Useful values from documentation are hardcoded

2013-02-06 Thread Dario Šafar

Hi,

I'm using the latest freeradius 2.2.0 built from source.

I have one simple question about Useful values that are given in 
documentation of freeradius proxy.conf file. Especially ones considering 
alive/zombie/dead times.


I was trying to set up server to have 1 second revive_interval but to my 
surprise it was always 60 secs. Then I checked the source code and in 
realms.c file I've found:


if (home->revive_interval < 60) home->revive_interval = 60;
if (home->revive_interval > 3600) home->revive_interval = 3600;

So the Useful values aren't really useful but mandatory values.

Is it possible these restrictions would be removed? It would allow the 
user to set revive_interval (or any other variable value) to 1 sec if he 
chooses, without the need to build from edited source every time new 
version of freeradius is released.


Best regards,

Dario
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS performance Issue

2013-02-06 Thread QASIM RAO

Hi,
I am performing a performance test on my RADIUS server and having a problem in 
result...
 i am using java code for sending 100 concurrent requests on my RADIUS server in 
log i got some chunks taking so much time more than 3 seconds and remaining 
requests are taking normal time less than 1 minute. i test after reducing no of 
request... over all time reduces but chunks are still there.. :(
and also mysql is establishing too many connections around 60 to 70 
connections... :(

Please help me in this..


Regards:
Rao Qasim

free radius output attributes configuration

2013-02-06 Thread Lakshmi Narayana Baliah
Hi All,

How can I configure output attributes in FreeRADIUS?
How do I do that? Please help.
 

Thanks
Lakshmi




Disclaimer: This message and the information contained herein is proprietary 
and confidential and subject to the Tech Mahindra policy statement, you may 
review the policy at http://www.techmahindra.com/Disclaimer.html externally and 
http://tim.techmahindra.com/tim/disclaimer.html internally within Tech Mahindra.



Re: pb with realm

2013-02-06 Thread Phil Mayers

On 06/02/13 10:03, Hocine M wrote:

> Hi,
>
> I have a problem with some users proxied.
>
> In the accounting-request the username is stripped and realm is NULL.
>
> Why is the realm lost?


The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:



rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
id=223, length=182
	User-Name = "pierre.dupont\000"


...which you then send back to the NAS:


Sending Access-Accept of id 13 to 192.168.58.5 port 20007
	User-Name = "pierre.dupont\000"


You can (and indeed, should) use a piece of unlang to re-insert / 
validate the realm in this case; we have this config:


post-proxy {

    # Clean up the reply username
    if (proxy-reply:User-Name =~ /^(.*)@.*/) {
        # rewrite user@anything to user@theauthrealm
        # i.e. we don't trust the reply realm
        update proxy-reply {
            User-Name := "%{1}@%{Realm}"
        }
    }
    elsif (proxy-reply:User-Name) {
        # no '@', i.e. no realm in the reply username:
        # append the realm used for forwarding
        update proxy-reply {
            User-Name := "%{proxy-reply:User-Name}@%{Realm}"
        }
    }
    else {
        # no reply username at all: add one
        update proxy-reply {
            User-Name := "%{request:User-Name}"
        }
    }
}
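The three post-proxy branches in the reply above, modelled in Python as an added example (not Phil Mayers' config and not FreeRADIUS code) so the rewrite can be checked against sample values; the realm and usernames are constructed, and the model additionally strips trailing NUL bytes like the \000 in the Access-Accept shown above.

```python
import re

# Added example (not Phil Mayers' config, not FreeRADIUS code): a Python model
# of the post-proxy unlang in the reply above. The home server's reply realm is
# not trusted; whatever comes back is rewritten to the realm the request was
# actually forwarded under, so the NAS never sees a bare username.

REALM_RE = re.compile(r"^(.*)@.*")   # same pattern as the unlang condition


def canonical_reply_username(reply_username, realm, request_username):
    """Return the User-Name that should go back to the NAS.

    reply_username   User-Name from the proxy reply, or None if absent
    realm            the Realm the suffix module chose for forwarding
    request_username User-Name from the original Access-Request

    Mirrors the three unlang branches:
      1. reply holds user@anything -> user@realm (reply realm discarded)
      2. reply holds a bare user   -> user@realm
      3. reply has no User-Name    -> echo the request's User-Name
    """
    if reply_username is not None:
        # Addition over the unlang: drop trailing NULs such as the \000 in
        # the "pierre.dupont\000" Access-Accept shown in the thread.
        reply_username = reply_username.rstrip("\x00")
    if reply_username:
        m = REALM_RE.match(reply_username)
        if m:
            # greedy (.*) keeps everything before the last '@', as the regex does
            return f"{m.group(1)}@{realm}"
        return f"{reply_username}@{realm}"
    return request_username
```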


Re: free radius output attributes configuration

2013-02-06 Thread Russell Mike
What are output attributes?


On Wed, Feb 6, 2013 at 10:19 AM, Lakshmi Narayana Baliah 
lb0074...@techmahindra.com wrote:

> Hi All,
>
> How can I configure output attributes in FreeRADIUS?
> How do I do that? Please help.
>
>
> Thanks
> Lakshmi


Re: free radius output attributes configuration

2013-02-06 Thread Iliya Peregoudov
rlm_sql does not support SQL parameter binding, neither input nor 
output. Specifically, the rlm_sql xlat (i.e. %{sql: ...}) returns the number of 
rows affected for insert/update/delete, and returns the result of a single-row, 
single-column select.


So your only option is a function called inside a select from dual:

   if ("%{sql: select func('%{User-Name}') from dual}") {
      ...
   }

On 06.02.2013 14:19, Lakshmi Narayana Baliah wrote:

> Hi All,
>
> How can I configure output attributes in FreeRADIUS?
> How do I do that? Please help.



Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Matthew Newton
On Tue, Feb 05, 2013 at 05:18:13PM +, Kelly Roestel wrote:
> If you look at the detailed format, these string attributes are 
> enclosed.  But there seems to be no option in linelog module.

linelog {
  ...
  format = "\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""
  ...
}


Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Degradation of service when authentication fails with Windows AD

2013-02-06 Thread Antonio Alberola
Hi,

>> I'm having random authentication failures and I think they are due to 
>> a Radius server internal failure. I use Radius for authenticating the 
>> email of users in Windows Active Directory via PAM. Before I used NTLM 
>> and Kerberos together, and now I use PAM.
>
> This is confusing. FreeRADIUS is calling the pam module, yes? So what is
> the PAM stack calling?

That's correct. I need RADIUS for authenticating POSTFIX users because the
authentication depends on the POSTFIX users, via PAM (WINDOWS AD) or UNIX
account. I also have many WINDOWS Domains and we need to send the credentials to
the correct one.

> In short: the problem you are experiencing with FreeRADIUS is because
> your authentication mechanism (PAM) is taking too long to respond.
> This is consuming all threads in the pool, which explains the log messages
> you see. 
>
> Fix the PAM stack to fail over properly, and this problem will go away.

I understand that the PAM mechanism is slow, some domains more than others.
But, I don't understand why RADIUS doesn't clean this request with some
timeout mechanisms. It's very simple to create a script for crashing the
server with a DoS attack. I need a configuration parameter to deny the
request if the PAM module doesn't respond on time.
Why is the RADIUS server accepting duplicate requests for queries that have
already been sent to it? This is the cause of all threads being busy, correct?



Re: Degradation of service when authentication fails with Windows AD

2013-02-06 Thread Phil Mayers

On 06/02/13 12:19, Antonio Alberola wrote:


> I understand that the PAM mechanism is slow, some domains more than others.
> But, I don't understand why RADIUS doesn't clean this request with some
> timeout mechanisms. It's very simple to create a script for crashing the
> server with a DoS attack. I need a configuration parameter to deny the
> request if the PAM module doesn't respond on time.


The PAM APIs are synchronous, and don't offer timeout options. It's not 
possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.


Don't use PAM, it's not suitable for your needs. Use ntlm_auth, and 
FreeRADIUS can timeout the call.




> Why is the RADIUS server accepting duplicate requests for queries that have
> already been sent to it? This is the cause of all threads being busy, correct?


No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process 
them, because they're duplicates. But it logs them, because duplicates 
are a symptom of too-slow authentication.



Re: FreeRADIUS performance Issue

2013-02-06 Thread Alan DeKok
QASIM RAO wrote:
> I am performing a performance test on my RADIUS server and having a
> problem in result...
>
>  i am using java code for sending 100 concurrent requests on my RADIUS
> server in log i got some chunks taking so much time more than 3 seconds

  It's not a problem with FreeRADIUS.  If you configure FreeRADIUS with
only the users file, it can easily do 50K to 100K packets per second.

> and also mysql is establishing too many connections around 60 to 70
> connections... :(

  The problem is your database.  Fix it.  You probably don't have
indexes, or something else is wrong.

  You've made FreeRADIUS depend on MySQL, and then made MySQL slow.  So
when FreeRADIUS can't do its job, don't blame FreeRADIUS.

  Alan DeKok.


Re: session management

2013-02-06 Thread Alan DeKok
Suresh Kumar Subramanian wrote:
> I am a newbie and I have a couple of questions in the free radius.

  Your questions were already answered.  See the list archives.

  If you're going to post questions here, it helps to read the replies.

  Alan DeKok.


Re: Useful values from documentation are hardcoded

2013-02-06 Thread Alan DeKok
Dario Šafar wrote:
> Hi,
>
> I'm using the latest freeradius 2.2.0 built from source.
>
> I have one simple question about Useful values that are given in
> documentation of freeradius proxy.conf file. Especially ones considering
> alive/zombie/dead times.
>
> I was trying to set up server to have 1 second revive_interval

  Why?  That is the same as *never* marking it dead.

> but to my
> surprise it was always 60 secs. Then I checked the source code and in
> realms.c file I've found:
>
> if (home->revive_interval < 60) home->revive_interval = 60;
> if (home->revive_interval > 3600) home->revive_interval = 3600;
>
> So the Useful values aren't really useful but mandatory values.

  Yes.

> Is it possible these restrictions would be removed? It would allow the
> user to set revive_interval (or any other variable value) to 1 sec if he
> chooses, without the need to build from edited source every time new
> version of freeradius is released.

  I would ask why you need this change.  The goal of the default
configuration is to ensure that the RADIUS system as a whole is stable.
 Sure, you can butcher it to cause the server to do all kinds of crazy
things.  But that usually will destroy *other* RADIUS servers.

  Alan DeKok.

Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Kelly Roestel
Matthew,

Yes that works.  However, if the attribute is empty there will still be 
quotes in the csv file.

Example.

using format = 
"\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""

would yield "x.x.x.x","station-x","Kelly"

if %{Calling-Station-Id} was null this format would yield 
"x.x.x.x","","Kelly".

I would like to have a blank attribute not insert quotes.  So my desired 
format would be "x.x.x.x",,"Kelly"

Thanks for the help so far.

Kelly


Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Alan DeKok
Kelly Roestel wrote:
> Yes that works.  However, if the attribute is empty there will still be 
> quotes in the csv file.

  If you want generic string manipulation code, use a real programming
language.  Or, write a csv module to do what you want.

  The linelog module is intended to write *lines of text*.  That is,
strings.  It is *not* intended to write carefully formatted CSV files.
It cannot be made to do that, as CSV files are not simple text strings.

  Alan DeKok.
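An added example (not FreeRADIUS or linelog code) of the point in the two replies above: the quoted linelog format from Matthew's message beside the "real programming language" version Kelly asked for, and a check that each line parses back to its fields. The attribute values are constructed.

```python
import csv

# Added example, not FreeRADIUS or linelog code: why a fixed linelog format
# string cannot produce robust CSV, and what the "real programming language"
# version looks like. Attribute values below are constructed.


def linelog_style(values):
    """Emulate the quoted format from the thread,
    "%{Client-IP-Address}","%{Calling-Station-Id}","%{User-Name}":
    every field is wrapped in quotes, empty ones included, nothing is escaped."""
    return ",".join(f'"{v}"' for v in values)


def csv_quoted(values):
    """Kelly's desired output: empty fields unquoted, non-empty fields quoted,
    with embedded quotes doubled as RFC 4180 requires."""
    return ",".join('"' + v.replace('"', '""') + '"' if v else "" for v in values)


def parses_back(line, values):
    """True if a CSV reader recovers the original fields from `line`."""
    return next(csv.reader([line])) == list(values)


SAMPLE = ["192.0.2.10", "", "Kelly"]              # empty Calling-Station-Id
AWKWARD = ["192.0.2.10", 'AA-BB,"CC"', "Kelly"]   # comma and quotes in a field
```

A Calling-Station-Id containing a comma or a quote is where the fixed format string breaks: the line is still written, but it no longer parses back into three fields.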


RADIUS authentication using MS-CHAP - no cleartext password configured error

2013-02-06 Thread Deepti kulkarni
I have a windows client trying to set up L2TP tunnel with my linux router.
The linux router talks with the RADIUS server. The authentication is
failing because the request is using MS-CHAP and my server cannot handle
MS-CHAP. I am not sure what is missing from the configuration on the
server. I have the cleartext password in the users file for the temp user
I am trying to authenticate. Following is the debug output -

rad_recv: Access-Request packet from host 10.1.0.33 port 46487, id=142,
length=140
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "temp"
	MS-CHAP-Challenge = 0xa71f9d0753274da79dfe6f0eb2c1b693
	MS-CHAP2-Response =
0xea00de5395669cc1880bf8b0020b2b96b423fada537f1a8f3b12453fc739d08219f28644ccfb11ba0225
	Calling-Station-Id = "l2tp"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = temp, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: temp
[mschap] Told to do MS-CHAPv2 for temp with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [temp] (from client temp-radius port 0 cli l2tp)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> temp
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 142 to 10.1.0.33 port 46487
Waking up in 4.9 seconds.
Cleaning up request 4 ID 142 with timestamp +1310
Ready to process requests.

Re: RADIUS authentication using MS-CHAP - no cleartext password configured error

2013-02-06 Thread Alan DeKok
Deepti kulkarni wrote:
> I have a windows client trying to set up L2TP tunnel with my linux
> router. The linux router talks with the RADIUS server. The
> authentication is failing because the request is using MS-CHAP and my
> server cannot handle MS-CHAP. I am not sure what is missing from the
> configuration on the server. I have the cleartext password in the users
> file for the temp user I am trying to authenticate. 

  No, you don't.  Read the debug output:

> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok

  What's on line 172?

  The FAQ contains instructions for adding test accounts to the users
file.  Follow the FAQ.

  Alan DeKok.