| See the changelog for 2.2.0.  The "passwd" module had issues with
|older versions of the server.
|
|You can also reload individual modules.  That will be less likely to
|have issues.  i.e.
|
|$ radmin -e "hup passwd"
|

And from the control-socket code

#
#       Control socket interface.
#
#       HIGHLY experimental!  It should NOT be used in production
#       environments.
#
The servers are in a production environment. I'd really like to try just 
reloading the passwd module to see if it makes any difference to the server 
stability but not at the detriment to any security type issues
A

On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:

> Today's Topics:
> 
>   1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
>   2. RE: [EAP/TLS] Authenfication through a certificate
>      (vazoumana fofana)
>   3. Re: Session-Timeout anomalies (Bill Isaacs)
>   4. Re: Session-Timeout anomalies (Alan DeKok)
>   5. Any interoperability issues with Aruba and Freeradius
>      (Alex Sharaz)
>   6. Re: MAc-Auth with EAP (Tunde Ogedengbe)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 08 Feb 2013 10:10:05 -0500
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list
>       <freeradius-users@lists.freeradius.org>
> Subject: Re: Issues with Freeradius crashing after a sighup
> Message-ID: <5115154d.5070...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Alex Sharaz wrote:
>> Firstly the 2.1 servers
> 
>  <shrug>  Upgrade.
> 
>> password files are updated every 15 mins and are followed by a "service 
>> freeradius reload" command to bring them on line. 
> 
>  See the changelog for 2.2.0.  The "passwd" module had issues with
> older versions of the server.
> 
>  You can also reload individual modules.  That will be less likely to
> have issues.  i.e.
> 
> $ radmin -e "hup passwd"
> 
>> Anyone else seen server crashes on a reload?
> 
>  Unfortunately I've seen this before.  I haven't seen enough
> information to track it down and fix it, though.
> 
>  Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 8 Feb 2013 15:24:53 +0000
> From: vazoumana fofana <zoumlan...@hotmail.com>
> To: "freeradius-users@lists.freeradius.org"
>       <freeradius-users@lists.freeradius.org>
> Subject: RE: [EAP/TLS] Authenfication through a certificate
> Message-ID: <snt137-w406d40d7e02d3b5d51a487d2...@phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> I begin setting up configuration. But I got two problems:
> 
> client with good certificate can be authenticated even if they're not in 
> "users" file.
> I assume it's due to my code. Here is under authenticate section of default : 
> 
> Auth-Type eap {
>        eap
>        if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxx\// ) {
>                if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxxxxx\// ) {
>                        ok
>                }
>                else {
>                        fail
>                }
>        }
> }
> It's like when condition is checked, it bypassed "users" file.
> 
> Maybe I must move these lines under authorize?
> Anyone to confirm it?
> 
> cheers
> 
> 
>> Date: Mon, 4 Feb 2013 10:32:22 -0500
>> From: al...@deployingradius.com
>> To: freeradius-users@lists.freeradius.org
>> Subject: Re: [EAP/TLS] Authenfication through a certificate
>> 
>> vazoumana fofana wrote:
>>> I've got a question about EAP/TLS and authentication for a client
>>> through a certificate.
>>> I succeeded in setting it up. But I notice that freeradius matches client
>>> login with certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME ?
>> 
>>  Yes.
>> 
>>  Read the eap.conf file, and the raddb/sites-available/default.  This
>> is documented.
>> 
>>  Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 08 Feb 2013 09:35:59 -0600
> From: Bill Isaacs <bill.isa...@island-wifi.com>
> To: FreeRadius users mailing list
>       <freeradius-users@lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151b5f.6060...@island-wifi.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> 
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
> 
>>   That is *entirely* the wrong question.  It's why you haven't solved
>> the problem yet.
>> 
>>   Look at the *radius server* debug output.  It's the one sending the
>> Session-Timeout.  You should be able to figure out where the
>> session-timeout is coming from.
>> 
>>> Where is
>>> "Session-Timeout" getting this information? Why is it only doing it on
>>> some accounts and not others?
>>   Look at the debug output.
>> 
>>   Honestly.
>> 
>>   We say this DAILY on this list.  There is no excuse for refusing to do
>> that.
>> 
>> 
> Alan, take a deep breath.  Of course I've looked at the debug output.  
> Note my opening sentence, ol' pardner.  ;)
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 08 Feb 2013 10:50:17 -0500
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list
>       <freeradius-users@lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151eb9....@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the
>> notion that the account has 2366393 seconds left?
> 
>  From the RADIUS server.  This isn't magic.  radclient doesn't invent
> attributes in reply packets.  It receives them from the RADIUS server.
> 
>> Alan, take a deep breath.  Of course I've looked at the debug output. 
>> Note my opening sentence, ol' pardner.  ;)
> 
>  Well... your question about "where does radclient get that value from"
> is entirely missing the point.  It gets it from the RADIUS server.  I've
> said this.  I have no idea how to convince you it's true.
> 
>  And the *only* way to debug the RADIUS server is to look at the debug
> output.
> 
>  And no, your original message did *not* say you had run the server in
> debugging mode.  There's only a reference to creating an account for
> debugging purposes.  There's no "radiusd -X" output.
> 
>  My frustration here is that the documentation and my messages cannot
> possibly be any more clear.  Yet you're wandering around doing
> everything *but* what the documentation says, and then wondering why I'm
> getting annoyed.
> 
>  Run the server in debugging mode.  Really.  Do it.  I mean it.
> 
>  If you want to track down the issue to a specific module, update the
> config to do:
> 
>       update reply {
>               Reply-Message += "A %{reply:Session-Timeout}"
>       }
> 
>  Cut & paste that through various pieces of authorize, post-auth, etc.
> Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
> in the Access-Accept.  Each with a value for Session-Timeout.  That lets
> you track *what* the value is, and *where* in the config the value is
> coming from.
> 
>  Then once you know it's a particular module, you can figure out how to
> fix that module.
> 
>  Right now, you're staring at the radclient output, wondering why the
> server isn't working.  That's a mistake.
> 
>  Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 8 Feb 2013 16:08:22 +0000
> From: Alex Sharaz <alex.sha...@york.ac.uk>
> To: "freeradius-users@lists.freeradius.org"
>       <freeradius-users@lists.freeradius.org>
> Subject: Any interoperability issues with Aruba and Freeradius
> Message-ID: <33b79501-6775-4442-b14e-da574f637...@york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi All,
> 
> I'm sure the answer to this is nope, but ...
> 
> At a recent Aruba training course in amongst the documentation supplied to us 
> were a couple of presentation slides showing different types of eap 
> authentication against recommended RADIUS servers for use with Aruba 
> equipment (Just to be sure the slide heading said Aruba RADIUS 
> Compatibility). 
> 
> The surprising bit was the fact that there was a "No" against Freeradius/TTLS 
> (MD5,TLS,PEAP,LEAP,FAST all were yes) and a comment that said Freeradius also 
> supports TTLS.
> 
> Now it may well be that the slide is a bit old and just hasn't been updated 
> but it does beg the question have any people using Freeradius with Aruba kit 
> experienced any funnies that needed a specific set of "tweaking" for Aruba? I 
> really can't imagine that it would be the case, but just thought I'd check.
> 
> Rgds
> Alex
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Fri, 8 Feb 2013 16:09:34 +0000
> From: Tunde Ogedengbe <tu...@xtracomonline.com>
> To: FreeRadius users mailing list
>       <freeradius-users@lists.freeradius.org>
> Subject: Re: MAc-Auth with EAP
> Message-ID:
>       <CACXXqacFDThXBDnzPbseQnZv=vygkq0pd6oxkxv+q_s3nkq...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Ok. Can you pls help with procedure for configuring pre-login on Windows
> for 802.1x? Windows is sending packets to RADIUS as
> host/machine-name.domain. I would like to have a dedicated userid/password
> configured on windows for pre-login machine authentication.
> 
> 'Tunde Ogedengbe
> On 8 Feb 2013 13:18, "Phil Mayers" <p.may...@imperial.ac.uk> wrote:
> 
>> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>> 
>> see from the log that the MAC addresses is checked and OK.  But there is
>>> an [eap] returns reject just after the mac address was successfully
>>> checked.  I guess I need a way to get radius to force an EAP accept
>>> after successful checking of the MAC addresses.
>>> 
>> 
>> This doesn't work. You can't "force accept" of an EAP session. The
>> protocol is challenge/response and must complete correctly at both ends.
>> 
>> Your approach won't work.
>> 
>> Instead, you must configure pre-login 802.1x authentication correctly on the
>> Windows side, either using machine credentials or user creds.
> 
> ------------------------------
> 
> 
> End of Freeradius-Users Digest, Vol 94, Issue 19
> ************************************************
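
The marker technique described in Message 4 leaves a series of Reply-Message values in the Access-Accept. As an added example (not part of the thread and not FreeRADIUS code), this Python script reads such a reply and reports between which markers Session-Timeout changed. The sample reply text is constructed, and the single-letter label format is an assumption taken from the "A", "B", "C" convention in that message.

```python
import re

# Constructed sample: attribute lines of an Access-Accept as a client such as
# radclient would print them, with markers A..D pasted through the config.
SAMPLE_REPLY = '''\
    Reply-Message = "A "
    Reply-Message = "B "
    Reply-Message = "C 86400"
    Reply-Message = "D 2366393"
    Session-Timeout = 2366393
'''

# One capital letter, then the expanded %{reply:Session-Timeout}, which is
# empty while the attribute has not yet been added to the reply.
MARKER = re.compile(r'^\s*Reply-Message\s*\+?=\s*"([A-Z]) ?(\d*)"\s*$')


def parse_markers(text):
    """Return [(label, value or None)] in the order the server added them."""
    found = []
    for line in text.splitlines():
        m = MARKER.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return found


def transitions(markers):
    """List (before, after, old, new) for each step where the value changed."""
    changes = []
    prev_label, prev_val = "start", None
    for label, val in markers:
        if val != prev_val:
            changes.append((prev_label, label, prev_val, val))
        prev_label, prev_val = label, val
    return changes


def final_timeout(text):
    """Session-Timeout actually sent in the reply, or None if absent."""
    m = re.search(r'^\s*Session-Timeout\s*=\s*(\d+)\s*$', text, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for before, after, old, new in transitions(parse_markers(SAMPLE_REPLY)):
        print(f"between {before} and {after}: {old} -> {new}")
    print("final Session-Timeout:", final_timeout(SAMPLE_REPLY))
```

Each reported step names the two markers that bracket the module or policy which set or rewrote the value; that is the section of the config to read next in the "radiusd -X" output.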
