Using multiple authentication modules.
Hello everyone,

I am trying to authenticate users using client certificates and, when that is verified, I intend to use the perl module for checking other attributes and verify them from a database. Till now I was trying to configure freeradius to do EAP-TLS and then execute the perl module (rlm_perl). Both of them work perfectly fine independently but I do not know if we can put them together. I believe I can do something similar (checking the certificate using EAP and then executing a script) using exec-program-wait, but considering its deprecation and per-thread overhead I would prefer rlm_perl. Any help is appreciated.

Regards,
Kumar Mrinal

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to conf VLAN assign, mac-auth-bypass, and redirect url?
hi all, can anyone show me how to conf VLAN assign, mac-auth-bypass, and redirect url? thank you very much
Re: Implementing SQL Insert/logging for SoH.
On 2 Aug 2011, at 16:09, Palmer J.D.F. wrote:

>>> Didn't think xlat could do inserts and updates?
>>
>> I wrote the patch to add the functionality and it's been in the server code for about the past three years :)
>
> Good stuff. :)
>
> The source of rlm_sql.c still states only
>
>     ... * sql xlat function. Right now only SELECTs are supported.

Yeah, it's just to scare off the uninitiated. I guess I should really fix it :)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
RE: Forwarding Accounting Packets
Hi Alan,

I installed freeradius 2.1.11 as you suggested and tried to use the replicate module. It seems that it is not working for me, maybe I am not configuring it properly...

In the replicate module I have the following:

    replicate {
        update control {
            Replicate-To-Realm := AL_realm
        }
    }

And in the accounting section in the 'default' file I have 'replicate' entered. Is there something I'm doing wrong? The proxy.conf file seems fine, since Proxy-To-Realm works just fine.

Thanks and regards,
Andrew

-----Original Message-----
From: freeradius-users-bounces+andrew.tonna=vodafone@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, August 02, 2011 1:53 PM
To: FreeRadius users mailing list
Subject: Re: Forwarding Accounting Packets

Tonna, Andrew, VF-MT wrote:
> I am trying to set up the radius server so that it forwards all accounting packets to a remote radius server without having to wait for a reply.

Use version 2.1.11 (or git v2.1.x branch), and see src/modules/replicate

Alan DeKok.
Re: Using multiple authentication modules.
Mrinal K sinha.mri...@gmail.com wrote:
> I am trying to authenticate users using client certificates and, when that is verified, I intend to use the perl module for checking other attributes and verify them from a database. Till now I was trying to configure freeradius to do EAP-TLS and then execute the perl module (rlm_perl). Both of them work perfectly fine independently but I do not know if we can put them together. I believe I can do something similar (checking the certificate using EAP and then executing a script) using exec-program-wait, but considering its deprecation and per-thread overhead I would prefer rlm_perl.

Without including your FreeRADIUS configuration there is very little anyone here can do to help you, other than ask: have you just tried using both modules?

    authorize {
        ...
        eap
        perl
        ...
    }

    authenticate {
        eap
        perl
    }

Cheers

--
Alexander Clouter
.sigmonster says: Yow! Is my fallout shelter termite proof?
Re: Forwarding Accounting Packets
Um... why are you... nevermind.

Ok, so you need to set the realm you want to replicate to, then call 'replicate'. Something like:

    preacct {
        update control {
            Replicate-To-Realm := 'AL_realm'
        }
    }

    accounting {
        replicate
    }

I've tested this very recently on 3.x (master) and it works fine.

-Arran

On 4 Aug 2011, at 12:05, Tonna, Andrew, VF-MT wrote:

> Hi Alan,
>
> I installed freeradius 2.1.11 as you suggested and tried to use the replicate module. It seems that it is not working for me, maybe I am not configuring it properly...
>
> In the replicate module I have the following:
>
>     replicate {
>         update control {
>             Replicate-To-Realm := AL_realm
>         }
>     }
>
> And in the accounting section in the 'default' file I have 'replicate' entered. Is there something I'm doing wrong? The proxy.conf file seems fine, since Proxy-To-Realm works just fine.
>
> Thanks and regards,
> Andrew
>
> -----Original Message-----
> From: freeradius-users-bounces+andrew.tonna=vodafone@lists.freeradius.org On Behalf Of Alan DeKok
> Sent: Tuesday, August 02, 2011 1:53 PM
> To: FreeRadius users mailing list
> Subject: Re: Forwarding Accounting Packets
>
> Tonna, Andrew, VF-MT wrote:
>> I am trying to set up the radius server so that it forwards all accounting packets to a remote radius server without having to wait for a reply.
>
> Use version 2.1.11 (or git v2.1.x branch), and see src/modules/replicate
>
> Alan DeKok.
Re: how to conf VLAN assign, mac-auth-bypass, and redirect url?
> can anyone show me how to conf VLAN assign, mac-auth-bypass, and redirect url?

For VLAN assignment see http://www.rfc-editor.org/rfc/rfc3580.txt; the other features you mentioned are specific to your NAS model and vendor, so I suggest you contact their support centre or read through the manuals included with your NAS.

If you want information on inserting or modifying attributes see `man unlang`

-Arran
Re: Change my submission
> Hi, I would like to receive individual emails from this list, but how??

as already said - http://lists.freeradius.org/mailman/listinfo/freeradius-users

(if you follow the link that's on the bottom of the list sig or look at the mailing list headers you'll get the same info)

right at the bottom, you will see a bit that says

    To unsubscribe from Freeradius-Users, get a password reminder, or change your subscription options enter your subscription email address:

..do that.

alan
Re: Forwarding Accounting Packets
On Thu, Aug 4, 2011 at 5:18 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> Um... why are you... nevermind.
>
> Ok, so you need to set the realm you want to replicate to, then call 'replicate'. Something like:
>
>     preacct {
>         update control {
>             Replicate-To-Realm := 'AL_realm'
>         }
>     }
>
>     accounting {
>         replicate
>     }

... and in case it's not obvious already, do NOT edit raddb/modules/replicate. The changes should be in raddb/sites-available/default (or whatever file your virtual server is in).

Also, since 2.1.11 is known to have some bugs, better upgrade to the latest v2.1.x snapshot from git.

--
Fajar
Re: Forwarding Accounting Packets
Tonna, Andrew, VF-MT wrote:
> I installed freeradius 2.1.11 as you suggested and tried to use the replicate module. It seems that it is not working for me,

See the FAQ for "it doesn't work". Really.

Posting the debug output is *infinitely* more useful than saying "it doesn't work".

Alan DeKok.
RE: Forwarding Accounting Packets
Thanks Fajar, it's working fine now.

Andrew

-----Original Message-----
From: freeradius-users-bounces+andrew.tonna=vodafone@lists.freeradius.org On Behalf Of Fajar A. Nugraha
Sent: Thursday, August 04, 2011 1:28 PM
To: FreeRadius users mailing list
Subject: Re: Forwarding Accounting Packets

On Thu, Aug 4, 2011 at 5:18 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> Um... why are you... nevermind.
>
> Ok, so you need to set the realm you want to replicate to, then call 'replicate'. Something like:
>
>     preacct {
>         update control {
>             Replicate-To-Realm := 'AL_realm'
>         }
>     }
>
>     accounting {
>         replicate
>     }

... and in case it's not obvious already, do NOT edit raddb/modules/replicate. The changes should be in raddb/sites-available/default (or whatever file your virtual server is in).

Also, since 2.1.11 is known to have some bugs, better upgrade to the latest v2.1.x snapshot from git.

--
Fajar
num_answers_to_alive
Hi,

the configuration of 2.1.10 has the parameter num_answers_to_alive in proxy.conf. Looking at the source code, I found that instead, in realms.c, the config option num_pings_to_alive is used. num_answers is read from the config, but never referenced.

If that's the case, then the config option in proxy.conf should be changed to be num_pings_to_alive, otherwise people will likely fail to tweak the value.

Speaking of tweaking the value, I also found

    if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
    if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;

The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Accept a number of MAC address per login
Hello,

I would like to authorize a user to connect to the freeradius server with a maximum of 3 PCs. I added a counter, an attribute for the check-name and a line in the radcheck table, but for my counter I'd like a query like this:

    SELECT COUNT(DISTINCT CallingStationId)
    FROM radcheck
    WHERE UserName = 'user_login' AND CallingStationId != 'MAC_client'

But there is, I think, only one key and I need two. How can I do it?

Thanks for your help!
Re: num_answers_to_alive
Stefan Winter stefan.win...@restena.lu wrote:
> The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

Similar to 'link flapping' (think OSPF/BGP), you should use heuristics, as things are not just black and white. If a service simply had two states, up and down, then that probably would be okay, but we also have 'unstable'. Imagine this state coming from:

 * overloaded RADIUS server (or backend DB)
 * link congestion between RADIUS servers

Having a value of three says not just "alive" but "alive and has been for a while"; this could be further interpreted as the service being stable as well as alive. If the system briefly came back and died, then on attempt two or three you would have likely seen a failure.

Hope I am explaining myself well :)

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #256: You need to install an RTFM interface.
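An added example, not code from this thread or from the FreeRADIUS source: a small Python simulation of the dead-to-alive heuristic discussed above, with the 3..10 clamp quoted from realms.c. It replays constructed probe outcomes against a "flapping" server and a cleanly recovered one, and simplifies FreeRADIUS's real zombie/dead state machine to a single down state.

```python
"""Simulated dead-to-alive heuristic for a RADIUS home server.

Added example; not code from this thread or from the FreeRADIUS source.
A home server that is down gets probed and is marked alive again only
after `num_answers_to_alive` consecutive replies. FreeRADIUS's real state
machine (zombie period, Status-Server checks, response windows) is
simplified here to a single "dead" state.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

DEAD = "dead"
ALIVE = "alive"


def clamp_num_answers_to_alive(n: int) -> int:
    """Mirror the range check quoted from realms.c: values outside 3..10
    are silently forced back into that range, so asking for 1 yields 3."""
    if n < 3:
        n = 3
    if n > 10:
        n = 10
    return n


@dataclass
class HomeServer:
    name: str
    num_answers_to_alive: int
    state: str = DEAD
    consecutive_answers: int = 0
    # (probe number, new state) for every transition, so flapping is visible
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self, step: int, answered: bool) -> str:
        """Feed the outcome of one probe (True = reply received, False = timeout)."""
        if answered:
            self.consecutive_answers += 1
            if self.state == DEAD and self.consecutive_answers >= self.num_answers_to_alive:
                self.state = ALIVE
                self.transitions.append((step, ALIVE))
        else:
            # One timeout resets the streak: "alive" must be earned consecutively.
            self.consecutive_answers = 0
            if self.state == ALIVE:
                self.state = DEAD
                self.transitions.append((step, DEAD))
        return self.state


def run(name: str, num_answers_to_alive: int, replies: List[bool]) -> List[Tuple[int, str]]:
    """Replay a probe outcome sequence and return the list of state transitions."""
    hs = HomeServer(name, num_answers_to_alive)
    for step, answered in enumerate(replies, start=1):
        hs.probe(step, answered)
    return hs.transitions


def times_burned(transitions: List[Tuple[int, str]]) -> int:
    """How often the server was trusted (marked alive) and then failed again,
    i.e. how many times real requests would have been routed into an unstable server."""
    return sum(1 for _, state in transitions if state == DEAD)


# Constructed probe outcomes (not captured from a real server).
# FLAPPING is the "unstable" case from the reply above: the server answers,
# times out, answers, times out, and only then genuinely recovers.
FLAPPING = [True, False, True, False, True, True, True, True]
# RECOVERED is a clean fix: every probe after the outage is answered.
RECOVERED = [True, True, True, True, True]


if __name__ == "__main__":
    for threshold in (1, 3):
        t = run("home1", threshold, FLAPPING)
        print(f"num_answers_to_alive={threshold}: transitions={t} burned={times_burned(t)}")
    print("clamped value for a configured 1:", clamp_num_answers_to_alive(1))
```

With the threshold of 1 the flapping server is trusted and dropped twice before it settles; with 3 it is marked alive once, at the seventh probe, while a cleanly recovered server is still alive by its third reply.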
RE: num_answers_to_alive
Yup. Typically once something fails I consider it questionable / unstable until it proves itself to me again. The routing / circuit analogy is a perfect example. Many HA things allow the user to configure preemption or not - such that once the primary node fails and the secondary takes over, when the primary is believed to be healthy again, does it automatically become the primary again - OR - must the admin manually make it the primary again? Personally, preemption is disabled in all my HA routers, firewalls, etc. Once something fails I want to review / analyze the failure and validate it's stable before I trust it again and start running traffic through it!

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Alexander Clouter
Sent: Thursday, August 04, 2011 9:20 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: num_answers_to_alive

Stefan Winter stefan.win...@restena.lu wrote:
> The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

Similar to 'link flapping' (think OSPF/BGP), you should use heuristics, as things are not just black and white. If a service simply had two states, up and down, then that probably would be okay, but we also have 'unstable'. Imagine this state coming from:

 * overloaded RADIUS server (or backend DB)
 * link congestion between RADIUS servers

Having a value of three says not just "alive" but "alive and has been for a while"; this could be further interpreted as the service being stable as well as alive. If the system briefly came back and died, then on attempt two or three you would have likely seen a failure.

Hope I am explaining myself well :)

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #256: You need to install an RTFM interface.
Help: Is there a way to make radius let all clients authenticate?
Hi Friends,

I'd like some help with the following situation:

I have an infrastructure with about 2,000 clients authenticating on a radius server, which is fed by a third-party CRM. Although the radius is working to authenticate people, it isn't having the expected performance. Due to that we will change hardware and software, but we have to do this in a production environment.

In order to avoid trouble and a lot of clients not authenticating during the process of changes, is there a way to make radius allow all clients to authenticate with a default bandwidth and configuration, but not checking MAC or username and password?

Thanks
Virtual Servers, the Realms Module, and Proxying
Our goal here is to use a variety of virtual servers in our FreeRADIUS instance to allow us to isolate handling of a variety of different sorts of users. As such, there's a fair bit of proxying going on, but much is just going to the virtual servers, and we'd like to be able to use the behavior of the realms module to make this work for us.

Unfortunately, I haven't seen any way to get some of those attributes that the Realm module inserts to continue through after being proxied, as they're 'internal' attributes and not wire attributes. I'd like for the Stripped-User-Name and Realm attributes to be available to the far side of the proxy (so I send it from the default virtual server to, say, the generic_realm virtual server), so that it can make decisions based on that information.

I obviously can't use the realms module for parsing again in the first layer of virtual server, as I'll just end up creating a loopback on itself, but at the same time, I'd like to avoid having to do all that parsing and thinking in unlang. Since there seems to be some special config for virtual servers, is there any way to achieve this behavior (not stripping the 'internal' attributes when proxying to virtual servers) without a patch? It seems to be consistent with the idea behind virtual servers, but I may be misinterpreting it.

Thoughts? I feel like we're trying a little too hard to get what we want, here, but I'm not seeing how to do it the 'right' way.

Jacob M. Dawson
Network Research Engineer
Virginia Tech

---

For context:

I have an arbitrary number of FreeRADIUS servers providing my AAA service. I have an arbitrary number of NASs all talking to the FreeRADIUS servers, and they all provide the same suite of services to all possible users, so I can't do this proxying based on what client it comes in on (like this page suggests: http://freeradius.org/features/virtual_servers.html).

My realm module is short and sweet:

    realm suffix {
        format = suffix
        delimiter = @
        ignore_null = yes
    }

    realm prefix {
        format = prefix
        delimiter = \\
    }

I have the following virtual servers linked in sites-enabled:

    ad.vt.edu
    default
    ed.vt.edu
    generic-realm
    proxy-inner-tunnel

ad.vt.edu is to handle our Domain users. ed.vt.edu is to handle folks authenticating against our Enterprise Directory. default is, of course, where they come in to start with. generic-realm is intended to handle people who come in with SOME non-vt realm: could be guests (authenticated against our AAA-related database, accessed via the sql module), could be eduroam folks. proxy-inner-tunnel is used largely by the ad.vt.edu module to handle proxying the MS-CHAPv2 part of PEAP to our IAS machines.

default is simple:

    authorize {
        update request {
            User-Name := %{tolower:%{User-Name}}
        }
        preprocess
        auth_log
        chap
        mschap
        perl
        suffix
        prefix
        eap {
            ok = return
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        ldap
        eap
    }

(other stanzas don't seem relevant)

In proxy, we defined these home_servers:

    home_server ed.vt.edu {
        type = auth
        ipaddr = 127.0.0.1
        port = 1816
        secret = redacted
    }

    home_server ad.vt.edu {
        type = auth
        ipaddr = 127.0.0.1
        port = 1815
        secret = redacted
    }

    home_server generic_realm {
        type = auth
        ipaddr = 127.0.0.1
        port = 1817
        secret = redacted
    }

    home_server_pool ad_virtual_pool {
        home_server = ad.vt.edu
    }

    home_server_pool ed_virtual_pool {
        home_server = ed.vt.edu
    }

    home_server_pool generic_virtual_pool {
        home_server = generic_realm
    }

    realm ~HOKIES {
        auth_pool = ad_virtual_pool
        nostrip
    }

    realm DomainUser {
        auth_pool = HOKIES_authen
        nostrip
    }

    realm ~.*w2k\\.vt\\.edu$ {
        auth_pool = ad_virtual_pool
        nostrip
    }

    realm ~vt.edu$ {
        auth_pool = ed_virtual_pool
    }

    realm LOCAL {
    }

    realm NULL {
        auth_pool = ed_virtual_pool
    }

    realm DEFAULT {
        auth_pool = generic_virtual_pool
    }

Our virtual servers then start off like this, and then include the usual appropriate stanzas:

    listen {
        ipaddr = 127.0.0.1
        port = 1815
        type = auth
    }

    client 127.0.0.1 {
        secret = redacted
    }
Re: Help: Is there a way to make radius let all clients authenticate?
On Fri, Aug 5, 2011 at 2:03 AM, Rodrigo Yoshioka ro_yoshioka2...@yahoo.com.br wrote:
> is there a way to make radius allow all clients to authenticate with a default bandwidth and configuration, but not checking MAC or username and password?

Sort of. See http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless+of+password%3F

You can add the reply attributes that you need in that file as well; see man 5 users for the format.

--
Fajar
Re: Virtual Servers, the Realms Module, and Proxying
On Fri, Aug 5, 2011 at 2:39 AM, Jacob Dawson daw...@vt.edu wrote:
> I obviously can't use the realms module for parsing again in the first layer of virtual server, as I'll just end up creating a loopback on itself, but at the same time, I'd like to avoid having to do all that parsing and thinking in unlang. Since there seems to be some special config for virtual servers, is there any way to achieve this behavior (not stripping the 'internal' attributes when proxying to virtual servers) without a patch? It seems to be consistent with the idea behind virtual servers, but I may be misinterpreting it.
>
> Thoughts? I feel like we're trying a little too hard to get what we want, here, but I'm not seeing how to do it the 'right' way.

Try raddb/modules/attr_filter

--
Fajar
Re: Virtual Servers, the Realms Module, and Proxying
The whole realms/ suffix/ prefix methodology has been obsoleted by Unlang. If you load up policy.conf in the master branch (use GitHub) there's an example of proxying using unlang. Just re-parse the User-Name string each time a request comes into one of the Virtual Servers.

Incidentally, I've been down that route many years ago. I think you're maybe the second or third person on the list who's asked about this. Yes, it's a brilliant way to organise the server. No, it won't work out like you want it to. FreeRADIUS does not have unlimited internal proxy hops. So if you have an outer listen server, which proxies to another outer server, which un-encapsulates EAP and proxies to an inner server, which proxies to another inner server, somewhere in that line of proxying you'll hit a random error and the request will fail. I keep poking Alan to fix it, but he says it's hard.

-Arran
Re: Virtual Servers, the Realms Module, and Proxying
Well, we can certainly finagle that in Unlang, with a little thinking. I played with that earlier in this project. Happy to leave modules/realm if that's the best route, and that means I can probably pull all of that out of proxy.conf, too.

I don't think we'll run into the internal proxy chain problem, since we're sending the inner tunnel off to IAS. I'll keep this in mind if it seems to be randomly breaking, though.

Thanks for the prompt response.

- Jacob

On 4 Aug 2011, at 15:54, Arran Cudbard-Bell wrote:

> The whole realms/ suffix/ prefix methodology has been obsoleted by Unlang. If you load up policy.conf in the master branch (use GitHub) there's an example of proxying using unlang. Just re-parse the User-Name string each time a request comes into one of the Virtual Servers.
>
> Incidentally, I've been down that route many years ago. I think you're maybe the second or third person on the list who's asked about this. Yes, it's a brilliant way to organise the server. No, it won't work out like you want it to. FreeRADIUS does not have unlimited internal proxy hops. So if you have an outer listen server, which proxies to another outer server, which un-encapsulates EAP and proxies to an inner server, which proxies to another inner server, somewhere in that line of proxying you'll hit a random error and the request will fail. I keep poking Alan to fix it, but he says it's hard.
>
> -Arran
Re: num_answers_to_alive
Stefan Winter wrote:
> the configuration of 2.1.10 has the parameter num_answers_to_alive in proxy.conf. Looking at the source code, I found that instead, in realms.c, the config option num_pings_to_alive is used. num_answers is read from the config, but never referenced.

No. Both reference the same entry in the home server structure. The proxy.conf file is correct, and it works.

> If that's the case, then the config option in proxy.conf should be changed to be num_pings_to_alive, otherwise people will likely fail to tweak the value.

But they're not pings. The name "ping" existed for a short time in 2.0, and was quickly removed. It's still there for backwards compatibility, and will be removed in 3.0.

> Speaking of tweaking the value, I also found
>
>     if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
>     if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;
>
> The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

If you want... but it's really not a good idea.

Alan DeKok.
Fwd: Authentication failure issue
Hello Friends,

I met an issue regarding password/authentication with FreeRadius. Could anybody help with the issue? Thanks!

User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

The details are in the mails below.

Regards,
Charles

---------- Forwarded conversation ----------
Subject: Authentication failure issue
From: fieldpeak fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org

Dear Friends,

I'm trying to integrate Freeswitch with Freeradius. I met the issue below; can anyone help? Thanks in advance.

Freeradius server log:

rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49, length=111
User-Name = 1001
User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
Called-Station-Id = 888
h323-conf-id = 749d2b5a-16ad-48e4-af58-24011949d1b5
Calling-Station-Id = 1001
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log] expand: %t -> Wed Aug 3 12:06:33 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 1001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> 1001
[sql] sql_set_user escaped user --> '1001'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1001' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1001' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1001 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 1001
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 49 to 127.0.0.1 port 52684
Waking up in 4.9 seconds.
Cleaning up request 8 ID 49 with timestamp +7674
Ready to process requests.

WARNING! No known good password found for the user

Regards,
Charles

--
From: fieldpeak fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org

Hello Gurus,

I've double checked that the shared secret on both server and NAS are the same; the problem still exists. It has troubled me for a few days; can anyone kindly help?

nas: /usr/local/etc/radiusclient/servers
localhost/localhosttesting123

server: /usr/local/etc/raddb/clients.conf
secret= testing123
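The "Unprintable characters in the password" warning in the log above comes from how PAP hides User-Password (RFC 2865 section 5.2): a wrong shared secret never fails loudly, it just decodes to garbage. This added example (not code from the thread or from FreeRADIUS) shows both sides of that transform and the printability check; the password, the "wrongsecret" value and the fixed Request Authenticator are constructed for illustration.

```python
"""Added example, not from the thread: RFC 2865 User-Password hiding.

A wrong shared secret does not fail loudly; it turns the PAP password
into the unprintable bytes seen in the log. Secrets and passwords here
are constructed for illustration.
"""
import hashlib


def _blocks(data: bytes, secret: bytes, authenticator: bytes, decode: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous block); the "previous
    block" for the first one is the Request Authenticator (RFC 2865 5.2)."""
    out = b""
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        # The chaining value is always the ciphertext block.
        prev = block if decode else result
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: NUL-pad to a multiple of 16 bytes, then hide."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _blocks(padded or b"\x00" * 16, secret, authenticator, decode=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same transform; a wrong secret yields garbage, not an error."""
    return _blocks(hidden, secret, authenticator, decode=True).rstrip(b"\x00")


def secret_mismatch_suspected(decoded: bytes) -> bool:
    """The rlm_pap heuristic: non-printable bytes in a PAP password nearly
    always mean the NAS and the server disagree on the shared secret."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    hidden = hide_password(b"pw-for-1001", b"testing123", auth)
    for secret in (b"testing123", b"wrongsecret"):
        decoded = reveal_password(hidden, secret, auth)
        print(secret, decoded, "MISMATCH?" if secret_mismatch_suspected(decoded) else "ok")
```

Note that in the log the first problem is independent of the secret: neither files nor sql returned a password for user 1001, so Auth-Type was never set; the unprintable-password warning is the second, separate symptom to check.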