Re: Testing pre-2.2.0

2012-08-09 Thread Matthew Newton
Hi,

On Wed, Aug 08, 2012 at 09:26:55PM +0200, Alan DeKok wrote:
 Stefan Winter wrote:
  It's running only since a few minutes, so hard to make a long-term
  prediction, but at least there's no immediate problem in sight.
 
   Thanks.  I'll try to get the release out this week. (finally)

Just noticed, this fix needs cherry-picking from master into
v2.1.x:

commit a412df0e29a4ee75a754434daa6285e2fcac8ec4
Author: Matthew Newton m...@leicester.ac.uk
Date:   Sun Apr 8 22:02:55 2012 +0100

don't chgrp syslog

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Testing pre-2.2.0

2012-08-09 Thread Alan DeKok
Matthew Newton wrote:
 Just noticed, this fix needs cherry-picking from master into
 v2.1.x:

  Done, thanks.

  Alan DeKok.


Re: SSH to Cisco Devices

2012-08-09 Thread Alan DeKok
Michael Schwartzkopff wrote:
 I know it is possible to use FreeRADIUS to authenticate SSH access to Cisco 
 devices with username/password scheme. Cisco's IOS in version 15 also offers 
 the private/public key authentication scheme.

  That is not standardized in RADIUS.

 Is it possible to authenticate the key scheme in FreeRADIUS?

  Sure, send a patch. :)

 Or does anybody know if that is possible in Cisco's ACS?

  Ask Cisco.

  Alan DeKok.


RE: SSH to Cisco Devices

2012-08-09 Thread James S. Smith
You definitely can. The Cisco configuration would look like this:

!
version 15.0
!
aaa new-model
aaa group server radius FreeRadius
 server 192.168.0.1 auth-port 1812 acct-port 1813
 ip radius source-interface Vlan10
aaa authentication login default group FreeRadius local
aaa authorization exec default group FreeRadius local
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key *

In clients.conf you have a section that looks like this:

DEFAULT Group==netadmins,Auth-type := System
        Service-Type = Administrative-User,
        Fall-Through = No

Then whoever is in your netadmins group on the FreeRadius system will be 
allowed administrative access to the devices. 


-Original Message-
From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org 
[mailto:freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org] On 
Behalf Of Michael Schwartzkopff
Sent: August-09-12 12:25 AM
To: freeradius-users@lists.freeradius.org
Subject: SSH to Cisco Devices

Hi,

I know it is possible to use FreeRADIUS to authenticate SSH access to Cisco 
devices with username/password scheme. Cisco's IOS in version 15 also offers 
the private/public key authentication scheme.

Is it possible to authenticate the key scheme in FreeRADIUS?

Or does anybody know if that is possible in Cisco's ACS?

Thanks for any hint.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13


Re: Online Users

2012-08-09 Thread Alan DeKok
Shawky Skaff wrote:
 On the online users gui page of dialup admin, there are several
 columns, one of the columns states “name”, which is after the caller ID
 column.

 I would like to know where this comes from, I have set the name on the
 user info page, but it doesn’t seem like that works.

  List of online users contains the list of users who are online.
Setting something on the user info page doesn't work.  Because user
information is not online users.

  The NAS needs to send accounting packets.  Once that happens, the
online users should be updated.

  Alan DeKok.

sql_log and Accounting On/Off

2012-08-09 Thread Stefan Winter
Hello,

I'm currently migrating a number of direct accounting sql module calls
to delayed writes using sql_log.

I noticed that sql_log has statements for Start, Stop, Alive (and
Post-Auth, about which I don't care at that point).

The real SQL modules have accounting_on_off_query, too.

I wonder how to send stuff to sql_log when an On/Off arrives... guessing
that I'm simply overlooking something.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: sql_log and Accounting On/Off

2012-08-09 Thread Stefan Winter
Hi,

 I wonder how to send stuff to sql_log when an On/Off arrives... guessing
 that I'm simply overlooking something.

Looking at the code: could it be that I can just use
Accounting-On and Accounting-Off as keys, because the code seems to
reference the values of Acct-Status-Type?

That would be cute; but it's hard to find - one has to go into the code.
So if I'm right with that, could the documentation in modules/sql_log be
updated for 2.2.0? At least adding it as an example like the others
would be nice.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: sql_log and Accounting On/Off

2012-08-09 Thread Stefan Winter
Hi,

 That would be cute; but it's hard to find - one has to go into the code.
 So if I'm right with that, could the documentation in modules/sql_log be
 updated for 2.2.0? At least adding it as an example like the others
 would be nice.

Ah, man 5 rlm_sql_log. Right. Sorry for the noise.

Anyway, adding an example would still be nice :-)

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: sql_log and Accounting On/Off

2012-08-09 Thread Fajar A. Nugraha
On Thu, Aug 9, 2012 at 7:53 PM, Stefan Winter stefan.win...@restena.lu wrote:
 Hi,

 That would be cute; but it's hard to find - one has to go into the code.
 So if I'm right with that, could the documentation in modules/sql_log be
 updated for 2.2.0? At least adding it as an example like the others
 would be nice.

 Ah, man 5 rlm_sql_log. Right. Sorry for the noise.

 Anyway, adding an example would still be nice :-)

Submit a patch, or edit the wiki? :D

-- 
Fajar


Segmentation fault in rlm_pap

2012-08-09 Thread Urban Loesch

Hi,

I'm new to the list. I'm currently migrating from Radiator to Freeradius with 
MySQL Database Backend for Authentication
and Accounting. User-passwords are stored in mysql db with SMD5.

I have installed latest freeradius from debian squeeze repositories:

ii  freeradius         2.1.10+dfsg-2  a high-performance and highly configurable RADIUS server
ii  freeradius-common  2.1.10+dfsg-2  FreeRADIUS common files
ii  freeradius-dbg     2.1.10+dfsg-2  debug symbols for the FreeRADIUS packages
ii  freeradius-mysql   2.1.10+dfsg-2  MySQL module for FreeRADIUS server
ii  freeradius-utils   2.1.10+dfsg-2  FreeRADIUS client utilities
ii  libfreeradius2     2.1.10+dfsg-2  FreeRADIUS shared library

If I start freeradius in daemon mode it runs without any problems.
After some hours freeradius segfaults without any visible reason. Until this 
time users can authenticate
without problems. No error messages in the logfile.

So I tried to run freeradius in debug mode with -X and when it crashes I get 
the following after some hours:

...
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SMD5-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 232nr4Cs
[pap] Using SMD5 encryption.
[pap] Normalizing SMD5-Password from base64 encoding
Segmentation fault

The Kernel logs the message:
kernel: [10466122.427567] freeradius[20622]: segfault at 7f2ed32e1000 ip 7f2ed8cbaa4b sp 7f2ed32debd8 error 4 in libc-2.11.3.so[7f2ed8c3b000+159000]



After the crash above I tried to run freeradius with gdb. When it crashes I got 
the following in gdb shell:

...
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SMD5-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 232nr4Cs
[pap] Using SMD5 encryption.
[pap] Normalizing SMD5-Password from base64 encoding

Program received signal SIGSEGV, Segmentation fault.
0x76859a4b in memcpy () from /lib/libc.so.6

(gdb) bt
#0  0x76859a4b in memcpy () from /lib/libc.so.6
#1  0x75392572 in normify (request=0x8d2920, vp=0x8d3100, min_length=16) at rlm_pap.c:272
#2  0x75392f7e in pap_authenticate (instance=<value optimized out>, request=0x8d2920) at rlm_pap.c:655
#3  0x0041b6e3 in call_modsingle (component=<value optimized out>, c=<value optimized out>, request=0x8d2920) at modcall.c:297
#4  modcall (component=<value optimized out>, c=<value optimized out>, request=0x8d2920) at modcall.c:670
#5  0x0078ac50 in ?? ()
#6  0x02cc in ?? ()
#7  0xf7bd7a3a in ?? ()
#8  0x7fffd720 in ?? ()
#9  0x in ?? ()



Other installed packages:
ii  libc6             2.11.3-3  Embedded GNU C Library: Shared libraries
ii  libmysqlclient16  5.1.58-1  MySQL database client library

I also tried to compile freeradius version 2.1.12 from latest git, but it's 
always the same.
After some hours it crashes too.

Have you any idea what could cause these strange crashes?

If you need any further info please let me know.

Many thanks and regards
Urban

Base-Config:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = no
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE 

Re: Segmentation fault in rlm_pap

2012-08-09 Thread Alan DeKok
Urban Loesch wrote:
 [pap] login attempt with password 232nr4Cs
 [pap] Using SMD5 encryption.
 [pap] Normalizing SMD5-Password from base64 encoding
 Segmentation fault

  Oops.  My guess is that the SMD5 password isn't correctly formed.

  Can you share it?

 After the crash above I tried to run freeradius with gdb. When it
 crashes I got the following in gdb shell:

  OK.  That helps.  I still don't see why it's a problem.

 I also tried to compile freeradius version 2.1.12 from latest git, but
 it's always the same.
 After some hours it crashes  too.
 
 Have you any idea what could cause this strange crashes?

  The SMD5 password is probably in a weird format.

 If you need any further info please let me know.

  A copy of the SMD5 password.

  Alan DeKok.


Re: Segmentation fault in rlm_pap

2012-08-09 Thread Urban Loesch

Hi Alan,

thanks for your fast reply.




If you need any further info please let me know.


   A copy of the SMD5 password.


This is the whole raw data from db:

id    username  attribute      op  value
4105  urban@1   SMD5-Password  :=  kB49X7B1aX5kzg6+OD6L12ZxRGRmcUM8bDY4N2ZBPXA=



   Alan DeKok.
-


The strange thing is, that the crash does not happen every time a user tries to
authenticate.

Many thanks
Urban
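
A format check for the stored value discussed in this thread, as an added example that is not part of any post and is not FreeRADIUS code. It assumes the usual salted-MD5 layout, MD5(password + salt) followed by the salt, accepted in hex or base64; the function names are hypothetical, and requiring at least one salt byte is a choice of this example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Tuple

MD5_LEN = 16  # MD5 digest size; matches min_length=16 in the backtrace
# SMD5-Password value quoted in the thread.
PAGE_VALUE = "kB49X7B1aX5kzg6+OD6L12ZxRGRmcUM8bDY4N2ZBPXA="


def decode_smd5(stored: str) -> Tuple[bytes, bytes]:
    """Split a hex- or base64-encoded SMD5 value into (digest, salt).

    Raises ValueError when the value does not decode or is too short to
    hold a digest plus at least one salt byte (a choice of this example).
    """
    text = stored.strip()
    raw = None
    if len(text) >= 2 * MD5_LEN and len(text) % 2 == 0:
        try:
            raw = bytes.fromhex(text)  # hex form
        except ValueError:
            raw = None  # not hex, fall through to base64
    if raw is None:
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid hex or base64: {exc}") from None
    if len(raw) <= MD5_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, need more than {MD5_LEN}")
    return raw[:MD5_LEN], raw[MD5_LEN:]


def verify_smd5(password: bytes, stored: str) -> bool:
    """Assumed layout: MD5(password + salt) followed by the salt."""
    digest, salt = decode_smd5(stored)
    candidate = hashlib.md5(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_smd5(password: bytes, salt: bytes) -> str:
    """Build a constructed base64 SMD5 value for testing the checker."""
    return base64.b64encode(hashlib.md5(password + salt).digest() + salt).decode()


if __name__ == "__main__":
    digest, salt = decode_smd5(PAGE_VALUE)
    print(f"digest={len(digest)} bytes, salt={len(salt)} bytes")
```

Running `decode_smd5` over every row of the password table before migration flags values that are truncated or not decodable, which is the kind of input suspected in this thread.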


Re: Segmentation fault in rlm_pap

2012-08-09 Thread John Dennis

On 08/09/2012 09:34 AM, Urban Loesch wrote:

Hi,

I'm new to the list. I'm currently migrating from Radiator to
Freeradius with MySQL Database Backend for Authentication and
Accounting. User-passwords are stored in mysql db with SMD5.



FWIW, we've gotten a couple of bug reports of segfaults using EAP, they 
are described in this bugzilla (which includes a stacktrace and debug 
output).


https://bugzilla.redhat.com/show_bug.cgi?id=827858

HTH,

John

--
John Dennis jden...@redhat.com



Re: Segmentation fault in rlm_pap

2012-08-09 Thread Alan DeKok
John Dennis wrote:
 FWIW, we've gotten a couple of bug reports of segfaults using EAP, they
 are described in this bugzilla (which includes a stacktrace and debug
 output).
 
 https://bugzilla.redhat.com/show_bug.cgi?id=827858

  This is typically caused by having discordant versions of OpenSSL
installed.  i.e. the server was built using version X, and the current
OpenSSL library is version Y.

  There's really no solution, other than to re-build & re-link the
server.  I can put some hacks in, but all they'll do is ensure that the
server doesn't crash.  It WON'T cause authentication to work.

  Alan DeKok.


Cisco integration with priv-lvl=15 vs. priv-lvl=0

2012-08-09 Thread Casho, Craig L
Basically, how does one go about configuring the radius server to forward 
requests to the Red Hat LDAP server with these attributes?

Thanks,
