Re: Why is the default DH keysize only 512 bits?

2006-09-29 Thread Alan DeKok
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.

  If you're talking about the key length in the EAP-TLS module, it
looks like those aren't being used for anything.  See the source.

  It does look like the EAP-TLS code is setting a 512-bit ephemeral
RSA key, but my reading of the OpenSSL docs indicates it won't be
used, because SSL_OP_EPHEMERAL_RSA isn't being set.  So that code
could be deleted entirely.

> I originally thought that the DH
> keysize would be determined by the DH parameter file and only realized
> that it was still using 512 bit keys when I ran freeradius in debug
> mode.

  Which prints out configuration entries that aren't being used.

$ cd src/modules/rlm_eap
$ grep -r key_length .
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./libeap/mppe_keys.c:   PRF(s->session->master_key, s->session->master_key_length,
./types/rlm_eap_tls/rlm_eap_tls.c:  { "rsa_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:    offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.c:  { "dh_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:    offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.h:  int     rsa_key_length;
./types/rlm_eap_tls/rlm_eap_tls.h:  int     dh_key_length;

  See?  They're config options that aren't used.  They should be deleted.

> Also, it might be a good idea to put a comment in the TLS cipher suite
> comment section that the Microsoft Windows supplicant in Windows XP SP2
> uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5).

  OK... the cipher_list configuration entry can be edited to force
particular methods, if you so desire.

> OpenSSL's 'HIGH' setting is probably the best for a Windows XP user
> as it uses EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA),
> so SHA1 is used for integrity, and DH is used for key exchange.

  OK.  That's good to note in the comments.

> Windows XP SP2 and earlier versions of Windows do not support AES
> for use in any of the EAP modes. Apparently, if you want to use AES
> you need to upgrade to Vista (See Security in Vista

  OK...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to add group in freeradius

2006-09-29 Thread William A. Peroche
Hello,

Can someone explain how to add groups in freeradius. And how to add the user in that group.

Thanks.

Re: dumb humble question about sqlippool

2006-09-29 Thread Peter Nixon
On Fri 29 Sep 2006 01:02, Guilherme Franco wrote:
> Thank you very much for your kindness.
>
> I'm sorry, again, for posting too many questions about this.
>
> It's correct that I'm trying to put this in production as this is the
> only module that does not work for me.
>
> I'm happy with dialup_admin, AAA and everything else in Oracle!
>
> The only missing thing is sqlippool :(
>
> I know that it is an experimental module and I also have limited time
> to work on this module as it's not for me, it's for another company.
>
> In the mean time, I'm using regular ippool db in a NFS with just 1
> radius active per time (to prevent lockups). That was the only way
> I've managed to do ippools with 2 servers (are there any
> alternatives?).
>
> As you see I can't abandon oracle, nor install postgre as it would
> break up some dependencies with other oracle databases that we have.
>
> I'm being such a pain for you guys because the sqlippool module is
> almost working! If I saw that it wouldn't work at all, I would never
> have taken the time to work on it as I'm taking now :)
>
> I appreciate your concerns and as I'm out of time to deliver the
> solution to the client, I think I can't try sqlippool anymore.
>
> That's a shame because I'm almost there!
>
> Now that I've managed to change some things it's doing all the selects
> without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's
> stating sqlippool_query1: row[0] returned NULL in radiusd -X (how can
> it be null if the select was successful?). It's the only [EMAIL PROTECTED] thing
> that is preventing the user from getting an IP!! That kind of thing just
> takes time to debug...
>
> Besides that, if I don't set pool_name = name_of_the_pool in
> sqlippool.conf, allocate-find tries to select from ippool (which does
> not exist) instead of the one I've set in radippool table.

I would double check this behaviour. It should not select at all if there is 
no pool-name.

NONE of the ippool modules let you set the pool name. You HAVE to set 
Pool-Name = whatever as a check item



> Other issue is related to multiple pools, one with dynamic IP's and
> other with fixed ones (actually it's not possible to do that with only
> just one sqlippool.conf file without modifying rlm_sqlippool.c).

IT IS!!

Run two copies of the module!

> Another thing lies in proxy - if the proxy returns IP 255.255.255.254
> for me, sqlippool does not override it and does nothing (it doesn't
> have the override = yes option like ippool).

This can be added. Although why would you return an IP like that when you don't
need to? Just return the Pool-Name and let the module do its job.

> So, to close this out, I would REALLY LIKE to make this work and help
> you guys as well, but because of lack of time, the only way would be to do
> this as an enhancement to the already deployed solution for the
> client, thanks.

Do you have sqlippool working with Postgresql?? It seems to me that you do not
quite understand how it works, which tells me that you don't have a working
installation to compare with. IF YOU DO NOT HAVE A WORKING INSTALLATION OF
SQLIPPOOL ON POSTGRESQL DO THAT RIGHT NOW BEFORE DOING ANY MORE TESTING WITH
ORACLE! PLEASE!!!

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Login-Time and Session-Time Conflict

2006-09-29 Thread Adam Tybor
We are using both Login-Time and Session-Time attributes with a rlm_sql configuration and the Login-Time attribute is always overriding the Session-Time. Meaning that if the Session-Time attribute value is less than the timeSpan difference of the Login-Time, the Login-Time timespan difference is still returned as the Session-Time value.

I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.

BTW -- If this is the desired functionality does anyone know a way to get our desired functionality of the smallest Session-Time being used instead of Login-Time?

Thank you,
Adam

Deny user based on MAC-address

2006-09-29 Thread Torkel Mathisen

Hi,

How can I deny a user from freeradius based on the MAC-address on the PC?

I use users file only.

Do I need MAC Authentication for that?

Regards,

Torkel

RE: repeat until success?

2006-09-29 Thread Proft, Michael

> -----Original Message-----
> From: freeradius-users-bounces+proft=medizin.uni-
> [EMAIL PROTECTED] [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Thursday, September 28, 2006 6:43 PM
> To: FreeRadius users mailing list
> Subject: Re: repeat until success?
>
> Proft, Michael [EMAIL PROTECTED] wrote:
> > is it possible to configure freeradius to do something like repeat
> > until success. I'm trying to authenticate local users at the same system
> > freeradius is running on and I proxy requests to another radius server.
> > I want to do this _without_ using realms. So if asking for local user
> > and no success I want to continue proxying requests to another radius
> > server. Is this possible in some way?
>
>   That sounds more like look up in /etc/passwd, and if not found,
> proxy to X.  That should be easy.
>
>   Configure the passwd module to read /etc/passwd.  Read
> doc/configurable_failover to see how to run the files module only
> if the passwd module returns notfound.  Then in the users file, do:

Hmm, I can't get it to work :(  How would the configuration part for the
passwd module look (linux)?
I read the configurable_failover but can't get this to work, or I just
don't understand.
Could you give some example Alan?

Thanks

> DEFAULT   Proxy-To-Realm := realm
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



RE: Deny user based on MAC-address

2006-09-29 Thread DESEtech - German P. Santillan

You can use in the users file something like that:

DEFAULT Fall-Through = Yes

# === 00:13:96:00:D3:7F ==
00139600D37F    Auth-Type := Local, [Some_Input_Attribute]
                [Some_Output_Attribute_1],
                [Some_Output_Attribute_2]

DEFAULT Auth-Type := Reject

Germán P. Santillán
Network Administrator
Head of Technical Department
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Torkel Mathisen
> Sent: Friday, September 29, 2006 4:53 AM
> To: FreeRadius users mailing list
> Subject: Deny user based on MAC-address
>
> Hi,
>
> How can I deny a user from freeradius based on the MAC-address on the PC?
>
> I use users file only.
>
> Do I need MAC Authentication for that ?
>
> Regards,
>
> Torkel

Re: dumb humble question about sqlippool

2006-09-29 Thread Guilherme Franco

Thanks for all the answers Mr. Peter!

To clarify some things:

> NONE of the ippool modules let you set the pool name. You HAVE to set
> Pool-Name = whatever as a check item

The radcheck table already has Pool-Name := whatever as an
attribute, op, value for all users, but that's ok because I can set it
manually in sqlippool.conf and the select DOES run in the correct
table then (xlat outputs correctly then and I did a network sniff that
shows the query is ok).

> > Other issue is related to multiple pools, one with dynamic IP's and
> > other with fixed ones (actually it's not possible to do that with only
> > just one sqlippool.conf file without modifying rlm_sqlippool.c).
>
> IT IS!!
> Run two copies of the module!

Sorry, I meant that I think that it is not possible without loading 2
or more modules (just with one module and one sqlippool.conf) dumb
question, sorry.

> > Another thing lies in proxy - if the proxy returns IP 255.255.255.254
> > for me, sqlippool does not override it and does nothing (it doesn't
> > have the override = yes option like ippool).
>
> This can be added. Although why would you return an IP like that when you don't
> need to? Just return the Pool-Name and let the module do its job.

I didn't think about it, thanks.

Besides that I had to remove the BEGIN statement of allocate-begin
(and all other begins) because oracle does not need it, and if you
need to specify begin, then it needs to be in a different way (through
the sniff, I saw that the begin was stated, then 4 space chars and
then a / which is the same as doing BEGIN;/ in sqlplus,
generating ORA end-of-file errors). Don't know where that /
came from though. To solve this, I had to change BEGIN in
allocate-begin for commit (a normal oracle operation before any
query).

About the postgresql installation, I was thinking of installing it. I
will do that just to see its behaviour, thanks.

THANKS A LOT AGAIN!


peap client constantly re-authenticating

2006-09-29 Thread Rob Shepherd

Dear list,

This may not be the right place to discuss this issue, but radiusd -X is 
the only info i've got to go on.


The windows PEAP client re-authenticates every 10-20 seconds or so.

Has anybody else seen this? Is it normal behaviour?

I have a cisco wlan controller, and freeradius 1.1.2.

my OS X 802.1x client doesn't do this.

Cheers for any pointers,

Rob


Re: Why is the default DH keysize only 512 bits?

2006-09-29 Thread Jason Wittlin-Cohen

Alan DeKok wrote:
> Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> > I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
>
>   If you're talking about the key length in the EAP-TLS module, it
> looks like those aren't being used for anything.  See the source.
>
>   It does look like the EAP-TLS code is setting a 512-bit ephemeral
> RSA key, but my reading of the OpenSSL docs indicates it won't be
> used, because SSL_OP_EPHEMERAL_RSA isn't being set.  So that code
> could be deleted entirely.
>
> > I originally thought that the DH
> > keysize would be determined by the DH parameter file and only realized
> > that it was still using 512 bit keys when I ran freeradius in debug
> > mode.
>
>   Which prints out configuration entries that aren't being used.
>
> $ cd src/modules/rlm_eap
> $ grep -r key_length .
> ./libeap/mppe_keys.c:	PRF(s->session->master_key, s->session->master_key_length,
> ./libeap/mppe_keys.c:	PRF(s->session->master_key, s->session->master_key_length,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	{ "rsa_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	  offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.c:	{ "dh_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	  offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.h:	int		rsa_key_length;
> ./types/rlm_eap_tls/rlm_eap_tls.h:	int		dh_key_length;
>
>   See?  They're config options that aren't used.  They should be deleted.

So, if dh_key_length is being ignored, how is the DH key size
determined? By the DH parameter file?

Jason




Re: dumb humble question about sqlippool

2006-09-29 Thread Peter Nixon
On Fri 29 Sep 2006 15:23, Guilherme Franco wrote:
> Thanks for all the answers Mr. Peter!
>
> To clarify some things:
> > NONE of the ippool modules let you set the pool name. You HAVE to set
> > Pool-Name = whatever as a check
> > item
>
> The radcheck table already has Pool-Name := whatever as an
> attribute, op, value for all users, but that's ok because I can set it
> manually in sqlippool.conf and the select DOES run in the correct
> table then (xlat outputs correctly then and I did a network sniff that
> shows the query is ok).

If you set it in sqlippool.conf it is ignored by the module. It will
make no difference to the operation at all.

> > Other issue is related to multiple pools, one with dynamic IP's and
> > other with fixed ones (actually it's not possible to do that with only
> > just one sqlippool.conf file without modifying rlm_sqlippool.c).
> >
> > IT IS!!
> > Run two copies of the module!
>
> Sorry, I meant that I think that it is not possible without loading 2
> or more modules (just with one module and one sqlippool.conf) dumb
> question, sorry.

OK. We specifically designed the module so you can run more than one
instance of it (like most other radius modules), and the different instances
may have different queries, tables and sql connections (completely different
database types if you wish).

> > Another thing lies in proxy - if the proxy returns IP 255.255.255.254
> > for me, sqlippool does not override it and does nothing (it doesn't
> > have the override = yes option like ippool).
> >
> > This can be added. Although why would you return an IP like that when you
> > don't need to? Just return the Pool-Name and let the module do its job.
>
> I didn't think about it, thanks.

You are welcome :-)

In fact we have added today the capability to detect an ip address of
255.255.255.254 but this makes no sense except for when you are acting as a
proxy and wish to add an ip address from a pool to an accept packet coming
from a home server. Just use Pool-Name for all local users.

> Besides that I had to remove the BEGIN statement of allocate-begin
> (and all other begins) because oracle does not need it, and if you
> need to specify begin, then it needs to be in a different way (through
> the sniff, I saw that the begin was stated, then 4 space chars and
> then a / which is the same as doing BEGIN;/ in sqlplus,
> generating ORA end-of-file errors). Don't know where that /
> came from though. To solve this, I had to change BEGIN in
> allocate-begin for commit (a normal oracle operation before any
> query).

Please send me a copy (privately if you wish) of your existing sqlippool.conf 
and working source code (or patch) so that we can integrate it into the 
existing code.

> About the postgresql installation, I was thinking of installing it. I
> will do that just to see its behaviour, thanks.

OK. I assumed that you had done this long ago. Please do it as a test.

> THANKS A LOT AGAIN!

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



My FreeRadius don't log anything

2006-09-29 Thread Didier Benza

Hi everybody,

I am a real newbie to FreeRadius; I am migrating from an existing
Livingston radius.

My concern here is this one: I am unable to configure my server to log
auth requests.

The two Auth-Types I use here are either Local or System; the server
doesn't log either.

Here is a run with only one request. The log file and the pid file don't
exist after this run.

The directories used for logging are writable by the user under which
the server is running.

Any clue?

# /usr/local/radius/ppp/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/ppp/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/ppp/etc/raddb/snmp.conf
main: prefix = /usr/local/radius/ppp
main: localstatedir = /usr/local/radius/ppp/var
main: logdir = /usr/local/radius/ppp/var/log/radius
main: libdir = /usr/local/radius/ppp/lib
main: radacctdir = /usr/local/radius/ppp/var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/radius/ppp/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/radius/ppp/var/run/radiusd/radiusd.pid
main: user = radiusppp
main: group = radiusppp
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/radius/ppp/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/ppp/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = /usr/local/radius/ppp/etc/raddb/passwd
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/radius/ppp/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/radius/ppp/etc/raddb/huntgroups
preprocess: hints = /usr/local/radius/ppp/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /usr/local/radius/ppp/etc/raddb/users
files: acctusersfile = /usr/local/radius/ppp/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/radius/ppp/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = /usr/local/radius/ppp/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/radius/ppp/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:35846, id=185, length=47
   User-Name = demogw
   CHAP-Password = 0xb9f4107bffcf854f69e8eec05eb04cd67f
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 0
   users: Matched entry demogw at line 54
 modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [demogw] (from client localhost port 0)
Sending Access-Accept of id 185 to 127.0.0.1 port 35846
   User-Service-Type = Framed-User
   NAS-Port-Type = ISDN
   Port-Limit = 8
  

Re: My FreeRadius don't log anything

2006-09-29 Thread Peter Nixon
On Fri 29 Sep 2006 17:08, Didier Benza wrote:
> Hi everybody,
>
> I am a real newbie to FreeRadius, I am migrating from an existing
> Livington radius.
>
> My concern here is this one : I am unable to configure my server to log
> auth requests.
>
> The two Auth-Type I use here are either Local or System, the server
> doesn't log neither.
>
> Here a run with only one request. The log file and the pid file doesn't
> exists after this run.
>
> The directories used for logging are writable for the user under which
> the server is running.
>
> Any clue ?

If you run in debug mode (-X) the server logs to the screen instead of the 
disk.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



rlm_perl behaviour

2006-09-29 Thread Garber, Neal

When I call a perl module via rlm_perl and don't undef
%RAD_CHECK and %RAD_REPLY before exiting, rlm_perl duplicates some attributes
contained within the hashes. For instance:

At entry to rlm_perl instance:

$RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB)

After exiting the script, "Added pair Ldap-Group"
messages appear in debug output. If I call another perl script to dump
the %RAD_CHECK hash, it shows:

$RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB, GroupA, GroupB)

If I undef %RAD_CHECK before exiting from the
first perl module, the values are not duplicated. I did some analysis of
the sequence of events and I believe this is what's happening:

- rlm_ldap creates the Ldap-Group attributes on the check
  list with operator T_OP_CMP_EQ during authorize (Ldap-Group is a checkItem in
  my ldap.attrmap)
- upon return from the perl script, rlm_perl calls pairmove
  to move the attributes from the RAD_CHECK, RAD_REPLY and RAD_PROXY_REPLY hashes
  back to the respective pairlist.
- pairmove adds attributes to the destination list for
  operator T_OP_CMP_EQ (takes default case) which creates duplicates

Is this expected behaviour of rlm_perl? If so, can it
be put on the to-do list for rlm_perl documentation updates (or
is it there already and I missed it)? Also, this seems to imply that it's
not possible to change or remove, at least, some types of check or reply attributes
from within rlm_perl?

Also, the wiki for rlm_perl states that it passes configuration
pairs in %RAD_CONFIG. I don't believe this is true (the hash is
empty and I checked the source for 1.1.2, 1.1.3 and the latest snapshot and it
doesn't create that hash). Is this a feature that is in the
works or is the wiki incorrect?

I can supply debug output, radiusd.conf and scripts if necessary.

Thanks.

mysql radacct table no query

2006-09-29 Thread Collen Blijenberg

Hmm, i was testing the mysql backend with freeradius 1.1.3.
looks good at first glance,  but i bumped into something essential (for 
us that is).


We would like to link MAC addresses with the user accounts.

what did i do:
I added a user in table radcheck. worked!

next step, added same user in table: radacct.

username:gebruiker
CalledStationId: 00166f980e79

did not work!

I change the MAC address to a wrong one, and i still get in.??
also in debug (radiusd -X) no radacct query is done?, so no attribute 
checkings are done !!??


So my question is, how can i make the attributes work with the mysql 
backend..

are we missing some mysql queries in the sql.conf ??

(btw, this all did worked with the 'users' file from freeradius)

Cheers

Collen






Re: mysql radacct table no query

2006-09-29 Thread Jan Mulders

you should be putting it in radcheck, so it's checked when you log in.
radacct is used to store accounting information (like session times
etc :))

Hope this helps,

Jan Mulders



Questions about latest CVS

2006-09-29 Thread 高嵩
Hi, all

I just installed the radiusd on CVS successfully.
There are two questions:
Does the radiusd server listen on an IPv6 address by default?
How to use the radclient in IPv6?

Regards


Help to pass a local variable from Freeradius to exec program

2006-09-29 Thread Shankar Ganesh C
Hi All

I am trying to pass an integer value from FreeRADIUS to an exec program.
I have tried to add it as a value pair using paircreate() and then added the
same to request->packet->vps using pairadd.

Set the lvalue, strvalue etc. and passed it to radius_exec_program from
the rad_accounting module.

Also set tmp->name = Attribute-Name-Format.

Still the attribute and value are not getting printed in the exec program.
Any help in this regard would really help me.

Thanks and regards
Shankar ganesh



Re: Questions about latest CVS

2006-09-29 Thread Alan DeKok
高嵩 [EMAIL PROTECTED] wrote:
> Does the radiusd server listen on IPv6 address by default?

  No.  You have to configure it.

> How to use the radclient in Ipv6 ?

  Send the request to an IPv6 address?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-09-29 Thread Alan DeKok
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
 Over the last few days I've been having a recurring problem. Whenever I
 start Freeradius either with radiusd in a terminal or as a service in
 Debian, I can not restart/kill radiusd properly if it's authenticated
 any clients. Restarting the service says it's successful but the radius
 log states that port 1812 is already in use. top shows 100% cpu usage

  It looks like http://bugs.freeradius.org/show_bug.cgi?id=365

  The solution is to not re-initialize the modules on HUP.

  It works in *most* cases, because the code handling the HUP tries to
wait until all of the modules have stopped.  But if your back-end DBs
are slow, it doesn't have much choice but to proceed with handling the
HUP.

  Most people don't see it because the modules respond quickly.  I'd
say the first step to a work-around is to make sure none of the
modules you're using are blocking the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to add group in freeradius

2006-09-29 Thread Alan DeKok
William A. Peroche [EMAIL PROTECTED] wrote:
 Can someone explain how to add groups in freeradius, and how to add the user 
 to that group.

  See the FAQ, or man rlm_passwd

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Login-Time and Session-Time Conflict

2006-09-29 Thread Alan DeKok
Adam Tybor [EMAIL PROTECTED] wrote:
 I remember reading somewhere that in cases of both attributes being used,
 the most restrictive should be returned, however this is not happening.  Can
 someone confirm what the real implementation is? We are running freeradius
 1.1.1 on a Gentoo linux platform.

  If you set Session-Time *before* Login-Time, the Login-Time code
does the right thing.  If you set Session-Time *after* Login-Time,
then you have to check the values manually.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Accounting stopped

2006-09-29 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Since a power cut last Sunday FreeRadius has stopped writing to its log
 files and updating radacct in MySQL. It is continuing to authenticate
 users. It gives no error messages running radiusd -X. I've tried upgrading
 from 1.0.3 to 1.1.3 with no effect.

  I would suggest that something else on the machine broke when the
power failed, like maybe the MySQL client libraries.

  Install a new OS on a new machine, and copy the configuration
there... making sure that the configuration is OK.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: repeat until success?

2006-09-29 Thread Alan DeKok
Proft, Michael [EMAIL PROTECTED] wrote:
 Hmm i cant get it to work :(  How would the configuration part for
 passwd module look (linux) ? 

  Why not post what you did here?  That would be the easiest way to
solve the problem.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Why is the default DH keysize only 512 bits?

2006-09-29 Thread Alan DeKok
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
 So, if dh_key_length is being ignored, how is the DH key size
 determined? By the DH parameter file?

  Apparently.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Login-Time and Session-Time Conflict

2006-09-29 Thread Adam Tybor
Alan, I tried that prior and I just confirmed it. I have the following two rows in my radcheck table and I made sure that in the natural sort, without the id, Session-Timeout comes before Login-Time, and I still always get the Login-Time timespan diff as my Session-Timeout value. Interestingly enough, when I debug on the server I see no debug output for the rlm_logintime module. Was this module not included in 1.1.1, because when I look at the cvs source code I see where the check is made and see tons of DEBUG statements that are not showing up on my console. Below is an example from my database and test.

radcheck
id user          attrib          op value
3  freeunlimited Session-Timeout := 120
4  freeunlimited Login-Time      := Thu-2030-2130,Fri-1300-1600

radtest
response: Access-Accept
--- attrib dump--
Session-Timeout=9060

Adam

On 9/29/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Adam Tybor [EMAIL PROTECTED] wrote:
  I remember reading somewhere that in cases of both attributes being used,
  the most restrictive should be returned, however this is not happening.  Can
  someone confirm what the real implementation is? We are running freeradius
  1.1.1 on a Gentoo linux platform.

   If you set Session-Time *before* Login-Time, the Login-Time code
 does the right thing.  If you set Session-Time *after* Login-Time,
 then you have to check the values manually.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

VSA and other attributes in Access-Accept

2006-09-29 Thread Mohammed Petiwala
Hi:

Could anyone please provide me some advice on my question below. Currently I am seeing VSAs in my reply messages from freeRADIUS being passed in Access-Accept, Access-Challenge. I would like to limit certain VSAs to only Accepts, or Challenge. Is this possible - because according to the RFCs for 3GPP/3GPP2 only some of them are possible in certain types of responses.

Thx.
Regards,
Mohammed.

Date: Thu, 30 Mar 2006 14:06:02 -0800 (PST)
From: Mohammed Petiwala [EMAIL PROTECTED]
Subject: VSA and other attributes in Access-Accept
To: freeradius-users@lists.freeradius.org

Hi:

First thanks to the freeRADIUS team - this is one of the most flexible and powerful AAA available... I've 2 questions:

1. I've set up my clients to authenticate using EAP-TTLS with MSCHAPv2 as the inner authentication protocol. This works fine with the wpa_supplicant with intel 2200b/g as well as the Cisco Aironet 350. I've created my own dictionary file with VSAs that are useful for my NAS once Access-Accept is returned. The 'users' file has the VSAs Attrib = Value listed after each user entry and I do see the attributes being returned correctly on Access-Accept. My question is (please correct me if I am wrong) - I see the VSAs being returned during the intermediate Access-Challenge messages too even before authentication is complete. Is this the normal behavior, is there a way to set up the freeRADIUS server so that the VSAs are only returned on Access-Accept and not during the Access-Challenge. The NAS does ignore the VSAs in any case during the challenge - but it would be good if there was a way to limit the message size for the Access-Challenge messages (only if this is valid from a RADIUS RFC perspective - if someone could clarify).

2. How can I set users in the 'users' file (an example would be very helpful if someone can send one) so that some users are only allowed to authenticate using EAP-TTLS while others are only allowed to use PEAP. Once I create an entry in the users file (and both authentications are EAP types) - the user can authenticate using any eap type - I would like to limit this per user. Is it possible??

Thx.
Regards,
Mohammed.

Re: Login-Time and Session-Time Conflict

2006-09-29 Thread Alan DeKok
Adam Tybor [EMAIL PROTECTED] wrote:
 I have the following two rows in my radcheck table and I made sure the
 natural sort, without the id, that Session-Timeout comes before Login-Time

  OK... looking at src/main/auth.c, the Login-Time update of
Session-Timeout is done just before the Access-Accept is returned, so
that should be working.

 Interestingly enough when I debug on the server I see no debug
 output for rlm_logintime module.  Was this module not included in
 1.1.1 because when I look at the cvs source code I see where the check
 is made and
 see tons of DEBUG statements that are not showing up on my console.

  The module is not in 1.1.1.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
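The "most restrictive wins" rule Adam expected, worked on the two radcheck rows from his post, as an added illustration that is not code from the thread or from FreeRADIUS: it handles only the Day-HHMM-HHMM form of Login-Time shown there (not the full rlm_logintime syntax), and the Friday 13:29 test time is a constructed assumption chosen because it reproduces the 9060 seconds he saw.

```python
import re
from datetime import datetime

# Day names as they appear in the Login-Time value quoted in the thread.
DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
# Assumed form "Day-HHMM-HHMM"; the real rlm_logintime syntax is richer than this.
_ENTRY = re.compile(r"^(?P<day>[A-Z][a-z]{2})-(?P<start>\d{4})-(?P<end>\d{4})$")


def parse_login_time(spec):
    """Turn 'Thu-2030-2130,Fri-1300-1600' into (weekday, start_min, end_min) windows."""
    windows = []
    for entry in spec.split(","):
        m = _ENTRY.match(entry.strip())
        if m is None:
            raise ValueError("unsupported Login-Time entry: %r" % entry)
        start = int(m["start"][:2]) * 60 + int(m["start"][2:])
        end = int(m["end"][:2]) * 60 + int(m["end"][2:])
        if not 0 <= start < end <= 24 * 60:
            raise ValueError("window must not cross midnight: %r" % entry)
        windows.append((DAYS[m["day"]], start, end))
    return windows


def seconds_left(spec, now):
    """Seconds until the window containing `now` (datetime or ISO string) closes; 0 if none matches."""
    if not isinstance(now, datetime):
        now = datetime.fromisoformat(now)
    minute_of_day = now.hour * 60 + now.minute
    left = 0
    for weekday, start, end in parse_login_time(spec):
        if weekday == now.weekday() and start <= minute_of_day < end:
            left = max(left, end * 60 - (minute_of_day * 60 + now.second))
    return left


def effective_session_timeout(check_items, now):
    """Most-restrictive rule: min(Session-Timeout, seconds left in the Login-Time window)."""
    timeout = check_items.get("Session-Timeout")
    login_time = check_items.get("Login-Time")
    if login_time is None:
        return timeout
    remaining = seconds_left(login_time, now)
    if remaining == 0:  # outside every allowed window: the request should be rejected
        return None
    return remaining if timeout is None else min(timeout, remaining)
```

With Adam's rows (Session-Timeout := 120, Login-Time := Thu-2030-2130,Fri-1300-1600) the window alone yields 9060 on a Friday at 13:29:00, and the combined rule returns 120, not the 9060 his server sent back.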


Re: Accounting Stopped

2006-09-29 Thread sean
Hi Alan,

Thanks for taking the time to respond. I've already fixed the problem. It
only took a bit of lateral thinking. The ADSL modem wasn't exchanging any
information on port 1813. For the life of me I can't understand how it
could re-boot and only lose a bit of its setup. It would have been much
better if it had lost everything. I wasted the best part of a week testing
syslogd, reinstalling FreeRadius, MySQL and setting up a new test server.
Anyway, once again thanks. I really appreciate the time and effort you
take to give support to end users.

Regards,

Sean




Re: help with undocumented attributes

2006-09-29 Thread Alan DeKok
Andrew Long [EMAIL PROTECTED] wrote:
 I am working with an inherited system (freeradius 0.9.0 on RH). The
 system is running but as a new user/admin I am having trouble getting
 info on the actual setup. I do 'rpm -qv freeradius' and it returns
 freeradius is not installed, yet it IS.

  Someone built it from source.

  You *really* should upgrade.

 /usr/local/etc/raddb is populated, as is /usr/local/share/freeradius.
 How can I get info on the running version?

  man radiusd says radiusd -v

 Also, I am having trouble finding info on attributes that do not seem
 to be documented which limit some of our users' sessions. Examples are
 'Max-Acct-Age', 'Max-Daily-Session', and 'Check-Login-Day'.  I need to
 get a better understanding of how this session management is done.

  They're local to your configuration, which is why they aren't
documented.

 Good documentation on the web seems hard to come by. Any help most
 appreciated.

  Try the wiki.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Re: Questions about latest CVS

2006-09-29 Thread 高嵩
Hi, all
 Does the radiusd server listen on IPv6 address by default?
 No. You have to configure it.

Could you tell me how to configure it to listen on an IPv6 address?

 How to use the radclient in IPv6?
 Send the request to an IPv6 address?

Yes, send the request to the RADIUS server listening on an IPv6 address.

Thank you very much.