Re: Freeradius the right tool as Windows Authentication Proxy?

2005-11-08 Thread Thomas Stieglitz

Hello Helen,

thank you for your informative answer!

  It's possible, but I don't think RADIUS is the right tool.
Which one or which techniques do you think is the right solution for my problem?

Greetings,

Tom Stieglitz




FreeRadius users mailing list freeradius-users@lists.freeradius.org wrote 
on 07.11.05 18:38:23:
 
 Thomas Stieglitz [EMAIL PROTECTED] wrote:
  We're running an apache 1.X webserver, which is located at an
  external provider. My problem is, that we need to authenticate
  webusers against our Windows 2000 Active Directory, which is located
  in our companies' local network.
 
   I would recommend using an Apache module for this task.  Maybe
 mod_ntlm, or mod_smb would be appropriate.
 
  1) Is this idea a possible solution ... the right use of a radius server? 
  And, if yes: is freeradius the right tool for it?
 
   It's possible, but I don't think RADIUS is the right tool.
 
  2) If yes: Is it also possible to gain group information about a user? (i.e. 
  Is Fred a member of Group Foo? Which groups is Fred a member of?)
 
   Yes, but you can't use RADIUS to send that information to Apache.
 
  3) if yes: how do I find an entry point for further information about this 
  special subject?
 
   If the documentation doesn't already contain the information you
 need, use google to search mailing list archives.
 
   Alan DeKok.
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Freeradius the right tool as Windows Authentication Proxy?

2005-11-08 Thread User Test
The Galtex S.A. mail system informs you that your message has been delivered.

Message generated automatically by the mail system of user belskia.
Please do not reply to this message.




Re: mysql.sock moved and cannot be found by freeradius !

2005-11-08 Thread Nicolas Baradakis
Jason Clifford wrote:

 On Mon, 7 Nov 2005, Nicolas Baradakis wrote:

   If you are going to make a change in freeradius to cope with this don't 
   waste time trying to read the my.cnf file as you wont know where it is 
   with any certainty.
 
  This is a one-line change in FreeRADIUS: we just tell libmysqlclient
  to search for and read the file my.cnf in its own predefined locations.

 There is no predefined location. That's the problem that the original 
 poster has run into - you can have the files anywhere you like and people 
 do.

This is just not true. MySQL programs read startup options from the
following files: /etc/my.cnf, /var/lib/mysql/my.cnf, ~/.my.cnf
http://dev.mysql.com/doc/refman/4.1/en/option-files.html

   Instead have a section in the sql.conf to specify the mysql socket file.
 
  We may run into the same problem later with a different option: I don't
  want to have an entry for each and every Mysql specific option in the
  file sql.conf.

 And how many sql options are appropriate? It's only those needed for a 
 client connection and other than socket file location they are already all 
 present as options in the sql.conf file.

There are many options for a client connection. For example, the timeout
options would be very useful, too.
http://dev.mysql.com/doc/refman/4.1/en/mysql-options.html

 It seems counter to good practice (ie keep it simple) to make things more 
 complicated than simply adding an option to the file you already use to 
 configure the sql connection and options.

I think we have enough options in sql.conf for normal use. More options
will confuse the users, or confuse the people who are using a database
server different from MySQL.

-- 
Nicolas Baradakis



dialup_admin problems

2005-11-08 Thread Eric Tanguy

Hello,
I have some problems with dialup_admin 1.62.
I use freeradius-1.0.1 with mysql on Fermi Linux LTS Release 3.0.1.

- First, I have a problem showing the online users in dialup_admin.
In fact, when I use a telnet user to connect to the NAS, it appears in 
online users, but when it's a ppp user, there is nothing.
I think the problem is the radacct table, because nothing is written 
into this table when it's a ppp user and I don't know why.


- Second, I have a problem with failed logins and user statistics.
dialup_admin starts with sql debug. The request is ok but nothing is 
written to the board.


Regards,






Re: Ldap truncating output

2005-11-08 Thread Pedro Marcolino
Sorry for the late reply.
Thanks for the info, i'll give it a try.

Best Regards,
Pedro Marcolino


On Mon, 07 Nov 2005 14:27:28 +0100
Nicolas Baradakis [EMAIL PROTECTED] wrote:

 Pedro Marcolino wrote:
 
  Ldapsearch show the following:
  
  (...)
  ispRadiusCiscoAVPair: lcp:interface-config#1=ip vrf forwarding v24:xxx
  ispRadiusCiscoAVPair: lcp:interface-config#2=ip unnumbered loopback14
  (...)
  
  Anyone got the same problem?
  Thanks for the time.
 
 It's a known bug in rlm_ldap. You can get the patch here:
 http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c.diff?r1=1.122.2.7r2=1.122.2.8
 
 -- 
 Nicolas Baradakis
 
 


-- 
PEDRO MARCOLINO
NETWORK OPERATIONS
__  

AR TELECOM   |   Grupo SGC

Phone: (+351) 210 301 397
Mobile: (+351) 969 572 548
Fax: (+351) 210 301 464
E-mail: [EMAIL PROTECTED]

Edifício Diogo Cão, Doca de Alcântara
1350-352 Lisboa

www.artelecom.pt


Re: Framed-Route and proxying

2005-11-08 Thread Joe Maimon



Jason Frisvold wrote:


Hi there,

I'm looking for a way to force certain users through a proxy.  I
*think* Framed-Routes are the way to go.  Can someone help me out a
little?



Framed-Route instructs the NAS to install a route, as described by the 
value, to the dialed-up user (at least that's what my NASes do).


So in and of itself, I do not think it will accomplish any sort of 
forced proxying.


When you say force do you mean

* does not work unless they are configured to use proxy X

This would generally be a function of an ACL, which can be configured in 
different ways. Using Framed-Route or Framed-IP-Address may be useful 
to you for that.


* transparent proxying

If you combine Framed-Route and/or Framed-IP-Address with policy routing 
(or natting) or vrf tables, you will probably achieve your goal. But 
your use of Framed-Route may not be required at all.




Our users either dial in via a Patton RAS unit, or a Redback SMS-500.

Any help would be appreciated.

Thanks!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Strange issue.

2005-11-08 Thread Rens Houben
A while ago I upgraded our freeradius server to 1.0.2 from a 0.9.x
version, and ever since our ISDN dial-up users can not gain access when
their login type in radcheck is Crypt-Password. If I change them to a
User-Password attribute and the cleartext password, it works.

I've compiled a debug log at
http://tenchi.systemec.nl/~shadur/radlog.txt with the SQL query outputs
added below the queries where they are made. 

This exact setup worked with 0.9.x ; I've ru

-- 
Rens Houben   |opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.   |they'll tell you themselves
PGP key at http://marduk.systemec.nl/~shadur/shadur.key.asc


ntlm_auth commandline ok, radius not ok

2005-11-08 Thread Völker , Christian

Yohoo!

I've a (for me) strange problem with ntlm_auth.

I want to use freeradius as a proxy for authentication against Active Directory. 
So I've installed winbind. "wbinfo -u" and "wbinfo -g" show me the user and 
group lists. Nice :)

I've configured freeradius like Alan DeKok showed in his posting from 
Tue Jul 12 18:33:05 CEST 2005:

---snip---
modules {
	...
	exec win_domain {
		wait = yes
		input_pairs = request
		output_pairs = reply
		program = "ntlm_auth --username=\"%{User-Name}\" --password=\'%{User-Password}\' --domain=mydomain"
	}
	...
}

Now list "win_domain" in the "authenticate" section, and add the following 
entry to the "users" file:

DEFAULT	Auth-Type = win_domain
---snip---
When I start ntlm_auth on the command line:

server:/# /usr/bin/ntlm_auth --username='_web' --password='X!' --domain=mydomain
NT_STATUS_OK: Success (0x0)

All is ok. :)

Trying the same with radtest:

ldaptest02:/etc/raddb# radtest "_web" 'X!' localhost 10 testing123
Sending Access-Request of id 75 to 127.0.0.1:1812
	User-Name = "_web"
	User-Password = "X!"
	NAS-IP-Address = ldaptest
	NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=75, length=20

Nothing is ok :-(

Logfiles:

---snip---
Nov 8 13:58:57 ldaptest radiusd: modcall: group authorize returns ok for request 8
Nov 8 13:58:57 ldaptest radiusd: rad_check_password: Found Auth-Type win_domain
Nov 8 13:58:57 ldaptest radiusd: auth: type "win_domain"
Nov 8 13:58:57 ldaptest radiusd: Processing the authenticate section of radiusd.conf
Nov 8 13:58:57 ldaptest radiusd: modcall: entering group Auth-Type for request 8
Nov 8 13:58:57 ldaptest radiusd: radius_xlat: '/usr/bin/ntlm_auth --username='_web' --password='X!' --domain=central'
Nov 8 13:58:57 ldaptest radiusd: Exec-Program: /usr/bin/ntlm_auth --username='_webman' --password='X!' --domain=central
Nov 8 13:58:57 ldaptest radiusd: Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Nov 8 13:58:57 ldaptest radiusd: Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Nov 8 13:58:57 ldaptest radiusd: Exec-Program: returned: 1
Nov 8 13:58:57 ldaptest radiusd: rlm_exec (win_domain): External script failed
Nov 8 13:58:57 ldaptest radiusd: modcall[authenticate]: module "win_domain" returns fail for request 8
---snip---

The line in the log is the same as what I enter at the command line. 
Why is the answer different?

Thanks for your help and/or ideas for solving the problem!

Greets from Germany

Christian


Radius died, restarting

2005-11-08 Thread hannibal
I use radwatch to check the status of radiusd, but it keeps sending 
"Radius died, restarting" mail to me, although radiusd runs well if I do not 
run radwatch. Please tell me why, thanks.


Re: Framed-Route and proxying

2005-11-08 Thread Jason Frisvold
On 11/8/05, Joe Maimon [EMAIL PROTECTED] wrote:
 Framed-Route instructs the NAS to install a route, as described by the
 value, to the dialed-up user (at least that's what my NASes do).

 So in and of itself, I do not think it will accomplish any sort of
 forced proxying.

Right.. the framed route itself doesn't, but you can use this to force
a new default route on the user, can't you?

 When you say force do you mean

 * does not work unless they are configured to use proxy X

 This would generally be a function of an ACL, which can be configured in
 different ways. Using Framed-Route or Framed-IP-Address may be useful
 to you for that.

No, I don't care what proxy they do or do not have set up on their machine...

 * transparent proxying

 If you combine Framed-Route and/or Framed-IP-Address with policy routing
 (or natting) or vrf tables, you will probably achieve your goal. But
 your use of Framed-Route may not be required at all.

I *think* that's more what I'm looking for..  The idea is to put a
user in a suspended group that will only allow them to go to the
payment server.  By using a proxy, I can intercept all port 80 traffic
and redirect them to the proper location.

Does that make more sense?

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



Cisco AP Vlan assignment when proxying EAP-PEAP?

2005-11-08 Thread Palmer J.D.F.
Hi,

Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
VLAN information within FreeRADIUS in the access-accept packet returned to
the AP?

Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
if the IAS server rejects the user?  The idea being that the user would be
put into a dead end VLAN so they could get info on how to register to use
the service.

Many thanks,
Jezz Palmer.


Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP





Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

2005-11-08 Thread Josh Howlett

Hi Jezz,

Palmer J.D.F. wrote:

Hi,

Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
VLAN information within FreeRADIUS in the access-accept packet returned to
the AP?


Yes - write a script that outputs the relevant attributes to stdout, and 
specify it in an exec clause in radiusd.conf, making sure you set 
packet_type = access-accept. Invoke the exec clause by placing it in the 
post-proxy section. For example (assuming you've got the proxying working):


assign-vlan.sh:

 #!/bin/bash

 # no spaces around '=' in a shell assignment
 VLAN=123

 # We can also grab the RADIUS username attribute from the environment
 # (rlm_exec exports User-Name as USER_NAME).
 # USER="$USER_NAME"
 # This might be useful if you wanted to drop users
 # into different VLANs.
 # if [ "$USER" = "[EMAIL PROTECTED]" ]; then
 #   VLAN=666
 # fi

 # Tunnel-Medium-Type takes the dictionary value IEEE-802 (6)
 echo "Tunnel-Medium-Type = IEEE-802"
 echo "Tunnel-Type = VLAN"
 echo "Tunnel-Private-Group-ID = $VLAN"

 exit 0

radiusd.conf:

 exec assign-vlan {
	program = /path/to/assign-vlan.sh
	input_pairs = proxy-reply
	output_pairs = proxy-reply
	wait = yes
	packet_type = Access-Accept
 }

 authorize {
	...
	# Make sure you put this AFTER the clause that invokes proxying
	assign-vlan
	...
 }


Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
if the IAS server rejects the user?  The idea being that the user would be
put into a dead end VLAN so they could get info on how to register to use
the service.


No; only a couple of attributes are permitted in Access-Reject packets.

I don't think it would be possible to catch Access-Rejects from IAS 
and cunningly turn them into Access-Accepts, either :-/ (well, it would 
be possible, but you'd need to hack FR to do this).


josh.


Many thanks,
Jezz Palmer.


Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP



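A hardened variant of the exec-script idea above, added here as an example and not Josh's script or anything shipped with FreeRADIUS: it derives the VLAN from the user's realm through an explicit table, drops unknown realms into a quarantine VLAN instead of a production one, and refuses to emit an out-of-range VLAN id. The realm table and VLAN numbers are constructed; the USER_NAME environment variable is how rlm_exec hands User-Name to the script.

```shell
#!/bin/sh
# assign-vlan.sh (added example): print Tunnel-* reply pairs for rlm_exec.
# rlm_exec exports request attributes to the environment with the name
# upper-cased and '-' turned into '_', so User-Name arrives as $USER_NAME.
# The realm table and the VLAN numbers below are constructed for the example.

QUARANTINE_VLAN=666   # dead-end VLAN for anything we do not recognise

# vlan_for_user USER -> prints the VLAN id chosen for USER.
# Only the realm (the part after '@') is consulted, and only realms listed
# in the table map to a production VLAN; everything else is quarantined.
vlan_for_user() {
    user=$1
    case $user in
        *@*) realm=${user##*@} ;;
        *)   realm="" ;;
    esac
    # lower-case the realm so Staff@Example.ORG and staff@example.org match
    realm=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    case $realm in
        staff.example.org)    echo 100 ;;
        students.example.org) echo 200 ;;
        *)                    echo "$QUARANTINE_VLAN" ;;
    esac
}

# vlan_reply_pairs VLAN -> prints the reply pairs rlm_exec reads from stdout,
# one "Attribute = value" per line. Returns 1 (printing nothing) when VLAN is
# not a plain 1-4094 id, so a garbled table entry can never reach the switch.
vlan_reply_pairs() {
    vlan=$1
    case $vlan in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
        return 1
    fi
    # Tunnel-Medium-Type must be the dictionary value IEEE-802 (6)
    printf 'Tunnel-Type = VLAN\n'
    printf 'Tunnel-Medium-Type = IEEE-802\n'
    printf 'Tunnel-Private-Group-ID = "%s"\n' "$vlan"
}

# Entry point when run by rlm_exec: the server sets USER_NAME for us.
if [ -n "${USER_NAME:-}" ]; then
    vlan_reply_pairs "$(vlan_for_user "$USER_NAME")"
fi
```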


Re: Freeradius the right tool as Windows Authentication Proxy?

2005-11-08 Thread Alan DeKok
Thomas Stieglitz [EMAIL PROTECTED] wrote:
 Hello Helen,

  ?

   It's possible, but I don't think RADIUS is the right tool.
 Which one or which techniques do you think is the right solution for my 
 problem?

  ?

  Did you read the text you quoted?

  Alan DeKok.


Re: Framed-Route and proxying

2005-11-08 Thread Alan DeKok
Jason Frisvold [EMAIL PROTECTED] wrote:
 I *think* that's more what I'm looking for..  The idea is to put a
 user in a suspended group that will only allow them to go to the
 payment server.  By using a proxy, I can intercept all port 80 traffic
 and redirect them to the proper location.

  That's more of a NAS-specific filter rule.  See your NAS
documentation for how to do it.

  Alan DeKok.



RE: Cisco AP Vlan assignment when proxying EAP-PEAP?

2005-11-08 Thread Palmer J.D.F.
Cheers Josh. :)

That's pretty much the way we do the Roanmode stuff.
Just wasn't sure being EAP whether you could mess around with the return
packet.

Do you have any cunning solutions to how you might get around the reject
issue?  
I'd imagine it's quite a common scenario, i.e. wanting to let users know that
they are doing something wrong as opposed to just rejecting them. 
This must be one of the only redeeming features of web redirect. :-D

Thanks,
Jezz.




RE: Solaris Make Problems

2005-11-08 Thread Nicholas Thompson


I finally got freeradius to make without errors. However, to do this I had
to manually change the Makefile (in src/modules/rlm_sql/drivers/rlm_sql_mysql)
and take out these options -x03 -mt and -xarch=v8, but I am not sure if this
will affect the stability or usage of freeradius.

 -xarch=v8 sounds like a Sun cc option. It's a good idea to work just with
 one compiler, sun or gnu. Adjust the PATH that ./configure and make just
 see one compiler.

I don't have the sun compiler. I am using GCC version 3.3.2 and the gnu linker
version 2.14; both of these are located in /usr/local/bin and that is the first
directory in my path. I am new to freeradius. I have a Solaris 8 machine with
OpenSSL version 0.9.8 and MySQL version 5.0.15 (max). Configure completes
without any problems, however make fails. I have read many suggestions on the
list, and tried all of them, such as setting the LD_LIBRARY_PATH; I even tried
to configure and make with just static libraries. Could there be a problem with
freeradius and MySQL5? Here is a copy of the make output errors:

make[10]: Entering directory `/export/home/nicholas/freeradius-1.0.5/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include -I/usr/local/mysql/include -xO3 -mt -D_FORTEC_ -xarch=v8 -c sql_mysql.c -o sql_mysql.o
gcc: language arch=v8 not recognized
gcc: sql_mysql.c: linker input file unused because linking not done
/export/home/nicholas/freeradius-1.0.5/libtool --mode=link ld -module -static -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include -I/usr/local/mysql/include -xO3 -mt -D_FORTEC_ -xarch=v8 sql_mysql.o -o rlm_sql_mysql.a
(cd . && ln -s sql_mysql.lo sql_mysql.o)
ln: cannot create sql_mysql.o: File exists
make[10]: *** [rlm_sql_mysql.a] Error 2

Re: Solaris Make Problems

2005-11-08 Thread Alan DeKok
Nicholas Thompson [EMAIL PROTECTED] wrote:
 I finally got freeradius to make without errors.  However
 to do this I had to manually change the Makefile (in 
 src/modules/rlm_sql/drivers/rlm_sql_mysql)and take
 out these options -x03 -mt and -xarch=v8, but I am not sure if this will 
 affect the stability or usage of freeradius.

  No.  Those flags are added by configure, for reasons only it
understands.

  Alan DeKok.



Re: Strange issue.

2005-11-08 Thread Alan DeKok
[EMAIL PROTECTED] (Rens Houben) wrote:
 A while ago I upgraded our freeradius server to 1.0.2 from a 0.9.x
 version, and ever since our ISDN dial-up users can not gain access when
 their login type in radcheck is Crypt-Password. If I change them to a
 User-Password attribute and the cleartext password, it works.

  It should still work.  If all else fails, set Auth-Type := Crypt in
the same place you set Crypt-Password.

  Alan DeKok.



JRadius

2005-11-08 Thread Raoul Demour
 
Hello

Has anyone ever tried JRadius (jradius.sf.net)?

As I'm more familiar with Java than C, I
wonder whether to use it to handle
EAP-SIM (I am not completely sure I can do so, but if
it is possible I will do so).

Any experience is welcome.





Re: Framed-Route and proxying

2005-11-08 Thread Joe Maimon



Jason Frisvold wrote:



I *think* that's more what I'm looking for..  The idea is to put a
user in a suspended group that will only allow them to go to the
payment server.  By using a proxy, I can intercept all port 80 traffic
and redirect them to the proper location.

Does that make more sense?

Let's say you used cisco gear (where I use this concept in different ways 
fairly often).

You would do something like this, without any loss of performance:

DEFAULT	Hint == "Suspended"
	Cisco-Avpair += "lcp:interface-config=ip vrf forwarding suspended",
	Cisco-Avpair += "lcp:interface-config=ip unnumbered l10",
	Cisco-Avpair += "ip:addr-pool=suspended"

On the cisco you would config it like this, aside from the normal aaa 
config and whatnot:

ip vrf suspended
 rd 1:1
!
int l10
 ip vrf forwarding suspended
 ip address 10.1.1.1 255.255.255.255
!
int fa0.10
 description proxy server
 encapsulation dot1q 10
 ip vrf forwarding suspended
 ip address 10.2.2.1 255.255.255.0
!
ip local pool suspended 10.10.0.1 10.10.10.255
ip route vrf suspended 0.0.0.0 0.0.0.0 10.2.2.1









compile issues with freeradius 1.0.5 on solaris 10

2005-11-08 Thread Garrett . Marks

Hello,

I was having problems compiling freeradius-1.0.5
on Solaris 10 (sparc) that were rather difficult to troubleshoot. I
managed to get the compilation completed successfully, but it seems that
maybe there could be some changes to improve the experience others have
with compiling freeradius on Solaris 10 in the future.

The problem I had, and another poster
had, centers around configuring freeradius to compile with openssl. The
full set of configure options I used were as follows:

./configure \
  --prefix=/usr/local/freeradius \
  --with-threads \
  --with-ldap \
  --with-openssl-includes=/usr/sfw/include/openssl \
  --with-openssl-libraries=/usr/sfw/lib \
  --with-rlm-ldap-include-dir=/usr/local/openldap/include \
  --with-rlm-ldap-lib-dir=/usr/local/openldap/lib

With no changes to my environment I get the following error:

gcc -L../lib -o radwho radwho.o util.o log.o conffile.o -L/usr/sfw/lib -lssl -L/usr/sfw/lib -lcrypto -lnsl -lresolv -lsocket -lposix4 -lpthread -lradius -lcrypt
Undefined                       first referenced
 symbol                             in file
MD5Init                             ../lib/libradius.a(radius.o)  (symbol belongs to implicit dependency /usr/lib/libmd5.so.1)
MD5Final                            ../lib/libradius.a(radius.o)  (symbol belongs to implicit dependency /usr/lib/libmd5.so.1)
MD5Update                           ../lib/libradius.a(radius.o)  (symbol belongs to implicit dependency /usr/lib/libmd5.so.1)
ld: fatal: Symbol referencing errors. No output written to radwho
...

The error does not occur when I run
the configure from above leaving out the two openssl options.
This was fixed by adding the following to my environment:

LIBS=-lmd5
export LIBS

* This issue and workaround was mentioned by a previous poster.

Should md5 be added to the list of libraries
automatically defined during the configure process for the above?


Then I get the following error:
...
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/sfw/include/openssl -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../include -DHOSTINFO=\"\" -DRADIUSD_VERSION=\"1.0.5\" -c radclient.c
radclient.c: In function `main':
radclient.c:788: error: `RADIUS_DICTIONARY' undeclared (first use in this function)
radclient.c:788: error: (Each undeclared identifier is reported only once
radclient.c:788: error: for each function it appears in.)
gmake[4]: *** [radclient.o] Error 1
gmake[4]: Leaving directory `/tmp/freeradius-1.0.5/src/main'
...

This was a rather perplexing error as
upon investigation of the radclient.c source and the freeradius-1.0.5/src/include
directory, RADIUS_DICTIONARY is defined in ../include/conf.h and radclient.c
has an include statement for conf.h. It is even more perplexing when
investigating the gcc command from above, clearly the conf.h should be
findable through the -I../include portion of the command. Following
a suggestion, I set my CFLAGS env variable to CFLAGS=-I../include
-I/usr/local/openldap/include to force the -I../include to appear
further up in the gcc command. To my surprise that allowed the compilation
to finish successfully. 

After further investigation we discovered
that there is also a conf.h file in the /usr/sfw/include/openssl
directory which appears before the -I../include in the gcc command formed
above. Therefore the radclient.c sees the openssl conf.h which does
not have the `RADIUS_DICTIONARY' defined, thus the error. I checked
the openssl source not from Sun and they have a conf.h as well.

I could imagine a couple of possible
fixes for this issue:
1) Modify configure to place the -I/usr/sfw/include/openssl
(the ssl include path) to be after the -I../include?
or
2) Change the name of conf.h to something
more descriptive and specific to freeradius to avoid conflicts like this?

Another interesting aspect is that with
1.0.4, it seems as if the --with-openssl-lib= option wasn't really working,
because even with that set it wouldn't find ssl or libcrypt unless I set
LD_LIBRARY_PATH. Now with 1.0.5 I don't have to set LD_LIBRARY_PATH.

-Garrett Marks

Proxying a PEAP request to an IAS server

2005-11-08 Thread Dan Newcombe
Hi all. I've done my best to try and figure this out myself, but am 
really stuck.
First the basics: an Enterasys C2 switch set up to do 802.1x 
authentication. This switch points to my freeradius server. Attached 
to the switch is my XP notebook, which is set up to do 802.1x via PEAP.
On the back end is a Win2k3 server which is running IAS.
The idea is to have all the network switches send the authentication 
requests to the freeradius server, which will then decide if it needs to 
go to the windows box (for staff) or a different box (for students). 
Also, the Win2k3 IAS server has a limit of 50 clients unless you scale 
up to the advanced server, which I find just sad that they have done this.


Anyway, I have tested from the freeradius box to the IAS box using 
radtest, and everything is working, so I am being seen as a client.
The problem is when I try and have the notebook authenticate. I see 
"rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP."
in the debug output, which I gather is normal, but somehow part of the 
problem. Basically, the IAS server seems to ignore whatever is coming 
across from the freeradius box. My (uneducated) guess is that this is 
because it has the EAP parms in it, but is not EAP??? However, a 
normal clear-text attempt via radtest works fine.


I have found this post by Alan DeKok - 
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/26170 which 
sounds very similar to what I am doing


First, configure the server to terminate the tunnel, and
authenticate the inner session locally.  Once that works, configure
the server to proxy the inner session only.

I guess where I am really lost is how to follow the above suggestion.
This is what it is sending to the IAS box, which is being ignored.
Sending Access-Request of id 1 to 172.25.8.114:1812
  User-Name = CCSU\\dan
  Called-Station-Id = 00-11-88-12-6e-70
  Calling-Station-Id = 00-0f-1f-43-c8-38
  NAS-Identifier = 00-11-88-12-6e-5d
  NAS-IP-Address = 172.25.7.11
  NAS-Port = 19
  Framed-MTU = 1500
  NAS-Port-Type = Ethernet
  EAP-Message = 0x0202001201434353555c646e6577636f6d63
  Message-Authenticator = 0x
  Proxy-State = 0x3432

Thanks for any help...I'm really stuck on this part!
  -Dan
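
The Access-Request above is what the proxy hands to IAS, so it is worth being precise about what a proxy has to change in it. RFC 3579 requires an Access-Request that carries EAP-Message to also carry Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret of that hop, and a server that cannot verify it silently discards the packet: no Access-Reject, nothing in the debug output, which is exactly what "ignored" looks like. FreeRADIUS therefore cannot forward the switch's bytes unchanged; it appends its own Proxy-State (the 0x3432 above is the ASCII string "42") and recomputes Message-Authenticator under the secret it shares with IAS. The following is an added example, not code from the thread or from FreeRADIUS; the attribute values are the ones in Dan's debug output, while the two shared secrets and the request authenticators are constructed.

```python
"""Added example, not from the thread and not FreeRADIUS code: the work a
RADIUS proxy does to Dan's Access-Request before a home server will look
at it. Secrets and request authenticators are constructed; attribute
values are the ones in Dan's debug output."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute types (RFC 2865 / RFC 2869) present in Dan's packet.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 4, 5, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
PROXY_STATE, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 33, 61, 79, 80

NAS_SECRET = b"switch-secret"   # constructed: Enterasys switch <-> FreeRADIUS
HOME_SECRET = b"ias-secret"     # constructed: FreeRADIUS <-> IAS

DAN_ATTRS = [                   # NAS-Port-Type 15 is Ethernet
    (USER_NAME, b"CCSU\\dan"),
    (CALLED_STATION_ID, b"00-11-88-12-6e-70"),
    (CALLING_STATION_ID, b"00-0f-1f-43-c8-38"),
    (NAS_IDENTIFIER, b"00-11-88-12-6e-5d"),
    (NAS_IP_ADDRESS, bytes([172, 25, 7, 11])),
    (NAS_PORT, struct.pack("!I", 19)),
    (FRAMED_MTU, struct.pack("!I", 1500)),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),
    (EAP_MESSAGE, bytes.fromhex("0202001201434353555c646e6577636f6d63")),
]


def attr(t, value):
    """One TLV attribute; the length byte covers its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def build_access_request(identifier, authenticator, attrs, secret):
    """Assemble the packet and fill in Message-Authenticator (RFC 3579 3.2):
    the HMAC is taken over the packet with that attribute's value zeroed."""
    body = b"".join(attr(t, v) for t, v in attrs)
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    pkt += authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # the zeroed value is the last 16 bytes


def parse_attrs(pkt):
    """Attributes after the 20-byte header as (type, value) pairs."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    out, pos = [], 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        out.append((t, pkt[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(pkt, secret):
    """The receiving server's check. False means the packet is silently
    discarded: no reply, no reject, nothing for the sender to log."""
    try:
        attrs = parse_attrs(pkt)
    except ValueError:
        return False
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1:
        return False                # absent next to EAP-Message: dropped too
    zeroed = b"".join(
        attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs
    )
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def proxy_to_home_server(nas_pkt, nas_secret, home_secret, identifier, proxy_state):
    """The proxy's job: verify the NAS hop, drop that hop's
    Message-Authenticator, append a Proxy-State to match the reply against,
    and sign afresh (new Request Authenticator) under the home server's secret."""
    if not verify_message_authenticator(nas_pkt, nas_secret):
        raise ValueError("bad Message-Authenticator from NAS; would be dropped")
    forwarded = [(t, v) for t, v in parse_attrs(nas_pkt) if t != MESSAGE_AUTHENTICATOR]
    forwarded.append((PROXY_STATE, proxy_state))
    return build_access_request(identifier, os.urandom(16), forwarded, home_secret)


def demo():
    """Both hops, plus the two ways the packet gets dropped without a trace."""
    nas_pkt = build_access_request(1, os.urandom(16), DAN_ATTRS, NAS_SECRET)
    to_ias = proxy_to_home_server(nas_pkt, NAS_SECRET, HOME_SECRET, 1, b"42")
    return {
        "nas_hop_ok": verify_message_authenticator(nas_pkt, NAS_SECRET),
        "ias_accepts": verify_message_authenticator(to_ias, HOME_SECRET),
        # same bytes, checked with a mistyped client secret on the IAS side
        "ias_wrong_secret": verify_message_authenticator(to_ias, b"ias-secert"),
        # the switch's packet forwarded untouched fails the same way
        "nas_bytes_at_ias": verify_message_authenticator(nas_pkt, HOME_SECRET),
        "proxy_state": [v for t, v in parse_attrs(to_ias) if t == PROXY_STATE],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The practical use of the check is in reading a capture between the proxy and the home server: if the proxy's Access-Request leaves and nothing at all comes back, while a request without EAP-Message does get an answer, the home server's client entry for the proxy (address and secret) is the first thing to compare against what the proxy is using, because a failed Message-Authenticator check leaves no trace on the wire.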


Re: compile issues with freeradius 1.0.5 on solaris 10

2005-11-08 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Should md5 be added to the list of libraries automatically defined during 
 the configure process for the above?

  No.  src/lib/md5.c includes an MD5 implementation.  The build SHOULD
use it.  It's used on all other platforms, and I don't know why
Solaris doesn't work.

 After further investigation we discovered that there is also a conf.h 
 file in the /usr/sfw/include/openssl directory which appears before the 
 -I../include in the gcc command formed above.  Therefore the radclient.c 
 sees the openssl conf.h which does not have the `RADIUS_DICTIONARY' 
 defined, thus the error.  I checked the openssl source not from Sun and 
 they have a conf.h as well.

  I've never seen that on any other platform.

 I could imagine a couple of possible fixes for this issue:
 1) Modify configure to place the -I/usr/sfw/include/openssl  (the ssl 
 include path) to be after the -I../include?

  Sure.

  Alan DeKok.


Re: Proxying a PEAP request to an IAS server

2005-11-08 Thread Dan Newcombe
Okay...one step closer.  I had been using a debian version of freeradius 
1.0.2 and hacked in the eap-tls.  I have since followed Ben Kenobi's 
advice and use the source.  It appears to be sending packets to the 
IAS box now, and I can cut the stuff out and use radclient and have IAS 
respond, however it doesn't seem to be responding to the server 
process.   One step closer - miles away!


:)

Dan Newcombe wrote:

Hi all. I've done my best to try and figure this out myself, but am 
really stuck.
First the basics:  An enterasys C2 switch set up to do 802.1x 
authentication.  This switch points to my freeradius server.   
Attached to the switch is my XP notebook, which is set up to do 802.1x 
via PEAP. On the back end is a Win2k3 server which is running IAS.
The idea is to have all the network switches send the authentication 
requests to the freeradius server, which will then decide if it needs 
to go to the windows box (for staff) or a different box (for 
students).  Also, the Win2k3 IAS server has a limit of 50 clients 
unless you scale up to the advanced server, which I find just sad that 
they have done this.


Anyway, I have tested from the freeradius box to the IAS box using 
radtest, and everything is working, so I am being seen as a client.
The problem is when I try and have the notebook authenticate.  I 
see
rlm_eap: Request is supposed to be proxied to Realm NULL.  Not 
doing EAP.
in the debug output, which I gather is normal, but somehow part of the 
problem. Basically, the IAS server seems to ignore whatever is 
coming across from the freeradius box. My (uneducated) guess is 
that this is because it has the EAP parms in it, but is not eap???
However, a normal clear-text attempt via radtest works fine.


I have found this post by Alan DeKok - 
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/26170 which 
sounds very similar to what I am doing


First, configure the server to terminate the tunnel, and
authenticate the inner session locally.  Once that works, configure
the server to proxy the inner session only.

I guess where I am really lost is how to follow the above suggestion.
This is what it is sending to the IAS box, which is being ignored.
Sending Access-Request of id 1 to 172.25.8.114:1812
  User-Name = CCSU\\dan
  Called-Station-Id = 00-11-88-12-6e-70
  Calling-Station-Id = 00-0f-1f-43-c8-38
  NAS-Identifier = 00-11-88-12-6e-5d
  NAS-IP-Address = 172.25.7.11
  NAS-Port = 19
  Framed-MTU = 1500
  NAS-Port-Type = Ethernet
  EAP-Message = 0x0202001201434353555c646e6577636f6d63
  Message-Authenticator = 0x
  Proxy-State = 0x3432

Thanks for any help...I'm really stuck on this part!
  -Dan





Re: Problem with EAP/TLS and XP SP2

2005-11-08 Thread Ben Walding
On 11/8/05, Michael Griego [EMAIL PROTECTED] wrote:
 Ben Walding wrote:
  We've found in testing that the XP supplicant (with certain patches)
  will read the certificate and send a User-Name that is constructed
  from the certificate CN (host/ + cert CN); thus rendering the whole
  checking the CN process fairly pointless for XP supplicants.

 This is only true when a certificate is used for machine authentication,
 not for user authentication.

Ahh, this explains a thing or two! We knew we'd seen behaviour where it
sent the machine name rather than the name of the certificate earlier in
our testing. But couldn't replicate it (since we had locked everything
down to machine auth by the final stages).

 To get around the problem stated above, all you have to do is create
 two instances of the EAP module. In cases where the User-Name attribute
 begins with host/, just send those authentications to the second EAP
 module, and have the check_cert_cn parameter set to check for
 host/%{User-Name}. This way you can still be assured of proper
 authorization.

We added a few lines into hints -

DEFAULT Prefix == host/
	Hint = Wireless-Workstation

DEFAULT Prefix == host\\
	Hint = Wireless-Workstation

DEFAULT Prefix == \\
	Hint = Wireless-PDA

This resolved the issues we saw with prefixes and let us identify PDAs as
they authenticated into the system (not that we do anything with this
piece of information).

Cheers,
Ben

Re: JRadius

2005-11-08 Thread Ben Walding
On 11/9/05, Raoul Demour [EMAIL PROTECTED] wrote:
 Has anyone ever tried JRadius (jradius.sf.net)?
 As I'm more familiar with Java than C, I wonder if I'm not going to use
 it to handle EAP-SIM (I am not completely sure I can do so, but if it is
 possible I will do so).

As I understand it, JRADIUS works with FreeRADIUS (it plugs into the back
of FreeRADIUS)

Also, I believe FreeRADIUS already supports EAP-SIM, but you might want to
check on that.

I've only ever used JRADIUS as an EAP-TLS client for load testing
FreeRADIUS.

Cheers,
Ben

Re: return ALL the AVPs for a username that belongs multiple groups

2005-11-08 Thread Shane Hart

Lenir wrote:
 Can anyone please help me with this?

 Thanks,

 Lenir

Just a thought. Create a 3rd group with the attributes you need?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lenir
Sent: Wednesday, November 02, 2005 7:34 PM
To: 'FreeRadius users mailing list'
Subject: RE: return ALL the AVPs for a username that belongs multiple groups

Here's the rest of my config. Notice, that username 3000 belongs to group
Dialin and Dialin2. The user can register fine, however in this case the
Access-Accept packet only returns the AVPs related to group Dialin (I'm
guessing is because it's the first one that it matches).

mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  1 | Jhassell | Password  | == | changeme |
|  2 | Rneis    | Password  | == | changeme |
|  3 | 1000     | Password  | == | 1000     |
|  4 | 2000     | Password  | == | 2000     |
|  5 | 3000     | Password  | == | 3000     |
+----+----------+-----------+----+----------+
5 rows in set (0.00 sec)

mysql> select * from radreply;
Empty set (0.00 sec)

mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  1 | Jhassell | Dialin     |
|  2 | Rneis    | Staticdial |
|  3 | 1000     | Dialin     |
|  4 | 2000     | Dialin     |
|  5 | 3000     | Dialin     |
|  6 | 3000     | Dialin2    |
+----+----------+------------+
6 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
Empty set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+---------------+----+-------------------------------+------+
| id | GroupName | Attribute     | op | Value                         | prio |
+----+-----------+---------------+----+-------------------------------+------+
|  1 | Dialin    | Reply-Message | =  | Authenticated by group Dialin |    0 |
|  2 | Dialin2   | SIP-AVP       | =  | Cust-AVP:feat_2               |    0 |
|  3 | Dialin    | SIP-AVP       | =  | Cust-AVP:feat_1               |    0 |
+----+-----------+---------------+----+-------------------------------+------+
3 rows in set (0.00 sec)

mysql> select * from radpostauth;
Empty set (0.00 sec)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, October 28, 2005 1:34 PM
To: FreeRadius users mailing list
Subject: Re: return ALL the AVPs for a username that belongs multiple groups

Lenir [EMAIL PROTECTED] wrote:
  Radius replies with the AVPs of the first group that it
  matches that the user belongs to. Instead of returning all the AVPs for
  all the groups that the user belongs to.

 The example you posted didn't include groups or reply AVP's.

  So I guess the question is, can a user belong to multiple groups? If so,
  how can radius reply with all the AVPs that correspond to ALL the groups
  that the user belongs to?

 Yes, and you configure the server to do that.

 Alan DeKok.
 

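
The behaviour Lenir describes, only the first matching group's attributes in the Access-Accept, follows from how the group lookup is walked, and the question is therefore what stops the walk. What follows is an added example, not code from the thread and not rlm_sql itself: a small model of that walk, fed with the usergroup and radgroupreply rows from the mail (radgroupcheck was empty there). The rule it models, that the walk stops after the first group whose check items hold unless that group's reply items include Fall-Through = Yes, is this example's reading of the 1.x rlm_sql group processing and an assumption to confirm against radiusd -X output, not something the thread states; Shane's suggestion of a third group is the other way out and needs no such rule.

```python
"""Added example, not code from the thread or from rlm_sql: a model of the
group walk behind the symptom Lenir reports. The stop-unless-Fall-Through
rule is an assumption about 1.x rlm_sql, not something the thread states."""

# (id, UserName, GroupName), as posted
USERGROUP = [
    (1, "Jhassell", "Dialin"),
    (2, "Rneis", "Staticdial"),
    (3, "1000", "Dialin"),
    (4, "2000", "Dialin"),
    (5, "3000", "Dialin"),
    (6, "3000", "Dialin2"),
]

# (id, GroupName, Attribute, op, Value, prio), as posted
RADGROUPREPLY = [
    (1, "Dialin", "Reply-Message", "=", "Authenticated by group Dialin", 0),
    (2, "Dialin2", "SIP-AVP", "=", "Cust-AVP:feat_2", 0),
    (3, "Dialin", "SIP-AVP", "=", "Cust-AVP:feat_1", 0),
]

# (id, GroupName, Attribute, op, Value); empty in the mail
RADGROUPCHECK = []

# The one-row change the model needs for both groups to answer: a
# Fall-Through control item in the earlier group (constructed, not posted).
WITH_FALL_THROUGH = RADGROUPREPLY + [(4, "Dialin", "Fall-Through", "=", "Yes", 0)]


def groups_for(username, usergroup):
    """The user's groups in row order, which is the order they are walked."""
    return [g for _, u, g in usergroup if u == username]


def group_items(table, group):
    """One group's rows as (attr, op, value), ordered by prio then id;
    check rows have no prio column and keep their id order."""
    rows = [r for r in table if r[1] == group]
    rows.sort(key=lambda r: (r[5] if len(r) > 5 else 0, r[0]))
    return [(r[2], r[3], r[4]) for r in rows]


def check_items_hold(items, request):
    """Every check item must hold against the request; only the == and !=
    operators are modelled here."""
    for attr, op, value in items:
        got = request.get(attr)
        if op == "==" and got != value:
            return False
        if op == "!=" and got == value:
            return False
    return True


def group_reply(username, request, usergroup=USERGROUP,
                radgroupcheck=RADGROUPCHECK, radgroupreply=RADGROUPREPLY):
    """Reply items the walk collects for one user."""
    reply = []
    for group in groups_for(username, usergroup):
        if not check_items_hold(group_items(radgroupcheck, group), request):
            continue                        # group does not apply; try the next
        fall_through = False
        for attr, op, value in group_items(radgroupreply, group):
            if attr == "Fall-Through":      # control item, never sent to the NAS
                fall_through = value.strip().lower() in ("yes", "1", "on")
                continue
            reply.append((attr, op, value))
        if not fall_through:
            break                           # first applicable group wins
    return reply


def demo():
    """User 3000 as posted, then with Fall-Through, then with a constructed
    check item that makes Dialin not apply so that Dialin2 answers alone."""
    req = {"User-Name": "3000", "NAS-Port-Type": "Ethernet"}
    only_async = [(1, "Dialin", "NAS-Port-Type", "==", "Async")]
    return {
        "as_posted": group_reply("3000", req),
        "with_fall_through": group_reply("3000", req, radgroupreply=WITH_FALL_THROUGH),
        "dialin_skipped": group_reply("3000", req, radgroupcheck=only_async),
    }


if __name__ == "__main__":
    for name, items in demo().items():
        print(name, items)
```

Two things the model makes visible that the tables alone do not: group order comes from the usergroup rows, so a Fall-Through item belongs in every group except the last one the user should collect from, and prio only orders items within a group, never the groups themselves.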


Re: FreeBSD anyone?

2005-11-08 Thread Matthew Horoschun

Hi Dusty,

Now, I'm running freeradius 1.0.5 on freebsd 5.4.  We handle about 
75,000 logins per day between 3 servers and are using openldap as a 
backend, which stores about 400,000 users.  We use radrelay to push all 
the accounting into a mysql db.


Can you comment on the accounting record rate that you're achieving? 
We're currently testing FreeRadius and I'm seeing a performance ceiling 
of about 200 accounting records per second.



Matthew.


Re: FreeBSD anyone?

2005-11-08 Thread Dusty Doris

Hi Dusty,

Now, I'm running freeradius 1.0.5 on freebsd 5.4.  We handle about 75,000 
logins per day between 3 servers and are using openldap as a backend, which 
stores about 400,000 users.  We use radrelay to push all the accounting 
into a mysql db.


Can you comment on the accounting record rate that you're achieving? We're 
currently testing FreeRadius and I'm seeing a performance ceiling of about 
200 accounting records per second.


Matthew.


I will have to take a look tomorrow to see what kind of data is coming in. 
But, I will let you know the architecture I am using, in case it interests 
you.  Our billing system pulls from our accounting database periodically, 
so we don't need real-time information on all our accounting records.


We have three main radius servers.  We setup each of the radius servers to 
log all accounting to a detail file and we then use radrelay to push the 
data to our sql servers.  This makes the accounting part of our AAA much 
quicker between the NAS and the radius server.  The radius server just has 
to log it to a file and move on, so the accounting response comes very 
quickly.  This is especially apparent during high loads as we don't need 
to wait for an sql resource to come available.


The sql servers are two mysql 4.1 servers on freebsd 5.4.  They are 
running in a multi-master setup.  The two servers share an IP with CARP, 
which is built into freebsd.  CARP will setup one server as the master and 
that server will answer all ARP requests for that IP.  If the interface 
goes down (or if carp is shutdown by script/manual intervention), then the 
other machine will automatically take over that IP and then become the 
master sql server.


The whole point of this setup is for reliability of our data rather than 
availability of the sql server.  If one of the sql servers goes down, the 
other will take over the master role.  When the dead server comes back up, 
it will assume the slave role and will update itself to be current with 
the master or we can manually update it if we wish.


If both sql servers go down, or a small transition time between switching 
masters, or perhaps the radius load is just too high to accept all the 
requests we are getting, then the detail file on the radius servers will 
begin to grow.  When the radius accounting server comes back up or the 
packets coming in slow down to a rate lower than the sql server can 
accept it, radrelay will then catch up the accounting server.


We do occasionally see times where there was too much data coming in at 
once and the accounting server will post warnings to the log file and the 
detail files will begin to grow.  However, it's never been more than a few 
minutes and radrelay quickly catches the servers back up to date when the 
rates return to a lower level.


Our authentication structure is quite different as we are looking more for 
availability.  But in the accounting world, we can afford to delay the 
records if needed.


I'll take a look at the data coming in tomorrow and let you know what kind 
of numbers we are seeing.  If you'd like I can also send you any 
information you'd like about CARP or our mysql setup.


I've also tested using another method which we chose not to implement. 
With this method I setup the accounting in a configurable-failover 
scenario.  First we would send the accounting data directly to the sql 
server.  If that failed, then the data would be populated into the detail 
file to quickly return an accounting response and radrelay would pick it 
up and deliver to the accounting server when it can.


This worked quite well, but we chose to go with just radrelay instead. 
By doing just radrelay we could make the radius accounting server open up 
a large number of connections to itself vs spreading out the connection 
pool among our main radius servers.


Hope that is helpful.

-Dusty


Re: Proxy not sending out packets (was Re: Proxying a PEAP request to an IAS server)

2005-11-08 Thread Alan DeKok
Dan Newcombe [EMAIL PROTECTED] wrote:
 The short of it is I'm trying to get 802.1x with PEAP to be proxied by 
 freeradius to an ias radius server.

  Start simple.  Use PAP, and radtest to send the packets.  If that
makes FreeRADIUS proxy the packets, then go to PEAP.  Otherwise,
your test is just too complicated, and you don't know what's going
wrong.

 It appears I have everything working with one small exception - 
 freeradius seems to be unwilling to send a packet to the ias radius server.
 I will put more of the logs below, but the gist of it is at this part of 
 the process:
 Sending Access-Request of id 1 to 172.28.240.114:1812
 (where 172.28.240.114 is the ias box) no packet appears to be dropped on 
 the network. 

  This is really an issue with the kernel, I think.  If FreeRADIUS
calls the kernel send packet function, it should work.

 best deduction is that for some reason in proxying, freeradius does not 
 want to send a packet.

  Can you ping the IAS server from 172.28.240.73?  Can you use
radtest on 172.28.240.73 to send packets to IAS?

  If radtest doesn't send packets to IAS, then 172.28.240.73 has
firewall rules that block outgoing RADIUS traffic.

  Alan DeKok.


Re: FreeBSD anyone?

2005-11-08 Thread Alan DeKok
Dusty Doris [EMAIL PROTECTED] wrote:
 Our authentication structure is quite different as we are looking more for 
 availability.  But in the accounting world, we can afford to delay the 
 records if needed.

  That's a great description.  It should be a howto, or whitepaper.

  In the CVS head, rlm_sql_log does something similar, with
explanations that may not be as detailed.

  Alan DeKok.


Re: FreeBSD anyone?

2005-11-08 Thread Alan DeKok
Matthew Horoschun [EMAIL PROTECTED] wrote:
 Can you comment on the accounting record rate that you're achieving? 
 We're currently testing FreeRadius and I'm seeing a performance ceiling 
 of about 200 accounting records per second.

  That's really a function of the back-end database.  If you have a
slow database, accounting will be slow.

  In my tests, logging to detail, FreeRADIUS easily handles 1000's
of accounting packets per second.  So the difference between 1000s/s,
and 200/s is the difference between local files and external DB.

  Alan DeKok.
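
Both Dusty's architecture and Alan's answer to Matthew turn on the same file: the detail log the front-end servers write is what radrelay drains, and it is also where the real arrival rate can be read off, independently of whatever ceiling the SQL side imposes. The following is an added example, not code from the thread or from FreeRADIUS: a reader for that file that counts records per second, reports the peak, and lists sessions started but not yet stopped. The layout it assumes is the one rlm_detail of that era writes, a ctime date line opening each record, one tab-indented Attr = value line per attribute (strings in double quotes) and a blank line closing the record; the records in SAMPLE_DETAIL are constructed.

```python
"""Added example, not code from the thread or from FreeRADIUS: a reader
for rlm_detail files that measures the per-second accounting rate. The
file layout is assumed from that era's rlm_detail; the sample records
are constructed."""
from collections import Counter
import re

SAMPLE_DETAIL = """\
Tue Nov  8 10:15:02 2005
\tAcct-Session-Id = "0000001A"
\tAcct-Status-Type = Start
\tUser-Name = "3000"
\tNAS-IP-Address = 172.25.7.11
\tClient-IP-Address = 172.25.7.11
\tTimestamp = 1131444902

Tue Nov  8 10:15:02 2005
\tAcct-Session-Id = "0000001B"
\tAcct-Status-Type = Start
\tUser-Name = "1000"
\tNAS-IP-Address = 172.25.7.11
\tClient-IP-Address = 172.25.7.11
\tTimestamp = 1131444902

Tue Nov  8 10:15:03 2005
\tAcct-Session-Id = "0000001A"
\tAcct-Status-Type = Stop
\tUser-Name = "3000"
\tAcct-Session-Time = 1
\tAcct-Terminate-Cause = User-Request
\tClient-IP-Address = 172.25.7.11
\tTimestamp = 1131444903

"""

ATTR_LINE = re.compile(r"^\t([\w-]+) = (.*)$")


def parse_detail(text):
    """Split a detail file into records, each a dict of attribute -> value
    plus "_date" for the header line. Malformed input raises rather than
    yielding partial records, since a partial record would be replayed."""
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():                       # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = ATTR_LINE.match(line)
        if m is None:                              # a header (date) line
            if current is not None:
                raise ValueError("line %d: record not closed before next header" % lineno)
            current = {"_date": line.strip()}
            continue
        if current is None:
            raise ValueError("line %d: attribute outside a record" % lineno)
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                    # strip the string quotes
        current[name] = value
    if current is not None:                        # file ended without a blank line
        records.append(current)
    return records


def per_second(records):
    """Records received per Unix second, from rlm_detail's Timestamp line."""
    counts = Counter()
    for rec in records:
        counts[int(rec["Timestamp"])] += 1
    return counts


def peak_rate(records):
    """Highest one-second arrival count in the file (0 for an empty file)."""
    counts = per_second(records)
    return max(counts.values()) if counts else 0


def open_sessions(records):
    """Session ids with a Start but no Stop: what the SQL side still has to
    close once radrelay has caught up with the file."""
    started, stopped = set(), set()
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if rec.get("Acct-Status-Type") == "Start":
            started.add(sid)
        elif rec.get("Acct-Status-Type") == "Stop":
            stopped.add(sid)
    return started - stopped


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(len(recs), "records, peak", peak_rate(recs), "per second")
    print("open sessions:", sorted(open_sessions(recs)))
```

Run against a real detail file (read it in and pass the text to parse_detail), the peak is the number to compare with the 200/s the SQL path sustains; the gap between the two over a busy interval is the backlog the detail file absorbs and radrelay later replays.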