Re: account activate datetime

2012-09-17 Thread Iliya Peregoudov
There is the rlm_logintime module. It uses the Login-Time control attribute. 
The Login-Time attribute format is:


login-times ::= login-time | login-times,login-time
login-time ::= days | days time
days ::= day | days day
day ::= day-of-week | day-of-week-day-of-week | Wk | Al | Any
day-of-week ::= Su | Mo | Tu | We | Th | Fr | Sa
time ::= hhmm | hhmm-hhmm
hh ::= 00 .. 24
mm ::= 00 .. 59

For example, allow logins from Monday till Friday, from 9:00 till 20:00:

Login-Time := Mo-Fr0900-2000

You can set Login-Time control attribute using rlm_files or rlm_sql (or 
whatever backend module). For example, using rlm_files:


# raddb/files
joe Cleartext-Password := ToPsEcReT, Login-Time := Mo-Fr0900-2000

The rlm_logintime module should be called from the authorize section.

SkyDiablo wrote:

hiho,

I'm searching for a solution to set an activation datetime for an account. In the 
end, I want a possibility to set a timespan where the account is active:


from - datetime
to - datetime

any tips for me?

greez thx,
  sky...
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


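An added checker for the Login-Time format described in this message (example code, not FreeRADIUS's rlm_logintime): it parses the grammar as posted and tests a weekday and time against it. Where the grammar is silent it assumes that a lone hhmm denotes that single minute, that hhmm-hhmm is inclusive and wraps past midnight on the same listed days when the end precedes the start, and that a day range such as Fr-Mo wraps past Sunday.

```python
"""Evaluate an rlm_logintime-style Login-Time string (added example, not
FreeRADIUS code). Assumed: a lone hhmm is that single minute, hhmm-hhmm is
inclusive and wraps past midnight on the same listed days when end < start,
and a day-of-week range such as Fr-Mo wraps past Sunday."""
import re

# Index matches datetime.weekday(): Monday == 0 ... Sunday == 6.
DAY_NAMES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
_DAY_RE = re.compile(r"(Wk|Al|Any|Mo|Tu|We|Th|Fr|Sa|Su)(?:-(Mo|Tu|We|Th|Fr|Sa|Su))?")
_TIME_RE = re.compile(r"([0-2]\d[0-5]\d)(?:-([0-2]\d[0-5]\d))?$")


def _hhmm_to_minutes(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24:                          # hh ::= 00 .. 24
        raise ValueError("hour out of range in %r" % hhmm)
    return hours * 60 + minutes


def _expand_days(first, last):
    """Map one day token (optionally a day-of-week range) to weekday indexes."""
    if first in ("Wk", "Al", "Any"):
        if last is not None:
            raise ValueError("%s cannot start a range" % first)
        return set(range(0, 5)) if first == "Wk" else set(range(0, 7))
    start = DAY_NAMES.index(first)
    if last is None:
        return {start}
    end = DAY_NAMES.index(last)
    if start <= end:
        return set(range(start, end + 1))
    return set(range(start, 7)) | set(range(0, end + 1))   # e.g. Fr-Mo


def parse_login_time(spec):
    """Parse 'login-times' into [(weekday set, start minute, end minute)]."""
    windows = []
    for login_time in spec.split(","):      # login-times ::= ...,login-time
        login_time = login_time.strip()
        days, pos = set(), 0
        while True:                         # days ::= day | days day
            match = _DAY_RE.match(login_time, pos)
            if not match:
                break
            days |= _expand_days(match.group(1), match.group(2))
            pos = match.end()
        if not days:
            raise ValueError("no day specification in %r" % login_time)
        rest = login_time[pos:]
        if not rest:                        # login-time ::= days (whole day)
            start, end = 0, 24 * 60
        else:                               # login-time ::= days time
            match = _TIME_RE.match(rest)
            if not match:
                raise ValueError("bad time specification in %r" % login_time)
            start = _hhmm_to_minutes(match.group(1))
            end = _hhmm_to_minutes(match.group(2)) if match.group(2) else start
        windows.append((days, start, end))
    return windows


def allowed_at(spec, weekday, hour, minute):
    """True if weekday (Monday == 0) at hour:minute is inside any window."""
    now = hour * 60 + minute
    for days, start, end in parse_login_time(spec):
        if weekday not in days:
            continue
        if start <= end:
            if start <= now <= end:
                return True
        elif now >= start or now <= end:    # window wraps past midnight
            return True
    return False


def login_allowed(spec, when):
    """Same check for a datetime object, e.g. login_allowed(spec, datetime.now())."""
    return allowed_at(spec, when.weekday(), when.hour, when.minute)
```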


Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a
system-supplied openSSL.

Today, I compiled with

--with-openssl
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

--with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

The path is in ld.so.conf, and ldd shows that linking against this new
version works.

However, when running PEAP on this version, I get a segmentation fault now:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = test.edur...@education.lu
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Reply-Message = What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam.
Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate
the packet beyond 1500 bytes to trigger UDP fragmentation (this is our
Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine -
Access-Accept. Any hints?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Alan DeKok
Stefan Winter wrote:
 until today, I have been running FreeRADIUS 2.2.0 successfully with a
 system-supplied openSSL.
 
 Today, I compiled with
 
 --with-openssl
 --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
 
 --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
 
 the path is in ld.so.conf, and ldd shows that linking against this new
 version works.

  Are you sure?  The openssl SEGV problem is almost always because you
have two versions of OpenSSL installed.

  What is likely happening is that the compile stage is picking up the
system-supplied OpenSSL include files.  The way to test this is to
rename / move them, do the build, and then the install.

  If it now works, it was picking up OpenSSL X, and linking against
OpenSSL Y.

  Alan DeKok.


Proxy and requests queue

2012-09-17 Thread AemNet

Hi everybody

I've a question about the management of the queue in freeradius 2.1.12.
Let's assume my server is used for local authentication for the realm 
mydomanin.org and proxies the requests for the realm remote.org (a pool 
with a single home server). Let's assume also that max_servers and 
max_spare_server are set correctly.
What happens if the home server for the proxy takes too long to respond? 
Are the requests for the local side ignored, or do they have their own queue? And 
if my proxy is used for different realms (remote1.org, remote2.org 
etc...), all with their own single home_server, what happens if a remote 
home server takes too long to respond?
To make a long story short, is it possible that a problem on a remote home 
server (that receives a huge number of requests) blocks the requests for 
my local server?


Thanks

I know this can be a stupid question but I didn't find an answer in the 
wiki or in the docs (probably I've searched in the wrong place or with the 
wrong terms, sorry)


PS: sorry for my English


Re: Proxy and requests queue

2012-09-17 Thread Alan DeKok
AemNet wrote:
  I've a question about the management of the queue in freeradius 2.1.12.

  Upgrade.

 Let's assume my server are used for local authentication for the realm
 mydomanin.org and proxy the request for the realm remote.org (a pool
 with a single home server). Let's assume also that max_servers and
 max_spare_server are sets correctly.

  Those thread settings have NOTHING to do with proxying.  You can proxy
requests even in single-threaded mode.

 What happens if the home server for the proxy takes too long to respond?

  The server handles it gracefully.

 The requests for the local side are ignored or have their own queue?

  The inputs & outputs are completely decoupled.  It would be a bad
design to tightly couple them.

 And
 if my proxy are used for different realm (remote1.org, remote2.org
 etc...) all with their own single home_server what happens if a remote
 home server takes too long to respond?

  The server handles it gracefully.

  Each request is handled separately from each other request, no matter
where it came from, and no matter where it was proxied to.  Each home
server is handled separately from each other home server.

 To make a long story short it's possible that a problem on a remote home
 server (that receives a huge number of requests) blocks the requests for
 my local server?

  No.

 I know this can be a stupid question but I didn't find an answer in the
 wiki or in the docs (probably I've searched in the wrong place or the
 wrong terms sorry)

  The short answer is that the server works, and doesn't do anything stupid.

  Alan DeKok.


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

 Today, I compiled with

 --with-openssl
 --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

 --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

 the path is in ld.so.conf, and ldd shows that linking against this new
 version works.
 
   Are you sure?  The openssl SEGV problem is almost always because you
 have two versions of OpenSSL installed.
 
   What is likely happening is that the compile stage is picking up the
 system-supplied OpenSSL include files.  The way to test this is to
 rename / move them, do the build, and then the install.
 
   If it now works, it was picking up OpenSSL X, and linking against
 OpenSSL Y.

Hm, okay... will do.

Stefan

 

Re:

2012-09-17 Thread Fajar A. Nugraha
On Mon, Sep 17, 2012 at 4:05 PM, QASIM RAO qasim2...@hotmail.com wrote:
 hi,

 i want to test performance of my radius server. can any body give me
 suggestion how i can perform performance test of my radius server. i have
 check some performance testing tools like (radlogin,radtest,Evolynx RADIUS
 Load Test tool) but they are not working according to my requirement i want
 to send bulk number of request including additional attributes i have
 included in my server.

There's radclient, included in the server. Handy when you want highly
customized attributes for each request.

There's also radperf: http://networkradius.com/radperf.html

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

 --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

   Are you sure?  The openssl SEGV problem is almost always because you
 have two versions of OpenSSL installed.

   What is likely happening is that the compile stage is picking up the
 system-supplied OpenSSL include files.  The way to test this is to
 rename / move them, do the build, and then the install.

   If it now works, it was picking up OpenSSL X, and linking against
 OpenSSL Y.
 
 Hm, okay... will do.

That was it indeed. Had to change the include path above to
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own. Now it works
like a charm (as usual :-) ).

Thanks!

Stefan

 
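A small diagnostic for the mismatch this thread tracks down (added example, not part of the FreeRADIUS build): it checks that openssl/opensslv.h exists under the directory given to --with-openssl-includes, since configure appends openssl/ itself, and that ldd resolves libssl from the --with-openssl-libraries directory. The opensslv.h content and the ldd line built in demo() are constructed.

```python
"""Check the OpenSSL headers a FreeRADIUS build will see against the libssl
the binary links, as diagnosed in this thread (added example, not
FreeRADIUS code). Inputs are the --with-openssl-includes and
--with-openssl-libraries directories and the text of `ldd radiusd`."""
import os
import re
import tempfile

# configure appends "openssl/" itself, so the header it needs is
# <include_dir>/openssl/opensslv.h. A path that already ends in "openssl"
# misses it and the compiler falls back to the system headers.
_VERSION_RE = re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"OpenSSL\s+(\S+)')
_LDD_LIBSSL_RE = re.compile(r"^\s*libssl\.so\S*\s*=>\s*(\S+)", re.MULTILINE)


def header_version(include_dir):
    """Version from <include_dir>/openssl/opensslv.h, or None if it is absent."""
    path = os.path.join(include_dir, "openssl", "opensslv.h")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        match = _VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def linked_libssl(ldd_output):
    """Path of the libssl the dynamic linker resolved, or None."""
    match = _LDD_LIBSSL_RE.search(ldd_output)
    return match.group(1) if match else None


def diagnose(include_dir, lib_dir, ldd_output):
    """Return a list of problems; empty means headers and library agree."""
    problems = []
    if header_version(include_dir) is None:
        problems.append("no openssl/opensslv.h under %s: the compile would pick "
                        "up the system headers instead" % include_dir)
    lib = linked_libssl(ldd_output)
    if lib is None:
        problems.append("ldd output shows no libssl at all")
    elif os.path.dirname(lib) != os.path.normpath(lib_dir):
        problems.append("libssl resolves to %s, outside %s" % (lib, lib_dir))
    return problems


def demo():
    """Constructed openssl-1.0.1c tree; try both include paths from the thread."""
    prefix = os.path.join(tempfile.mkdtemp(), "openssl-1.0.1c")
    include_dir, lib_dir = os.path.join(prefix, "include"), os.path.join(prefix, "lib")
    os.makedirs(os.path.join(include_dir, "openssl"))
    os.makedirs(lib_dir)
    with open(os.path.join(include_dir, "openssl", "opensslv.h"), "w") as fh:
        fh.write('# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012"\n')
    # Constructed ldd line: the binary did resolve libssl from the new prefix.
    ldd = "\tlibssl.so.1.0.0 => %s/libssl.so.1.0.0 (0x00007f0000000000)\n" % lib_dir
    wrong = diagnose(os.path.join(include_dir, "openssl"), lib_dir, ldd)  # first try
    right = diagnose(include_dir, lib_dir, ldd)                           # the fix
    return wrong, right
```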

users file case sensitive

2012-09-17 Thread Gregg Douglas
Hi,

Background:

FreeRadius Version: 2.1.1-7.10.1
Users are stored in LDAP, I am using the users file to assign static IP
Addresses to certain users.


It seems that the users file is case sensitive. I found a few articles on
the net regarding this, but none really supplied a definitive answer.

Is there a way to prevent the users file from being case sensitive? If
not, what is the recommended method to elegantly avoid this problem?

Regards
Gregg

Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2012, at 10:34, Stefan Winter stefan.win...@restena.lu wrote:

 Hi,
 
 --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
 
  Are you sure?  The openssl SEGV problem is almost always because you
 have two versions of OpenSSL installed.
 
  What is likely happening is that the compile stage is picking up the
 system-supplied OpenSSL include files.  The way to test this is to
 rename / move them, do the build, and then the install.
 
  If it now works, it was picking up OpenSSL X, and linking against
 OpenSSL Y.
 
 Hm, okay... will do.
 
 That was it indeed. Had to change the include path above to
 --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include
 
 because configure adds the openssl/ sub-path on its own. Now it works
 like a charm (as usual :-) ).
 
 Thanks!

Also you have a typo in your config, should be earli, assuming the 
Reply-Message is meant to be read with a piratey accent.

-Arran


Re: users file case sensitive

2012-09-17 Thread Phil Mayers

On 09/17/2012 11:00 AM, Gregg Douglas wrote:

Hi,

Background:

FreeRadius Version: 2.1.1-7.10.1
Users are stored in LDAP, I am using the users file to assign static
IP Addresses to certain users.


It seems that the users file is case sensitive, I found a few articles
on the net regarding this, but none really supplied a definitive answer.

Is there a way to prevent the users file from being case sensitive ? If
not, what is the recommended method to elegantly avoid this problem.


files myfiles {
  key = %{lower:%{User-Name}}
  ...
}

...or something similar.


max_queue_size 65536

2012-09-17 Thread Arran Cudbard-Bell
A friendly heads up.

The bug fixes item "Use max_queue_size in threading code" refers to an issue in 
the threading code where the value used to initialise the request queue was 
different to the value used to check when the max entries had been added into 
the queue, thus if you'd set the config item max_queue_size to something larger 
than 65536 and actually used more than that number of queue slots the server 
would crash.

This config item was previously undocumented so hopefully few people have 
altered it.

If you have and you're using a version < 2.2.0, please remove the config item 
to set it back to defaults, or set it to a value less than 65536.

-Arran


Re: generating ssl certs in debian squeeze

2012-09-17 Thread austin wonderly
did the trick, thanks :D (had been making a silly mistake with one of the
cert files)

On Sat, Sep 15, 2012 at 3:05 AM, Alan DeKok al...@deployingradius.comwrote:

 austin wonderly wrote:
  hello, thanks for the tip, although unfortunately im am still getting
  problems

   Google EAP-TLS freeradius gets you this link:

 http://freeradius.org/doc/EAPTLS.pdf

   Follow it, and it WILL WORK.

   The Wiki also contains documentation, and points to my web site:

 http://deployingradius.com/documents/configuration/eap.html

   Follow the instructions, and it will work.

   You've missed a step somewhere.  eapol_test is providing a client
 cert, signed by a CA unknown to FreeRADIUS.

   Alan DeKok.

Customization of RADIUS reply

2012-09-17 Thread Václav Pernica

Hello

I’m configuring FreeRADIUS together with the Oracle DB. I need to get the user 
authenticated and in the reply provide the parameter mailbox_fullname from 
the DB.
The Oracle DB has for my purpose only one view, which contains the following 
columns.

mailbox_id,mailbox_email,mailbox_fullname,mailbox_password

I created a new attribute in the dictionary:

ATTRIBUTE   Full-Mailbox-Name   3000   string

And customized the SQL queries as follows (dialup.conf):

   authorize_check_query = SELECT mailbox_id,mailbox_email,'Cleartext-Password',mailbox_password,':=' FROM ${authcheck_table} WHERE mailbox_email = '%{SQL-User-Name}' ORDER BY mailbox_id
   authorize_reply_query = SELECT mailbox_id,mailbox_email,'Full-Mailbox-Name',mailbox_fullname,':=' FROM ${authreply_table} WHERE mailbox_email = '%{SQL-User-Name}' ORDER BY mailbox_id

The user authentication works, however I need to have in the reply the value of 
“mailbox_fullname” from the DB query. Instead of it, there is nothing.  Could you 
please advise how to get in the reply “mailbox_fullname” for the corresponding 
mailbox_email?

Here is the sample radtest output, and in the attachment the full output from debug mode.

radtest -x a0012 password localhost 0 testing123

Sending Access-Request of id 26 to 127.0.0.1 port 1812
   User-Name = a0012
   User-Password = password
   NAS-IP-Address = 10.7.96.25
   NAS-Port = 0
   Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=26, length=20

Thanks a lot!
Vaclav


Re: Customization of RADIUS reply

2012-09-17 Thread Alan DeKok
Václav Pernica wrote:
 I’m configuring the FreeRADIUS together with the Oracle DB. I need to
 get the user authenticated and in the reply provide the parameter
 mailbox_fullname from the DB.

  Does the RADIUS client understand that attribute?

 The Oracle DB has for my purpose only one view which contains the
 following columns.
 
 mailbox_id,mailbox_email,mailbox_fullname,mailbox_password
 
 I created new attribute in dictionary:
 
 ATTRIBUTE   Full-Mailbox-Name   3000   string

  You need to read the comments in raddb/dictionary.  It explains how to
send new attributes in a RADIUS packet.

  Hint: you're doing it wrong.

  This is documented.

 The user authentication works, however I need to have in the reply the
 value of “mailbox_fullname” from DB query. Instead of it, there is
 nothing.  Could you please advise how to get in the reply
 “mailbox_fullname” for the corresponding mailbox_email?

  Read the file you edited:  raddb/dictionary

  Alan DeKok.

Re: Failed login lockout protection in FreeRADIUS

2012-09-17 Thread mr. s
For edification, for what it's worth.. Here's the question asked by the author of
the article I was referring to, and the answer from Alan D. --

Here’s my question and response from Alan T DeKok al...@freeradius.org about
this. You can check with him on more details if needed or send to the
mailing list.


 Does FR support an account lockout feature to block users after so many
failed password attempts?


  Yes.  It's not enabled in the default configuration, but you can make

*any* policy decision based on *any* data source, including logs.




Cheers -

On Fri, Sep 14, 2012 at 10:25 AM, Marinko Tarlać mangi...@gmail.com wrote:

 Nice option but please keep in mind that suspended routers can behave like
 a brute force attacker and you'll lock them too.


 On 14.9.2012 15:36, Phil Mayers wrote:

 On 14/09/12 13:57, mr. s wrote:

 Hello,

 I was reading an article in computer world comparing a few RADIUS
 servers.

 It said that FreeRADIUS had failed login lockout protection, however I
 can't find that particular verbiage in the FreeRADIUS documentation, FAQ
 or HowTos.


 What are you asking here? How to lock out a user after X failed logins?