
	User-Name = "testUser1"
	User-Password = "testPassword1"
	NAS-IP-Address = 10.1.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
	User-Name = "testUser1"
	User-Password = "testPassword1"
	NAS-IP-Address = 10.1.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3
I captured the traffic on the Wi-Fi interface of hostA and see that it responds with an ICMP packet saying Destination unreachable (Port unreachable):
Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  2, 2024 18:18:11.473305000 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1712107091.473305000 seconds
    [Time delta from previous captured frame: 0.000101000 seconds]
    [Time delta from previous displayed frame: 0.000101000 seconds]
    [Time since reference or first frame: 0.000101000 seconds]
    Frame Number: 2
    Frame Length: 155 bytes (1240 bits)
    Capture Length: 155 bytes (1240 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
    [Coloring Rule Name: ICMP errors]
    [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
    Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
        Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 141
    Identification: 0xa48f (42127)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0x9b68 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.220.1
    Destination Address: 192.168.220.101
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x3724 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 113
        Identification: 0xc1e8 (49640)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment Offset: 0
        Time to Live: 64
        Protocol: UDP (17)
        Header Checksum: 0x7edb [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 192.168.220.101
        Destination Address: 192.168.220.1
    User Datagram Protocol, Src Port: 40929, Dst Port: 1812
        Source Port: 40929
        Destination Port: 1812
        Length: 93
        Checksum: 0xbfa6 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
        UDP payload (85 bytes)
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x95 (149)
    Length: 85
    Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
    Attribute Value Pairs
        AVP: t=User-Name(1) l=11 val=testUser1
            Type: 1
            Length: 11
            User-Name: testUser1
        AVP: t=User-Password(2) l=18 val=Encrypted
            Type: 2
            Length: 18
            User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
            Type: 4
            Length: 6
            NAS-IP-Address: 192.168.220.101
        AVP: t=NAS-Port(5) l=6 val=0
            Type: 5
            Length: 6
            NAS-Port: 0
        AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
            Type: 80
            Length: 18
            Message-Authenticator: b4669b2314a4738a956f683b59b645c4
        AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
            Type: 7
            Length: 6
            Framed-Protocol: PPP (1)
What am I missing here?
pahanela (51 rep)
Apr 3, 2024, 01:40 AM • Last activity: Apr 15, 2024, 08:04 PM
0 votes
1 answer
113 views
Freeradius, 2FA
Help me solve the problem with setting up two-factor authentication on FreeRADIUS. FreeRADIUS Version 3.0.20. In general, I configured the second factor for all connecting users, but I can’t configure it so that only certain users are tested for the second factor. Now the workflow is like this: all users are checked against LDAP and for the second factor upon connection. What I want: all users are verified on the LDAP server, and users that are defined in a separate file (only their LDAP logins) are also tested for the second factor. Here is an example of my config that works for all users:
cat /etc/raddb/sites-enabled/default

authorize {
    filter_username
    filter_google_otp
    preprocess

    if ((ok || updated) && Google-Password && !control:Auth-Type) {
        update control {
            Auth-Type := /path_to_script/auth_2fa.py %{User-Name} %{Google-Password}
        }
    }
}
My idea is to add a check after filter_username to see if the user's User-Name matches a user from the file. If a match is found, perform the second-factor test; if not, move on. I really couldn’t find anything like it on the Internet.
filter_username

        if (&User-Name) {
           update control {
                2FA_USERS := check-item {
                    filename = "/etc/raddb/users_2fa",
                    item-name = "%{User-Name}",
                    flags = case-sensitive 
                }
            }

            if (2FA_USERS) {
                filter_google_otp
Perhaps my implementation idea is not suitable. Has anyone encountered such a problem?
Maksym (1 rep)
Mar 27, 2024, 03:17 PM • Last activity: Mar 28, 2024, 08:27 AM
0 votes
0 answers
111 views
Installing PAM radius server on AIX
I was trying to install the radius server on our test server running AIX 7.3. I have performed the following things:
1. Extract the tar file to /tmp, where I have downloaded pam_radius-1.4.0.tar.gz.
2. Modify pam_radius-1.4.0/src/pam_radius_auth.h: on line 80, add #define __sun, just before #ifndef CONST.
3. Configure and compile the changes:
# ./configure
# make
On executing the make command it gives me the following error:
# make
cc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
cc: not found
make: 1254-004 The error code from the last command is 1.
On doing # make CC=gcc it gives me the following error, and I have no idea how to solve it. It would be better if anybody could explain the error to me and had some recent docs on installing radius on AIX 7.3.
# make CC=gcc
gcc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
src/pam_radius_auth.c: In function 'rad_converse':
src/pam_radius_auth.c:1028:40: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1028 |   retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
In file included from src/pam_radius_auth.h:25,
                 from src/pam_radius_auth.c:62:
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
  196 |   void ** item /* Address of place to put pointer */
src/pam_radius_auth.c:1031:25: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [-Wincompatible-pointer-types]
 1031 |   retval = conv->conv(1, msg, &resp,conv->appdata_ptr);
src/pam_radius_auth.c:1031:25: note: expected 'struct pam_message **' but argument is of type 'const struct pam_message **'
src/pam_radius_auth.c: In function 'pam_sm_authenticate':
src/pam_radius_auth.c:1081:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types]
 1081 |   retval = pam_get_user(pamh, &user, NULL);
/usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **'
  221 |   char **user, /* User Name */
src/pam_radius_auth.c:1096:42: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1096 |   retval = pam_get_item(pamh, PAM_RUSER, (CONST void **) &userinfo);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1120:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1120 |   retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1136:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1136 |   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1170:41: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1170 |   retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c: In function 'pam_sm_setcred':
src/pam_radius_auth.c:1290:43: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type [-Wincompatible-pointer-types]
 1290 |   pam_get_data(pamh, "rad_setcred_return", (CONST void **) &pret);
/usr/include/security/pam_appl.h:246:9: note: expected 'void **' but argument is of type 'const void **'
  246 |   void **data
src/pam_radius_auth.c: In function 'pam_private_session':
src/pam_radius_auth.c:1312:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types]
 1312 |   retval = pam_get_user(pamh, &user, NULL);
/usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **'
src/pam_radius_auth.c:1332:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1332 |   retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1300:6: warning: variable 'ctrl' set but not used [-Wunused-but-set-variable]
 1300 |   int ctrl;
src/pam_radius_auth.c: In function 'pam_sm_chauthtok':
src/pam_radius_auth.c:1412:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types]
 1412 |   retval = pam_get_user(pamh, &user, NULL);
/usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **'
src/pam_radius_auth.c:1432:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1432 |   retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1441:46: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1441 |   retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **) &password);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
src/pam_radius_auth.c:1446:43: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types]
 1446 |   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &new_password);
/usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **'
gcc -Wall -fPIC -c src/md5.c -o md5.o
gcc -shared pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
Target "all" is up to date.
Subesh poudel (11 rep)
Dec 15, 2023, 04:04 AM • Last activity: Dec 15, 2023, 01:09 PM
2 votes
2 answers
7022 views
Failed binding to authentication address * port 1812 as server freeradius: Address already in use
When I type the following command on my Ubuntu 16.04: **sudo freeradius -X** I get the message:
```
Failed binding to authentication address * port 1812 as server eduroam: Address already in use
```
I've read previous topics related to that issue, and their problem was that the freeradius service had already been running. But in my case it's true. Here is the output of the command **sudo ps aux | grep freeradius**:
```
tnur      1349  0.0  0.0  12948   932 pts/0    S+   09:44   0:00 grep --color=auto freeradius
```
There is no running freeradius service! What could be the problem in my case?
tnur (21 rep)
Aug 16, 2017, 03:47 AM • Last activity: Mar 27, 2023, 02:14 PM
1 votes
0 answers
184 views
Daloradius showing user as offline
I have a freeradius w/ daloradius server (Linux Mint 21) set up, and everything appears to be working as expected, except for accounting: even when I connect as a user to the wifi (with EAP method type PWD), daloradius reports the user as offline and also tracks no network activity, even though I'm able to browse the internet normally. I've enabled sql in the accounting{} section in the sites-enabled/default file, but still no change. Any ideas on anything I might have missed?
anark10n (11 rep)
Sep 5, 2022, 11:50 AM
0 votes
1 answers
2722 views
how to install eapol_test in ubuntu
I have tried to install the eapol_test package; I read online how to install it, but it didn't work many times. So how can I install eapol_test on Ubuntu in a simple and concise way? (My Ubuntu is 20.04.3.)
محمد محمد (1 rep)
Dec 29, 2021, 06:11 PM • Last activity: Dec 29, 2021, 07:18 PM
-1 votes
1 answers
2879 views
Daloradius Users can't login DB error (MySQL)
I set up Freeradius with the Daloradius WebGUI to manage Users, NAS etc. It works fine: I can log in as admin, create users, and those users can authenticate against the Radius Server (tested with radtest). However the user login, which allows users to change their password, accessed via http://domain.com/daloradius/daloradius-users/login.php doesn't work. When trying to log in with a user account, I get the following error:
```
Database connection error
Error Message: DB Error: connect failed
```
I don't really get why, since the database connection obviously works, because I can log in to the admin interface as admin. Has anyone an idea what is going wrong here? Thanks for all replies in advance.
mlhb (1 rep)
May 23, 2021, 08:30 AM • Last activity: Jun 25, 2021, 08:43 AM
0 votes
1 answers
51 views
What password should I pass when joining my Azure directory with samba
I am on a task to deploy a RADIUS server with Azure AD. I've created the components I need and I've reached the following step. Source: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

[![Image](https://i.sstatic.net/SrWUi.png)](https://i.sstatic.net/SrWUi.png)

When I run this bash command I need to pass a password, but I don't recall giving my user a password. So what password am I supposed to pass here? Thanks, Ahune
Ahune ajé o ahe (1 rep)
Mar 30, 2021, 11:38 AM • Last activity: Mar 30, 2021, 08:14 PM
1 votes
1 answers
1865 views
freeRadius and google-authenticator: how do i get the qr code on a website?
I need to do a setup which I expected to be very common: set up freeRadius and google-authenticator with an existing Active Directory to set up 2FA for Horizon View, and show the qr-code generated by google-authenticator on a website after the user has authenticated with his Windows credentials. I found an ages-old article on how to get this done on [archive.org](http://web.archive.org/web/20150509034720/http://vcdxorbust.com/totpcgi-and-freeradius-with-vmware-view/). Unfortunately, the package totp-cgi mentioned there does not exist on Debian AND depends on pam_url, which apparently I cannot build on Debian, and I have no idea if the needed packages still exist on newer versions of CentOS. Displaying qr-codes on a website should be a problem someone has already solved. What am I missing?
markgraf (2874 rep)
Mar 13, 2020, 03:15 PM • Last activity: Mar 31, 2020, 05:42 PM
0 votes
0 answers
597 views
FreeRADIUS Perl Module "Unknown or invalid value "perl" for attribute Auth-Type"
I am attempting to set up a FreeRadius Server with an OTP (LinOTP) backend in CentOS 7. My issue is loading a perl module needed to link FreeRADIUS to LinOTP. No matter what I try I just keep getting the error below when I try starting radiusd (with "/usr/sbin/radiusd -C -lstdout -xx"):
```
/etc/raddb/mods-config/files/authorize: Parse error (check) for entry DEFAULT: Unknown or invalid value "perl" for attribute Auth-Type
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files: Instantiation failed for module "files"
```
Per the documentation I have completed the following:

- added "DEFAULT Auth-type := perl" as the first and only uncommented line in /etc/raddb/users
- added the module location to /etc/raddb/mods-available/perl
- added the Auth-Type declarations in the site file (/etc/raddb/sites-available/linotp), see below
- I have also tried copying the changes over to the default site, but I get the same issue.

Here are the contents of the relevant files with comments removed (these things are 99% comments).

/etc/raddb/users
```
DEFAULT         Auth-type := perl
```
/etc/raddb/mods-available/perl
```
perl {
        filename = /etc/raddb/mods-config/perl/radius_linotp.pm
}
```
/etc/raddb/sites-available/linotp
```
authorize {
        files
        perl
        if (ok || updated) {
                update control {
                        Auth-Type := Perl
                }
        }
        preprocess
        chap
        mschap
        suffix
        unix
        expiration
        logintime
        pap
}
authenticate {
perl
        Auth-Type Perl {
                perl
         }
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        perl
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
```
/etc/raddb/mods-config/files/authorize
```
DEFAULT         Auth-type := perl
```
And finally, the verbose startup log from running /usr/sbin/radiusd -C -lstdout -x:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/perl
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
main {
 security {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
 }
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 16384
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        colourise = yes
        msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
        max_attributes = 200
        reject_delay = 1.000000
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = >>
        response_window = 20.000000
        response_timeouts = 1
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        revive_interval = 120
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = >>
        nas_type = "other"
        proto = "*"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
 client localhost_ipv6 {
        ipv6addr = ::1
        require_message_authenticator = no
        secret = >>
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
Debugger not attached
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
        rcode = "reject"
        simulcount = 0
        mpp = no
  }
  # Loading module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
        rcode = "fail"
        simulcount = 0
        mpp = no
  }
  # Loading module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
        rcode = "ok"
        simulcount = 0
        mpp = no
  }
  # Loading module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
        rcode = "handled"
        simulcount = 0
        mpp = no
  }
  # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
        rcode = "invalid"
        simulcount = 0
        mpp = no
  }
  # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
        rcode = "userlock"
        simulcount = 0
        mpp = no
  }
  # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
        rcode = "notfound"
        simulcount = 0
        mpp = no
  }
  # Loading module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
        rcode = "noop"
        simulcount = 0
        mpp = no
  }
  # Loading module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
        rcode = "updated"
        simulcount = 0
        mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
        filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
        filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
        filename = "/etc/raddb/mods-config/attr_filter/access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
        filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
        filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  cache cache_eap {
        driver = "rlm_cache_rbtree"
        key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
        ttl = 15
        max_entries = 0
        epoch = 0
        add_stats = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/raddb/mods-enabled/chap
  # Loaded module rlm_date
  # Loading module "date" from file /etc/raddb/mods-enabled/date
  date {
        format = "%b %e %Y %H:%M:%S %Z"
  }
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/raddb/mods-enabled/detail
  detail {
        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  detail auth_log {
        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  detail reply_log {
        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  detail pre_proxy_log {
        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  detail post_proxy_log {
        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loaded module rlm_dhcp
  # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = "request"
        output_pairs = "reply"
        shell_escape = yes
  }
  # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/raddb/mods-enabled/files
  files {
        filename = "/etc/raddb/mods-config/files/authorize"
        acctusersfile = "/etc/raddb/mods-config/files/accounting"
        preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  linelog {
        filename = "/var/log/radius/linelog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = "This is a log message for %{User-Name}"
        reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  linelog log_accounting {
        filename = "/var/log/radius/linelog-accounting"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = ""
        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  logintime {
        minimum_timeout = 60
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
   passchange {
   }
        allow_retry = yes
        winbind_retry_with_normalised_username = no
  }
  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
        shell_escape = yes
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  pap {
        normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
        filename = "/etc/passwd"
        format = "*User-Name:Crypt-Password:"
        delimiter = ":"
        ignore_nislike = no
        ignore_empty = yes
        allow_multiple_keys = no
        hash_size = 100
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  preprocess {
        huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
        hints = "/etc/raddb/mods-config/preprocess/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 384
        caller_id = yes
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
        format = "prefix"
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  soh {
        dhcp = yes
  }
  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
        filename = "/var/log/radius/sradutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 420
        caller_id = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  # Loaded module rlm_perl
  # Loading module "perl" from file /etc/raddb/mods-enabled/perl
  perl {
        filename = "/etc/raddb/mods-config/perl/radius_linotp.pm"
        func_authorize = "authorize"
        func_authenticate = "authenticate"
        func_post_auth = "post_auth"
        func_accounting = "accounting"
        func_preacct = "preacct"
        func_checksimul = "checksimul"
        func_detach = "detach"
        func_xlat = "xlat"
        func_pre_proxy = "pre_proxy"
        func_post_proxy = "post_proxy"
        func_recv_coa = "recv_coa"
        func_send_coa = "send_coa"
  }
  instantiate {
  }
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-config/files/authorize: Parse error (check) for entry DEFAULT: Unknown or invalid value "perl" for attribute Auth-Type
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files: Instantiation failed for module "files"
From this I can see the perl module being loaded but it seems something is not happy about the Auth-Type.
Sama (1 rep)
Sep 25, 2019, 11:32 PM
4 votes
1 answers
29087 views
Freeradius Error binding to port for 0.0.0.0 port 1812
Same problem the other guys have had, but with the difference that the procedure applied to them is not working in my scenario. Let's put things in order. Freeradius on RasPi. Netstat:
```
root@raspberrypi:~# netstat -unpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:59830           0.0.0.0:*                           3574/freeradius
udp        0      0 127.0.0.1:18120         0.0.0.0:*                           3574/freeradius
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           3574/freeradius
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           3574/freeradius
udp        0      0 0.0.0.0:1814            0.0.0.0:*                           3574/freeradius
```
Debug with freeradius -x:
```
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf: Error binding to port for 0.0.0.0 port 1812
```
```
root@raspberrypi:~# ps aux | grep free
freerad   3574  0.0  1.3  54088  6032 ?        Ssl  16:32   0:00 /usr/sbin/freeradius
root      3610  0.0  0.4   3548  1832 pts/0    S+   16:35   0:00 grep free
```
If I kill that process, I get from the freeradius debug:
```
...
adding new socket proxy address * port 50820
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
```
but `radtest "John Doe" hello 127.0.0.1 0 test` does not work because the service is not running. Any suggestions?
Federi (963 rep)
Nov 6, 2015, 04:40 PM • Last activity: Apr 18, 2019, 05:00 PM
0 votes
4 answers
48 views
Bash - changing fileconfig format
I would like to change **THIS:**
```
client 192.168.100.1 {
    secret = ThisIStheSECRET
    shortname = HOSTNAME
}
client 192.168.100.2 {
    secret = ThisIStheSECRET2
    shortname = HOSTNAME2
}
```
into **THAT:**
```
client HOSTNAME {
    secret = ThisIStheSECRET,
    ipaddr = 192.168.100.1
}
client HOSTNAME2 {
    secret = ThisIStheSECRET2,
    ipaddr = 192.168.100.2
}
```
How do I do this? What tools should I use?
Mario_bash (5 rep)
Apr 25, 2018, 12:46 PM • Last activity: Apr 16, 2019, 02:41 PM
1 votes
1 answers
18449 views
How to see version and uptime of running FreeRadius daemon
I have a FreeRadius server doing authentication for my 802.1X infrastructure, on Debian 9.1. How can I see the version and uptime of the running FreeRadius daemon?
Rui F Ribeiro (57882 rep)
Jul 24, 2017, 09:24 PM • Last activity: Apr 16, 2019, 11:11 AM
0 votes
0 answers
71 views
FreeRADIUS VLAN assignment from Open Directory group
I'd like to authenticate and assign WiFi users to different VLANs determined by their Apple Open Directory group. FreeRADIUS has an Open Directory module, however I can't find much information about it. Is it possible to assign a VLAN from a user's group using Open Directory and FreeRADIUS?
user2248702 (101 rep)
Feb 2, 2019, 02:43 PM