Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

Here's one thing during make install that used to work, but now ceased.

In 2.x.x, there was an easy mechanism to prevent make install from generously copying config files into the target config directory. This worked by doing a

    mv raddb raddb-somestring

make install would not find the raddb directory and ignore it during install.

That was quite cool; I have a config dir which only contains files which are actually in use; like I don't have a users file. If raddb is in place during a make install, this would copy the default config files (a.k.a. random junk) into my production config.

Now, with 3.0.0 if I try the same trick, I get:

    # mv raddb raddb-noinst
    # make install
    scripts/boiler.mk:552: raddb/all.mk: No such file or directory
    make: *** No rule to make target `raddb/all.mk'. Stop.

I understand that the urgency of preserving existing config dirs is lower; due to the server not creating new modules in modules/ any more; these days, it can mess with mods-available as it likes.

But still, the hygiene I could apply to my config previously was nice. Any chance to get this back?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [ANN] Version 3.0.0-rc0
Stefan Winter wrote:

> Now, with 3.0.0 if I try the same trick, I get:
>
>     # mv raddb raddb-noinst
>     # make install
>     scripts/boiler.mk:552: raddb/all.mk: No such file or directory
>     make: *** No rule to make target `raddb/all.mk'. Stop.
>
> I understand that the urgency of preserving existing config dirs is lower; due to the server not creating new modules in modules/ any more; these days, it can mess with mods-available as it likes.
>
> But still, the hygiene I could apply to my config previously was nice. Any chance to get this back?

It's not simple. You can do:

    # mv raddb raddb-noinst
    # mkdir raddb
    # touch raddb/all.mk
    # make install

Two more commands, and it will still work.

Alan DeKok.
Re: 2.2.0 dhcp: regression
On 12.07.2013 19:07, Alan DeKok wrote:

>>> OK. But I'm not aware of any change in any code which will limit the number of sockets.
>>
>> 2.1.12 has not this issue with same Perl.
>
> OK. The rlm_perl module changed. It added some locks to avoid issues with Perl Clone and threads. Maybe you're running into lock contention. i.e. it worked in 2.1.12 by magic, because thread-specific structures were not locked properly. Adding locks makes it *correct*, but at the price of performance.

I've realized that my perl code is not supposed to open distinct syslog connection for each thread, as syslog() function is thread-safe per POSIX. The code connects to syslog in CLONE_SKIP() in hope it should be called only once per whole radiusd process life time.

I've added more debug to CLONE_SKIP and see it's called hundreds of times in my case. I've modified my code to call openlog() only once using private flag and solved my problem - every thread creates only one file descriptor (persistent DB connection) and I do not hit the limit of 1024.

Basically, I solved our problem but one question persists: why is CLONE_SKIP called many times at radiusd start time?

Eugene Grosbein
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

The errors for people upgrading from 2.x are a bit cryptic. Of course reading README.rst will solve it, but the initial complaints when just starting with -X are:

(I have user, group, and allow_core_dumps both on the top-level AND in the security subsection to have a config for 2.x and 3.x - this used to be okay, with the top-level entries simply ignored)

    main {
     security {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
     }
    /usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item user is deprecated
    /usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace user with group
    }

Here it complained about the top-level user - but suggesting to replace it with group?

After commenting out the user and group ones, I got to allow_core_dumps:

    main {
     security {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
     }
    /usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item allow_core_dumps is deprecated
    /usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace allow_core_dumps with (null)

Replace with null makes it look like the config parameter doesn't exist any more; while it simply moved into security { }.

Stefan
Re: 2.2.0 dhcp: regression
Eugene Grosbein wrote:

> Basically, I solved our problem but one question persists: why is CLONE_SKIP called many times at radiusd start time?

Because the rlm_perl module changed. It added code to *correctly* handle threads.

Alan DeKok.
Re: [ANN] Version 3.0.0-rc0
Hi,

On 15.07.2013 10:24, Alan DeKok wrote:

>     # mv raddb raddb-noinst
>     # mkdir raddb
>     # touch raddb/all.mk
>     # make install

that's easy enough, thanks!

Stefan
Re: [ANN] Version 3.0.0-rc0
On 15 Jul 2013, at 09:30, Stefan Winter stefan.win...@restena.lu wrote:

> Hi,
>
>> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.
>
> The errors for people upgrading from 2.x are a bit cryptic. Of course reading README.rst will solve it, but the initial complaints when just starting with -X are:

Ah! CONF_PARSER structs also have a data pointer, as well as the offset! Joy. I'll fix that.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: How to get vendor-specific attribute value pairs
As a short update on this topic - I thought it might be worth sharing the update since I've been successful in getting authorized via FR to privileged exec mode on a Netgear GSM7224P (F/W 1.0.1.21).

Netgear is based on Broadcom FASTPATH (MIBs tell so) - as do some Dell PowerConnect's and fortunately both CLI and behaviour are very close - they also behave quite similar to Cisco IOS CLI. Some documentation exists on the net how to get SSH login working with PowerConnects but I've not found real examples for Netgears.

I was successfully authorized to level 15 when I added an update reply section sending either / or:

- Cisco-AVPair:= shell:priv-lvl=15
- Service-Type = Administrative-User

It worked with both messages, I've once read that some newer Dells started preferring the second, less Cisco-centric, message but with Netgear's (currently) latest Firmware it seems working with both.

On the switch I had to configure radius server address and auth lists (actually Web UI have their own, httplist / httpslist) for Console/Telnet/SSH. I also had to set following line to get privilege level 15:

    aaa authorization exec default radius local *

That apparently was helping the switch to understand the message sent by FreeRADIUS.

I'll have to clean up things a little but at least this seems to be working now, no more clunky shared $enab15$ user required :-)

-- Mathieu

* Which is similar to Cisco's 'aaa authorization exec default group radius none' I found here - kudos to: http://lists.freeradius.org/pipermail/freeradius-users/2008-July/029800.html
Re: [ANN] Version 3.0.0-rc0
On 15 Jul 2013, at 10:04, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 15 Jul 2013, at 09:30, Stefan Winter stefan.win...@restena.lu wrote:
>
>> Hi,
>>
>>> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.
>>
>> The errors for people upgrading from 2.x are a bit cryptic. Of course reading README.rst will solve it, but the initial complaints when just starting with -X are:
>
> Ah! CONF_PARSER structs also have a data pointer, as well as the offset! Joy. I'll fix that.

Ok, fix pushed.

The deprecated items stuff is pretty dumb. If the current config item is deprecated, it just looks at the next in the CONFIG_PARSER struct and checks to see if the offset and now data pointers are the same, and if they are it prints out the 'Replace x with y' message.

It will not, for example, tell you to move config items into new nested sections.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
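The lookup described in the message above, as an added example that is not part of the original thread and is not FreeRADIUS code: a simplified model of the "look at the next table entry" check, run once comparing the offset alone and once comparing offset and data pointer. The struct, its field names and the sample table are hypothetical, and it is an assumption that top-level items are bound through the data pointer with the offset left at 0.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for one entry of a config parser table.
 * All names here are hypothetical, not FreeRADIUS definitions. */
typedef struct {
    const char *name;   /* NULL marks the end of the table */
    int deprecated;     /* non-zero: item still parses, but warns */
    size_t offset;      /* offset into a module instance struct, or 0 */
    void *data;         /* pointer to a global variable, or NULL */
} conf_item_t;

struct instance { int reserved; int timeout; };  /* constructed sample */

/* Globals the top-level items point at (assumption: such items are
 * bound through 'data' and leave 'offset' at 0). */
static char *uid_name, *gid_name;
static int allow_core_dumps;

/* Constructed sample table: one genuine rename, then three deprecated
 * top-level items whose real replacements live in a nested section. */
static const conf_item_t top_level[] = {
    { "old_timeout",      1, offsetof(struct instance, timeout), NULL },
    { "timeout",          0, offsetof(struct instance, timeout), NULL },
    { "user",             1, 0, &uid_name },
    { "group",            1, 0, &gid_name },
    { "allow_core_dumps", 1, 0, &allow_core_dumps },
    { NULL,               0, 0, NULL }
};

/* Decide whether the entry after table[i] is reported as its replacement.
 * compare_data == 0 models a check on the offset alone; compare_data == 1
 * also requires equal data pointers, as the message describes.
 * Returns 1 and stores the next entry's name, which is NULL when the next
 * entry is the table terminator. */
static int find_replacement(const conf_item_t *table, size_t i,
                            int compare_data, const char **replacement)
{
    const conf_item_t *cur = &table[i];
    const conf_item_t *next;

    *replacement = NULL;
    if (cur->name == NULL || !cur->deprecated) return 0;
    next = cur + 1;     /* safe: cur is not the terminator */
    if (cur->offset != next->offset) return 0;
    if (compare_data && cur->data != next->data) return 0;
    *replacement = next->name;
    return 1;
}

/* Print the warnings a startup run would show for every deprecated item. */
static void report(const conf_item_t *table, int compare_data)
{
    const char *repl;
    size_t i;

    for (i = 0; table[i].name != NULL; i++) {
        if (!table[i].deprecated) continue;
        printf("Configuration item %s is deprecated\n", table[i].name);
        if (find_replacement(table, i, compare_data, &repl))
            printf("Replace %s with %s\n", table[i].name,
                   repl ? repl : "(null)");
    }
}

int main(void)
{
    puts("-- offset compared alone --");
    report(top_level, 0);
    puts("-- offset and data pointer compared --");
    report(top_level, 1);
    return 0;
}
```

With the offset compared alone, the model reproduces both messages quoted earlier in the thread; with the data pointer included, only the genuine rename still produces a hint, and nothing points the reader to the nested section.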
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

I must be missing something pretty obvious, so sorry if the below question is just noise...

I'll have to replace my sql_log instances with rlm_sql_null (*sniff*). So as I was in the process of re-writing the first instance config, I stumbled over the 2.x parameter:

    sql_log sql-relay-acct-vpn {
        path = ${radacctdir}/sql-relay-common
        ...
    }

Which is useful for knowing where the text file with the queries ends up.

And in 3.0.0-rc0 ... there is no such thing?!? Or I just don't get it. mods-available/sql speaks of setting null and dialect to mysql - and the dialect config doesn't have file names. The only filename I see in the sql config is sqltracefile. Maybe that's it, but with that parameter description, the semantics would be a rather horrible mismatch.

NB: README.rst doesn't mention the death of sql_log nor that sql (null) is its replacement.

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
On 15 Jul 2013, at 10:30, Stefan Winter stefan.win...@restena.lu wrote:

> Hi,
>
>> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.
>
> I must be missing something pretty obvious, so sorry if the below question is just noise...
>
> I'll have to replace my sql_log instances with rlm_sql_null (*sniff*). So as I was in the process of re-writing the first instance config, I stumbled over the 2.x parameter:
>
>     sql_log sql-relay-acct-vpn {
>         path = ${radacctdir}/sql-relay-common
>         ...
>     }
>
> Which is useful for knowing where the text file with the queries ends up.
>
> And in 3.0.0-rc0 ... there is no such thing?!? Or I just don't get it. mods-available/sql speaks of setting null and dialect to mysql - and the dialect config doesn't have file names. The only filename I see in the sql config is sqltracefile. Maybe that's it, but with that parameter description, the semantics would be a rather horrible mismatch.
>
> NB: README.rst doesn't mention the death of sql_log nor that sql (null) is its replacement.

It's logfile, which google reveals to be a valid portmanteau, despite my dislike for it.

Just looking at the code, there's some slightly weird behaviour which I'm going to fix now. If no section logfile was specified it'd default to the main logfile. This would mean that if you just wanted to log autz queries, you have to specify logfiles for acct and post-auth.

The new logic just uses the logfile associated with the section. If you want to log autz queries, use logfile in the main sql instance section, if you want to log acct queries, use logfile in accounting, if you want to log post-auth queries use logfile in post-auth. If you want to use the same logfile for everything, reference it from acct and post-auth.

I'll double check the default configs to make sure they list it and update the documentation.

Thanks for reporting this.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: [ANN] Version 3.0.0-rc0
On 15 Jul 2013, at 11:10, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 15 Jul 2013, at 10:30, Stefan Winter stefan.win...@restena.lu wrote:
>
>> Hi,
>>
>>> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.
>>
>> I must be missing something pretty obvious, so sorry if the below question is just noise...
>>
>> I'll have to replace my sql_log instances with rlm_sql_null (*sniff*). So as I was in the process of re-writing the first instance config, I stumbled over the 2.x parameter:
>>
>>     sql_log sql-relay-acct-vpn {
>>         path = ${radacctdir}/sql-relay-common
>>         ...
>>     }
>>
>> Which is useful for knowing where the text file with the queries ends up.
>>
>> And in 3.0.0-rc0 ... there is no such thing?!? Or I just don't get it. mods-available/sql speaks of setting null and dialect to mysql - and the dialect config doesn't have file names. The only filename I see in the sql config is sqltracefile. Maybe that's it, but with that parameter description, the semantics would be a rather horrible mismatch.
>>
>> NB: README.rst doesn't mention the death of sql_log nor that sql (null) is its replacement.
>
> It's logfile, which google reveals to be a valid portmanteau, despite my dislike for it.
>
> Just looking at the code, there's some slightly weird behaviour which I'm going to fix now. If no section logfile was specified it'd default to the main logfile. This would mean that if you just wanted to log autz queries, you have to specify logfiles for acct and post-auth.
>
> The new logic just uses the logfile associated with the section. If you want to log autz queries, use logfile in the main sql instance section, if you want to log acct queries, use logfile in accounting, if you want to log post-auth queries use logfile in post-auth. If you want to use the same logfile for everything, reference it from acct and post-auth.
>
> I'll double check the default configs to make sure they list it and update the documentation.

Fixes pushed for behaviour, and to fixup the default config files.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Fwd: radiusclient-ng in Debian
I just opened this report against radiusclient-ng in Debian (see below), can anybody else comment on the situation, in particular, for compatibility? Is there any urgency for Debian to update to the new client code?

I think the wiki page referenced below is not up to date, it refers to a CVS repository but it appears that the client code is not in github

Also, is anybody aware of C++ wrappers for this code or a C++ alternative?

-------- Original Message --------
Subject: radiusclient-ng in Debian
Date: Mon, 15 Jul 2013 14:41:54 +0200
From: Daniel Pocock dan...@pocock.com.au
To: Debian Bug Tracking System sub...@bugs.debian.org

Package: libradiusclient-ng2
Version: 0.5.6-1.1
Severity: normal

I've just read through the wiki at: http://wiki.freeradius.org/glossary/Radiusclient

If I understand correctly,

a) freeradius-client is the continuation of radiusclient-ng (which was the continuation of a previous project)
b) it is not a fork of the previous projects
c) it should be compatible (or almost compatible) with code that was built for radiusclient-ng
d) it is NOT built from the main FreeRADIUS source tree or repository, it is built from a standalone repository

Therefore, this leaves me feeling that Debian should drop the libradiusclient-ng2 package and distribute FreeRADIUS client instead and there will be no significant side-effects of doing so.
client code for long extended attributes?
Can anybody comment on which client code should be used for long extended attributes?

I see that the freeradius-client project predates RFC 6929.

Is there any module in the server project that provides a good example of using these long values from requests?
Re: [ANN] Version 3.0.0-rc0
Hi,

>> I'll double check the default configs to make sure they list it and update the documentation.
>
> Fixes pushed for behaviour, and to fixup the default config files.

Good news! Just wondering: the files being written to are properly locked, thread waits for the lock - right?

I have several instances of sql_log which all write to the same file, so converting them needs to keep that up.

Other than those issues, I now have a server which at least starts up with my half-converted config. A couple of legacy warnings and a non-suggested directory structure, but it works!

I'll now start issuing actual requests for all my vservers.

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
On 15 Jul 2013, at 15:13, Stefan Winter stefan.win...@restena.lu wrote:

> Hi,
>
>>> I'll double check the default configs to make sure they list it and update the documentation.
>>
>> Fixes pushed for behaviour, and to fixup the default config files.
>
> Good news! Just wondering: the files being written to are properly locked, thread waits for the lock - right?

Yes.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_sql/sql.c#L473

> I have several instances of sql_log which all write to the same file, so converting them needs to keep that up.

That should be fine.

> Other than those issues,

Or non issues :)

> I now have a server which at least starts up with my half-converted config. A couple of legacy warnings and a non-suggested directory structure, but it works!

Excellent, that's good to hear.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Fwd: radiusclient-ng in Debian
Daniel Pocock wrote:

> I just opened this report against radiusclient-ng in Debian (see below), can anybody else comment on the situation, in particular, for compatibility? Is there any urgency for Debian to update to the new client code?

It has a number of bugs fixed. The old radiusclient-ng code is no longer maintained.

> I think the wiki page referenced below is not up to date, it refers to a CVS repository but it appears that the client code is not in github

It's on github, as freeradius-client.

> Also, is anybody aware of C++ wrappers for this code or a C++ alternative?

Nope. C++? What's that? :)

Alan DeKok.
Re: client code for long extended attributes?
Daniel Pocock wrote:

> Can anybody comment on which client code should be used for long extended attributes?
>
> I see that the freeradius-client project predates RFC 6929.

By a LONG ways.

There's no client code for the extended attributes. The RFC was just published. So far as I know, FreeRADIUS is the only open source RADIUS system which supports it.

> Is there any module in the server project that provides a good example of using these long values from requests?

src/lib/radius.c is the RADIUS encoder / decoder.

Alan DeKok.
Re: [again] Error [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Holger Wesser wrote:

> I've googled a while and found different solutions for the error message:
>
>     [mschap] No Cleartext-Password configured. Cannot create LM-Password.

There's only one solution: give the server a known good password. e.g. Cleartext-Password, or NT-Password.

> What I've done is, to establish the following setup: Debian 7.1, Samba3, OpenLDAP and freeradius 2.1.12 (everything on the same machine). A VPN gateway forwards the authentication requests to the freeradius-server.

PLEASE use radiusd -X as suggested everywhere. The additional -x is not needed, and is just annoying.

> The relevant output is:
>
>     [ldap] performing search in dc=example,dc=com, with filter (uid=testuser)
>     [ldap] Added User-Password = {SSHA}xx in check items

SSHA passwords are fundamentally incompatible with MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: radiusclient-ng in Debian
Can M.I.T. model stats for a regional mental health service to act as a 3d shape that can represent an average that can be superimposed on other 3d models of other health services to check for odd variation. I had a consultant offer me uncompiled raw stats to prove regularity of diagnosis when he thought I could do nothing with them.

On Mon, Jul 15, 2013 at 1:48 PM, Daniel Pocock dan...@pocock.com.au wrote:

> I just opened this report against radiusclient-ng in Debian (see below), can anybody else comment on the situation, in particular, for compatibility? Is there any urgency for Debian to update to the new client code?
>
> I think the wiki page referenced below is not up to date, it refers to a CVS repository but it appears that the client code is not in github
>
> Also, is anybody aware of C++ wrappers for this code or a C++ alternative?
>
> -------- Original Message --------
> Subject: radiusclient-ng in Debian
> Date: Mon, 15 Jul 2013 14:41:54 +0200
> From: Daniel Pocock dan...@pocock.com.au
> To: Debian Bug Tracking System sub...@bugs.debian.org
>
> Package: libradiusclient-ng2
> Version: 0.5.6-1.1
> Severity: normal
>
> I've just read through the wiki at: http://wiki.freeradius.org/glossary/Radiusclient
>
> If I understand correctly,
>
> a) freeradius-client is the continuation of radiusclient-ng (which was the continuation of a previous project)
> b) it is not a fork of the previous projects
> c) it should be compatible (or almost compatible) with code that was built for radiusclient-ng
> d) it is NOT built from the main FreeRADIUS source tree or repository, it is built from a standalone repository
>
> Therefore, this leaves me feeling that Debian should drop the libradiusclient-ng2 package and distribute FreeRADIUS client instead and there will be no significant side-effects of doing so.
Re: Fwd: radiusclient-ng in Debian
On 15/07/13 21:51, Alan DeKok wrote:

> Daniel Pocock wrote:
>
>> I just opened this report against radiusclient-ng in Debian (see below), can anybody else comment on the situation, in particular, for compatibility? Is there any urgency for Debian to update to the new client code?
>
> It has a number of bugs fixed. The old radiusclient-ng code is no longer maintained.

I'm in the pkg-voip group at Debian so I can potentially package this new version of the library

>> I think the wiki page referenced below is not up to date, it refers to a CVS repository but it appears that the client code is not in github
>
> It's on github, as freeradius-client.

Ok, my mistake, I did see it in github - it was just a wiki issue

>> Also, is anybody aware of C++ wrappers for this code or a C++ alternative?
>
> Nope. C++? What's that? :)

That's what we use in reSIProcate - we have a very basic wrapper for rlm_digest auth:

https://svn.resiprocate.org/viewsvn/resiprocate/main/rutil/RADIUSDigestAuthenticator.cxx?view=markup

We have a GSoC student helping us out this summer and he will probably have a go at generalising that code to work with rlm_hmac (for STUN/TURN) as well as existing SIP support. It may be possible for us to contribute the most general part of our solution back to the client library project