Re: SQL results going ... wrong
Hi,

>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator ?x�{?(�{?@�{?D�{?�{?D�{?Z�{?]�{?v�{?swinter for attribute +=
>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
>>> Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user
>>> Something looks like accessing memory where it better shouldn't.
>
> What character set encodings are you using for the database? I suspect the database is set UTF8 and your default character encoding on the system you are developing FreeRadius is different.

This does definitely not look like a character encoding issue to me. I've seen lots of these, and I'm using the same database structure all around in our production setup. And the characters being transmitted are all good old plain ASCII characters.

If you check the debug output against what's being sent, you'll see striking mismatches:

    'Invalid operator ... for attribute +='

There is no attribute += - attributes are all RESTENA-AAI-Attribute - which is defined in my dictionaries. The quoted strange-string content contains my username swinter, but the debug output says it considers this to be part of the operator column.

Sorry, but this is beyond character set badnesses. I'll run the same test case with sql module debug on - maybe that sheds more light into what's going wrong.

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL results going ... wrong
On 04/15/2011 06:57 AM, Stefan Winter wrote:
>>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator ?x�{?(�{?@�{?D�{?�{?D�{?Z�{?]�{?v�{?swinter for attribute +=
>>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
>>>> Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user
>>>> Something looks like accessing memory where it better shouldn't.
>>
>> What character set encodings are you using for the database? I suspect the database is set UTF8 and your default character encoding on the system you are developing FreeRadius is different.
>
> This does definitely not look like a character encoding issue to me.
> [...]
> Sorry, but this is beyond character set badnesses. I'll run the same test case with sql module debug on - maybe that sheds more light into what's going wrong.

Maybe try an strace or gdb w/ breakpoint.

Is there any possibility you're pulling an attribute of 253 bytes from the database, which might be stomping the stack? IIRC rlm_sql should prevent that itself, but maybe there are holes in the code.
Re: SQL results going ... wrong
Hi,

> Maybe try an strace or gdb w/ breakpoint.
>
> Is there any possibility you're pulling an attribute of 253 bytes from the database, which might be stomping the stack? IIRC rlm_sql should prevent that itself, but maybe there are holes in the code.

Good idea, but that wasn't it... A mix of D'oh and insufficient input checks by FR.

My mistake was that my table had 4 columns - which contained all the value I cared for, but FreeRADIUS expects 5 - an id column as first. It also expects this first column to be the row denomination integer, but it got a string from me.

I fixed my schema/view and things work just fine now. But: how about a sanity check for SQL along with a more adequate error message?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
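A minimal version of the sanity check Stefan asks for, as an added example (it is not FreeRADIUS code and not part of the thread): it validates the shape of the rows a radcheck-style query returns before they are read positionally, so a missing leading id column or a non-integer id is reported in plain words instead of surfacing as a garbage operator. The expected column order (id, username, attribute, op, value), the operator list, the tiny dictionary and the sample rows are assumptions constructed for the example.

```python
"""Shape check for rows returned by a FreeRADIUS-style radcheck query.

Added example, not FreeRADIUS code. Assumed (hypothetical) layout, matching
the stock radcheck table: (id, username, attribute, op, value). The operator
list is the users-file operator set; the dictionary and sample rows below are
constructed for illustration.
"""

EXPECTED_COLUMNS = ("id", "username", "attribute", "op", "value")
ALLOWED_OPS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=",
               "=~", "!~", "=*", "!*"}


def check_rows(rows, known_attributes):
    """Return a list of problems found in the result set (empty = OK).

    Each row is checked before any positional interpretation, so a table or
    view with a missing leading id column is reported as a column-count
    problem rather than being read with every field shifted by one.
    """
    problems = []
    for n, row in enumerate(rows, start=1):
        if len(row) != len(EXPECTED_COLUMNS):
            problems.append(
                f"row {n}: expected {len(EXPECTED_COLUMNS)} columns "
                f"{EXPECTED_COLUMNS}, got {len(row)}: {row!r}")
            continue  # positional checks would be meaningless
        row_id, _username, attribute, op, value = row
        # The id must be an integer; DB drivers may hand it back as str.
        try:
            int(row_id)
        except (TypeError, ValueError):
            problems.append(f"row {n}: id column {row_id!r} is not an integer")
        if attribute not in known_attributes:
            problems.append(f"row {n}: unknown attribute {attribute!r}")
        if op not in ALLOWED_OPS:
            problems.append(
                f"row {n}: invalid operator {op!r} for attribute {attribute!r}")
        if not isinstance(value, str):
            problems.append(f"row {n}: value {value!r} is not a string")
    return problems


# Constructed sample data: a tiny "dictionary" and three result sets.
KNOWN_ATTRIBUTES = {"RESTENA-AAI-Attribute", "Cleartext-Password"}

# Four-column view as in the thread: the id column is missing.
ROWS_MISSING_ID = [
    ("swinter", "RESTENA-AAI-Attribute", "+=", "some-value"),
]

# Five columns, but the id is the username string instead of an integer.
ROWS_STRING_ID = [
    ("swinter", "swinter", "RESTENA-AAI-Attribute", "+=", "some-value"),
]

# Correct layout (id may arrive as int or as a numeric string).
ROWS_OK = [
    (1, "swinter", "RESTENA-AAI-Attribute", "+=", "some-value"),
    ("2", "swinter", "Cleartext-Password", ":=", "constructed"),
]


if __name__ == "__main__":
    for name, rows in (("missing id", ROWS_MISSING_ID),
                       ("string id", ROWS_STRING_ID),
                       ("ok", ROWS_OK)):
        print(name, check_rows(rows, KNOWN_ATTRIBUTES) or "OK")
```

Running it prints one column-count problem for the four-column view, one non-integer id problem for the second set, and OK for the third; the same function can be run against any query result before it is trusted.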
How can I limit the maximum number of simultaneous logins on a per-user basis?
Hi,

I do have a basic understanding of Freeradius. We have a cisco wlan controller and an open ldap server working together with our freeradius server. (Users can authenticate and can access our wlan.)

Now, we'd like to limit the maximum number of simultaneous logins on a per-user basis, and I saw some information that that should be possible. But how? Where to start?

Thanks for any hint to the doc or some examples!

Best regards . Götz

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats: Prof. Dr. Claudia Hübner
Geschäftsführer: Prof. Thomas Schadt
Radrelay and off-server accounting
Hello List,

I have a problem with radrelay and specifically the IPASS Realm. Attached is the dump of the freeradius -X run.

This is the scenario: I have a server that is radrelaying packets to another server. But for some reason - specifically only the RADIUS realm - it tries to proxy the accounting request. I do not want it to attempt to proxy the accounting request to the IPASS server when it is radrelaying, as it should only store the packet details into sql.

Can anyone perhaps give me an idea how to work around this issue.

Kind Regards,
Etienne Pretorius

    rad_recv: Accounting-Request packet from host *SOURCE-HOST-IP* port 1814, id=90, length=219
            Acct-Session-Id = 332C
            Framed-Protocol = PPP
            Framed-IP-Address = *FRAMED-IP-ADDRESS*
            User-Name = IPASS/*USERNAME*
            X-Ascend-Connect-Progress = LAN-Session-Up
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Calling-Station-Id = 0123454229
            Called-Station-Id = 0300
            NAS-Port-Type = Async
            Connect-Info = 45333/26400 V90/V42bis/LAPM
            NAS-Port = 273
            NAS-Port-Id = Async1/57
            Service-Type = Framed-User
            NAS-IP-Address = *NAS-IP-ADDRESS*
            Acct-Delay-Time = 58387
            UPSTREAMPROVIDER-Access-Type = DIAL
            Proxy-State = 0x3139
            Proxy-State = 0x3239393537
    server default {
    # Executing section preacct from file /etc/freeradius/sites-enabled/default
    +- entering group preacct {...}
    sql_xlat
            expand: %{Stripped-User-Name} -> 
            ... expanding second conditional
            expand: %{User-Name} -> IPASS/*USERNAME*
            expand: %{%{Stripped-User-Name}:-%{User-Name}} -> IPASS/*USERNAME*
    sql_set_user escaped user --> 'IPASS/*USERNAME*'
            expand: SELECT server FROM nas WHERE nasname = '%{NAS-IP-Address}' -> SELECT server FROM nas WHERE nasname = '*NAS-IP-ADDRESS*'
            expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
    rlm_sql (sql): Reserving sql socket id: 118
    rlm_sql_mysql: query: SELECT server FROM nas WHERE nasname = '*NAS-IP-ADDRESS*'
    SQL query did not return any results
    rlm_sql (sql): Released sql socket id: 118
            expand: %{sql: SELECT server FROM nas WHERE nasname = '%{NAS-IP-Address}'} -> 
            ... expanding second conditional
            expand: %{%{sql: SELECT server FROM nas WHERE nasname = '%{NAS-IP-Address}'}:-UPSTREAMPROVIDER} -> UPSTREAMPROVIDER
    ++[control] returns noop
    WARNING: Empty accounting section. Using default return values.
    } # server default
    WARNING: Empty pre-proxy section. Using default return values.
    Sending proxied request internally to virtual server.
    server UPSTREAMPROVIDER {
    # Executing section preacct from file /etc/freeradius/sites-enabled/UPSTREAMPROVIDER
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-IP-Address = *NAS-IP-ADDRESS*,Acct-Session-Id = 332C,User-Name = IPASS/*USERNAME*'
    [acct_unique] Acct-Unique-Session-ID = 0639689086600ad6.
    ++[acct_unique] returns ok
    [IPASS] Looking up realm IPASS for User-Name = IPASS/*USERNAME*
    [IPASS] Found realm IPASS
    [IPASS] Adding Realm = IPASS
    [IPASS] Proxying request from user *USERNAME* to realm IPASS
    [IPASS] Preparing to proxy accounting request to realm IPASS
    ++[IPASS] returns updated
    [KING] Request already proxied. Ignoring.
    ++[KING] returns ok
    [KDIAL] Request already proxied. Ignoring.
    ++[KDIAL] returns ok
    [KADSL] Request already proxied. Ignoring.
    ++[KADSL] returns ok
    # Executing section accounting from file /etc/freeradius/sites-enabled/UPSTREAMPROVIDER
    +- entering group accounting {...}
            expand: %{Packet-Src-IP-Address} -> *SOURCE-HOST-IP*
    ++- entering switch %{Packet-Src-IP-Address} {...}
    +++- entering case *SOURCE-HOST-IP* {...}
    [ok] returns ok
    +++- case *SOURCE-HOST-IP* returns ok
    ++- switch %{Packet-Src-IP-Address} returns ok
    rlm_perl: Added pair NAS-Port-Type = Async
    rlm_perl: Added pair X-Ascend-Connect-Progress = LAN-Session-Up
    rlm_perl: Added pair Acct-Session-Id = 332C
    rlm_perl: Added pair UPSTREAMPROVIDER-Access-Type = DIAL
    rlm_perl: Added pair Proxy-State = 0x3139
    rlm_perl: Added pair Proxy-State = 0x3239393537
    rlm_perl: Added pair Proxy-State = 0x3930
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Acct-Unique-Session-Id = 0639689086600ad6
    rlm_perl: Added pair Called-Station-Id = 0300
    rlm_perl: Added pair Acct-Authentic = RADIUS
    rlm_perl: Added pair Acct-Status-Type = Start
    rlm_perl: Added pair Connect-Info = 45333/26400 V90/V42bis/LAPM
    rlm_perl: Added pair Realm = IPASS
    rlm_perl: Added pair NAS-IP-Address = *NAS-IP-ADDRESS*
    rlm_perl: Added pair NAS-Port-Id = Async1/57
    rlm_perl: Added pair SQL-User-Name = IPASS/*USERNAME*
    rlm_perl: Added pair Calling-Station-Id = 0123454229
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = IPASS/*USERNAME*
    rlm_perl: Added pair Framed-IP-Address = *FRAMED-IP-ADDRESS*
    rlm_perl: Added pair NAS-Port = 273
    rlm_perl: Added pair Acct-Delay-Time =
ASCII NUL in NAS-Filter-Rule
Hi All,

My nas box can use attribute NAS-Filter-Rule from the radius server to construct filter rules per subscriber on the fly. According to rfc 4849 this attribute should contain ascii NUL (0x00) as a delimiter between individual filter rules and at the end of the rules.

Freeradius defines this attribute as a string and I do not know how to create a valid string with a nul character. I changed the attribute type to octets and successfully added the null character, but the whole string was converted to hex as well and the attribute was no longer readable.

How do I send a nul character without changing the attribute type?
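An added example of the framing the question describes (not FreeRADIUS code and not part of the thread): it joins rules with NUL, terminates the list with NUL, splits the result into attribute-sized instances and reassembles them, and prints the 0x... hex literal in which an octets-typed attribute is written. The filter-rule syntax in the samples is constructed and NAS-specific; the 253-byte instance size is the RADIUS attribute payload maximum.

```python
"""Pack and unpack RFC 4849 NAS-Filter-Rule values.

Added example, not FreeRADIUS code. It follows the framing described in the
question: individual rules are separated by ASCII NUL (0x00) and the list
ends with a NUL; a long list may span several attribute instances that the
receiver concatenates before splitting. The rule syntax in the samples is
constructed; the 253-byte limit is the RADIUS attribute payload maximum.
"""

MAX_ATTR_PAYLOAD = 253
NUL = b"\x00"


def encode_rules(rules):
    """Return the attribute instances (list of bytes) carrying `rules`.

    Each rule must be non-empty ASCII without an embedded NUL; otherwise the
    NUL delimiters would be ambiguous on the receiving side.
    """
    if not rules:
        raise ValueError("at least one rule is required")
    for rule in rules:
        if not rule or not rule.isascii() or "\x00" in rule:
            raise ValueError(f"rule is empty, non-ASCII or contains NUL: {rule!r}")
    blob = NUL.join(rule.encode("ascii") for rule in rules) + NUL
    # Split into 253-byte instances; a rule may straddle two of them.
    return [blob[i:i + MAX_ATTR_PAYLOAD]
            for i in range(0, len(blob), MAX_ATTR_PAYLOAD)]


def decode_rules(instances):
    """Reassemble attribute instances and split them back into rules."""
    blob = b"".join(instances)
    if not blob.endswith(NUL):
        raise ValueError("NAS-Filter-Rule list is not NUL-terminated")
    return [part.decode("ascii") for part in blob[:-1].split(NUL)]


def as_octets_literal(instance):
    """Hex form (0x...) in which an octets-typed attribute value is written."""
    return "0x" + instance.hex()


# Constructed sample rules.
SAMPLE_RULES = [
    "permit in ip from any to 10.0.0.0/8",
    "deny in ip from any to any",
]

if __name__ == "__main__":
    for inst in encode_rules(SAMPLE_RULES):
        print(as_octets_literal(inst))
    print(decode_rules(encode_rules(SAMPLE_RULES)))
```

The two sample rules fit one 63-byte instance; twenty copies of a 28-byte rule produce three instances (253, 253 and 74 bytes) and decode back to the same list, which is the case a receiver has to handle when a rule is cut at an instance boundary.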
Re: How can I limit the maximum number of simultaneous logins on a per-user basis?
Hi,

There is simultaneous-use attribute. if you want to set maximum number of simultaneous logins to 1 for user john, you must write:

    john    simultaneous-use := 1

On Fri, April 15, 2011 11:42:19 AM, Götz Reinicke - IT-Koordinator wrote:
> Now, we'd like to limit the maximum number of simultaneous logins on a per-user basis, and I saw some information that that should be possible. But how? Where to start?
Re: How can I limit the maximum number of simultaneous logins on a per-user basis?
Hi and thanks,

what about all my users in ldap? I tried to set

    DEFAULT Simultaneous-Use := 1
            Fall-Through = 1

in /etc/raddb/users, but with no success.

/usr/share/doc/freeradius-2.1.9/Simultaneous-Use is a little bit confusing and 'short' for me

Regards . Götz

Am 15.04.11 10:50, schrieb ziko:
> Hi,
>
> There is simultaneous-use attribute. if you want to set maximum number of simultaneous logins to 1 for user john, you must write:
>
>     john    simultaneous-use := 1

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats: Prof. Dr. Claudia Hübner
Geschäftsführer: Prof. Thomas Schadt
Re: Radrelay and off-server accounting
Hello List,

> [IPASS] Looking up realm IPASS for User-Name = IPASS/*USERNAME*
> [IPASS] Found realm IPASS
> [IPASS] Adding Realm = IPASS
> [IPASS] Proxying request from user *USERNAME* to realm IPASS
> [IPASS] Preparing to proxy accounting request to realm IPASS

There is no packet that leaves this server (tcpdump agrees), which is correct since it is a radrelayed packet. The server that radrelayed the request never receives a response from the server whose freeradius -X dump is attached in the previous email.

Kind Regards,
Etienne Pretorius
Proxy state attribute in accounting
Hello Community,

I am doing store and proxy accounting to different servers. Now I want to remove the proxy-state attribute from the proxied packet. The problem is that other accounting servers that are not FreeRadius are not accepting the proxy-state attribute, so they are not sending the accounting response back. This makes the detail file size increase.

I am using FreeRadius version 2.1.10 with the robust-accounting configuration. The proxy servers are being load-balanced, and the detail file is being created correctly.

Thank you
Waqas Toor
Re: MAC Address and Username Binding on FreeRADIUS - Resolved
Hi,

Thanking each and everyone who helped me with their useful hints and suggestions in implementing FreeRADIUS for authenticating, accounting and authorizing my WiFi clients. I used the huntgroups to bind the username and mac addresses.

Special thanks to Alan.

Regards,
Syed
Re: Radrelay and off-server accounting
Hello List,

When I change the REALM to the following:

    realm IPASS {
            nostrip
            #pool = IPASS
            Proxy-To-Realm := LOCAL
    }

It works, but now this server can not authenticate for IPASS. So I am sure that something is wrong with radrelaying to a realm that needs to acct off another server...

Kind Regards,
Etienne Pretorius
WildCard/Subject Alternative Names Cert Question
Hello.

I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We've recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered by the wildcard common name on the certificate; however, I have a subject alternative name specifying the RADIUS server hostname on it as well.

On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities checked off.) If I uncheck validate the cert, I am then able to connect. As soon as I place the old cert back in place, validation works fine. The old cert was a free single-name cert from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that has the server name as a subject alternative name, as it is not covered by the wildcard common name we are using - I generated the CSR for this certificate copy using the tools in freeradius (XPExtensions and whatnot.)

Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names? I tried including the CA Cert in a chain file and not including it and had the same results either way. I know the CA is trusted by Microsoft as this same wildcard cert works in our web applications.

Tom

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
Re: WildCard/Subject Alternative Names Cert Question
On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.

This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert.

Anyway... Section 3.2.7.1 of MS-WSH says:

    If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames.

i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused.
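To make the name-matching question in this thread concrete, here is an added example (not FreeRADIUS, Microsoft or supplicant code) that decides whether a certificate's names cover a RADIUS server hostname the way a subjectAltName-honouring supplicant is expected to. A certificate is modelled only by its subject CN and its SAN dNSName list; the matching rules are those of RFC 6125 section 6.4 (CN ignored when dNSName entries exist, case-insensitive comparison, a wildcard stands for exactly one whole leftmost label), and all hostnames are made up.

```python
"""Does a server certificate's names cover a RADIUS server hostname?

Added example, not FreeRADIUS, Microsoft or supplicant code. A certificate
is modelled by its subject CN and its subjectAltName dNSName list
(constructed values). Matching follows RFC 6125 section 6.4: when dNSName
entries are present the CN is not consulted, comparison is case-insensitive,
and a wildcard must be the whole leftmost label and matches exactly one
label. The hostnames below are made up.
"""


def name_matches(pattern, hostname):
    """True if a certificate name (possibly wildcarded) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard ("*.edu" is
        # not accepted) and exact equality of the remaining labels.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial wildcards such as "rad*.example.edu" refused
    return p_labels == h_labels


def cert_covers(common_name, san_dns_names, hostname):
    """Return (covered, reason) for a cert described by CN and SAN dNSNames."""
    if san_dns_names:
        for name in san_dns_names:
            if name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, ("subjectAltName present but no dNSName matches "
                       f"{hostname!r}; CN {common_name!r} is not consulted")
    if name_matches(common_name, hostname):
        return True, f"matched CN {common_name!r} (no subjectAltName present)"
    return False, f"CN {common_name!r} does not match {hostname!r}"


# Constructed certificates, mirroring the situation in the thread.
RADIUS_HOST = "radius.it.example.edu"
# Wildcard cert with the RADIUS host added as a SAN (the new DigiCert-style cert).
WILDCARD_WITH_SAN = ("*.example.edu", ["*.example.edu", RADIUS_HOST])
# Plain wildcard cert without the extra SAN.
WILDCARD_ONLY = ("*.example.edu", ["*.example.edu"])
# Old single-name cert: CN only, no SAN extension.
SINGLE_NAME = (RADIUS_HOST, [])

if __name__ == "__main__":
    for label, (cn, sans) in (("wildcard+SAN", WILDCARD_WITH_SAN),
                              ("wildcard only", WILDCARD_ONLY),
                              ("single name", SINGLE_NAME)):
        print(label, cert_covers(cn, sans, RADIUS_HOST))
```

With these rules the wildcard cert covers radius.it.example.edu only through the extra SAN entry, since "*.example.edu" does not reach two labels deep; the reason string is what a defender would want a supplicant log to say when validation fails.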
error on SQL HOWTO page
Hello All,

the SQL HOWTO page at:

    http://wiki.freeradius.org/SQL_HOWTO

has an incorrect instruction. Where it says:

    Your radiusd.conf should then look something like this:

it should be:

    Your default file should then look something like this:

Thanks,
Rich

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/
EAP session ... did not finish! with VPN connections
Hi,

this is another attempt of mine to find out how to cope with the `EAP session ... did not finish' warning ...

I have:

    OS: FreeBSD-8.x amd64
    FreeRADIUS v.2.1.10

core freeradius configured with eap-tls, devices in my lan

    Symbian (Nokia E51, E52, E71, E72, E90)
    Android (HTC DesireS)
    Maemo (Nokia N900)
    xNIX (ASUS EeePC900)
    WindowsXP (various hardware)

receiving authorization and ip address via dhcp without any problem, but remote symbian devices behind vpn sometimes experience troubles ... in `radiusd -X' output, the problem looks this way:

    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 44 ID 6 with timestamp +3088
    WARNING: !!
    WARNING: !! EAP session for state 0x3866e92b3b62e4aa did not finish!
    WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
    WARNING: !!
    Ready to process requests.

The same remote symbian device which experienced problems via vpn is experiencing no problem if I try to get authorization for it from the lan, or if I install a clone (the same version with the same configuration) of core freeradius locally at the remote vpn side; then I can get authorization for the device which was unable to get it with core freeradius remotely.

So, what can be the cause of this weird behaviour?

-- 
Zeus V. Panchenko
IT Dpt., IBS ltd                GMT+2 (EET)
RE: WildCard/Subject Alternative Names Cert Question
When you say client EAP tracing do you mean on the Microsoft side, or is there something you can do on the freeradius side? When I look up EAP tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: Phil Mayers
Sent: Friday, April 15, 2011 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: WildCard/Subject Alternative Names Cert Question

> This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert.
> [...]
> i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused.
Apply Exception in Accounting Packets
Hello,

Is it possible to NOT count Accounting packets (Input/Output) from a user to a special destination? (I don't want to charge a PPPOE user who downloads a file from the local network.)

I know that FreeRadius just uses the information that the NAS has sent, but I want to know whether anybody has any idea?

Regards,
Nasser