Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread Stefan Winter
Hi,

 I am struggling to configure my FreeRADIUS server for eduroam
 (www.eduroam.org), as I understood that some subscribers have done the
 configuration successfully, I come here to get help.
 
 I have been running my FreeRADIUS server without problem for several
 years, identifying to an openLdap backend.
 
 I managed to configure a test WiFi access point to identify with
 802.1x against that same radius/ldap server.
 
 But I have a problem to configure eduroam, so I would be glad if I
 could see a working example.

It would help if you told us *what* the problem is. Looking at what you
write, you have a working FreeRADIUS, working openLDAP backend, and have
configured it to do IEEE 802.1X on a WiFi access point.

That is 99% of what eduroam needs. So, what's missing?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread Scott Armitage

On 28 Jun 2012, at 02:54, Olivier Nicole wrote:

 Hi,
 
 I am struggling to configure my FreeRADIUS server for eduroam
 (www.eduroam.org), as I understood that some subscribers have done the
 configuration successfully, I come here to get help.
 
 I have been running my FreeRADIUS server without problem for several
 years, identifying to an openLdap backend.
 
 I managed to configure a test WiFi access point to identify with
 802.1x against that same radius/ldap server.
 
 But I have a problem to configure eduroam, so I would be glad if I
 could see a working example.


Have you looked at the eduroam wiki:

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus


Thanks

---
Scott Armitage,
Loughborough University


Questions on the finer points of CUI

2012-06-28 Thread Scott Armitage
All,

I was after some clarification about the implementation of CUI in freeRADIUS.  

My first point is the use of Client IP Address. I notice that client IP Address 
makes a regular appearance but I'm wondering whether it should.  Looking at 
cui.conf, the post-auth insert adds the Client IP Address:

postauth_query = "INSERT IGNORE INTO ${cui_table} \
    (clientipaddress, callingstationid, username, cui, lastaccounting) \
    VALUES \
    ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', \
    '%{reply:Chargeable-User-Identity}', NULL) \
    ON DUPLICATE KEY UPDATE \
    lastaccounting='0000-00-00 00:00:00', \
    cui='%{reply:Chargeable-User-Identity}'"

Likewise, the schema (in cui.sql) even has the Client IP Address as a primary 
key, which to me seems wrong.  In the world of eduroam my RADIUS server can 
proxy off to one of 3 National Proxies, each of which will have a different 
Client IP Address; therefore a single client could have 3 entries in the cui 
table depending upon which National Proxy dealt with the request.  I don't see 
the point of the Client IP Address being in there.  If each home server is 
using a salt (together with the operator name) then even the same username and 
calling station id will return a different CUI for different home servers.  
Maybe someone could explain what I'm missing and why the Client IP Address is 
there?

Staying with the Client IP Address, my next point surrounds the Accounting.  
The cui.conf shows that accounting updates the table using Client IP Address in 
the search:

accounting_start_query = "UPDATE ${cui_table} \
    SET \
    lastaccounting = CURRENT_TIMESTAMP \
    WHERE clientipaddress = '%{Client-IP-Address}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND username = '%{User-Name}' \
    AND cui = '%{Chargeable-User-Identity}'"

How would this work?  The NAS doesn't know what the Client IP Address is and 
doesn't send it in Accounting packets.  

Finally, why does the Accounting stop for cui remove the cui from the database:

accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
    clientipaddress = '%{Client-IP-Address}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND username = '%{User-Name}' \
    AND cui = '%{Chargeable-User-Identity}'"


Surely I'd want to keep this?  If 2 weeks later I get a copyright infringement 
notice for a client, I'd want the CUI when contacting the home site of the user.


Thanks


Scott Armitage





Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread alan buxey
Hi,

 I have been running my FreeRADIUS server without problem for several
 years, identifying to an openLdap backend.
 
 I managed to configure a test WiFi access point to identify with
 802.1x against that same radius/ldap server.
 
 But I have a problem to configure eduroam, so I would be glad if I
 could see a working example.

you need to look at the output of 'radiusd -X' to see what is going on with 
your server and why it is failing.

regarding eduroam - if you already have working 802.1X locally (which I'm not 
sure from your message, as your OpenLDAP/RADIUS combo could have been just PAP 
authentication) - then all you need to do for eduroam is have some unlang which 
checks the realm and if it's not your realm, then send it to a proxy pool 
(configure proxy.conf) - which will send the request to remote RADIUS servers 
that you will be told about by your federation operator, and for you to add 
those remote RADIUS servers as clients (clients.conf or NAS table in SQL) so 
that requests for you can be sent to you.

you might want to also look at the eduroam confluence WIKI for 
help/advice/pointers


https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus


alan


Re: Questions on the finer points of CUI

2012-06-28 Thread Stefan Winter
On 28.06.2012 09:07, Scott Armitage wrote:
 All,
 
 I was after some clarification about the implementation of CUI in freeRADIUS. 
  
 
 My first point is the use of Client IP Address. I notice that client IP 
 Address makes a regular appearance but I'm wondering whether it should.  
 Looking at cui.conf, the post-auth insert adds the Client IP Address:
 
 postauth_query = "INSERT IGNORE INTO ${cui_table} \
     (clientipaddress, callingstationid, username, cui, lastaccounting) \
     VALUES \
     ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', \
     '%{reply:Chargeable-User-Identity}', NULL) \
     ON DUPLICATE KEY UPDATE \
     lastaccounting='0000-00-00 00:00:00', \
     cui='%{reply:Chargeable-User-Identity}'"
 
 Likewise, the schema (in cui.sql) even has the Client IP Address as a primary 
 key, which to me seems wrong.  In the world of eduroam my RADIUS server can 
 proxy off to one of 3 National Proxies, each of which will have a different 
 Client IP Address; therefore a single client could have 3 entries in the cui 
 table depending upon which National Proxy dealt with the request.  I don't 
 see the point of the Client IP Address being in there.  If each home server 
 is using a salt (together with the operator name) then even the same username 
 and calling station id will return a different CUI for different home 
 servers.  Maybe someone could explain what I'm missing and why the Client IP 
 Address is there?

The $cui_table is merely a helper table to bind returned
CUI values from the home server during the *authentication* phase to a
possible subsequent Accounting packet for that same session. It is
logically maintained at the SP side of the transactions (i.e. towards
Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the
request. The response contains the associated Chargeable-User-Identity,
and may or may not contain a User-Name, and that User-Name may or may
not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for
most NASes), the SP-side RADIUS server needs to do guesswork to add the
CUI attribute to the outgoing accounting request (for all such requests:
starts, interims and stops).

It can see the binding primarily by observing that the calling-station
ID is the same.

It cannot use the User-Name in Accounting because some NASes use the
value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS
to another, he needs to reauthenticate and has the same
Calling-Station-Id. This new authentication might get the same CUI or
another (as you rightly note, the next request can go to a different
home server, which might calculate its own CUI).

In that case, there are two entries for the same Calling-Station-Id with
different CUIs, and the server won't know which one to attach to the
next outgoing Accounting-Request - BAD.

That's why the Client-IP-Address is a secondary key: since we're talking
SP-side, the client is the Access-Point or Controller, and the tuple of
(CSI;Client-IP) makes the CUI value unique: This device *on this client*
at a particular point in time.

You might argue that the user could close the session and then re-auth
on the *same* NAS. That's true, but it is not a problem: if that
previous session was closed in order with an Accounting-Stop, the
temporary entry in $cui_table gets deleted, and the new session gets the
new one. If not, since the key of CSI and Client-IP is identical, the
new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

 
 Staying with the Client IP Address, my next point surrounds the Accounting.  
 The cui.conf shows that accounting updates the table using Client IP Address 
 in the search:
 
 accounting_start_query = "UPDATE ${cui_table} \
     SET \
     lastaccounting = CURRENT_TIMESTAMP \
     WHERE clientipaddress = '%{Client-IP-Address}' \
     AND callingstationid = '%{Calling-Station-Id}' \
     AND username = '%{User-Name}' \
     AND cui = '%{Chargeable-User-Identity}'"
 
 How would this work?  The NAS doesn't know what the Client IP Address is and 
 doesn't send it in Accounting packets.  
 
 Finally, why does the Accounting stop for cui remove the cui from the 
 database:
 
 accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
     clientipaddress = '%{Client-IP-Address}' \
     AND callingstationid = '%{Calling-Station-Id}' \
     AND username = '%{User-Name}' \
     AND cui = '%{Chargeable-User-Identity}'"
 
 
 Surely I'd want to keep this?  If 2 weeks later I get a copyright 
 infringement notice for a client, I'd want the CUI when contacting the home 
 site of the user.
 
 
 Thanks
 
 
 Scott Armitage
 
 
 
 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA 
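The binding logic Stefan describes, as an added example in Python against an in-memory SQLite table (this is not FreeRADIUS's cui.conf or cui.sql): it replays one station roaming between two access points and shows why the (Client-IP-Address, Calling-Station-Id) key is needed on the SP side. The table layout, the addresses and the CUI values are constructed for illustration.

```python
import sqlite3

# Constructed schema modelled on the columns quoted in the thread.  Following
# Stefan's explanation, the key is the (Client-IP, Calling-Station-Id) tuple;
# username is stored but not relied on, because a NAS may report the
# Access-Accept's User-Name in accounting instead of the request's.
SCHEMA = """
CREATE TABLE cui (
    clientipaddress  TEXT NOT NULL,
    callingstationid TEXT NOT NULL,
    username         TEXT NOT NULL,
    cui              TEXT NOT NULL,
    lastaccounting   TEXT,
    PRIMARY KEY (clientipaddress, callingstationid)
)
"""


class CuiTable:
    """SP-side helper table that binds auth-time CUIs to accounting packets."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def post_auth(self, client_ip, csi, username, reply_cui):
        """postauth_query: remember the CUI the home server returned for this
        station on this NAS.  INSERT OR REPLACE plays the role of MySQL's
        INSERT IGNORE ... ON DUPLICATE KEY UPDATE: a re-authentication on the
        same NAS without an Accounting-Stop simply overwrites the old CUI."""
        self.db.execute(
            "INSERT OR REPLACE INTO cui "
            "(clientipaddress, callingstationid, username, cui, lastaccounting) "
            "VALUES (?, ?, ?, ?, NULL)",
            (client_ip, csi, username, reply_cui),
        )

    def accounting(self, status_type, client_ip, csi):
        """Return the CUI to attach to an outgoing Accounting-Request, or None.
        Client-IP-Address is the packet's source as seen by the RADIUS server,
        so the NAS never has to know or send it."""
        row = self.db.execute(
            "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
            (client_ip, csi),
        ).fetchone()
        if row is None:
            return None
        if status_type == "Stop":
            # accounting_stop_query: the session is over, drop the binding
            self.db.execute(
                "DELETE FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
                (client_ip, csi),
            )
        else:
            # accounting_start_query (and interims): note that accounting arrived
            self.db.execute(
                "UPDATE cui SET lastaccounting = CURRENT_TIMESTAMP "
                "WHERE clientipaddress = ? AND callingstationid = ?",
                (client_ip, csi),
            )
        return row[0]

    def rows(self):
        return self.db.execute(
            "SELECT clientipaddress, callingstationid, cui FROM cui ORDER BY 1"
        ).fetchall()


def roaming_scenario():
    """Constructed scenario: one station (fixed Calling-Station-Id) roams from
    AP1 to AP2; each re-authentication may travel a different proxy path and
    come back with a different CUI.  Returns the CUI chosen for each packet."""
    table = CuiTable()
    sta = "00-11-22-33-44-55"            # Calling-Station-Id (constructed)
    ap1, ap2 = "10.0.0.1", "10.0.0.2"    # Client-IP-Address of each AP (constructed)
    outer = "anonymous@example.org"      # outer identity seen by the SP (constructed)
    seen = {}

    table.post_auth(ap1, sta, outer, "cui-A")                # auth via AP1
    seen["start_ap1"] = table.accounting("Start", ap1, sta)

    table.post_auth(ap2, sta, outer, "cui-B")                # roam: re-auth via AP2
    seen["start_ap2"] = table.accounting("Start", ap2, sta)

    # A late Interim from AP1 still carries cui-A: same station, two live
    # bindings, and only the Client-IP tells them apart.
    seen["interim_ap1"] = table.accounting("Interim-Update", ap1, sta)

    seen["stop_ap1"] = table.accounting("Stop", ap1, sta)    # AP1 session closed
    seen["after_stop_ap1"] = table.accounting("Interim-Update", ap1, sta)  # binding gone

    table.post_auth(ap2, sta, outer, "cui-C")                # re-auth on AP2, no Stop
    seen["interim_ap2"] = table.accounting("Interim-Update", ap2, sta)     # overwritten
    seen["rows_left"] = table.rows()
    return seen
```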

Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread Olivier Nicole
Hi,

Thank you to Stefan, Scott and Alan who took time to reply to me.

For some reason, it is working now, I did only tiny changes though.

What I still don't understand:

- the differences between the wiki
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
and the cookbook
http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
The configuration files are slightly different.

- the inner logic behind the virtual servers eduroam and server
eduroam-inner-tunnel; how it is working; how packets are passed from
one to the other.

- how to implement anonymous outer identity? What to configure in
RADIUS? Is there any configuration needed in the supplicant?

Best regards,

Olivier

On Thu, Jun 28, 2012 at 1:21 PM, Stefan Winter stefan.win...@restena.lu wrote:
 Hi,

 I am struggling to configure my FreeRADIUS server for eduroam
 (www.eduroam.org), as I understood that some subscribers have done the
 configuration successfully, I come here to get help.

 I have been running my FreeRADIUS server without problem for several
 years, identifying to an openLdap backend.

 I managed to configure a test WiFi access point to identify with
 802.1x against that same radius/ldap server.

 But I have a problem to configure eduroam, so I would be glad if I
 could see a working example.

 It would help if you told us *what* the problem is. Looking at what you
 write, you have a working FreeRADIUS, working openLDAP backend, and have
 configured it to do IEEE 802.1X on a WiFi access point.

 That is 99% of what eduroam needs. So, what's missing?

 Greetings,

 Stefan Winter

 --
 Stefan WINTER
 Ingenieur de Recherche
 Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
 de la Recherche
 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg

 Tel: +352 424409 1
 Fax: +352 422473






Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread alan buxey
Hi,

 For some reason, it is working now, I did only tiny changes though.

well..you made changes... obviously they were beneficial

 - the differences between the WiKi
 https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
 and the cookbook
 http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
 The configuration files are slightly different.

the wiki is up to date. the cookbook is printed material...and is from GEANT2 
days - so older

 - the inner logic behind the virtual servers eduroam and server
 eduroam-inner-tunnel; how it is working; how packets are passed from
 one to the other.

eduroam server passes EAP stuff into eduroam inner-tunnel - just like, by 
default, the default server passes things into the inner-tunnel.
how does stuff go into eduroam VS? well, usually via an entry in clients.conf 
which says to put traffic from a particular NAS into a particular virtual server

 - how to implement anonymous outer identity? What to configure in
 Radius? Is there any configuration needed in the suplicant?

the RADIUS server will just handle it - it will get to the EAP part and open 
the tunnel to see the good stuff inside. be aware that if you have made ANY 
assumptions about ID based on the outer ID then those can be 
abused/misconstrued.

anonymous ID ability is based on the supplicant - some supplicants can set it, 
others can't. some can set a different realm in the outer ID, some can't.

alan
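The realm check Alan describes in his two replies, as an added example written in Python rather than unlang (it is not configuration from FreeRADIUS or the eduroam wiki): requests whose realm is one of the server's own are handled locally, every other realm goes to the proxy pool, and nothing but the realm is ever read from the outer identity. The local realm, the pool name and the sample identities are constructed.

```python
LOCAL_REALMS = frozenset({"example.edu"})   # constructed: realms this server authenticates itself
PROXY_POOL = "eduroam_national_proxies"    # constructed: pool name as it would appear in proxy.conf


def split_realm(user_name):
    """NAI suffix rule: the realm is whatever follows the LAST '@' and is
    compared case-insensitively.  The part before it is opaque to the SP;
    with anonymous outer identities it is typically just 'anonymous'."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route(outer_user_name):
    """Return where an Access-Request with this outer User-Name is handled.

    'local'     one of our realms, or no realm at all: a realm-less name
                cannot belong to a visitor, so it must never be proxied
    PROXY_POOL  any other realm: hand it to the federation proxies, which
                know the home servers we do not
    'reject'    an empty or whitespace realm that nothing could route

    Only the realm takes part in the decision; the user part is discarded,
    so 'anonymous@realm' and 'alice@realm' are routed identically.
    """
    _user, realm = split_realm(outer_user_name)
    if realm is None or realm in LOCAL_REALMS:
        return "local"
    if realm == "" or any(ch.isspace() for ch in realm):
        return "reject"
    return PROXY_POOL
```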


FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Taz Manian



Hi Guys, I'm having a problem with IP pools with freeradius2 and I can't seem to 
get any username to get an address from the pool. 90% of the usernames will have 
static IPs but I want a few to be in a pool, but I really am stumped. I tried 
putting

username@realm Framed-Pool := EZPOOL

into the radreply section and it gives me a reply when I test it:

# Standard Framed-Pool EZPOOL

so I know it is reading that. I then have a pool set up in radippool:

pool_name=EZPOOL FramedIPAddress=192.168.1.200 (I have more)

and my radiusd -X reply is:

# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 111
[pap] Using clear text password 111
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} - user@realm
[sql] sql_set_user escaped user -- 'username@realm'
[sql]   expand: %{User-Password} - 111
[sql]   expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  'username@realm',   '111',
   'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 'username@realm',   '111', 
  'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 51 to 192.168.1.100 port 52433
Framed-Pool := EZPOOL
Cisco-AVPair := lcp:interface-config=ip vrf forwarding BLAH
Cisco-AVPair += lcp:interface-config=ip unnumbered Loopback1
Cisco-AVPair += lcp:interface-config=mtu 1492
Service-Type := Framed-User
Framed-Protocol := PPP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 51 with timestamp +5
Ready to process requests.
  
  


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:
 Hi Guys,



 Im having a problem with Ippools with freeradius2 and i cant seem to get any
 username to get an address from the pool.

 90% of the usernames will have static IP's but i want a few to be in a pool
 but i really am stumped - i tried putting



 username@realm Framed-Pool := EZPOOL



 into the radreply section and it gives me a reply when i test it #


Please check the wiki, IIRC you should put it in radcheck, not
radreply. And the attribute is Pool-Name, not Framed-Pool.

 so i know is readying that - i then have a pool set up in radippool

Also, IMHO you should just use rlm_sqlippool. It's easier to set up and debug.

-- 
Fajar


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:08 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:

 so i know is readying that - i then have a pool set up in radippool

 Also, IMHO you should just use rlm_sqlippool. It's easier to set up and debug.

Sorry, I somehow read radippool as rlm_ippool. If you use that
table then you should use (or at least try to use) rlm_sqlippool
already.

You probably just need to read the wiki:
http://wiki.freeradius.org/Rlm_sqlippool

-- 
Fajar


Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

Hi all,

I need to stop proxying Interim Accounting for a particular domain on 
our legacy Freeradius 1.1.2 platform.


Reading the unlang man page, I've tried:

accounting {

    if ( (%{Acct-Status-Type} = Interim-Update) && (%{User-Name} =~ /@domain/) ) {

        update control {
            Proxy-To-Realm := LOCAL
        }
    }
}

But that causes the daemon to error out with:
/etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format



What have I misunderstood?

Steve


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Michell
Hello,

Some time ago I was informed that the ippool does not work properly with mysql.
How is it now?
I'm not sure what problems were occurring, but I was told that it
worked better and smoothly only in postgres.

Has anyone managed to make this scenario, freeradius / mysql, work?

Thanks for listening,

Michell

2012/6/28 Fajar A. Nugraha l...@fajar.net

 On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:
  Hi Guys,
 
 
 
  Im having a problem with Ippools with freeradius2 and i cant seem to get
 any
  username to get an address from the pool.
 
  90% of the usernames will have static IP's but i want a few to be in a
 pool
  but i really am stumped - i tried putting
 
 
 
  username@realm Framed-Pool := EZPOOL
 
 
 
  into the radreply section and it gives me a reply when i test it #


 Please check the wiki, IIRC you should put it in radcheck, not
 radreply. And the attribute is Pool-Name, not Framed-Pool.

  so i know is readying that - i then have a pool set up in radippool

 Also, IMHO you should just use rlm_sqlippool. It's easier to set up and
 debug.

 --
 Fajar

Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
 Reading the unlang man page, I've tried:
 
 accounting {
 
     if ( (%{Acct-Status-Type} = Interim-Update) && (%{User-Name} =~ /@domain/) ) {

  That's wrong on a number of levels.  The documentation says you can
just refer to an attribute by name.  And use '==':

  if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
...
  }


 But that causes the daemon to error out with
 /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format

 What have I misunderstood?

  Double-check line 1433?

  Alan DeKok.


Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Andrei Petru Mura
I'm running FreeRADIUS in conjunction with PostgreSQL 9.1. Snippet from
radiusd.conf:

modules {

...
$INCLUDE sql/postgresql/counter.conf
...

}

in my sql/postgresql/counter.conf, I have the following:

sqlcounter dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = hourly

    query = "SELECT SUM(AcctSessionTime - GREATER((%b - \
        AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{%k}' \
        AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
}

Attention!!! The dailycounter has an hourly reset.

in the sites-available/default, under authorize section:

authorize {

...
dailycounter
...
}

Now in my database I have two rows in the radcheck table:

 id  | username | attribute         | op | value
-----+----------+-------------------+----+-------
 167 | test1    | Password          | := | test1
 168 | test1    | Max-Daily-Session | := | 60

The problem is that every time I authenticate for the first time in an hour
(because the sqlcounter is reset hourly) with username test1, I can access the
services given by freeradius for an unlimited time. The sqlcounter is enabled
only if, after I log in the first time, I log out and log in again. If I exceed
the time specified in the radcheck table in the first login, at the second login
(in the same hour) I cannot log in again because the sqlcounter says that the
time is up.

Question: can anyone help me put the right settings in the database or in
FR's files so that the sqlcounter module will work from the first login?

Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Alan DeKok
Michell wrote:
 to some time ago informed me that the ippool not work properly with
 mysql. As it is now?

  someone somewhere said something.  That's not helpful.

  Read the documentation and examples distributed with FreeRADIUS.  They
give you the CORRECT answers.

  In this case, raddb/sql/mysql/ippool.*

  Alan DeKok.


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

Hi Alan,

Thanks for the pointer. This is actually what I started with :(

I still get the error "Error: /etc/raddb/radiusd.conf[1433]: Line is not 
in 'attribute = value' format"; line 1433 is this actual 'if ((' line.


accounting {
    if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@docomo/)) {

        update control {
            Proxy-To-Realm := LOCAL
        }
    }
}


On 28/06/12 13:32, Alan DeKok wrote:

   That's wrong on a number of levels.  The documentation says you can
just refer to an attribute by name.  And use '==':

   if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
...
   }



Steve


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:26 PM, Michell bill.c...@gmail.com wrote:
 Hello,

 to some time ago informed me that the ippool not work properly with mysql.

It works just fine

 As it is now?
 I'm not sure what the problems were occurring, but informed me that it
 worked better and smoothly only in postgres.

IIRC from the discussion, postgres should perform better compared to
mysql on the DEFAULT setup due to locking (or lack of it).
Function-wise, both work fine.

If your load is pretty light, OR you know how to adjust your mysql
setup to avoid the locking issue, it should be irrelevant.

-- 
Fajar


Re: Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Alan DeKok
Andrei Petru Mura wrote:
 Now in my database I have two rows in the radcheck table:
 
  id  | username | attribute         | op | value
 -----+----------+-------------------+----+-------
  167 | test1    | Password          | := | test1

  Please fix that.  Really.  It's been ~6 years that Password := has
been *documented* as being wrong.

  See the FAQ.

  168 | test1    | Max-Daily-Session | := | 60
 
 The problem is that every time I authenticate for the first time in an
 hour (because the sqlcounter is reset hourly) with username test1, I can
 access the services given by freeradius for an unlimited time.

  Blame the NAS.

 The sqlcounter is enabled only if, after I log in the first time, I log out
 and log in again. If I exceed the time specified in the radcheck table in
 the first login, at the second login (in the same hour) I cannot log in
 again because the sqlcounter says that the time is up.
 
 Question: can anyone help me how to put the right settings in database
 or FR' files so that the sqlcounter module will work from the first login?

  Read the debug output.  If the correct Session-Timeout is being
returned, blame the NAS.

  As *always* read the debug output.  We really can't say that enough.
Perhaps putting that in the you have subscribed notice to the list
would make a difference?

  Alan DeKok.


Re: Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:34 PM, Andrei Petru Mura mapand...@gmail.com wrote:
  id  | username | attribute         | op | value
 -----+----------+-------------------+----+-------
  167 | test1    | Password          | := | test1
  168 | test1    | Max-Daily-Session | := | 60

 The problem is that every time I authenticate for the first time in an
 hour (because the sqlcounter is reset hourly) with username test1, I can
 access the services given by freeradius for an unlimited time.

That's not right.
- Did you read the wiki?
- Did you try to run FR in debug mode? Did it send Session-Timeout
attribute? Was it calculated correctly?
- Does your NAS honor Session-Timeout attribute?

IIRC some NAS (e.g. chillispot) ignores some attributes (e.g.
Acct-Interim-Interval) if it's too small (e.g. <= 60 seconds). That
might be the case in your setup (although the attribute here is
different).

-- 
Fajar


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
 Thanks for the pointer. This is actually what I started with :(
 
 I still get the error Error: /etc/raddb/radiusd.conf[1433]: Line is not
 in 'attribute = value' format; line 1433 is this actual 'if ((' line.

  It works for me.

  Check that you're using version 2?  It looks like you're using version
1.  Unlang is only supported in version 2.

  Upgrade.

  Alan DeKok.


RE: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Taz Manian

I did check the wiki, I have been on it for the last 3 days trying to figure 
this out. I did a search for Pool-Name and I got 4 different results as below:
http://wiki.freeradius.org/search?q=Pool-Name
http://wiki.freeradius.org/Rlm_sqlippool
http://wiki.freeradius.org/Rlm_ippool
http://wiki.freeradius.org/Users
http://wiki.freeradius.org/Ippool%20and%20radius%20clients
I checked each one of them and not one said anything about radcheck or 
radreply. I checked on Google and found some pages that said TO USE Framed-Pool, 
and I could see that when I ran radiusd -X. I just tried using Pool-Name and it 
doesn't work, nor does it show when I try it with radiusd -X.  I appreciate your 
input, I'm really stuck on this one. I'm also not sure how to use rlm_sqlippool?
Taz 
Date: Thu, 28 Jun 2012 19:08:25 +0700
 Subject: Re: FreeRADIUS SQl Ippool problem -
 From: l...@fajar.net
 To: dj...@iol.ie; freeradius-users@lists.freeradius.org
 
 On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian djta...@hotmail.com wrote:
  Hi Guys,
 
 
 
  Im having a problem with Ippools with freeradius2 and i cant seem to get any
  username to get an address from the pool.
 
  90% of the usernames will have static IP's but i want a few to be in a pool
  but i really am stumped - i tried putting
 
 
 
  username@realm Framed-Pool := EZPOOL
 
 
 
  into the radreply section and it gives me a reply when i test it #
 
 
 Please check the wiki, IIRC you should put it in radcheck, not
 radreply. And the attribute is Pool-Name, not Framed-Pool.
 
  so i know is readying that - i then have a pool set up in radippool
 
 Also, IMHO you should just use rlm_sqlipool. It's easier to setup and debug.
 
 -- 
 Fajar

Re: Freeradius crash during EAP-TTLS authentication

2012-06-28 Thread Thomas Fagart

Hello,

After three months of a stable situation, the ISP home servers have 
started to lose packets and to have slow response times again, and our 
freeradius proxies have begun to crash again.


We've reproduced the crash with the Git version.

Here's the output that I got with gdb


Going to the next request
rad_recv: Accounting-Request packet from host X.X.X.X port 1812, id=124, 
length=520
Received conflicting packet from client bas-man72-02 port 1812 - ID: 124 
due to unfinished request 715241.  Giving up on old request.

ASSERT FAILED event.c[2773]: request->ev != NULL

Program received signal SIGABRT, Aborted.
[Switching to Thread 8012021c0 (LWP 100143)]
0x000800fb978c in kill () from /lib/libc.so.7
(gdb)


(gdb) thread apply all bt full

Thread 2 (Thread 8012021c0 (LWP 100143)):
#0  0x000800fb978c in kill () from /lib/libc.so.7
No symbol table info available.
#1  0x000800fb858b in abort () from /lib/libc.so.7
No symbol table info available.
#2  0x00420cd4 in rad_assert_fail (file=Variable file is not 
available.

) at util.c:366
No locals.
#3  0x00429d9a in received_request (listener=0x801fdcac0, 
packet=0x8051c1900, prequest=0x7fffe4d0, client=0x801fdaa80) at 
event.c:2773

when = {tv_sec = 1340876260, tv_usec = 138114}
packet_p = Variable packet_p is not available.

Is there enough information for this bug ?
Do you want me to get some more information ?

I can provide smokeping graphs that show packet loss and slow response 
time (3 seconds)


Many thanks

Thomas


On 29/03/2012 23:04, Thomas Fagart wrote:

Many thanks, I will test it when available.


Thomas

On 28/03/2012 17:15, Alan DeKok wrote:

Thomas Fagart wrote:

Here's the debug output this happens specialy when we add a virtual
server as a fallback server.
   OK... it looks like the proxy_reply doesn't exist.  I'll push a 
patch.


   Alan DeKok.


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Alan DeKok
Taz Manian wrote:
 I checked each one of them and not one said anything about radcheck or
 radreply.

  Because they give examples for the users file.  They don't give
examples for SQL, LDAP, external programs, Perl, Python, etc.

  The users file example has the Pool-Name on the first line.  The
documentation for the users file says that this makes it a check item.
 The documentation for the SQL module describes how to map users file
entries to SQL.

  It *is* documented.

  We expect that *some* independent understanding is necessary.

  Alan DeKok.


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

On 28/06/12 14:03, Alan DeKok wrote:

   Check that you're using version 2?  It looks like you're using version
1.  Unlang is only supported in version 2.


I'm not, and that would explain it nicely; I mentioned in my initial 
message a "legacy Freeradius 1.1.2 platform". Is there any way of 
achieving the same end result in v1.x without Unlang?


Upgrade is some time away, so this is what we have to work with.

Steve


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 8:22 PM, Taz Manian djta...@hotmail.com wrote:
 I did check the wiki , i have been on it for the last 3 days trying to
 figure this out

 I did a search for Pool-Name and i got 4 different results as below

 http://wiki.freeradius.org/search?q=Pool-Name

 http://wiki.freeradius.org/Rlm_sqlippool

Did you notice I specifically mentioned that page?

 http://wiki.freeradius.org/Rlm_ippool
 http://wiki.freeradius.org/Users
 http://wiki.freeradius.org/Ippool%20and%20radius%20clients

 I checked each one of them and not one said anything about radcheck or
 radreply.

Did you read this paragraph?


To assign a user an IP from a pool you simply need to have a Pool-Name
Attribute (Keep in mind that it is a CONTROL attribute, not a reply
attribute) in the required configuration file, which is either in
files(users), sql or any other type of configuration schema.


It should be clear enough that Pool-Name should not be in
rad(group)reply (since that table holds reply attributes).

If you don't know where to put CONTROL attribute (which is in
rad(group)check, btw), then we might need to add an entry for that.

 I checked on Google and found some pages that said TO USE Framed-Pool, and
 I could see that when I ran radiusd -X

Your primary source of information should be the included
documentation (comments on the config file, man pages, etc).

After that, the wiki.

After that, this list.

If you decide to follow some random page, then no wonder you get random result.

-- 
Fajar
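
The point both Alan DeKok and Fajar make in this thread, that Pool-Name is a check/control item and so belongs in radcheck rather than radreply, as an added example (not FreeRADIUS code and not from any post here). It maps one constructed 'users' file entry onto the stock radcheck/radreply tables (same columns as the authorize_check_query visible in the debug output elsewhere on this page) using an in-memory sqlite database, then reads both tables back the way rlm_sql's default queries do:

```python
"""Added example, not FreeRADIUS code and not from the thread: map one
'users' file entry onto the default rlm_sql schema, putting the first-line
check items (where Pool-Name belongs) into radcheck and the indented reply
lines into radreply, then run the same SELECT shape as rlm_sql's default
authorize_check_query. The entry and the sqlite database are constructed
for this demo; table and column names are the stock radcheck/radreply ones."""
import re
import sqlite3

# Constructed users-file entry: first line = check items, indented lines = reply items.
SAMPLE_ENTRY = (
    'bob Cleartext-Password := "hello", Pool-Name := "dialup"\n'
    '\tService-Type = Framed-User,\n'
    '\tFramed-Protocol = PPP\n'
)

# attribute, operator (longest alternatives first so "=~" is not read as "="),
# value (double-quoted string or bare word up to the next comma)
_ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*'
    r'("(?:[^"\\]|\\.)*"|[^\s,]+)\s*')


def parse_items(text):
    """'A := "x", B = y' -> [('A', ':=', 'x'), ('B', '=', 'y')]."""
    text = text.strip().rstrip(',')
    items, pos = [], 0
    while pos < len(text):
        m = _ITEM_RE.match(text, pos)
        if not m:
            raise ValueError('cannot parse items near %r' % text[pos:])
        attr, op, val = m.groups()
        if val.startswith('"'):
            val = val[1:-1]
        items.append((attr, op, val))
        pos = m.end()
        if pos < len(text) and text[pos] == ',':
            pos += 1
    return items


def parse_users_entry(entry):
    """Return (username, check_items, reply_items) for one users-file entry."""
    lines = [l for l in entry.splitlines() if l.strip()]
    parts = re.split(r'\s+', lines[0].strip(), maxsplit=1)
    username = parts[0]
    check = parse_items(parts[1]) if len(parts) > 1 else []
    reply = []
    for line in lines[1:]:      # continuation lines are reply items
        reply.extend(parse_items(line))
    return username, check, reply


def load_into_sql(conn, entry):
    """Create radcheck/radreply (default rlm_sql schema) and insert the entry."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS radcheck (id INTEGER PRIMARY KEY,
            username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE IF NOT EXISTS radreply (id INTEGER PRIMARY KEY,
            username TEXT, attribute TEXT, op TEXT, value TEXT);
    """)
    username, check, reply = parse_users_entry(entry)
    for table, items in (('radcheck', check), ('radreply', reply)):
        # table name comes from the fixed tuple above; values are bound parameters
        conn.executemany(
            'INSERT INTO %s (username, attribute, op, value) VALUES (?, ?, ?, ?)' % table,
            [(username, a, o, v) for a, o, v in items])
    conn.commit()
    return username


def fetch(conn, table, username):
    """Same shape as rlm_sql's default authorize_check_query / authorize_reply_query."""
    assert table in ('radcheck', 'radreply')
    return conn.execute(
        'SELECT attribute, op, value FROM %s WHERE username = ? ORDER BY id' % table,
        (username,)).fetchall()


def demo(entry=SAMPLE_ENTRY):
    conn = sqlite3.connect(':memory:')
    user = load_into_sql(conn, entry)
    return fetch(conn, 'radcheck', user), fetch(conn, 'radreply', user)


if __name__ == '__main__':
    check, reply = demo()
    print('radcheck:', check)
    print('radreply:', reply)
```

Running it shows Pool-Name coming back from radcheck alongside the password check item, while Service-Type and Framed-Protocol come back from radreply; put Pool-Name in radreply and rlm_sqlippool never sees it as a control attribute.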


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

On 28/06/12 14:34, Steve Brown wrote:


Is there any way of achieving the same end result in v1.x without Unlang?



If there was a way to simply respond to an accounting request with an 
'Accept', like you can with Auth, could I do something like:


acct_users:
DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ /@domain/
Acct-Type := IGNORE


radiusd.conf:
accounting {
Acct-Type IGNORE {
   Accept
}
}

Can't find a method like 'Accept' in the docs though so maybe that's not 
possible.


Steve


EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
}}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
  radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.accounting_response from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module reply_log from file 
/etc/raddb/modules/detail.log
  detail reply_log {
detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating module attr_filter.access_reject from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = control
 listen {
socket = /var/run/radiusd/radiusd.sock
 }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... adding new socket proxy address * port 60364
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.






rad_recv: Access-Request packet from host 69.38.220.74 port 33457, id=25, 
length=227
User-Name = myrealm/chris
Calling-Station-Id = 78-D6-F0-9B-62-97
NAS-IP-Address = 69.38.220.74
NAS-Port = 1
Called-Station-Id = 74-91-1A-63-49-58:My Wi-Fi
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 74-91-1A-63-49-58
Connect-Info = CONNECT 802.11g/n
WISPr-Location-Name = Lab
EAP-Message = 0x021101737072696e742f6368726973
Vendor-25053-Attr-3 = 0x537072696e742057692d4669
Message-Authenticator = 0x41f70f465513dc906b544110465b80ad
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/69.38.220.74/auth-detail-20120628
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/69.38.220.74/auth-detail-20120628
[auth_log]  expand: %t - Thu Jun 28 12:19:22 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] Looking up realm myrealm for User-Name = myrealm/chris
[IPASS] Found realm myrealm
[IPASS] Adding Stripped-User-Name = chris
[IPASS] Adding Realm = myrealm
[IPASS] Proxying request from user chris to realm myrealm
[IPASS] Preparing to proxy authentication request to realm myrealm
++[IPASS] returns updated
[eap] Request is supposed to be proxied to Realm myrealm.  Not doing EAP.
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} - myrealm/chris
[sql] sql_set_user escaped user -- 'myrealm/chris'
rlm_sql (sql): Reserving sql socket id: 48
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'myrealm/chris'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup

EAP does not work with realms

2012-06-28 Thread Christopher Manigan
) to clients list
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=none) to clients 
list
rlm_sql (sql): Released sql socket id: 49
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file 
/etc/raddb/modules/acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Instantiating module suffix from file /etc/raddb/modules/realm
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module detail from file /etc/raddb/modules/detail
  detail {
detailfile = 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
  radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.accounting_response from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module reply_log from file 
/etc/raddb/modules/detail.log
  detail reply_log {
detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating module attr_filter.access_reject from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = control
 listen {
socket = /var/run/radiusd/radiusd.sock
 }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... adding new socket proxy address * port 60364
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.






rad_recv: Access-Request packet from host 192.168.100.150 port 33457, id=25, 
length=227
User-Name = myrealm/chris
Calling-Station-Id = 78-D6-F0-9B-62-97
NAS-IP-Address = 192.168.100.150
NAS-Port = 1
Called-Station-Id = 74-91-1A-63-49-58:myrealm Wi-Fi
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 74-91-1A-63-49-58
Connect-Info = CONNECT 802.11g/n
WISPr-Location-Name = LAB
EAP-Message = 0x021101737072696e742f6368726973
Vendor-25053-Attr-3 = 0x537072696e742057692d4669
Message-Authenticator = 0x41f70f465513dc906b544110465b80ad
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/192.168.100.150/auth-detail-20120628
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.100.150/auth-detail-20120628
[auth_log]  expand: %t - Thu Jun 28 12:19:22 2012
++[auth_log] returns ok
++[chap] returns noop

Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Phil Mayers

On 28/06/12 17:13, Steve Brown wrote:

On 28/06/12 14:34, Steve Brown wrote:


Is there any way of achieving the same end result in v1.x without Unlang?



If there was a way to simply respond to an accounting request with an
'Accept', like you can with Auth, could I do something like:


You might be able to use the configurable_failover in 1.x to achieve 
this. Something like:


preacct {
  files {
ok = return
  }
  ... rest of modules ...
}

...and in your files module, something like you had:

DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ @domain
Fall-Through = No

See doc/configurable_failover - from the version of the server you are 
running, obviously.



Re: EAP fails when proxying to a realm

2012-06-28 Thread Phil Mayers

On 28/06/12 17:33, Christopher Manigan wrote:

I am trying to use MSCHAPv2 to authenticate users.  This works ok, except when 
I try to proxy to a realm.  Pasted below is the debug of a user trying to 
authenticate.  The realm is a prefix of the username.  What I see buried in the 
debug is:


# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 
11:37:39


Upgrade to 2.1.12 if possible


Sending Access-Request of id 22 to 127.0.0.1 port 1812


Why on earth are you proxying back to yourself, to the same virtual 
server no less?


I suspect this is confusing the server, since it fails inside the 
handler further down.



[eap] Identity does not match User-Name, setting from EAP Identity.


You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use Stripped-User-Name. Leave the 
original username alone.



[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.



Update control with redundant sql query

2012-06-28 Thread lscrlstld
Hi,

I use the policy configs to provide redundancy and load-balancing when updating
the pool-name.

It works fine! But I have some questions...
- Is it the correct way to do it? Is it the best way, considering
performance under high usage?
- Why do the virtual module created in the policy and the control update always
return notfound?

+- entering group authorize {...}
++- entering policy update_ctlr_PN {...}
+++- entering redundant-load-balance group redundant-load-balance {...}
- entering policy update01_Pool-Name {...}
...
expand: select poolname from radpoolname where
nasipaddress=%{NAS-IP-Address} -select poolname from radpoolname where
nasipaddress=X.X.X.X
rlm_sql (sql01): Reserving sql socket id: 4
sql_xlat finished
rlm_sql (sql01): Released sql socket id: 4
expand: %{sql01:select poolname from radpoolname where
nasipaddress=%{NAS-IP-Address}} -pool01
+[control] returns notfound
- policy update_ctlr_PN1 returns notfound
+++- redundant-load-balance group redundant-load-balance returns notfound
++- policy update_ctlr_PN returns notfound

The policy.conf
policy {
update_ctlr_PN1 {
update control {
Pool-Name := %{sql01:select poolname from
radpoolname where nasipaddress=\%{NAS-IP-Address}\}
}
}
update_ctlr_PN2 {
update control {
Pool-Name := %{sql02:select poolname from
radpoolname where nasipaddress=\%{NAS-IP-Address}\}
}
}
update_ctlr_PN {
redundant-load-balance {
update_ctlr_PN1
update_ctlr_PN2
}
}
}

Server conf:
...
authorize {
update_ctlr_PN
pap
chap
sql01
}
...

Thank you.



RE: EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
Thanks for pointing those things out to me.  I am no longer proxying back to 
myself like that, and I've told the sql module to use stripped user name when 
possible and it looks like it's all working now.

Best wishes,
Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org 
[freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
 I am trying to use MSCHAPv2 to authenticate users.  This works ok, except 
 when I try to proxy to a realm.  Pasted below is the debug of a user trying 
 to authenticate.  The realm is a prefix of the username.  What I see buried 
 in the debug is:


 # radiusd -X
 FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 
 at 11:37:39

Upgrade to 2.1.12 if possible

 Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual
server no less?

I suspect this is confusing the server, since it fails inside the
handler further down.

 [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use Stripped-User-Name. Leave the
original username alone.

 [eap] Failed in handler
 ++[eap] returns invalid
 Failed to authenticate the user.


Re: Cisco WLC - Freeradius Vlan assigment problem

2012-06-28 Thread Martin Silvero
 ++- if (!Huntgroup-Name) returns ok ++? if (Huntgroup-Name == list)
 (Attribute Huntgroup-Name was not found)

the problem seems to be your huntgroup.. Can you post your huntgroup
definitions?

--
Jens Weibler
IT-Services

Hi,

In huntgroup I just have:

...
# Usuario = xxx xxx
list  Calling-Station-Id == 0221.6ae0.cef8


Then in sites-available/inner-tunnel I have a script:


if (!Huntgroup-Name) {
#reject
  update reply {
    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-Id = 249
  }
}
if (Huntgroup-Name == "list") {
  if (Ldap-Group == "WIFI-Direccion") {
    update reply {
      Tunnel-Type = VLAN
      Tunnel-Medium-Type = IEEE-802
      Tunnel-Private-Group-Id = 200
    }
  }
}


seems ok. What do you think?

Thanks a lot.

Re: Update control with redundant sql query

2012-06-28 Thread Fajar A. Nugraha
On Fri, Jun 29, 2012 at 12:09 AM, lscrlstld lscrls...@gmail.com wrote:
 Hi,

 I use the policy configs to provide redundant and load-balance to update
 the pool-name.

 It´s work fine!

Does it?

 The policy.conf
 policy {
        update_ctlr_PN1 {
                update control {
                        Pool-Name := %{sql01:select poolname from
 radpoolname where nasipaddress=\%{NAS-IP-Address}\}
                }
        }
        update_ctlr_PN2 {
                update control {
                        Pool-Name := %{sql02:select poolname from
 radpoolname where nasipaddress=\%{NAS-IP-Address}\}
                }
        }
        update_ctlr_PN {
                redundant-load-balance {
                                update_ctlr_PN1
                                update_ctlr_PN2
                }
        }
 }

Last time I checked, the %{sql ...} block does NOT return an error if the
SQL server is dead. So your load-balance part definitely works, but
I wouldn't be so sure about the redundant part. Try killing one of
the SQL servers and see what happens.

IIRC I had to explicitly hack a query so it would return some value
(e.g. NOTFOUND, or whatever) when it would usually return zero rows.
That way, if the %{sql ...} block returns an empty string, I know
something is wrong and I need to ask the next server. That method
works, but it doesn't provide load balancing.

-- 
Fajar
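
The failure mode Fajar describes above, as an added example (not FreeRADIUS code and not from the thread): an xlat that comes back empty for a dead server exactly as it does for "no rows" gives a redundant block nothing to fail over on, and a COALESCE sentinel in the query is what makes the two cases distinguishable. The backends are in-memory sqlite3 databases and the radpoolname rows are constructed; the real server expands the query as a string, whereas this demo binds parameters.

```python
"""Added example, not FreeRADIUS code: model of why a redundant block built on
an %{sqlNN:...} xlat cannot fail over. As the post above states, the xlat
comes back empty when the SQL server is dead, exactly as it does when the
query matches no rows, so 'update control' succeeds either way. A COALESCE
sentinel in the query (the hack the post describes) makes 'no rows' visible
as NOTFOUND, leaving '' to mean 'backend failed'. Backends are in-memory
sqlite3 databases; a dead server is simulated with the alive flag."""
import sqlite3

NOTFOUND = 'NOTFOUND'

PLAIN_QUERY = 'SELECT poolname FROM radpoolname WHERE nasipaddress = ?'
SENTINEL_QUERY = ('SELECT COALESCE((SELECT poolname FROM radpoolname '
                  'WHERE nasipaddress = ?), ?)')


class Backend:
    """Stand-in for one rlm_sql instance used as an xlat."""

    def __init__(self, rows, alive=True):
        self.alive = alive
        self.conn = sqlite3.connect(':memory:')
        self.conn.execute('CREATE TABLE radpoolname (nasipaddress TEXT, poolname TEXT)')
        self.conn.executemany('INSERT INTO radpoolname VALUES (?, ?)', rows)

    def xlat(self, query, params):
        """First column of the first row; '' both when no row matches and when
        the backend is unreachable (the ambiguity the post describes)."""
        if not self.alive:
            return ''
        try:
            row = self.conn.execute(query, params).fetchone()
        except sqlite3.Error:
            return ''
        return '' if row is None else str(row[0])


def lookup_plain(backends, nas_ip):
    """What the posted redundant-load-balance over 'update control' amounts to:
    the backend picked (here: the first) answers, and '' is accepted as the answer."""
    return backends[0].xlat(PLAIN_QUERY, (nas_ip,))


def lookup_redundant(backends, nas_ip):
    """Try each backend in turn using the sentinel query.
    Returns ('ok', pool), ('nopool', None) or ('failed', None)."""
    for b in backends:
        result = b.xlat(SENTINEL_QUERY, (nas_ip, NOTFOUND))
        if result == '':
            continue                    # backend failed: ask the next one
        if result == NOTFOUND:
            return ('nopool', None)     # authoritative: no pool for this NAS
        return ('ok', result)
    return ('failed', None)             # every backend failed


if __name__ == '__main__':
    rows = [('10.0.0.1', 'pool01')]     # constructed radpoolname content
    dead, alive = Backend(rows, alive=False), Backend(rows)
    print(repr(lookup_plain([dead, alive], '10.0.0.1')))     # '' -> looks like 'no pool'
    print(lookup_redundant([dead, alive], '10.0.0.1'))       # ('ok', 'pool01')
```

With the plain query a dead first backend and a NAS with no pool both produce '', so the policy cannot know which happened; with the sentinel query the dead backend is skipped and the live one answers, and a genuine "no pool" still surfaces as NOTFOUND rather than silently assigning nothing.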


Re: EAP fails when proxying to a realm

2012-06-28 Thread alan buxey
Hi,

upgrade to 2.1.12 - it has fixes for proxy errors

as for username - you cannot play with User-Name with EAP - use 
Stripped-User-Name - see examples

alan
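
What Phil Mayers and alan buxey are both saying in this thread (leave User-Name alone with EAP; put the stripped part in Stripped-User-Name), as an added example that is not rlm_eap or rlm_realm code and not from any post here. It decodes a constructed EAP-Response/Identity, splits a prefix-format realm the way a realm module instance with format = prefix and delimiter = "/" would, and shows that the identity check behind the "[eap] Identity does not match User-Name" debug line still passes when User-Name is untouched and fails once User-Name has been overwritten. The request dict and packet bytes are constructed for the demo.

```python
"""Added example, not rlm_eap or rlm_realm code: decode the EAP-Response/
Identity carried in EAP-Message, split a prefix-format realm ("realm/user")
into Realm and Stripped-User-Name while leaving User-Name untouched, and show
why rewriting User-Name instead breaks the identity check behind the
"[eap] Identity does not match User-Name" debug line. The EAP packet bytes
and the request dict are constructed for this demo."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed: code 2 (Response), id 0x11, length 18, type 1 (Identity), "myrealm/chris"
EAP_MESSAGE = bytes.fromhex('0211' '0012' '01') + b'myrealm/chris'


def eap_identity(eap_message):
    """Identity string from an EAP-Response/Identity packet, or None if it is
    not one (wrong code/type) or its length field disagrees with the data."""
    if len(eap_message) < 5:
        return None
    code, _ident, length = struct.unpack('!BBH', eap_message[:4])
    if code != EAP_RESPONSE or length != len(eap_message):
        return None
    if eap_message[4] != EAP_TYPE_IDENTITY:
        return None
    return eap_message[5:].decode('utf-8', 'replace')


def split_realm(user_name, fmt='suffix', delimiter='@'):
    """rlm_realm-style split; returns (stripped_user_name, realm), with
    realm None when the delimiter is absent."""
    if fmt == 'prefix':
        realm, sep, user = user_name.partition(delimiter)
    else:
        user, sep, realm = user_name.rpartition(delimiter)
    if not sep:
        return user_name, None
    return user, realm


def authorize(request):
    """The right way: realm goes to Realm, the bare user to Stripped-User-Name,
    User-Name is copied through unchanged."""
    user, realm = split_realm(request['User-Name'], fmt='prefix', delimiter='/')
    control = {'User-Name': request['User-Name']}
    if realm is not None:
        control['Stripped-User-Name'] = user
        control['Realm'] = realm
    return control


def broken_authorize(request):
    """What the thread warns against: overwriting User-Name with the stripped part."""
    user, realm = split_realm(request['User-Name'], fmt='prefix', delimiter='/')
    return {'User-Name': user, 'Realm': realm}


def eap_identity_matches(request, control):
    """The consistency check: the EAP Identity must still equal User-Name."""
    ident = eap_identity(request['EAP-Message'])
    return ident is not None and ident == control['User-Name']


if __name__ == '__main__':
    req = {'User-Name': 'myrealm/chris', 'EAP-Message': EAP_MESSAGE}
    print('good  :', eap_identity_matches(req, authorize(req)))         # True
    print('broken:', eap_identity_matches(req, broken_authorize(req)))  # False
```

The EAP identity is carried inside the EAP-Message attribute and, with PEAP/TTLS, is later re-sent inside the tunnel, so anything that changes the outer User-Name after the fact produces a mismatch the EAP handler cannot reconcile; modules that need the bare username (sql, ldap, the inner tunnel) should read Stripped-User-Name, which is why the original poster's fix was to point the sql module at it.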


Re: Cisco WLC - Freeradius Vlan assigment problem

2012-06-28 Thread alan buxey
Hi,

are you running the preprocess module? if not, then Huntgroups aren't looked at 
or populated


alan


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
 I'm not, and that would explain it nicely; I mentioned in my initial
 message legacy Freeradius 1.1.2 platform. Is there any way of
 achieving the same end result in v1.x without Unlang?

  Unlang isn't in 1.1.x, and is *documented* as not being in 1.1.x.  You
can't just try random things in the server.

 Upgrade is some time away, so this is is what we have to work with.

  Upgrade.

  Alan DeKok.


Re: Invalid password on OS-X

2012-06-28 Thread Jens W. Skov - JS Consult

Jens W. Skov - JS Consult wrote:
 I'm trying to set up external authentication from our router to an 
 OSX server.
 
 I have it working fine if the user is an admin-user on the mac, but if 
 I try with a normal user I get:

 Auth: rlm_opendirectory: User vpntest is authorized. 
 Auth: rlm_opendirectory: User [vpntest]: invalid password

  Are you running FreeRADIUS on the same machine running OpenDirectory?

JS: 
Yes, they have only this one server. 
I do suspect that I might be missing something in the users file. 
In the OSX GUI I have selected the users and groups that should be allowed, 
but it seems it is not passed on to the radius service.
