Re: Testing pre-2.2.0
Hi,

On Wed, Aug 08, 2012 at 09:26:55PM +0200, Alan DeKok wrote:
> Stefan Winter wrote:
> > It's running only since a few minutes, so hard to make a long-term
> > prediction, but at least there's no immediate problem in sight.
>
> Thanks. I'll try to get the release out this week. (finally)

Just noticed, this fix needs cherry-picking from master into v2.1.x:

    commit a412df0e29a4ee75a754434daa6285e2fcac8ec4
    Author: Matthew Newton m...@leicester.ac.uk
    Date: Sun Apr 8 22:02:55 2012 +0100

        don't chgrp syslog

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing pre-2.2.0
Matthew Newton wrote:
> Just noticed, this fix needs cherry-picking from master into v2.1.x:

Done, thanks.

Alan DeKok.
Re: SSH to Cisco Devices
Michael Schwartzkopff wrote:
> I know it is possible to use FreeRADIUS to authenticate SSH access to
> Cisco devices with username/password scheme. Cisco's IOS in version 15
> also offers the private/public key authentication scheme.

That is not standardized in RADIUS.

> Is it possible to authenticate the key scheme in FreeRADIUS?

Sure, send a patch. :)

> Or does anybody know if that is possible in Cisco's ACS?

Ask Cisco.

Alan DeKok.
RE: SSH to Cisco Devices
You definitely can. The Cisco configuration would look like this:

    !
    version 15.0
    !
    aaa new-model
    aaa group server radius FreeRadius
     server 192.168.0.1 auth-port 1812 acct-port 1813
     ip radius source-interface Vlan10
    aaa authentication login default group FreeRadius local
    aaa authorization exec default group FreeRadius local
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key *

In clients.conf you have a section that looks like this:

    DEFAULT Group==netadmins,Auth-type := System
            Service-Type = Administrative-User,
            Fall-Through = No

Then whoever is in your netadmins group on the FreeRadius system will be allowed administrative access to the devices.

-----Original Message-----
From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org [mailto:freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org] On Behalf Of Michael Schwartzkopff
Sent: August-09-12 12:25 AM
To: freeradius-users@lists.freeradius.org
Subject: SSH to Cisco Devices

Hi,

I know it is possible to use FreeRADIUS to authenticate SSH access to Cisco devices with username/password scheme. Cisco's IOS in version 15 also offers the private/public key authentication scheme.

Is it possible to authenticate the key scheme in FreeRADIUS? Or does anybody know if that is possible in Cisco's ACS?

Thanks for any hint.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Online Users
Shawky Skaff wrote:
> On the online users gui page of dialup admin, there are several
> columns, one of the columns states “name”, which is after the caller ID
> column. I would like to know where this comes from, I have set the name
> on the user info page, but it doesn’t seem like that works.

List of online users contains the list of users who are online.

Setting something on the user info page doesn't work. Because user information is not online users.

The NAS needs to send accounting packets. Once that happens, the online users should be updated.

Alan DeKok.
sql_log and Accounting On/Off
Hello,

I'm currently migrating a number of direct accounting sql module calls to delayed writes using sql_log.

I noticed that sql_log has statements for Start, Stop, Alive (and Post-Auth, about which I don't care at that point).

The real SQL modules have accounting_on_off_query, too.

I wonder how to send stuff to sql_log when an On/Off arrives... guessing that I'm simply overlooking something.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: sql_log and Accounting On/Off
Hi,

> I wonder how to send stuff to sql_log when an On/Off arrives... guessing
> that I'm simply overlooking something.

Looking at the code: could it be that I can just use Accounting-On and Accounting-Off as keys, because the code seems to reference the values of Acct-Status-Type?

That would be cute; but it's hard to find - one has to go into the code. So if I'm right with that, could the documentation in modules/sql_log be updated for 2.2.0? At least adding it as an example like the others would be nice.

Greetings,

Stefan Winter
Re: sql_log and Accounting On/Off
Hi,

> That would be cute; but it's hard to find - one has to go into the code.
> So if I'm right with that, could the documentation in modules/sql_log be
> updated for 2.2.0? At least adding it as an example like the others
> would be nice.

Ah, man 5 rlm_sql_log. Right. Sorry for the noise. Anyway, adding an example would still be nice :-)

Stefan
Re: sql_log and Accounting On/Off
On Thu, Aug 9, 2012 at 7:53 PM, Stefan Winter stefan.win...@restena.lu wrote:
> Hi,
>
>> That would be cute; but it's hard to find - one has to go into the code.
>> So if I'm right with that, could the documentation in modules/sql_log be
>> updated for 2.2.0? At least adding it as an example like the others
>> would be nice.
>
> Ah, man 5 rlm_sql_log. Right. Sorry for the noise. Anyway, adding an
> example would still be nice :-)

Submit a patch, or edit the wiki? :D

--
Fajar
Segmentation fault in rlm_pap
Hi,

I'm new to the list. I'm currently migrating from Radiator to Freeradius with MySQL Database Backend for Authentication and Accounting. User-passwords are stored in mysql db with SMD5.

I have installed latest freeradius from debian squeeze repositories:

    ii  freeradius         2.1.10+dfsg-2  a high-performance and highly configurable RADIUS server
    ii  freeradius-common  2.1.10+dfsg-2  FreeRADIUS common files
    ii  freeradius-dbg     2.1.10+dfsg-2  debug symbols for the FreeRADIUS packages
    ii  freeradius-mysql   2.1.10+dfsg-2  MySQL module for FreeRADIUS server
    ii  freeradius-utils   2.1.10+dfsg-2  FreeRADIUS client utilities
    ii  libfreeradius2     2.1.10+dfsg-2  FreeRADIUS shared library

If I start freeradius in daemon mode it runs without any problems. After some hours freeradius segfaults without any visible reason. Until this time users can authenticate without problems. No error messages in the logfile.

So I tried to run freeradius in debug mode with -X and when it crashes I get the following after some hours:

    ...
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Normalizing SMD5-Password from base64 encoding
    ++[pap] returns updated
    Found Auth-Type = PAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password 232nr4Cs
    [pap] Using SMD5 encryption.
    [pap] Normalizing SMD5-Password from base64 encoding
    Segmentation fault

The Kernel logs the message:

    kernel: [10466122.427567] freeradius[20622]: segfault at 7f2ed32e1000 ip 7f2ed8cbaa4b sp 7f2ed32debd8 error 4 in libc-2.11.3.so[7f2ed8c3b000+159000]

After the crash above I tried to run freeradius with gdb. When it crashes I got the following in gdb shell:

    ...
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Normalizing SMD5-Password from base64 encoding
    ++[pap] returns updated
    Found Auth-Type = PAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password 232nr4Cs
    [pap] Using SMD5 encryption.
    [pap] Normalizing SMD5-Password from base64 encoding

    Program received signal SIGSEGV, Segmentation fault.
    0x76859a4b in memcpy () from /lib/libc.so.6
    (gdb) bt
    #0  0x76859a4b in memcpy () from /lib/libc.so.6
    #1  0x75392572 in normify (request=0x8d2920, vp=0x8d3100, min_length=16) at rlm_pap.c:272
    #2  0x75392f7e in pap_authenticate (instance=<value optimized out>, request=0x8d2920) at rlm_pap.c:655
    #3  0x0041b6e3 in call_modsingle (component=<value optimized out>, c=<value optimized out>, request=0x8d2920) at modcall.c:297
    #4  modcall (component=<value optimized out>, c=<value optimized out>, request=0x8d2920) at modcall.c:670
    #5  0x0078ac50 in ?? ()
    #6  0x02cc in ?? ()
    #7  0xf7bd7a3a in ?? ()
    #8  0x7fffd720 in ?? ()
    #9  0x in ?? ()

Other installed packages:

    ii  libc6             2.11.3-3  Embedded GNU C Library: Shared libraries
    ii  libmysqlclient16  5.1.58-1  MySQL database client library

I also tried to compile freeradius version 2.1.12 from latest git, but it's always the same. After some hours it crashes too.

Have you any idea what could cause these strange crashes?

If you need any further info please let me know.
Many thanks and regards
Urban

Base-Config:

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct
    name = freeradius
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}
    db_dir = ${raddbdir}
    libdir = /usr/lib/freeradius
    pidfile = ${run_dir}/${name}.pid
    user = freerad
    group = freerad
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = no
    }
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
    proxy_requests = no
    $INCLUDE proxy.conf
    $INCLUDE clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE
Re: Segmentation fault in rlm_pap
Urban Loesch wrote:
> [pap] login attempt with password 232nr4Cs
> [pap] Using SMD5 encryption.
> [pap] Normalizing SMD5-Password from base64 encoding
> Segmentation fault

Oops. My guess is that the SMD5 password isn't correctly formed. Can you share it?

> After the crash above I tried to run freeradius with gdb. When it
> crashes I got the following in gdb shell:

OK. That helps. I still don't see why it's a problem.

> I also tried to compile freeradius version 2.1.12 from latest git, but
> it's always the same. After some hours it crashes too. Have you any idea
> what could cause these strange crashes?

The SMD5 password is probably in a weird format.

> If you need any further info please let me know.

A copy of the SMD5 password.

Alan DeKok.
Re: Segmentation fault in rlm_pap
Hi Alan,

thanks for your fast reply.

>> If you need any further info please let me know.
>
> A copy of the SMD5 password.

This is the whole raw data from db:

    id    username  attribute      op  value
    4105  urban@1   SMD5-Password  :=  kB49X7B1aX5kzg6+OD6L12ZxRGRmcUM8bDY4N2ZBPXA=

> Alan DeKok.

The strange thing is, that the crash does not happen every time a user tries to authenticate.

Many thanks
Urban
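Added example, not part of the thread and not FreeRADIUS code: a Python check for the guess above that a stored SMD5-Password value is malformed. It assumes the usual salted-MD5 layout (a 16-byte MD5(password + salt) digest followed by the salt); the function names are illustrative and every sample row except the value posted in the thread is constructed.

```python
import base64
import hashlib
import hmac

MD5_LEN = 16  # MD5 digest size; in SMD5 the bytes after the digest are the salt

def decode_smd5(stored):
    """Split a hex/base64 SMD5 value into (digest, salt); ValueError if malformed."""
    text = stored.strip()
    raw = None
    if len(text) % 2 == 0 and len(text) >= 2 * MD5_LEN:
        try:
            raw = bytes.fromhex(text)  # hex wins if the text parses both ways
        except ValueError:
            raw = None
    if raw is None:
        try:
            raw = base64.b64decode(text, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"not valid hex or base64: {exc}") from None
    if len(raw) <= MD5_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, need more than {MD5_LEN}")
    return raw[:MD5_LEN], raw[MD5_LEN:]

def verify_smd5(password, stored):
    """True if MD5(password + salt) matches the stored digest."""
    digest, salt = decode_smd5(stored)
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)

def make_smd5(password, salt):
    """Build a base64 SMD5 value; used here only to construct sample data."""
    return base64.b64encode(hashlib.md5(password + salt).digest() + salt).decode()

def audit(rows):
    """Return {label: problem} for each (label, value) row that is malformed."""
    problems = {}
    for label, value in rows:
        try:
            decode_smd5(value)
        except ValueError as exc:
            problems[label] = str(exc)
    return problems

# First value: the one posted in the thread. The other rows are constructed.
ROWS = [
    ("thread-row", "kB49X7B1aX5kzg6+OD6L12ZxRGRmcUM8bDY4N2ZBPXA="),
    ("constructed-good", make_smd5(b"example-pass", b"NaCl1234")),
    ("constructed-short", base64.b64encode(b"\x00" * 8).decode()),
    ("constructed-garbled", "kB49X7B1aX5kzg6+OD6L12Zx$$"),
]
print(audit(ROWS) or "all rows well-formed")
```

The value posted in the thread passes this check (it decodes to a 16-byte digest plus a 16-byte salt), so the check covers only the encoding and length of a stored value.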
Re: Segmentation fault in rlm_pap
On 08/09/2012 09:34 AM, Urban Loesch wrote:
> Hi,
>
> I'm new to the list. I'm currently migrating from Radiator to Freeradius
> with MySQL Database Backend for Authentication and Accounting.
> User-passwords are stored in mysql db with SMD5.

FWIW, we've gotten a couple of bug reports of segfaults using EAP, they are described in this bugzilla (which includes a stacktrace and debug output).

https://bugzilla.redhat.com/show_bug.cgi?id=827858

HTH,

John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Segmentation fault in rlm_pap
John Dennis wrote:
> FWIW, we've gotten a couple of bug reports of segfaults using EAP, they
> are described in this bugzilla (which includes a stacktrace and debug
> output).
>
> https://bugzilla.redhat.com/show_bug.cgi?id=827858

This is typically caused by having discordant versions of OpenSSL installed. i.e. the server was built using version X, and the current OpenSSL library is version Y.

There's really no solution, other than to re-build and re-link the server. I can put some hacks in, but all they'll do is ensure that the server doesn't crash. It WON'T cause authentication to work.

Alan DeKok.
Cisco integration with priv-lvl=15 vs. priv-lvl=0
Basically, how does one go about configuring the radius server to forward requests to the Red Hat LDAP server with these attributes?

Thanks,