Re: radgroupcheck attributes and test client

2013-05-06 Thread Russell Mike
On Sun, May 5, 2013 at 6:51 PM, ch2...@arcor.de wrote:


 From: Russell Mike radius@gmail.com

  You said same setup is working with Coovachilli, same groups / profiles?
  Else cross check your reply & check items, if in place. If FR groups are
  same check NAS side.
  Thanks

 I'll check reply and check items when I'm in office again, but I'm quite
 sure they are the same.

 How can I check NAS side?


Documentation will tell


 One is Coovachilli, the other is a radius test client (NTRadPing and
 Radius Test Rig Utility)


You need to create a NAS entry in MySQL or in a file for the IP address of the
machine from which you would run NTRadPing.


 Thank you!

 Chris
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radgroupcheck attributes and test client

2013-05-05 Thread Russell Mike
You said same setup is working with Coovachilli, same groups / profiles?
Else cross check your reply & check items, if in place. If FR groups are
same check NAS side.
Thanks

On Friday, May 3, 2013, wrote:

 Hi,

 From: Russell Mike radius@gmail.com

  FR should be able to know if the allowed time used / consumed before it can
  deny request. have you setup rlm_sqlcounter ?

 Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess
 it is a client issue.

 Chris

Re: radgroupcheck attributes and test client

2013-05-05 Thread ch2009

From: Russell Mike radius@gmail.com

 You said same setup is working with Coovachilli, same groups / profiles?
 Else cross check your reply & check items, if in place. If FR groups are
 same check NAS side.
 Thanks

I'll check reply and check items when I'm in office again, but I'm quite sure 
they are the same.

How can I check NAS side? One is Coovachilli, the other is a radius test client
(NTRadPing and Radius Test Rig Utility)

Thank you!

Chris


radgroupcheck attributes and test client

2013-05-03 Thread ch2009
All,

I'm a newbie in radius.

I've setup freeradius with mySQL and max-daily-session. When I set 
max-daily-session := 10 in radgroupcheck table, a user of this group can login 
(accept packet after authentication), even if he already has been logged in for 
10 seconds before. I'm using NTRadPing and Radius Test Rig Utility as a client.
I've sent accounting packages. Radacct table got populated (beginning and end 
of session, no octets).

Is it a client issue? Must NTRadPing send any additional parameters?

Any help is appreciated.

Chris


Re: radgroupcheck attributes and test client

2013-05-03 Thread Russell Mike
FR should be able to know if the allowed time used / consumed before it can
deny request. have you setup rlm_sqlcounter ?

Thanks RM --


On Fri, May 3, 2013 at 7:49 AM, ch2...@arcor.de wrote:

 All,

 I'm a newbie in radius.

 I've setup freeradius with mySQL and max-daily-session. When I set
 max-daily-session := 10 in radgroupcheck table, a user of this group can
 login (accept packet after authentication), even if he already has been
 logged in for 10 seconds before. I'm using NTRadPing and Radius Test Rig
 Utility as a client. I've sent accounting packages. Radacct table got
 populated (beginning and end of session, no octets).

 Is it a client issue? Must NTRadPing send any additional parameters?

 Any help is appreciated.

 Chris

Re: radgroupcheck attributes and test client

2013-05-03 Thread ch2009
Hi,

From: Russell Mike radius@gmail.com

 FR should be able to know if the allowed time used / consumed before it can
 deny request. have you setup rlm_sqlcounter ?

Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess it 
is a client issue.

Chris


Re: Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-24 Thread Alan DeKok
Okis Chuang wrote:
 Yes, I'm under this slow performance trouble now
 Actually I tried let it not going into jradius and completing my easy job
 only in FreeRADIUS yesterday. And it did it well.
 It can finish 1 auth request in 13 sec.

  Exactly.

 However, our goal is more than that ... the brief situation is that user
 will be redirected to our captive portal during pre-auth if they got IP
 address, then doing UAM authentication by web portal to our policy manager
 server(built in FreeRADIUS+JRadius). 

  If your requirement is more than 30 authentications per second, then
you can't do a java policy manager.

  Java is nice for some things.  It's *not* the right choice for fast
network traffic.

 We'll do some policy based control with our WiFi gateway like CoA request.
 Then would do subscribers' accounting processing(identify some attributes in
 accounting packet then modify its value then send to backend acct server).

  The server can originate CoA packets.  See Fajar's message.

 So supposed I stop using jradius, what kinds of module would you recommend
 me to fulfill these jobs such as that? 

  It depends on what you want to do.

 Or actually FreeRADIUS can satisfy it by itself? Can it send CoA request to
 WiFi gateway after receiving some predefined attribute value with web portal
 while it sending access request to FreeRADIUS? I plan to make it become a
 policy manager.

  FreeRADIUS *is* a policy manager.  That's what it does.

  Alan DeKok.


Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-23 Thread Chuang Okis
Hi all,

Have anyone test the performance about FreeRADIUS+jRadius on authentication?

I recently did several numbers of load test with radclient in FreeRADIUS.
I used radclient -c 1 to attack my radius server(with jradius), and found
that the results are pretty bad...
The call per second was approximately under 50...
however I tried without jradius, just files in FreeRADIUS for auth, then
result is 1 request with 13 seconds. Honestly, the gap shocks me..

my environment is:
FreeRADIUS 2.2.0
JRadius 1.1.4
jdk 1.7
rlm_jradius TCP Socket: 128
jradius threads: 100

The test was just for authentication load test from gateway to radius server.
My jradius handler would just do some easy string splitting for one VSA.
Does this be the most probable factor causing the slow processing? Even
though I doubt it...

Then I did some interesting test later...
I left my handler empty but still let traffic get into jradius handler through
rlm_jradius by TCP socket.
The result has improved a bit even though not at our level of acceptance..
Its TPS (Transaction Per Seconds) improved from 30 to 300 approximately.

Hence, I'm guessing the bottleneck may be the process of rlm_jradius
communication.
Does anyone get any help or recommendation??
Or any other performance tuning tips I can do?
Thanks in advance!
Okis

Re: Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-23 Thread Alan DeKok
Chuang Okis wrote:
 Have anyone test the performance about FreeRADIUS+jRadius on authentication?

  Not me.

 The test was just for authentication load test from gateway to radius
 server. My jradius handler would just do some easy string splitting for
 one VSA.

  Use Perl.  It's integrated into the server, and should be much faster.

  Or, use a regex.  See man unlang.  Or, write a C module to do it.

 Does this be the most probable factor causing the slow processing? Even
 through I doubt it...

  Yes.  It's jradius.

 Then I did some interesting test later... 
 I left my handler empty but still let traffic get into jradius handler
 through rlm_jradius by TCP socket. 
 The result has improved a bit even though not at our level of acceptance.. 
 Its TPS (Transaction Per Seconds) improved from 30 to 300 approximately. 

  300 is still MUCH slower than 10,000.

 Hence, I'm guessing the bottleneck may be the process of rlm_jradius
 communication. 
 Does anyone get any help or recommendation??
 Or any other performance tuning tips I can do?

  Don't use jradius.  It's very slow.  Use pretty much anything else.

  Alan DeKok.


RE: Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-23 Thread Okis Chuang
Thanks for Alan's quick and kindly reply!

Yes, I'm under this slow performance trouble now
Actually I tried let it not going into jradius and completing my easy job
only in FreeRADIUS yesterday. And it did it well.
It can finish 1 auth request in 13 sec.

However, our goal is more than that ... the brief situation is that user
will be redirected to our captive portal during pre-auth if they got IP
address, then doing UAM authentication by web portal to our policy manager
server(built in FreeRADIUS+JRadius). 
We'll do some policy based control with our WiFi gateway like CoA request.
Then would do subscribers' accounting processing(identify some attributes in
accounting packet then modify its value then send to backend acct server).

So supposed I stop using jradius, what kinds of module would you recommend
me to fulfill these jobs such as that? 
Or actually FreeRADIUS can satisfy it by itself? Can it send CoA request to
WiFi gateway after receiving some predefined attribute value with web portal
while it sending access request to FreeRADIUS? I plan to make it become a
policy manager.


Cheers,
Okis

---
Chuang Okis wrote:
 Have anyone test the performance about FreeRADIUS+jRadius on
authentication?

  Not me.

 The test was just for authentication load test from gateway to radius 
 server. My jradius handler would just do some easy string splitting for
 one VSA.

  Use Perl.  It's integrated into the server, and should be much faster.

  Or, use a regex.  See man unlang.  Or, write a C module to do it.

 Does this be the most probable factor causing the slow processing? 
 Even through I doubt it...

  Yes.  It's jradius.

 Then I did some interesting test later... 
 I left my handler empty but still let traffic get into jradius handler 
 through rlm_jradius by TCP socket.
 The result has improved a bit even though not at our level of acceptance..

 Its TPS (Transaction Per Seconds) improved from 30 to 300 approximately. 

  300 is still MUCH slower than 10,000.

 Hence, I'm guessing the bottleneck may be the process of rlm_jradius 
 communication.
 Does anyone get any help or recommendation??
 Or any other performance tuning tips I can do?

  Don't use jradius.  It's very slow.  Use pretty much anything else.

  Alan DeKok.




Re: Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-23 Thread Fajar A. Nugraha
On Wed, Apr 24, 2013 at 9:34 AM, Okis Chuang okischu...@outlook.com wrote:
 Thanks for Alan's quick and kindly reply!

 Yes, I'm under this slow performance trouble now
 Actually I tried let it not going into jradius and completing my easy job
 only in FreeRADIUS yesterday. And it did it well.
 It can finish 1 auth request in 13 sec.

 However, our goal is more than that ... the brief situation is that user
 will be redirected to our captive portal during pre-auth if they got IP
 address, then doing UAM authentication by web portal to our policy manager
 server(built in FreeRADIUS+JRadius).


Since you seem to have some specific requirement, I'd recommend you
engage with someone with experience in freeradius implementation and
integration in your area. Most people here won't have the time to go
thru your detailed request one-by-one and designing a best solution
for you. Remember, those who contribute on this list do so on their
free time, out of their good will.

Some comments though

 Then would do subscribers' accounting processing(identify some attributes in
 accounting packet then modify its value then send to backend acct server).

FR has all sorts of module that can modify radius packets on proxy scenarios.
Unlang is perfect for simple and static rules (e.g. add attribute X
with value Y to every packet) while for complex rules (e.g. get value
of attribute X, lookup value in db, then create attribute Y based on
that value) mod_perl is probably more suitable.

 Can it send CoA request to
 WiFi gateway after receiving some predefined attribute value with web portal
 while it sending access request to FreeRADIUS?

Try reading raddb/sites-available/originate-coa

-- 
Fajar


Have anyone test the performance about FreeRADIUS+jRadius on authentication?

2013-04-23 Thread Okis Chuang
Thanks Fajar your speedy response and really helpful for me.

 

Yeah..I'm pretty grateful about all contributions here for sure! And I'm
definitely not insist on desiring the best solution here.

I just want to listen some opinions or advice from all those experienced.
Anyway, I'll keep learning and contributing here in one day.

 

About your kind advice, I will take a serious consideration absolutely.

Thanks for you helpful recommendations again!

 

--

Okis

 

-

Since you seem to have some specific requirement, I'd recommend you 
engage with someone with experience in freeradius implementation and 
integration in your area. Most people here won't have the time to go 
thru your detailed request one-by-one and designing a best solution 
for you. Remember, those who contribute on this list do so on their 
free time, out of their good will. 

Some comments though 

 Then would do subscribers' accounting processing(identify some attributes
in 
 accounting packet then modify its value then send to backend acct server).


FR has all sorts of module that can modify radius packets on proxy
scenarios. 
Unlang is perfect for simple and static rules (e.g. add attribute X 
with value Y to every packet) while for complex rules (e.g. get value 
of attribute X, lookup value in db, then create attribute Y based on 
that value) mod_perl is probably more suitable. 

 Can it send CoA request to 
 WiFi gateway after receiving some predefined attribute value with web
portal 
 while it sending access request to FreeRADIUS? 

Try reading raddb/sites-available/originate-coa 

-- 
Fajar 


Re: radiusd starts but rejects test user

2013-02-15 Thread A . L . M . Buxey
Hi,

I am new to radius. I have installed the freeradius to my linux and after
starting radiusd -X 
I executed radtest tool for testing as below but it could not get
authenticated and Access-Reject returned. 
$ radtest testing password localhost 0 testing123
Can any one plz help me in fixing this issue?  below is radtest and
radiusd log in debug mode.
/rootradtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 251 to 127.0.0.1 port 1812
User-Name = testing
User-Password = password
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251,
length=20

I *assume* that you put

testing Cleartext-Password := password 

at the top of the $RADDB/users  file?


alan


Re: radiusd starts but rejects test user

2013-02-15 Thread Russell Mike
On Fri, Feb 15, 2013 at 3:50 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 I am new to radius. I have installed the freeradius to my linux and
 after
 starting radiusd -X
 I executed radtest tool for testing as below but it could not get
 authenticated and Access-Reject returned.
 $ radtest testing password localhost 0 testing123
 Can any one plz help me in fixing this issue?  below is radtest and
 radiusd log in debug mode.
 /rootradtest testing password 127.0.0.1 0 testing123
 Sending Access-Request of id 251 to 127.0.0.1 port 1812
 User-Name = testing
 User-Password = password
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251,
 length=20

 I *assume* that you put

 testing Cleartext-Password := password

 at the top of the $RADDB/users  file?


 alan



Hi,
you might have seen the error in debug. As Alan indicated, it is an
authentication problem. He has also told the solution.

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT

Thanks
RM --

Re: radiusd starts but rejects test user

2013-02-15 Thread Alan Buxey
Read the docs. Really, start from the beginning! In this case, this is the 
second hurdle ..getting another device to talk to your server.

Add that system to your clients.conf file with a correct/matching shared 
secret. This isn't rocket science but you must read the documentation in the 
first place!

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: radiusd starts but rejects test user

2013-02-15 Thread John Dennis

On 02/15/2013 12:30 PM, temp sha wrote:

thanks Alan/RM it is working now after adding testing
Cleartext-Password := password
but now i trying to test the same using NTRadPing Test utility which is
installing in my windows


Gee, why do folks have such trouble reading debug/error messages? It
says no response from server (timed out) over and over. Clearly this 
has nothing to do with Radius and is a networking problem. Fix your 
network. (Hint: the firewall on one of your boxes is blocking port 1812, 
probably the box with your Radius server).



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: radiusd starts but rejects test user

2013-02-15 Thread temp sha
thanks it is working now.

On Fri, Feb 15, 2013 at 11:43 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

  Read the docs. Really, start from the beginning! In this case, this is
 the second hurdle ..getting another device to talk to your server.

 Add that system to your clients.conf file with a correct/matching shared
 secret. This isn't rocket science but you must read the documentation in
 the first place!

 alan

 --
 This smartphone uses free WiFi around the world with eduroam, now that's
 what I call smart.



Re: Stress test

2013-02-13 Thread Kieran Murphy
Qasim,

Your problem is with your MySQL Database. It is too slow to process the
queries it is receiving.
You've already been told, on this list (multiple times), fix your Database
or hire a DBA who can.


On Wed, Feb 13, 2013 at 10:59 AM, QASIM RAO qasim2...@hotmail.com wrote:

  Hi,
 I am using free radius for billing purpose of my application... I am
 facing problem in stress testing on my local RADIUS server. that when i
 send 100 concurrent accounting request. in non-debug mode. but when i
 monitor mysql connections by using mysql administrator mysql connections
 suddenly increases around hundred. which causes increase in process time
 of each time .

 please help me in this.

 Qasim


test

2013-01-30 Thread bino
My apologies for this email.

I made confirmation days ago but not sure if I can send email to this group

Sincerely
-bino-



how to test a user in db from free-radius server

2013-01-15 Thread Lakshmi Narayana Baliah
Hi All,

I have configured freeradius server + oracle database 11g.

I send user1 in the Access-Request from radclient to the free-radius server.

I need to check  whether user1 is exists in  user_test table, which is in 
oracle database 11g.
The table contains username - 'user1' and status--'valid'

If  user found in user_test table Access-Accept else Access-Reject should 
return to the radclient.

Note :  should not use 'users' file

Please help me how  can do that?


Lakshmi narayana | Prod Engineering | Tech Mahindra
#9/7 Hosur Road,Bangalore-560029
/Office: +91 80 40243000, Extn: 3486
| Mobile: +91 9060867386
Email:lb0074...@techmahindra.com
www.techmahindra.com





Re: how to test a user in db from free-radius server

2013-01-15 Thread Fajar A. Nugraha
On Tue, Jan 15, 2013 at 7:37 PM, Lakshmi Narayana Baliah
lb0074...@techmahindra.com wrote:
 Hi All,

 I have configured freeradius server + oracle database 11g.

 I send user1 in the Access-Request from radclient to the free-radius server.

 I need to check  whether user1 is exists in  user_test table, which is in 
 oracle database 11g.
 The table contains username - 'user1' and status--'valid'

 If  user found in user_test table Access-Accept else Access-Reject should 
 return to the radclient.

 Note :  should not use 'users' file

 Please help me how  can do that?

There are several parts to your question:

(1) How to use only db, and not use users file.

Short answer: Just leave the users file as it is, don't add anything there.

Users file also contains some default reply items which might be
useful, even when your user data is stored on db.
You could also remove files module from authorize section, but I
wouldn't recommend it.


(2) What to do to reject the user if a user is not found in
whatever-user-backend-that-you-use

Short answer: Nothing.

FR already does that by default, no need to do anything special.


(3) How to use a custom table structure and names

Short answer: modify the sql queries (sql/*/dialup.conf)

If you've read Arran's earlier response to your other question, he wrote

... one row per attribute that needs to be added to the reply, with the columns:
id, username, attribute, value, op

Id and username aren't used IIRC so they can be anything.


Just modify the queries to do what you want while still returning
those output. Some times this is as simple as changing table and
column names, other times a JOIN is sufficient, while on some cases it
might be as complex as having to write a special view or stored
procedure.

You CAN do that, right? If not, better hire someone who can implement
it for you. It's not rocket science, but don't expect people to do
your work for you.

-- 
Fajar


Re: problem with test aaa-server in ciscoasa

2012-11-24 Thread Alan Buxey
As previously mentioned, only add that user/pass to the users file... nothing 
else. Don't add all that stuff that you did

alan


Re: problem with test aaa-server in ciscoasa

2012-11-24 Thread Alan Buxey
...oh, and make sure you are editing the CORRECT users file ;)

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


problem with test aaa-server in ciscoasa

2012-11-23 Thread studyfordo
Hi, all
I have install freeradius-server-2.2.0, and make test such as ./radtest test
test 127.0.0.1 0 testing123.
 the result is ok.
so i add user tsb to users file as following format.
tsb  Auth-Type := Local, User-Password == 12345678
and  add asa ip to clients.

client X.X.X.X {
    secret    = testvpn
    shortname = asa5520
}

complete this  I do testing in asa5520 like this
test aaa-server authentication RadiusVPN host X.X.X.X username tsb password
12345678
hint  Authentication Rejected: AAA failure
I debug it. the following is details.
FO: Attempting Authentication test to IP address 192.168.4.145 (timeout: 12 
seconds)
radius mkreq: 0xbeaf
alloc_rip 0x74e172b4
new request 0xbeaf -- 68 (0x74e172b4)
got user 'tsb'
got password
add_req 0x74e172b4 session 0xbeaf id 68
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--
Raw packet data (length = 61).
01 44 00 3d 96 17 04 ed 22 b3 70 e9 6e 0f 9c a5|  .D.=.p.n...
7a 2b 88 21 01 05 74 73 62 02 12 c1 64 1a 52 c7|  z+.!..tsb...d.R.
3f 73 72 16 82 39 8a 0a e0 24 20 04 06 c0 a8 1e|  ?sr..9...$ .
fe 05 06 00 00 00 3c 3d 06 00 00 00 05 |  ..=.
Parsed packet data.
Radius: Code = 1 (0x01)
Radius: Identifier = 68 (0x44)
Radius: Length = 61 (0x003D)
Radius: Vector: 961704ED22B370E96E0F9CA57A2B8821
Radius: Type = 1 (0x01) User-Name
Radius: Length = 5 (0x05)
Radius: Value (String) =
74 73 62   |  tsb
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
c1 64 1a 52 c7 3f 73 72 16 82 39 8a 0a e0 24 20|  .d.R.?sr..9...$
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.30.254 (0xC0A81EFE)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x3C
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.4.145/1812
rip 0x74e172b4 state 7 id 68
rad_vrfy() : response message verified
rip 0x74e172b4
 : chall_state ''
 : state 0x7
 : reqauth:
 96 17 04 ed 22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21
 : info 0x74e173ec
 session_id 0xbeaf
 request_id 0x44
 user 'tsb'
 response '***'
 app 0
 reason 0
 skey 'testvpn'
 sip 192.168.4.145
 type 1
RADIUS packet decode (response)
--
Raw packet data (length = 20).
03 44 ERROR: Authentication Rejected: AAA failure
TSBA6-5520-Int# 00 14 35 f4 1a 63 3a 45 ca bd 4f 52 85 73|  .D..5..c:E..OR.s
5c e2 f2 22|  \..
Parsed packet data.
Radius: Code = 3 (0x03)
Radius: Identifier = 68 (0x44)
Radius: Length = 20 (0x0014)
Radius: Vector: 35F41A633A45CABD4F5285735CE2F222
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0x74e172b4 session 0xbeaf id 68
free_rip 0x74e172b4
radius: send queue empty
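
Added example (not part of the original post, and not Cisco or FreeRADIUS code): a Python parser for the Access-Request in the ASA dump above, with the RFC 2865 User-Password hiding, to show why the secret in clients.conf has to match the one configured on the NAS. The function names are illustrative, and the secrets and password in the round trip are constructed.

```python
import hashlib
import socket
import struct

# RFC 2865 attribute numbers that appear in the ASA debug output above.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

# Access-Request copied from the "Raw packet data (length = 61)" dump above.
ASA_REQUEST = bytes.fromhex(
    "0144003d961704ed22b370e96e0f9ca5"
    "7a2b882101057473620212c1641a52c7"
    "3f73721682398a0ae024200406c0a81e"
    "fe05060000003c3d0600000005")


def parse_packet(data):
    """Return header fields and raw (type, value) attributes of a RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field does not match the data received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs outside the packet")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def decode_attributes(pkt):
    """Render the attributes seen in the dump by name; others stay as bytes."""
    out = {}
    for atype, value in pkt["attrs"]:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 1:
            out[name] = value.decode("utf-8", "replace")
        elif atype == 4 and len(value) == 4:
            out[name] = socket.inet_ntoa(value)
        elif atype in (5, 61) and len(value) == 4:
            out[name] = struct.unpack("!I", value)[0]
        else:
            out[name] = value  # User-Password stays hidden without the secret
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as a server does with its secret for the client."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    pkt = parse_packet(ASA_REQUEST)
    print(pkt["code"], pkt["id"], pkt["length"], pkt["authenticator"].hex())
    print(decode_attributes(pkt))
    # Constructed values for the round trip (not taken from the thread).
    ra = bytes(range(16))
    hidden = hide_password(b"constructed-pw", b"nas-side-secret", ra)
    print(unhide_password(hidden, b"nas-side-secret", ra))     # matching secret
    print(unhide_password(hidden, b"server-typo-secret", ra))  # mismatched secret
```

The only inputs to the hiding are the shared secret and the Request Authenticator, so a server holding a different secret recovers different bytes and the password comparison fails. The ASA debug above prints both the `skey` value and the raw request, which is worth scrubbing before such output is posted.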

Re: problem with test aaa-server in ciscoasa

2012-11-23 Thread Matthew Newton
On Fri, Nov 23, 2012 at 06:47:44PM +0800, studyfordo wrote:
 I have install freeradius-server-2.2.0, and make test such as ./radtest
 test test 127.0.0.1 0 testing123.
  the result is ok.
 so i add user tsb to users file as following format.
 tsb  Auth-Type := Local, User-Password == 12345678

That's very out of date, and wrong. Where did you read that you
should do it that way? It should probably be:

tsb Cleartext-Password := 12345678

It needs to be at the top of the users file.

 and  add asa ip to clients.
 
 client X.X.X.X {
     secret    = testvpn
     shortname = asa5520
 }

 complete this  I do testing in asa5520 like this
 test aaa-server authentication RadiusVPN host X.X.X.X username tsb password
 12345678
 hint  Authentication Rejected: AAA failure
 I debug it. the following is details.
...

This is the FreeRADIUS list. You are likely to get more help if
you send the debug output from FreeRADIUS (radiusd -X).

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: problem with test aaa-server in ciscoasa

2012-11-23 Thread alan buxey
Hi,

tsb  Auth-Type := Local, User-Password == 12345678

tsb Cleartext-Password := 12345678


that's all you need. don't use User-Password (as the docs and radiusd -X
output will tell you!) and you don't set auth-type either - the server
understands

I debug it. the following is details.

snip


don't send your client output. we don't care...really, we don't. please send
the output of 'radiusd -X' as per the written words for this mailing list and
the freeradius.org website instructions for help.

many thanks

alan


Re: problem with test aaa-server in ciscoasa

2012-11-23 Thread studyfordo
firstly, thanks  Matthew Newton and alan buxey.
I run freeradius -X  and run  test  in cisco asa5520. details as follows.
rad_recv: Access-Request packet from host 192.168.30.254 port 1025, id=72, 
length=61
User-Name = tsb
User-Password = 123456
NAS-IP-Address = 192.168.30.254
NAS-Port = 64
NAS-Port-Type = Virtual
# Executing section authorize from file 
/opt/freeadius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = tsb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /opt/freeadius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - tsb
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 72 to 192.168.30.254 port 1025
Waking up in 4.9 seconds.
Cleaning up request 1 ID 72 with timestamp +430
Ready to process requests.
 
I have add user such as following format
cat users | sed -n '/^[^#]/p'
 tsbCleartext-Password := 123456
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == CSLIP
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == SLIP
Framed-Protocol = SLIP

So do I still have a problem with the user format in the users file? Please give me some advice.
thanks
 

Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello,
I'm interested in a radius test client which supports pap
ACCESS-Challenge. Can anyone point me to one or to a library which
allows me to easily write one, preferably in perl?

Cheers,
Thomas


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Matthew Newton
On Mon, May 21, 2012 at 02:17:30PM +0200, Thomas Glanzmann wrote:
 I'm interested in a radius test client which supports pap
 ACCESS-Challenge. Can anyone point me to one or to a library which

You should not be getting a challenge with PAP, so there is no
need for a test client for it.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew,

 You should not be getting a challenge with PAP, so there is no need
 for a test client for it.

for Citrix Netscaler and VMware View 5.1 if you want to support
two-factor authentication for example with rlm_smsotp this is necessary.
However there is currently no test client for it that I'm aware of. The
Net::Radius::Packet perl library is probably the quickest approach to get
something working, I'll post it here, if I got one.

See also:

http://wiki.freeradius.org/Rlm_smsotp
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/86365

Cheers,
Thomas


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Matthew Newton
Hi Thomas,

On Mon, May 21, 2012 at 02:41:26PM +0200, Thomas Glanzmann wrote:
  You should not be getting a challenge with PAP, so there is no need
  for a test client for it.
 
 for Citrix Netscaler and VMware View 5.1 if you want to support
 two-factor authentication for example with rlm_smsotp this is necessary.

Hmm interesting - thanks. New one to me.

 However there is currently no test client for it that I'm aware of. The
 Net::Radius::Packet perl library is probably the quickest approach to get
 something working, I'll post it here, if I got one.

Looks like radclient has support:

radclient.c:1007

} else if (strcmp(argv[2], "challenge") == 0) {
        if (server_port == 0) server_port = getport("radius");
        if (server_port == 0) server_port = PW_AUTH_UDP_PORT;
        packet_code = PW_ACCESS_CHALLENGE;

So use 'challenge' instead of acct, auth, status, etc.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Matthew Newton
On Mon, May 21, 2012 at 02:23:12PM +0100, Matthew Newton wrote:
 Looks like radclient has support:

Forget that - I've not had enough coffee yet today :) You need to
respond to the challenge, not send one yourself...

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew,

 Forget that - I've not had enough coffee yet today :) You need to
 respond to the challenge, not send one yourself...

exactly, however the Authen::Radius perl module saved my day:

#!/usr/bin/perl -w

# Thomas Glanzmann 16:06 2012-05-21
# First Argument is username, second argument is password
# Authen::Radius requires a legacy dictionary without advanced
# keywords like encrypted or $INCLUDEs

use strict;
use warnings FATAL => 'all';

use Authen::Radius;

my $r = new Authen::Radius(Host => '127.0.0.1', Secret => 'testing123');
Authen::Radius->load_dictionary('/home/sithglan/work/smsotpd/dictionary');

# Round one: user name and password
$r->add_attributes (
    { Name => 'User-Name', Value => $ARGV[0] },
    { Name => 'User-Password', Value => $ARGV[1] },
);

$r->send_packet(ACCESS_REQUEST)  || die;
my $type = $r->recv_packet();

print "server response type = $type\n";

# Pick the State attribute out of the server's reply
my $state = undef;

for $a ($r->get_attributes()) {
    if ($a->{Name} eq 'State') {
        $state = $a->{RawValue};
    }
}

print "Enter otp: ";
my $otp = <STDIN>;
chomp($otp);

# Round two: the OTP is sent as User-Password
$r->add_attributes (
    { Name => 'User-Name', Value => $ARGV[0] },
    { Name => 'User-Password', Value => $otp },
);

$r->send_packet(ACCESS_REQUEST)  || die;
$type = $r->recv_packet();

print "server response type = $type\n";

# Execution:

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl 
'administra...@directory.gmvl.de' 'password'
server response type = 11
Enter otp: 82701
server response type = 2

# radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=40, length=71
User-Name = administra...@directory.gmvl.de
User-Password = password
# Executing section authorize from file 
/local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - administra...@directory.gmvl.de
[preprocess]expand: %{User-Name} - administra...@directory.gmvl.de
[preprocess]   hints: Matched DEFAULT at 4
[preprocess]expand: %{1}@DIRECTORY.GMVL.DE - 
administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[smsotp] returns ok
Found Auth-Type = smsotp
# Executing group from file 
/local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Configuration file does not 
specify default realm
++[krb5] returns ok
rlm_smsotp: Generate OTP
rlm_smsotp: Uniq id is 5500455282
rlm_smsotp: Sending Access-Challenge.
++[smsotp] returns handled
Sending Access-Challenge of id 40 to 127.0.0.1 port 49189
Reply-Message = Enter Mobile PIN:
State = 0x35353030343535323832
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=41, 
length=102
Reply-Message = Enter Mobile PIN:
State = 0x35353030343535323832
User-Name = administra...@directory.gmvl.de
User-Password = 82701
# Executing section authorize from file 
/local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - administra...@directory.gmvl.de
[preprocess]expand: %{User-Name} - administra...@directory.gmvl.de
[preprocess]   hints: Matched DEFAULT at 4
[preprocess]expand: %{1}@DIRECTORY.GMVL.DE - 
administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type 
'smsotp-reply'
++[smsotp] returns ok
Found Auth-Type = smsotp-reply
# Executing group from file 
/local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp-reply {...}
rlm_smsotp: Found reply to access challenge
rlm_smsotp: SocketReply is OK
++[smsotp] returns ok
# Executing section post-auth from file 
/local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 41 to 127.0.0.1 port 49189
Finished request 19.

Cheers,
Thomas
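
The two-round exchange shown in the radiusd -X log above, at packet level, as an added example that is not part of the original post: it hides User-Password as RFC 2865 describes, verifies the Response Authenticator before trusting a reply, and echoes State explicitly in the second Access-Request. The user name `alice` and all function names are assumptions; the server replies are constructed in-process so the block runs offline.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-octet blocks with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    out = b""
    for code, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([code, len(value) + 2]) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, secret, user, password, state=None):
    """Access-Request with hidden User-Password; State is echoed when given."""
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, authenticator))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_reply(code, request, secret, attrs):
    """Constructed server side for the offline demo: signs a reply to `request`."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def parse_reply(packet, request, secret):
    """Check length, identifier and Response Authenticator before decoding."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    if ident != request[1]:
        raise ValueError("identifier does not match the request")
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    return code, decode_attrs(packet[20:])

def run_exchange(secret=b"testing123", user=b"alice", password=b"password", otp=b"82701"):
    """Both rounds, offline. `alice` is a placeholder user; replies are constructed."""
    req1 = build_access_request(40, secret, user, password)
    # Constructed Access-Challenge carrying the Reply-Message and State from the log.
    challenge = build_reply(ACCESS_CHALLENGE, req1, secret, [
        (REPLY_MESSAGE, b"Enter Mobile PIN:"),
        (STATE, bytes.fromhex("35353030343535323832")),
    ])
    code1, attrs1 = parse_reply(challenge, req1, secret)
    state = dict(attrs1)[STATE]
    # Round two: the OTP travels as User-Password, State is returned unmodified.
    req2 = build_access_request(41, secret, user, otp, state=state)
    accept = build_reply(ACCESS_ACCEPT, req2, secret, [])
    code2, _ = parse_reply(accept, req2, secret)
    return code1, state, req2, code2

if __name__ == "__main__":
    code1, state, req2, code2 = run_exchange()
    print("round 1 response type =", code1, "state =", state)
    print("round 2 response type =", code2)
```

A reply signed with a different shared secret fails in `parse_reply` before any attribute is read, which is the check a test client needs so that a spoofed Access-Accept is not mistaken for a pass.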


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello everyone,
find attached the new and improved version for checking pap access
challenge:

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Reject (3)
(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Challenge (11)
Enter otp: 97350
server response type = Access-Accept (2)

Cheers,
Thomas


pap_challenge_request.pl
Description: Perl program
ATTRIBUTE   User-Name                   1   string
ATTRIBUTE   User-Password               2   string
ATTRIBUTE   CHAP-Password               3   octets
ATTRIBUTE   NAS-IP-Address              4   ipaddr
ATTRIBUTE   NAS-Port                    5   integer
ATTRIBUTE   Service-Type                6   integer
ATTRIBUTE   Framed-Protocol             7   integer
ATTRIBUTE   Framed-IP-Address           8   ipaddr
ATTRIBUTE   Framed-IP-Netmask           9   ipaddr
ATTRIBUTE   Framed-Routing              10  integer
ATTRIBUTE   Filter-Id                   11  string
ATTRIBUTE   Framed-MTU                  12  integer
ATTRIBUTE   Framed-Compression          13  integer
ATTRIBUTE   Login-IP-Host               14  ipaddr
ATTRIBUTE   Login-Service               15  integer
ATTRIBUTE   Login-TCP-Port              16  integer
ATTRIBUTE   Reply-Message               18  string
ATTRIBUTE   Callback-Number             19  string
ATTRIBUTE   Callback-Id                 20  string
ATTRIBUTE   Framed-Route                22  string
ATTRIBUTE   Framed-IPX-Network          23  ipaddr
ATTRIBUTE   State                       24  octets
ATTRIBUTE   Class                       25  octets
ATTRIBUTE   Vendor-Specific             26  octets
ATTRIBUTE   Session-Timeout             27  integer
ATTRIBUTE   Idle-Timeout                28  integer
ATTRIBUTE   Termination-Action          29  integer
ATTRIBUTE   Called-Station-Id           30  string
ATTRIBUTE   Calling-Station-Id          31  string
ATTRIBUTE   NAS-Identifier              32  string
ATTRIBUTE   Proxy-State                 33  octets
ATTRIBUTE   Login-LAT-Service           34  string
ATTRIBUTE   Login-LAT-Node              35  string
ATTRIBUTE   Login-LAT-Group             36  octets
ATTRIBUTE   Framed-AppleTalk-Link       37  integer
ATTRIBUTE   Framed-AppleTalk-Network    38  integer
ATTRIBUTE   Framed-AppleTalk-Zone       39  string
ATTRIBUTE   CHAP-Challenge              60  octets
ATTRIBUTE   NAS-Port-Type               61  integer
ATTRIBUTE   Port-Limit                  62  integer
ATTRIBUTE   Login-LAT-Port              63  string

Re: Any body here?Please help me to test my server.

2012-03-17 Thread Fajar A. Nugraha
2012/3/17 ZhenJoey snan4l...@hotmail.com:
 Hello every body:
 I just set up a freeradius server right now,
 Please help me to test it by run
 $radtest snan4love 123456 119.127.12.6 1812 12345678
 I will be waiting here.

 BTW,i do a test my self via a NAS not radtest, it doesnt work.

And what makes you think it will work when other test it?

Don't be lazy. Do your own homework.

Some things to check:
- make sure there's no firewall active in the server (e.g. make sure
iptables is disabled, or that the default rule is ACCEPT). It
simplifies things a lot.
- make sure the NAS can communicate with the radius server (ping will
be a good start)
- run the server in debug mode (radiusd -X)

If you need another host to run radtest, use virtualbox/kvm/whatever,
have it use bridged networking and assign the guest an IP address in
the same network segment as the host.

-- 
Fajar


RE: Any body here?Please help me to test my server.

2012-03-17 Thread ZhenJoey






Thank you Fajar:
Thank you for your advice, the problem is solved.
The problem is I forgot to set up the NAS's gateway IP address, so it is still a 
two layer device, the request message could not get out of the device.
Thank you very much
Joey
 


 Date: Sat, 17 Mar 2012 14:47:03 +0700
 Subject: Re: Any body here?Please help me to test my server.
 From: l...@fajar.net
 To: freeradius-users@lists.freeradius.org
 
 2012/3/17 ZhenJoey snan4l...@hotmail.com:
  Hello every body:
  I just set up a freeradius server right now,
  Please help me to test it by run
  $radtest snan4love 123456 119.127.12.6 1812 12345678
  I will be waiting here.
 
  BTW,i do a test my self via a NAS not radtest, it doesnt work.
 
 And what makes you think it will work when other test it?
 
 Don't be lazy. Do your own homework.
 
 Some things to check:
 - make sure there's no firewall active in the server (e.g. make sure
 iptables is disabled, or that the default rule is ACCEPT). It
 simplifies things a lot.
 - make sure the NAS can communicate with the radius server (ping will
 be a good start)
 - run the server in debug mode (radiusd -X)
 
 If you need another host to run radtest, use virtualbox/kvm/whatever,
 have it use bridged networking and assign the guest an IP address in
 the same network segment as the host.
 
 -- 
 Fajar

Any body here?Please help me to test my server.

2012-03-16 Thread ZhenJoey

Hello every body:
I just set up a freeradius server right now,
Please help me to test it by run
$radtest snan4love 123456 119.127.12.6 1812 12345678
I will be waiting here.

BTW,i do a test my self via a NAS not radtest, it doesnt work. is there 
something like TimeOut in NAS when it try to connect the radius server?
Thank you very much 
Joey

RE: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-05 Thread Hopeman, Ward
Hi Alan,

  FreeRADIUS does this in the default install, and contains EAP tests
(src/tests) for all major EAP types.

   I actually went and re-read the RFC for PEAP.  I noted that a server that 
supports PEAP will reply with the highest supported version and the negotiation 
will go from there.  So it should not be a matter of having to configure eap 
versus eap2.  If I go with eap2 and get v1 working, it should support both v1 
and v0.  This is where I got confused, I missed the foot notes that PEAPv1 was 
only available in the experimental build with the eap2 module. 

  Don't use PEAPv1.  It's even less documented than PEAPv0.  It's used by 
 pretty much no one.

This unfortunately is not by choice on my part.  I am required to provide 
lab setups for testing our products, based on what is in the product 
requirement documents.  This falls into what our product managers want to 
support.

  Don't use LEAP.  It's insecure.  Don't put it into new products, and don't 
 allow people to configure it.

As above, not really my choice, but I can't agree more.  Fortunately this 
protocol seems to be for legacy support.  I have been and continue to make 
recommendations to our product managers to remove support for unused and 
unsecure protocols.

  Then the client is broken, and should be fixed.

The client is not falling back to PEAPv0 as one might expect, and when I 
questioned the developers on this they told me it was working as designed.  
They want to ensure that when it gets configured for a specific protocol, that 
it fails unless it meets the requirements.  Since our products go into 
controlled install environments, they wanted to tighten up the authentication 
requirements.  Not robust, or quite following the RFC, but as designed.  In 
this case refer above as the client was expecting v1.

  Not really.  By the time that the client has sent a PEAPv1 request, the EAP 
 session has started.  You can't switch EAP sessions from the eap module to 
 the 
 eap2 module.

 Again refer above, if I get eap2 module running with PEAPv1 support, it 
should support both PEAPv0 and PEAPv1. I am assuming that configuring the eap2 
module should replace the eap module with regards to protocols (ie. don't 
configure a protocol in both only in one or the other).  It is a matter of 
getting FR setup to support a higher level of PEAP using the eap2 module.  The 
protocol should then negotiate to the lower protocol if the client requests 
PEAPv0 instead of PEAPv1.

  Read eap.conf.  Look for gtc.  This is documented.  It works in the 
 default install.

 Noted.  Also based on the RFC it was a misunderstanding of the protocols 
by me.  Once I re-read the RFC, I now understand that I was using GTC and 
PEAPv1 interchangeably when I should not have been.  GTC is available under 
PEAPv0 and PEAPv1.  I needed to refer to PEAPv1 not just GTC.  Our product is 
designed to use PEAPv1/GTC or PEAPv0/MSCHAP, and that was where I got confused. 

Thanks for the info Alan.   I will be working on the hostapd compile and 
recompile of FR to support PEAPv1.

I hope that if anyone else stumbles across this thread they leave with a better 
understanding of how PEAP is supported in FreeRADIUS, and how a PEAP 
implementation should work with the client to negotiate the connection.

-Ward Hopeman




Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-05 Thread Alan DeKok
Hopeman, Ward wrote:
 This is where I got confused, I missed the foot notes that PEAPv1 was only 
 available in the experimental build with the eap2 module. 

   Yes.  FR doesn't support PEAPv1 natively.

  Don't use PEAPv1.  It's even less documented than PEAPv0.  It's used by 
 pretty much no one.
 
 This unfortunately is not by choice on my part.  I am required to provide 
 lab setups for testing our products, based on what is in the product 
 requirement documents.  This falls into what our product managers want to 
 support.

  I'm familiar with product managers.  Unfortunately, all I can do here
is to talk about reality.  Product managers live in another world.

  Don't use LEAP.  It's insecure.  Don't put it into new products, and don't 
 allow people to configure it.
 
 As above, not really my choice, but I can't agree more.  Fortunately this 
 protocol seems to be for legacy support.  I have been and continue to make 
 recommendations to our product managers to remove support for unused and 
 unsecure protocols.

  Adding LEAP is like saying use insecure protocol that allows anyone
to access my network.

  I think that's bad.  Product managers don't care.

 The client is not falling back to PEAPv0 as one might expect, and when I 
 questioned the developers on this they told me it was working as designed.  
 They want to ensure that when it gets configured for a specific protocol, 
 that it fails unless it meets the requirements.  Since our products go into 
 controlled install environments, they wanted to tighten up the authentication 
 requirements.  Not robust, or quite following the RFC, but as designed.  In 
 this case refer above as the client was expecting v1.

  That makes sense.  But it should be an option.

  Again refer above, if I get eap2 module running with PEAPv1 support, it 
 should support both PEAPv0 and PEAPv1. I am assuming that configuring the 
 eap2 module should replace the eap module with regards to protocols (ie. 
 don't configure a protocol in both only in one or the other).  It is a matter 
 of getting FR setup to support a higher level of PEAP using the eap2 module.  
 The protocol should then negotiate to the lower protocol if the client 
 requests PEAPv0 instead of PEAPv1.

  Be aware that the eap2 module has *minimal* integration with the rest
of the server.  The inner-tunnel virtual server won't work, etc.

  Alan DeKok.


Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-03 Thread Alan DeKok
whopeman wrote:
I am fairly new to FreeRADIUS, so please bear with me a bit.  I have
 searched the forums and websites to find an implementation that allows me to
 configure my server to process BOTH PEAP MSCHAP and PEAP/EAP-GTC (v0 and
 v1).  I have not found anyone trying to do this, but I am not working on a
 production system this is for test purposes.

  Don't use PEAPv1.  It's even less documented than PEAPv0.  It's used
by pretty much no one.

 My GOAL:
 I am working to setup a test environment that allows us to test our products
 using EAP-TLS, EAP-TTLS, LEAP, PEAP/MSChap, and PEAP/EAP-GTC.   

  Don't use LEAP.  It's insecure.  Don't put it into new products, and
don't allow people to configure it.

 CURRENT:
 What I have so far is a working system that processes everything except
 PEAP/EAP-GTC.  All authentication is performed through a local LDAP solution
 (setup with CLEAR-TEXT again testing not production).  

  FreeRADIUS does this in the default install, and contains EAP tests
(src/tests) for all major EAP types.

 I have run wireshark and grabbed the packet traces as well, when my client
 connects it requests PEAP as the preferred auth type but FR seems to be
 pushing v0 as the request type and does not seem to be allowing for v1.  My
 client does not handle this gracefully.

  Then the client is broken, and should be fixed.

 My QUESTION:
 Is there an easy way to configure FR to allow for both types of requests?

  Not really.  By the time that the client has sent a PEAPv1 request,
the EAP session has started.  You can't switch EAP sessions from the
eap module to the eap2 module.

  I
 have been looking at the virtual server options without much luck in
 understanding how to configure a secondary virtual server to provide a GTC
 interface.  If that is a recommendation, any guidance on setting up a
 straight EAP-GTC via LDAP virtual server would be appreciated.

  Read eap.conf.  Look for gtc.  This is documented.  It works in the
default install.

  Alan DeKok.


Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-02 Thread Fajar A. Nugraha
On Fri, Mar 2, 2012 at 2:10 AM, Matthew Newton m...@leicester.ac.uk wrote:
 Hi,

 On Thu, Mar 01, 2012 at 10:25:13AM -0800, whopeman wrote:
 I have run wireshark and grabbed the packet traces as well, when my client
 connects it requests PEAP as the preferred auth type but FR seems to be
 pushing v0 as the request type and does not seem to be allowing for v1.  My
 client does not handle this gracefully.

 Last I saw (looking at the comments in the FR rlm_eap_peap
 source), PEAPv1 is not supported, only v0.

Is there any documentation on where you need v1?

IIRC both PEAP-GTC and PEAP-MSCHAP should work just fine

-- 
Fajar


Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-02 Thread Alan Buxey
Yep use some unlang to detect peapv1 and direct the request to eap2 module. 
(never used eap2 myself...though its the only way to EAP-FAST nirvana ;)  )

alan



Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-02 Thread Phil Mayers

On 01/03/12 18:25, whopeman wrote:

Hi,
I am fairly new to FreeRADIUS, so please bear with me a bit.  I have
searched the forums and websites to find an implementation that allows me to
configure my server to process BOTH PEAP MSCHAP and PEAP/EAP-GTC (v0 and
v1).  I have not found anyone trying to do this, but I am not working on a
production system this is for test purposes.


Virtually nothing uses PEAPv1, so it's not well supported.

Do you really need PEAPv1?


Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-02 Thread whopeman
Hi Matthew,
Thanks for the update.  I do see now that it is listed as experimental. 
It is not very clear on that fact when looking at the wiki sites
http://wiki.freeradius.org/EAP as they list it as a supported EAP type.  I
suppose I need to read foot notes more closely.
Once I started searching on the eap2 module I noticed several comments
about PEAPv1 support and that hostapd libraries need to be built.
I guess it is off to go grab hostapd and work on getting that built so
that I can recompile FR.

Thanks for the pointer.

Consider this question answered.


--Ward

PS. If i get a working solution I will post my steps for anyone else who is
willing to work with the experimental eap2 feature.  That is one thing I
noted is lacking in most of the other posts.



Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-01 Thread Matthew Newton
On Thu, Mar 01, 2012 at 10:25:13AM -0800, whopeman wrote:
 connects it requests PEAP as the preferred auth type but FR seems to be
 pushing v0 as the request type and does not seem to be allowing for v1.  My

I was slightly wrong - the rlm_eap2 module does support it, but
it's experimental and not recommended for production use.

http://freeradius.org/features/eap.html

So you need to look at configuring eap2, rather than eap.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Test Environment: Can PEAPv0 and PEAPv1 be setup together on the default instance?

2012-03-01 Thread Matthew Newton
Hi,

On Thu, Mar 01, 2012 at 10:25:13AM -0800, whopeman wrote:
 I have run wireshark and grabbed the packet traces as well, when my client
 connects it requests PEAP as the preferred auth type but FR seems to be
 pushing v0 as the request type and does not seem to be allowing for v1.  My
 client does not handle this gracefully.

Last I saw (looking at the comments in the FR rlm_eap_peap
source), PEAPv1 is not supported, only v0.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Can I test a perl script?

2012-02-27 Thread Fabricio Flores
ok I tried to configure freeRadius with perl support in the Rlm_perl
doc says:

In the users file comment the 'DEFAULT Auth-Type = System' lines, and then
add: DEFAULT Auth-Type = Perl Fall-Through = yes

but when I start the server (radiusd -X) it returns me:

/etc/raddb/users[208]: Parse error (check) for entry DEFAULT: Unknown value
Perl for attribute Auth-Type

Errors reading /etc/raddb/users

/etc/raddb/modules/files[7]: Instantiation failed for module files

/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.

/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize
section.

What must I do?







On 26 February 2012 16:51, Fabricio Flores
fabriflor...@gmail.com wrote:

 Ok i will try this... thanks
 On 26/02/2012 16:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 Thanks for your answer. I want to test my perl script with
 freeradius. In
 the command line it works but i want to test with radtest (or
 something)
 at freeradius. Ia there any test for it?

 if you want to use radtest, then that means you are testing the
 FreeRADIUS server - so simply enable PERL in the FreeRADIUS server
 (edit the perl module config and then edit the enabled virtual servers
 to use the perl module wherever you need it - eg in authenticate section)

 alan




-- 
Fabricio A. Flores G.
Graduate in Systems Engineering

MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Personal Blog http://fabricioflores.wordpress.com/


Re: Can I test a perl script?

2012-02-27 Thread Alan Buxey
Hi,

ok I tried to configure freeRadius with perl support in the Rlm_perl
doc says:

ignore. don't add anything to the users file - simply call the perl module
where you need it to be called - if using the default name, simply add the word
'perl' to eg your inner-tunnel authentication section


alan


Can I test a perl script?

2012-02-26 Thread Fabricio Flores
I have a perl script that obtains username and password from a pg database.
I'm new at freeradius, so I only can do a radtest with a localhost user.
Can I test my perl script with an user from the pg database? how y do the
radtest?

-- 
Fabricio A. Flores G.
Graduate in Systems Engineering


Personal Blog http://fabricioflores.wordpress.com/


Re: Can I test a perl script?

2012-02-26 Thread Alan Buxey
Hi,
I have a perl script that obtains username and password from a pg
database. I'm new at freeradius, so I only can do a radtest with a
localhost user. Can I test my perl script with an user from the pg
database? how y do the radtest?


yes. you can either have the script as a normal perl script and launch
it from the command line, or you can have the script as something that
FreeRADIUS uses, call it within the authenticate section and ensure
the perl module is enabled/named...you can then just use eg radtest

alan


Re: Can I test a perl script?

2012-02-26 Thread Fabricio Flores
Thanks for your answer. I want to test my perl script with freeradius. In
the command line it works but i want to test with radtest (or something) at
freeradius. Is there any test for it?
On 26/02/2012 16:03, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 I have a perl script that obtains username and password from a pg
 database. I'm new at freeradius, so I only can do a radtest with a
 localhost user. Can I test my perl script with an user from the pg
 database? how y do the radtest?


 yes. you can either have the script as a normal perl script and launch
 it from the command line, or you can have the script as something that
 FreeRADIUS uses, call it within the authenticate section and ensure
 the perl module is enabled/named...you can then just use eg radtest

 alan


Re: Can I test a perl script?

2012-02-26 Thread Alan Buxey
Hi,
Thanks for your answer. I want to test my perl script with freeradius. In
the command line it works but i want to test with radtest (or something)
at freeradius. Is there any test for it?

if you want to use radtest, then that means you are testing the
FreeRADIUS server - so simply enable PERL in the FreeRADIUS server
(edit the perl module config and then edit the enabled virtual servers
to use the perl module wherever you need it - eg in authenticate section)

alan


Re: test suite simulating NAS for development?

2012-02-14 Thread vilnis.termanis
Hi,

Would it be possible to provide an estimate for when the next version of
radperf is to be released? Using radperf with the -A parameter is also
causing me segmentation faults. This is what I get (using only 50 test Sims
with sequential IPs, first one being 123.123.0.1, i.e. it only gets as far
as 29th):

radperf -A 10,60 -x -n 5 -s -f sims.csv -T radperf-1.1a/nas.rad localhost
auth testing123
[...]
Sending Access-Request of id 209 to 127.0.0.1 port 1812
User-Name = 4412231228
User-Password =  
NAS-IP-Address = 127.0.0.1
NAS-Identifier = radperf-localhost
Called-Station-Id = OperatorAPN
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=209,
length=44
Framed-IP-Address = 123.123.0.29
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.0.0.0

Program received signal SIGSEGV, Segmentation fault.
0x0804b934 in send_accounting_start ()
(gdb) bt
#0  0x0804b934 in send_accounting_start ()
#1  0x0804c303 in recv_packet ()
#2  0x00128fdd in fr_event_loop (el=0x81368f8) at event.c:400
#3  0x0804d585 in main ()

Obviously I can't get any more 

Regards,
VT



How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Chezangla
Hi,
I have successfully installed and tested freeRADIUS on centOS with MySQL
database. But I wanted to test if the freeRADIUS is accessible from
remote machines as well so I tried to test it using NTRadPing on my
windows PC, but it always says no response from the server. I have added
my PC IP to clients.conf.


I even tried to telnet 1812 on localhost but it says connection refused.


Please can someone help me in this regard.


chezang



Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Alan Buxey
Hi,

 I have successfully installed and tested freeRADIUS on centOS with MySQL
 database. But I wanted to test if the freeRADIUS is accessible from
 remote machines as well so I tried to test it using NTRadPing on my
 windows PC, but it always says no response from the server. I have added
 my PC IP to clients.conf.

first question would be why?  end clients never talk to the RADIUS server
directly - the NAS (wireless AP, switch, VPN, RAS etc) do.

however if this is for eg testing another server can talk to it, then simply
add the client to clients.conf, restart FR and ensure the client is allowed
to talk to the RADIUS server (firewall)

 I even tried to telnet 1812 on localhost but it says connection refused.

yep. firewall. adjust your CentOS default firewall settings - 
/etc/sysconfig/iptables
so that your client can talk to the server on UDP 1812

alan


Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Fajar A. Nugraha
On Mon, Feb 13, 2012 at 6:48 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 I even tried to telnet 1812 on localhost but it says connection refused.

 yep. firewall. adjust your CentOS default firewall settings - 
 /etc/sysconfig/iptables
 so that your client can talk to the server on UDP 1812

While firewall is most likely the culprit, you can't use telnet to
test UDP connection.

-- 
Fajar
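
A RADIUS-level check of what this thread is after (clients.conf entry, firewall, UDP 1812), as an added example that is not part of the original posts: it builds the same four-attribute Access-Request that radtest prints, sends it over UDP, and verifies the Response Authenticator of the reply. Function names are this example's own; the secret, user and port are the test values quoted in these threads.

```python
"""Minimal RADIUS PAP probe (added example; helper names are this example's own)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + previous).digest()
        previous = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += previous
    return hidden


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length counts the 2 header bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, user, password, secret, authenticator,
                         nas_ip="127.0.0.1", nas_port=0) -> bytes:
    """User-Name, User-Password, NAS-IP-Address, NAS-Port, as in the radtest dumps."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def check_reply(reply: bytes, ident: int, request_authenticator: bytes,
                secret: bytes) -> str:
    """Validate id, length and Response Authenticator; return the reply's name."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad length field")
    reply = reply[:length]
    if reply_id != ident:
        raise ValueError("reply id does not match the request")
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request_authenticator
                           + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch "
                         "or a reply that did not come from the server")
    return CODE_NAMES.get(code, "code %d" % code)


def probe(host, secret, user, password, port=1812, timeout=3.0) -> str:
    """Send one Access-Request and classify the outcome."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected UDP socket surfaces ICMP errors
        try:
            sock.send(packet)
            reply = sock.recv(4096)
        except socket.timeout:
            return "no reply (dropped by a firewall or client not in clients.conf)"
        except ConnectionRefusedError:
            return "port unreachable (nothing listening on that UDP port)"
    return check_reply(reply, ident, authenticator, secret)


if __name__ == "__main__":
    # Values quoted in the thread: shared secret testing123, test user bob/bob.
    print(probe("127.0.0.1", b"testing123", "bob", "bob"))
```

A timeout fits both causes discussed above: FreeRADIUS silently ignores packets from addresses that have no clients.conf entry, and a firewall drop looks the same from the client side.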


Server Starts, but rejects test user

2011-12-27 Thread Michael Aldridge
I set up the server with gracious help from the community, and now it
starts without errors.  The problem comes in trying to get the test user to
work.  The server simply replies with Access-Reject and awaits the next
user.

Here is the dump from radtest:

DeepBlue:~ michaelaldridge$ radtest testing password localhost 0 testing123
Sending Access-Request of id 227 to 127.0.0.1 port 1812
User-Name = testing
User-Password = password
NAS-IP-Address = 192.168.25.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=227,
length=20
DeepBlue:~ michaelaldridge$ radtest bob bob localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
User-Name = bob
User-Password = bob
NAS-IP-Address = 192.168.25.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=241,
length=20
__

And here are the contents of the users file:

 bob Cleartext-Password := bob
 Reply-Message = Hello, bob



All help is appreciated

Also, as a side note, what is the proper way to stop the server gracefully?
 Normally I just kill the associated PID#...


Re: Server Starts, but rejects test user

2011-12-27 Thread Fajar A. Nugraha
On Wed, Dec 28, 2011 at 11:45 AM, Michael Aldridge
aldridge@gmail.com wrote:
 I set up the server with gracious help from the community, and now it starts
 without errors.  The problem comes in trying to get the test user to work.
  The server simply replies with Access-Reject and awaits the next user.

... and what is the output of radiusd -X?

 Also, as a side note, what is the proper way to stop the server gracefully?

Depending on how you install it, there should be an init script. For
example, on Ubuntu, you'd do /etc/init.d/freeradius stop

  Normally I just kill the associated PID#...

That's basically it. The init script does additional checks though
(e.g. check for PID file, try SIGTERM first, then if it doesn't
respond, try SIGKILL).

-- 
Fajar



Re: Server Starts, but rejects test user

2011-12-27 Thread Michael Aldridge
As requested:

DeepBlue:raddb michaelaldridge$ radiusd -X
FreeRADIUS Version 2.1.9, for host i386-apple-darwin10.8.0, built on Dec  9
2011 at 18:58:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /opt/local/etc/raddb/radiusd.conf
including configuration file /opt/local/etc/raddb/proxy.conf
including configuration file /opt/local/etc/raddb/clients.conf
including files in directory /opt/local/etc/raddb/modules/
including configuration file /opt/local/etc/raddb/modules/acct_unique
including configuration file /opt/local/etc/raddb/modules/always
including configuration file /opt/local/etc/raddb/modules/attr_filter
including configuration file /opt/local/etc/raddb/modules/attr_rewrite
including configuration file /opt/local/etc/raddb/modules/chap
including configuration file /opt/local/etc/raddb/modules/checkval
including configuration file /opt/local/etc/raddb/modules/counter
including configuration file /opt/local/etc/raddb/modules/cui
including configuration file /opt/local/etc/raddb/modules/detail
including configuration file /opt/local/etc/raddb/modules/detail.example.com
including configuration file /opt/local/etc/raddb/modules/detail.log
including configuration file /opt/local/etc/raddb/modules/digest
including configuration file /opt/local/etc/raddb/modules/echo
including configuration file /opt/local/etc/raddb/modules/etc_group
including configuration file /opt/local/etc/raddb/modules/exec
including configuration file /opt/local/etc/raddb/modules/expiration
including configuration file /opt/local/etc/raddb/modules/expr
including configuration file /opt/local/etc/raddb/modules/files
including configuration file /opt/local/etc/raddb/modules/inner-eap
including configuration file /opt/local/etc/raddb/modules/ippool
including configuration file /opt/local/etc/raddb/modules/krb5
including configuration file /opt/local/etc/raddb/modules/ldap
including configuration file /opt/local/etc/raddb/modules/linelog
including configuration file /opt/local/etc/raddb/modules/logintime
including configuration file /opt/local/etc/raddb/modules/mac2ip
including configuration file /opt/local/etc/raddb/modules/mac2vlan
including configuration file /opt/local/etc/raddb/modules/mschap
including configuration file /opt/local/etc/raddb/modules/ntlm_auth
including configuration file /opt/local/etc/raddb/modules/otp
including configuration file /opt/local/etc/raddb/modules/pam
including configuration file /opt/local/etc/raddb/modules/pap
including configuration file /opt/local/etc/raddb/modules/passwd
including configuration file /opt/local/etc/raddb/modules/perl
including configuration file /opt/local/etc/raddb/modules/policy
including configuration file /opt/local/etc/raddb/modules/preprocess
including configuration file /opt/local/etc/raddb/modules/radutmp
including configuration file /opt/local/etc/raddb/modules/realm
including configuration file /opt/local/etc/raddb/modules/smbpasswd
including configuration file /opt/local/etc/raddb/modules/smsotp
including configuration file /opt/local/etc/raddb/modules/sql_log
including configuration file
/opt/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/local/etc/raddb/modules/sradutmp
including configuration file /opt/local/etc/raddb/modules/unix
including configuration file /opt/local/etc/raddb/modules/wimax
including configuration file /opt/local/etc/raddb/eap.conf
including configuration file /opt/local/etc/raddb/policy.conf
including files in directory /opt/local/etc/raddb/sites-enabled/
including configuration file
/opt/local/etc/raddb/sites-enabled/control-socket
including configuration file /opt/local/etc/raddb/sites-enabled/default
including configuration file /opt/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /opt/local/etc/raddb/dictionary
main {
prefix = /opt/local
localstatedir = /opt/local/var
logdir = /opt/local/var/log/radius
libdir = /opt/local/lib
radacctdir = /opt/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /opt/local/var/run/radiusd/radiusd.pid
checkrad = /opt/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = status-server
ping_interval 

Re: Server Starts, but rejects test user

2011-12-27 Thread Fajar A. Nugraha
On Wed, Dec 28, 2011 at 11:55 AM, Michael Aldridge
aldridge@gmail.com wrote:
 DeepBlue:raddb michaelaldridge$ radiusd -X
 FreeRADIUS Version 2.1.9, for host i386-apple-darwin10.8.0, built on Dec  9

 including configuration file /opt/local/etc/raddb/radiusd.conf

so your configuration files are on /opt/local/etc/raddb

  Module: Instantiating files
   files {
 usersfile = /opt/local/etc/raddb/users

... and that is your users file

 rad_recv: Access-Request packet from host 127.0.0.1 port 53898, id=241,
 length=55
 User-Name = bob
 User-Password = bob


 +- entering group authorize {...}

 ++[files] returns noop

files module says it doesn't find anything for that user

 [pap] WARNING! No known good password found for the user.  Authentication

... and neither does any other module in authorize section.

Verify that:
- the location of users file that you edit is correct
- the syntax is correct. See man 5 users. Probably tab vs space issue

-- 
Fajar



Re: Server Starts, but rejects test user

2011-12-27 Thread Michael Aldridge
I feel stupid now, I was editing the wrong users file...


Request for Radius Test Client to test the following call flow

2011-12-14 Thread Ratnesh Sinha
Hi,

 

I require to simulate and test the RADIUS ACCESS_REQUEST message with PPAC,
Update Reason & Service Type Parameters in the packet and ACCESS_ACCEPT with
PPAQ(VQ/DQ, VT/DT). Any radius client which supports setting these two
parameters and send ACCESS_REQUEST message & how to set the response
ACCESS_ACCEPT with PPAQ(VQ/DQ, VT/DT).

 

Regards,

Ratnesh



Re: Request for Radius Test Client to test the following call flow

2011-12-14 Thread Alan DeKok
Ratnesh Sinha wrote:
 I require to simulate and test the RADIUS ACCESS_REQUEST message with
 PPAC, Update Reason & Service Type Parameters in the packet and
 ACCESS_ACCEPT with PPAQ(VQ/DQ, VT/DT). Any radius client which supports
 setting these two parameters and send ACCESS_REQUEST message

  Yes.  radclient has full WiMAX support.

  how to
 set the response ACCESS_ACCEPT with PPAQ(VQ/DQ, VT/DT).

  Read the documentation.

  Alan DeKok.


TEST

2011-12-04 Thread Коньков Евгений
some problem with this mail list, trying to test
sorry



Test

2011-09-15 Thread Alan DeKok
  Is the list down, or are people quiet?


Re: Test

2011-09-15 Thread Paolo Barbato
.. or is freeradius too much stable ?

On 15/set/2011, at 16:49, Alan DeKok wrote:

  Is the list down, or are people quiet?


Paolo Barbato

Consorzio RFX
corso Stati Uniti,4  
35127 Padova - Italy  
Network Administrator 
phone: +39 049 8295097 fax: +39 049 8700718




Re: Test

2011-09-15 Thread Paul Thornton
On 15/09/2011 15:49, Alan DeKok wrote:
   Is the list down, or are people quiet?

I think we're all just being quiet today.

Paul.


Re: Test

2011-09-15 Thread Johan Meiring

On 2011/09/15 04:49 PM, Alan DeKok wrote:

   Is the list down, or are people quiet?


Suspect they're quiet.
Freeradius works too well!!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: Test

2011-09-15 Thread Imad Soltani
people are quiet :)

On Thu 15/09/11 16:49, Alan DeKok al...@deployingradius.com wrote:
 Is the list down, or are people quiet?


RE: Test

2011-09-15 Thread Nicolas FOUREL
I received your message Alan

-Original Message-
From:
freeradius-users-bounces+nicolas.fourel=adipsys@lists.freeradius.org
[mailto:freeradius-users-bounces+nicolas.fourel=adipsys.com@lists.freeradius
.org] On Behalf Of Alan DeKok
Sent: Thursday, 15 September 2011 16:50
To: FreeRadius users mailing list
Subject: Test

  Is the list down, or are people quiet?


RE: Test

2011-09-15 Thread Lovaas,Steven
You're right, it was an unusually quiet night... but you're coming through loud 
and clear, Alan.

Steve

-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Thursday, September 15, 2011 8:50 AM
To: FreeRadius users mailing list
Subject: Test

  Is the list down, or are people quiet?


Re: Test

2011-09-15 Thread Glen Millard
Am I going to catch hell for SPAMMING?


On Thu, Sep 15, 2011 at 11:00, Imad Soltani solt...@imad.fr wrote:

 people are quiet :)

 On Thu 15/09/11 16:49, Alan DeKok al...@deployingradius.com wrote:
  Is the list down, or are people quiet?


Re: Test

2011-09-15 Thread Christ Schlacta

List is down.
On 9/15/2011 07:49, Alan DeKok wrote:

   Is the list down, or are people quiet?


Re: Test

2011-09-15 Thread Suman Dash
It's UP !!

On Fri, Sep 16, 2011 at 12:24 AM, Christ Schlacta li...@aarcane.org wrote:

 List is down.

 On 9/15/2011 07:49, Alan DeKok wrote:

   Is the list down, or are people quiet?


Re: radius.log test?

2011-07-18 Thread Alan Buxey
hi,

All seems well besides this. It started happening a day ago every 30
seconds. Anyone understand what this is?

check your changelog or revision control notes to see what was done a day ago?

alan


RE: radius.log test?

2011-07-18 Thread OzSpots - Carl Sawers
Thanks for that, rather odd, I ran radius -X  and found the location the
request was coming from, it was one of our pc's which must have been
running a test in the background, a reboot turned it off. cheers

Regards

Carl 



radius.log test?

2011-07-17 Thread OzSpots - Carl Sawers
Hi all,  I have suddenly started seeing this in the radius.log ( 2.2) 

 

Mon Jul 18 11:36:23 2011 : Auth: Login incorrect:
[TEST/+\253\362\023\213\223-~\272\257]$\003\033\211] (from client
localhost port 0)

 

All seems well besides this. It started happening a day ago every 30
seconds. Anyone understand what this is?

 

Regards

 

Carl 

 


How to test radius is working.. can't find radtest

2011-05-25 Thread Luke Hammond
I have just installed FreeRADIUS 2.07 I think it is.. anyways. I
followed a tutorial on how to install it with MySQL on Centos 5 and when
I get to the part about testing the database using radtest.. it doesn't
work. radtest is not where it should be, have looked on google to try
and work out where exactly this 'radtest' lives, but all the locations
it is supposed to be.. it isn't!


So, where should it be and why isn't it there? Do I have to install it
separately?  Also, how do I test that my radius is working and accepting
logins without it?



Re: How to test radius is working.. can't find radtest

2011-05-25 Thread Phil Mayers

On 05/25/2011 10:06 PM, Luke Hammond wrote:

I have just installed FreeRADIUS 2.07 I think it is.. anyways. I
followed a tutorial on how to install it with MySQL on Centos 5 and when
I get to the part about testing the database using radtest.. it doesn't
work. radtest is not where it should be, have looked on google to try
and work out where exactly this 'radtest' lives, but all the locations
it is supposed to be.. it isn't!

So, where should it be and why isn't it there? Do I have to install it
separately? Also, how do I test that my radius is working and accepting
logins without it?


This isn't really a FreeRADIUS question; it's either a basic unix 
question, or one specific to the distribution of Linux you're using.


Anyway: How did you install FreeRADIUS. If you installed it from the 
RPM, are you sure you installed all the RPMs you needed? Perhaps the 
server and client tools are split into separate RPMs? I see Fedora has 
freeradius-utils RPM - maybe Centos has that too?


If you installed it from source - have you looked into the directory you 
installed it into (/usr/local usually)


Try: locate radtest
Or : find / | fgrep radtest

Try: yum provides '*/radtest'


Re: How to test radius is working.. can't find radtest

2011-05-25 Thread Luke Hammond
Thanks for the reply, I installed it from the Package Manager in Gnome,
centos 5.6.


I'll try what you suggested, thank you.


On 25/05/2011 6:28 PM, Phil Mayers wrote:

On 05/25/2011 10:06 PM, Luke Hammond wrote:

I have just installed FreeRADIUS 2.07 I think it is.. anyways. I
followed a tutorial on how to install it with MySQL on Centos 5 and when
I get to the part about testing the database using radtest.. it doesn't
work. radtest is not where it should be, have looked on google to try
and work out where exactly this 'radtest' lives, but all the locations
it is supposed to be.. it isn't!

So, where should it be and why isn't it there? Do I have to install it
separately? Also, how do I test that my radius is working and accepting
logins without it?


This isn't really a FreeRADIUS question; it's either a basic unix 
question, or one specific to the distribution of Linux you're using.


Anyway: How did you install FreeRADIUS. If you installed it from the 
RPM, are you sure you installed all the RPMs you needed? Perhaps the 
server and client tools are split into separate RPMs? I see Fedora has 
freeradius-utils RPM - maybe Centos has that too?


If you installed it from source - have you looked into the directory 
you installed it into (/usr/local usually)


Try: locate radtest
Or : find / | fgrep radtest

Try: yum provides '*/radtest'


ERROR in the EAP/PEAP test of eapol_test

2011-05-02 Thread xuyu
Hi ! I meet an ERROR in the test of EAP/PEAP
 radtest sqluser 123 localhost 1812 testing123  is OK
 ,I just delete the # before 'eap' in radiusd.conf and default files.
the test  eapol_test -c peap.txt -s testing123

my peap.txt is
network={
   eap=PEAP
   eapol_flags=0
   key_mgmt=IEEE8021X
   identity=sqluser
   password=123
   ca_cert=/usr/local/freeradius/etc/raddb/certs/ca.pem
   phase2=auth=MSCHAPV2
   anonymous_identity=anonymous
}

The result is(too long I cut it,all the messages which contain
'fail'and'warning' are here)

rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=0,
length=126
   User-Name = anonymous
   NAS-IP-Address = 127.0.0.1
   Calling-Station-Id = 02-00-00-00-00-01
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x020e01616e6f6e796d6f7573
   Message-Authenticator = 0x028746a6804037ea96543cd3853748ca
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} - anonymous
[sql] sql_set_user escaped user -- 'anonymous'
rlm_sql (sql): Reserving sql socket id: 3

……

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 40004
   EAP-Message = 0x010200061920
   Message-Authenticator = 0x
   State = 0x2e0cc3a22f0eda51cc2cadc82e7658db
Finished request 2.
Going to the next request

……

Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sqluser
[mschap] Told to do MS-CHAPv2 for sqluser with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
   MS-CHAP-Error = \010E=691 R=1
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
   MS-CHAP-Error = \010E=691 R=1
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 40004
   EAP-Message =
0x0109003b190017030100302ab43a32e6ec7ff42289efbdfda591f3a3562799d9559589146b128457125284645e7d72ef66bb121d8dbb003bdab8ab
   Message-Authenticator = 0x
   State = 0x2e0cc3a22605da51cc2cadc82e7658db
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=9,
length=226
   User-Name = anonymous
   NAS-IP-Address = 127.0.0.1
   Calling-Station-Id = 02-00-00-00-00-01
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message =
0x0209006019001703010020b314a72f4acdfaf2dd08dcf94fd6c7082929e8fd0472499fb3f0ba7b79cae39517030100300bbd73ce8691181df7af8f7caabe39c7c75fa967f055a40ba68caf2780dbcf60a2f6b8be08e9d789e433758deacb3e88
   State = 0x2e0cc3a22605da51cc2cadc82e7658db
   Message-Authenticator = 0x6b7fca3ade7064bc39fb78dc05a9d319
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP

Re: ERROR in the EAP/PEAP test of eapol_test

2011-05-02 Thread Alan Buxey
Hi,
Hi ! I meet an ERROR in the test of EAP/PEAP
 radtest sqluser 123 localhost 1812 testing123  is OK
 ,I just delete the # before 'eap' in radiusd.conf and default files.
the test  eapol_test -c peap.txt -s testing123

you are using SQL as the user storage? you havent enabled the sql in the
inner-tunnel virtual server (which gets used when EAP is active)

alan

ERROR in the EAP/PEAP test of eapol_test

2011-04-10 Thread xuyu
Hi ! I meet an ERROR in the test of EAP/PEAP
 radtest sqluser 123 localhost 1812 testing123  is OK
 ,I just delete the # before 'eap' in radiusd.conf and default files.
the test  eapol_test -c peap.txt -s testing123

my peap.txt is
network={
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity=sqluser
password=123
ca_cert=/usr/local/freeradius/etc/raddb/certs/ca.pem
phase2=auth=MSCHAPV2
anonymous_identity=anonymous
}

The result is(too long I cut it,all the messages which contain
'fail'and'warning' are here)

rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=0, length=126
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0x028746a6804037ea96543cd3853748ca
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} - anonymous
[sql] sql_set_user escaped user -- 'anonymous'
rlm_sql (sql): Reserving sql socket id: 3

……

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 40004
EAP-Message = 0x010100160410d8844619dd6d7c77c5de455754592c0b
Message-Authenticator = 0x
State = 0x2e0cc3a22e0dc751cc2cadc82e7658db
Finished request 1

.……

rlm_sql (sql): Released sql socket id: 2
[sql] User anonymous not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 40004
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x2e0cc3a22f0eda51cc2cadc82e7658db
Finished request 2.
Going to the next request

……

Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 40004
EAP-Message = 
0x0103040019c00ab41603010031022d03014da1adfaa31490e821fdfa4885df0c8fc2d0ddd363a209a6143ab7d68062c39739010005ff01000100160301085e0b00085a0008570003a6308203a23082028

……

[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11

Re: ERROR in the EAP/PEAP test of eapol_test

2011-04-10 Thread Phil Mayers



/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sqluser
[mschap] Told to do MS-CHAPv2 for sqluser with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


How could this be more clear?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Alan DeKok
Fajar A. Nugraha wrote:
 ./radperf -A 1,10 -s -f test-users.csv 127.0.0.1 auth testing123
 
 (the short values to -A is just for testing purposes).
 However, if the test file contains more than 7 lines, radperf dies
 with Segmentation fault. Is this a known bug?

  No.

  I should release a new version of radperf soon, with a few more useful
features.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Fajar A. Nugraha
On Sat, Mar 19, 2011 at 9:19 PM, Alan DeKok al...@deployingradius.com wrote:
 Fajar A. Nugraha wrote:
 ./radperf -A 1,10 -s -f test-users.csv 127.0.0.1 auth testing123

 (the short values to -A is just for testing purposes).
 However, if the test file contains more than 7 lines, radperf dies
 with Segmentation fault. Is this a known bug?

  No.

  I should release a new version of radperf soon, with a few more useful
 features.

Thanks :D

Currently with PAP auth-only test to MySQL-backed freeradius I get
about 2000 successful authentications per second. It'd be great if I
can get the maximum number of supported users on this system with a
typical auth - acct-start - interim-update - acct-stop cycle.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Alan Buxey
Hi,

 Currently with PAP auth-only test to MySQL-backed freeradius I get
 about 2000 successful authentications per second. It'd be great if I
 can get the maximum number of supported users on this system with a
 typical auth - acct-start - interim-update - acct-stop cycle.

you should get much faster than that - but some of that will be tweaks
to MySQL - use a better engine like InnoDB, use buffers/cache etc


for what it's worth I've been chucking 10,000 users in CSV file through
radperf with no issues - not sure why yours is barfing at 7 lines

I've tested multiple proxy paths with various backend systems...the fastest
I have achieved was with local 'fastusers' file and the result was
stupidly high speeds... 10,000 users all dealt with in less than 100msec
with no issues - that's with logging etc...I was happy...it's only
when you rely on external services - AD/LDAP/SQL etc that things start getting
slower

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Alan DeKok
Fajar A. Nugraha wrote:
 Currently with PAP auth-only test to MySQL-backed freeradius I get
 about 2000 successful authentications per second. It'd be great if I
 can get the maximum number of supported users on this system with a
 typical auth - acct-start - interim-update - acct-stop cycle.

  The next rev of radperf will support that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Fajar A. Nugraha
On Sat, Mar 19, 2011 at 10:14 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 for what it's worth I've been chucking 10,000 users in CSV file through
 radperf with no issues - not sure why yours is barfing at 7 lines

with or without -A?

 it's only
 when you rely on external services - AD/LDAP/SQL etc that things start getting
 slower

I know. But sometimes you're stuck with using those. So it'd be better
if we can quantify the consequences, something like you can add users
easily, but performance will drop by an order of magnitude.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: test suite simulating NAS for development?

2011-03-19 Thread Gary Gatten
If some environment REALLY needs 10,000 tps, maybe you could write some sort of 
replication/sync engine between LDAP and fast users?  And of course there's 
always multiple methods of load balancing.

- Original Message -
From: Fajar A. Nugraha [mailto:l...@fajar.net]
Sent: Saturday, March 19, 2011 10:59 AM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: test suite simulating NAS for development?

On Sat, Mar 19, 2011 at 10:14 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 for what it's worth I've been chucking 10,000 users in CSV file through
 radperf with no issues - not sure why yours is barfing at 7 lines

with or without -A?

 it's only
 when you rely on external services - AD/LDAP/SQL etc that things start getting
 slower

I know. But sometimes you're stuck with using those. So it'd be better
if we can quantify the consequences, something like you can add users
easily, but performance will drop by an order of magnitude.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







Re: test suite simulating NAS for development?

2011-03-17 Thread Fajar A. Nugraha
On Sat, Jan 23, 2010 at 12:47 AM, Alan DeKok al...@deployingradius.com wrote:
 Mark McWiggins wrote:
 We're developing an application to capture log data from Radius, but we 
 don't have
 a NAS to test with to generate the logs.

 Is there some test suite available to do this?

  radclient comes with the server.  It can generate traffic if you feed
 it data.

  There's also radperf (http://networkradius.com).  It's similar to
 radclient, but it does a lot more (synthesize accounting traffic, etc.).

I just did some testing with radperf, and something like this fits
my requirement to generate dummy load with both Auth and Acct packets
to radius

./radperf -A 1,10 -s -f test-users.csv 127.0.0.1 auth testing123

(the short values to -A is just for testing purposes).
However, if the test file contains more than 7 lines, radperf dies
with Segmentation fault. Is this a known bug?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to test authentication process using Access-Challenge response

2011-02-05 Thread Gregor Bruhin


Thanks Alan and Peter for your fast answers.

After doing some tests with the suggested tools I found no ready to 
use simulator for testing 2 step authentication with challenge response 
messages.


I tried Jradius simulator which also seems not to have this feature.

I will try to code myself something with the suggested libraries and tools.

Thanks, Greg
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


how to test authentication process using Access-Challenge response

2011-02-04 Thread Gregor Bruhin

Hi,

I'm currently playing around with freeradius to implement a two-way 
authentication using smsotp.


Is there a way to test the whole authentication process, including 
access-challenge packets without using a real radius client device?


Many thanks and best regards, Greg

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to test authentication process using Access-Challenge response

2011-02-04 Thread Peter Lambrechtsen
You can use TinyRadius with JMeter to bulk load queries.

There are a number of different radius client tools you can use.

On Sat, Feb 5, 2011 at 1:30 PM, Gregor Bruhin g...@11g.ch wrote:

 Hi,

 I'm currently playing around with freeradius to implement a two-way
 authentication using smsotp.

 Is there a way to test the whole authentication process, including
 access-challenge packets without using a real radius client device?

 Many thanks and best regards, Greg

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: how to test authentication process using Access-Challenge response

2011-02-04 Thread Alan DeKok
Gregor Bruhin wrote:
 Is there a way to test the whole authentication process, including
 access-challenge packets without using a real radius client device?

  Use radclient.  You will likely need to hack the source.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
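
An added example, not part of any message in this thread and not radclient code: a minimal RADIUS test client that carries an authentication through Access-Challenge rounds without a NAS. It assumes the second factor is sent as User-Password with the server's State echoed back, and it sends no Message-Authenticator; all function names are this example's own.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident, user, credential, secret, state=None):
    authenticator = os.urandom(16)  # fresh Request Authenticator per packet
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(credential, secret, authenticator))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State unchanged
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_reply(data, request, secret):
    """Validate a reply against the request it answers; return (code, {type: [values]})."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data) or ident != request[1]:
        raise ValueError("bad length or identifier")
    data = data[:length]
    expected = hashlib.md5(data[:4] + request[4:20] + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or spoofed reply)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(data[pos], []).append(data[pos + 2:pos + data[pos + 1]])
        pos += data[pos + 1]
    return code, attrs

def authenticate(send, user, password, secret, answer_challenge, max_rounds=3):
    """Run the dialogue: password first, then one credential per Access-Challenge."""
    state, credential = None, password
    for ident in range(max_rounds + 1):
        request = build_request(ident, user, credential, secret, state)
        code, attrs = parse_reply(send(request), request, secret)
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        state = attrs.get(STATE, [None])[0]
        credential = answer_challenge(b"".join(attrs.get(REPLY_MESSAGE, [])))
    return False  # server kept challenging past max_rounds

def udp_sender(host, port=1812, timeout=3.0):
    """send() callable for a real server; raises socket.timeout if nothing answers."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((host, port))  # connected UDP: replies from other sources are dropped
            sock.send(packet)
            return sock.recv(4096)
    return send
```

Against a live test server the call would look like `authenticate(udp_sender("127.0.0.1"), b"user", b"password", b"testing123", lambda prompt: input(prompt.decode()).encode())`, with the client's address defined as a client on the server.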


WPA2 Enterprise, Freeradius/Mysql Test Data

2010-10-28 Thread Dirk Leas
Is there a reference for test data given default Ubuntu
freeradius/freeradius-mysql packages modified to mysql back end
(successfully verified with trivial radtest test case)? Any other config
changes required to demonstrate WPA2 Enterprise authentication?

TIA,
D
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: WPA2 Enterprise, Freeradius/Mysql Test Data

2010-10-28 Thread Alan DeKok
Dirk Leas wrote:
 Is there a reference for test data given default Ubuntu
 freeradius/freeradius-mysql packages modified to mysql back end
 (successfully verified with trivial radtest test case)? Any other config
 changes required to demonstrate WPA2 Enterprise authentication?

  Read http://deployingradius.com

  It has complete instructions for 802.1X

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius crashed on loading test.

2010-09-15 Thread Alan DeKok
Konstantin Chekushin wrote:
 Good day. I want to continue Dinh Pham Cong topic ((FreeRadius crashed
 on accounting load tests with 1000 concurrent clients - Tue, 10 Nov 2009
 01:39:30 -0800 ))
 
 I use freeradius 2.1.9
 
 Linux myhost 2.6.26-2-amd64
 
 Some info from radiusd.conf :

  sigh  This isn't requested, and isn't necessary.

 I'm using rlm_sql for my own ippool module:
 database = mysql
 num_sql_socks = 32

  And it can't keep up with the load.

 I've started
 ./radius -xxx -f

  radius?  Not radiusd?  And why not radiusd -X as documented
*everywhere* ?

 I've prepared huge file with auth requests for sending:

  Which no one asked for, and isn't necessary.

 my module process requests too slow (I will discover this problem in few
 days, this is mysql-db-cluster issues), but this test causes radiusd
 segmentation fault. I've grabbed the core and look what it shows:

  This should be fixed in 2.1.10.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius crashed on loading test.

2010-09-15 Thread Konstantin Chekushin

 Quoting *Alan DeKok al...@deployingradius.com*:
 Konstantin Chekushin wrote:
 
   I've started
   ./radius -xxx -f
 
radius?  Not radiusd?  And why not radiusd -X as documented
  *everywhere* ?
 -X = -sfxx -l stdout . But, I didn't want single mode for my
 loading test. So I used ./radiusd -xxx -f (the letter was missed in
 a previous mail)
 And I've used -xxx to make my own debug3 visible with timestamp
 (without changing your log.c).
 In fact, your logging architecture logic is rather strange. But this
 is another topic.
 
   I've prepared huge file with auth requests for sending:
 
Which no one asked for, and isn't necessary.
 
   my module process requests too slow (I will discover this
 problem in few
   days, this is mysql-db-cluster issues), but this test causes
 radiusd
   segmentation fault. I've grabbed the core and look what it
 shows:
 
This should be fixed in 2.1.10.
 Good. Thanks for the answer.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FreeRadius crashed on loading test.

2010-09-14 Thread Konstantin Chekushin

 Good day. I want to continue Dinh Pham Cong topic ((FreeRadius
 crashed on accounting load tests with 1000 concurrent clients - Tue,
 10 Nov 2009 01:39:30 -0800 ))
 I use freeradius 2.1.9
 Linux myhost 2.6.26-2-amd64
 Some info from radiusd.conf :
 --
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 2048
 hostname_lookups = no
 allow_core_dumps = yes
 regular_expressions     = yes
 extended_expressions    = yes
 log {
         destination = files
         file = ${logdir}/radius.log
         syslog_facility = daemon
         stripped_names = no
         auth = yes
         auth_badpass = yes
         auth_goodpass = yes
 }
 checkrad = ${sbindir}/checkrad
 security {
         max_attributes = 200
         reject_delay = 1
         status_server = yes
 }
 proxy_requests  = no
 $INCLUDE clients.conf
 thread pool {
         start_servers = 5
         max_servers = 32
         min_spare_servers = 3
         max_spare_servers = 10
         max_requests_per_server = 0
 }
 --
 I'm using rlm_sql for my own ippool module:
 database = mysql
 num_sql_socks = 32
 I've started
 ./radius -xxx -f
 I've prepared huge file with auth requests for sending:
 Packet-Type = Access-Request
 NAS-Identifier = nas1
 User-Name = test
 User-Password = test
 NAS-IP-Address = 212.93.99.126
 NAS-Port-Type = Virtual
 Called-Station-Id = 1000
 Calling-Station-Id = 3712911
 Service-Type = Framed-User
 Framed-Protocol = GPRS-PDP-Context
 Acct-Session-Id = d45d637e72d54736
 Acct-Multi-Session-Id = d45d637e396391a1
 Packet-Type = Access-Request
 NAS-Identifier = nas1
 User-Name = test2
 User-Password = test2
 NAS-IP-Address = 212.93.99.126
 NAS-Port-Type = Virtual
 Called-Station-Id = 3
 Calling-Station-Id = 3712622
 Service-Type = Framed-User
 Framed-Protocol = GPRS-PDP-Context
 Acct-Session-Id = d45d637e5b97ac8e
 Acct-Multi-Session-Id = d45d637e2dc41c4e
 and so on
 then, I've run radclient:
 cat auth-det.log |/usr/local/freeradius2.1.9/bin/radclient -c 1 -p 500 -q localhost:1812 auth testkey
 my module processes requests too slowly (I will discover this problem in
 few days, this is mysql-db-cluster issues), but this test causes
 radiusd segmentation fault. I've grabbed the core and look what it
 shows:
 Core was generated by `./radiusd -xxx -f'.
 Program terminated with signal 11, Segmentation fault.
 #0  request_pre_handler (request=0xb493fc20) at event.c:1769
 1769            if (request->packet->dst_port == 0) {
 (gdb) bt
 #0  request_pre_handler (request=0xb493fc20) at event.c:1769
 #1  0x0806e404 in radius_handle_request (request=0xb493fc20, fun=0x804ef20 <rad_authenticate>) at event.c:3728
 #2  0x08066970 in request_handler_thread (arg=0xae9cbf8) at threads.c:493
 #3  0xb780e4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
 #4  0xb75b684e in clone () from /lib/i686/cmov/libc.so.6
 And here is last breath of my radius (from radius.log)
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16359 in component  module .
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16366 in component  module .
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16369 in component  module .
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16383 in component  module .
 Tue Sep 14 16:44:43 2010 : Debug: Waking up in 0.1 seconds.
 Tue Sep 14 16:44:43 2010 : Info: Cleaning up request 16169 ID 189 with timestamp +952
 Tue Sep 14 16:44:43 2010 : Info: Child is finally responsive for request 14864
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16165 in component post-auth module lmtsqlippool1.
 Tue Sep 14 16:44:43 2010 : Info: WARNING: Child is hung for request 16186 in component post-auth module lmtsqlippool1.
 Tue Sep 14 16:44:43
