Radius to Diameter Gateway

2007-04-11 Thread Ashraf Al-Basti
Dear,
Is there any way to make FreeRADIUS work as a RADIUS/Diameter gateway?
If not, is there any recommended software that can do that?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: (Solved) Re: MAC authorisation (but not authentication) via LDAP

2007-04-11 Thread Alan Walters
We are trying to add MAC authentication to our wireless APs. The RADIUS request
comes in like so.

rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
length=95
Service-Type = Framed-User
NAS-Port-Id = wlan1
User-Name = 00:0B:6B:56:1D:48
User-Password = 
NAS-Identifier = ballyvaughan_ap_1
NAS-IP-Address = 10.250.100.3


The MAC address is in a field in the LDAP, so I created a second
ldap.attrib.map and a new ldap Autz-Type. The problem is that the
User-Password that is sent is blank, so I added this to the users file,
like so.

DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
        Fall-Through = 0

Great, now the user will authorise and authenticate from files. But what
I had hoped would happen was that if they fail authorisation they would
not continue; I can see this is not the default procedure. How can I
make this work this way?

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
users: Matched entry DEFAULT at line 4
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type ldapMAC
  Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat:  'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldapmac1 returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0


But when the authentication starts this still happens. Below was an
idea someone had in respect to this issue or a similar one, but I have no
idea how to deploy this. I look forward to your replies.

auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant  for request 0
  modcall[session]: module sql2 returns noop for request 0
modcall: leaving group redundant  (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038


On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
 Martin Whinnery wrote:
  Markus Krause wrote:

  Zitat von Martin Whinnery [EMAIL PROTECTED]:
 

  
  Hi.
 
  Probly just me not understanding...
 
  What I want is for our switches to only allow access to MAC addresses in
  our LDAP database.
 
  I don't want to store passwords on our LDAP host entries.
 
  I'm set up to check LDAP during authorisation, and it correctly returns
  authorised / not authorised depending on whether the appropriate
  attribute contains the right value.
 
  The trouble comes with authentication - either I set Auth-Type :=
  Accept, in which case and failed authorisation is overridden, or I allow
  authentication to carry on against LDAP ( or System, or whatever ), in
  which case it fails always and access is denied, even for authorised MACs.
 
  Is there a way to make the Authorisation part final and authoritative?
 
 
  As I say, probly just being stoopid.
 
 
  Mart
 
 
  

  don't know if it is a good solution, but i just do this by setting the
  following in radiusd.conf:

  authenticate {
      ...
      Auth-Type LdapMAC {
          ok
      }
      ...
  }

  the Auth-Type is set in users file depending on huntgroups:

  DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

  i assume there are better/smarter solutions as one can read "don't
  set Auth-Type on many places" but it works here ;-)

  regards
  markus
 

  
  Thanks Markus,
 
  the problem seems to be that the authorisation pass returns notfound, 
  whereas I want it to reject, as if it found an entry in LDAP without 
  the appropriate attribute.
 
  Mart
 

 This was exactly the problem. 

Re: Version 2.0 is a lot closer to reality...

2007-04-11 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
   
 Assertion failed in event.c, line 669
 
 ...
   
 Happens after all the home servers have been marked as dead, and you 
 have an incoming request... though could be when it's firing off a ping 
 check event.
 Either way it's repeatable, and *only* happens when all home servers are 
 dead.
 

   OK.  I've gone over the code again, and fixed up a few corner cases of
 the state machine.  That test case now works for me.

   
Yep works for me too, reaches end of list of possible servers and starts 
rejecting all users assigned
to that realm. :)
 Also little one  with access-reject when home server fails to respond. 
 Not sent through access reject filter, though that's probably because it 
 never passes through post-auth.
 

   That will be fixed on another commit.
   
Cool, Thanks.

I'll let you know if I find any more weirdness.

Thanks,
Arran


Re: Version 2.0 is a lot closer to reality...

2007-04-11 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Yep works for me too, reaches end of list of possible servers and starts 
 rejecting all users assigned
 to that realm. :)

  Thanks.

 Also little one  with access-reject when home server fails to respond. 
 Not sent through access reject filter, though that's probably because it 
 never passes through post-auth.
 
   That will be fixed on another commit.

  It turns out the easiest way to fix that was to remove the multiple
places that called Post-Auth-Type Reject, and move it to one central
location.  Simpler, less code, does exactly the same thing as before,
and adds the call to Post-Auth-Type Reject when the home servers fail
to respond.

  We should probably have a Post-Proxy-Type = Fail, that gets called
when a home server fails to respond to a request.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RadiusExpert Wiki

2007-04-11 Thread Peter Nixon
On Tue 10 Apr 2007, Mike McCauley wrote:
 Hi all,

 Open System Consultants (OSC) has established a free resource for the
 RADIUS user community to collect and share information about configuring
 and implementing RADIUS protocol devices and software.

 RadiusExpert:Community Portal at
 http://www.open.com.au/wiki/index.php/Main_Page will become the repository
 for all the information that often resides only in the heads of system
 administrators who manage and maintain the security access and
 authentication requirements of their networks.

 We welcome contributions about such topics as configuring various RADIUS
 devices, load balancing with RADIUS servers and wireless authentication
 tips from our very active user community.

 If you can contribute any information on any RADIUS topic to the benefit
 of the entire community, please feel free.

 This is not a trawl for customers by OSC, but a genuine attempt to assist
 everyone in the RADIUS community. The wiki is vendor-neutral and covers
 all free and commercial RADIUS servers and compatible devices.
 This message was posted with the assent of Alan DeKok

Hi Mike

Welcome to the FreeRADIUS community. Many of us here have bought, sold, used, 
and continue to use Radiator and we appreciate OSC's contribution to the 
RADIUS world. We also recognise the lack of comprehensive documentation 
about RADIUS, which is one of the reasons we started the FreeRADIUS Wiki mid 
last year at: 
  http://wiki.freeradius.org/

I have taken a quick look at:
http://www.open.com.au/wiki/index.php/RadiusExpert:Community_Portal

It is pretty sparse at present and doesn't mention FreeRADIUS Server or 
Client at all (Before posting to our list, it would be nice if you would 
consider listing us as a member of the RADIUS community on the wiki you are 
asking us to contribute to :-)

I also wanted to confirm one thing before contributing. You list at the 
bottom of your wiki that "Content is available under GNU Free Documentation 
License 1.2". As this is the default theme and footer for mediawiki, could 
you please confirm that this is actually the license you intended the wiki 
content to be under? (This would allow us to share content if we were to 
license under the same license.)

Best Regards

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Radius to Diameter Gateway

2007-04-11 Thread Alan DeKok
Ashraf Al-Basti wrote:
 Dear,
 Is there any way to make Freeradius to work as Radius/Diameter gateway? 

  No.

 If not is there any recommended software that can do that?

 OpenDiameter is probably your only choice.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: add realm to user based on NAS-IP

2007-04-11 Thread Alexander Papenburg
Arran Cudbard-Bell schrieb:
 rlm_realm instances do much the same job as the Proxy-To-Realm reply 
 item, just they also handle splitting the username into it's component 
 parts.
 Usually you would use one or the other, but not both.
Okay I tested both ways:

1st with suffix disabled in authorize section of radiusd.conf and:
DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = realm
   User-Name = [EMAIL PROTECTED]

2nd with suffix enabled and:
DEFAULT NAS-IP-Address == 10.0.0.1
   User-Name = [EMAIL PROTECTED]

In both cases the request didn't reach the home server.

 Erm I thought your original question was, how do I proxy a user to a 
 realm based on the NAS-IP-Address and how do I rewrite that username 
 with that realm name

 If that's the case ... why are you using [EMAIL PROTECTED] as your test user???
I logged on with [EMAIL PROTECTED] to prove the proxy function of the proxy 
server. For the other tests
my login was only abc...


Re: RadiusExpert Wiki

2007-04-11 Thread Mike McCauley
Hello Peter,

On Wednesday 11 April 2007 19:12, Peter Nixon wrote:
 On Tue 10 Apr 2007, Mike McCauley wrote:
  Hi all,
 
  Open System Consultants (OSC) has established a free resource for the
  RADIUS user community to collect and share information about configuring
  and implementing RADIUS protocol devices and software.
 
  RadiusExpert:Community Portal at
  http://www.open.com.au/wiki/index.php/Main_Page will become the
  repository for all the information that often resides only in the heads
  of system administrators who manage and maintain the security access and
  authentication requirements of their networks.
 
  We welcome contributions about such topics as configuring various RADIUS
  devices, load balancing with RADIUS servers and wireless authentication
  tips from our very active user community.
 
  If you can contribute any information on any RADIUS topic to the benefit
  of the entire community, please feel free.
 
  This is not a trawl for customers by OSC, but a genuine attempt to assist
  everyone in the RADIUS community. The wiki is vendor-neutral and covers
  all free and commercial RADIUS servers and compatible devices.
  This message was posted with the assent of Alan DeKok

 Hi Mike

 Welcome to the FreeRADIUS community. Many of us here have bought, sold,
 used, and continue to use Radiator and we appreciate OSC's contribution to
 the RADIUS world. We also recognise the lack of comprehensive documentation
 about RADIUS, which is one of the reasons we started the FreeRADIUS Wiki
 mid last year at:
   http://wiki.freeradius.org/

 I have taken a quick look at:
 http://www.open.com.au/wiki/index.php/RadiusExpert:Community_Portal

 It is pretty sparse at present and doesn't mention FreeRADIUS Server or
 Client at all (Before posting to our list, it would be nice if you would
 consider listing us as a member of the RADIUS community on the wiki you are
 asking us to contribute to :-)

Fair enough.
Done.
Anyone is welcome to add any topic they think is helpful. We especially think 
there is not enough documentation on the various RADIUS compatible devices 
like Wireless Access Points, how to configure them and their oddities.


 I also wanted to confirm one thing before contributing. You list at the
 bottom of your wiki that Content is available under GNU Free Documentation
 License 1.2.. As this is the default theme and footer for mediawiki, could
 you please confirm that this is actually the license you intended the wiki
 content to be under? (This would allow us to share content if we were to
 license under the same license..)

That is indeed the license we intend.

Cheers.


 Best Regards

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070




RE: returning VSA from exec-prog-wait

2007-04-11 Thread Murray Hooper


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-bounces+m-
 [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: Wednesday, April 11, 2007 12:20 AM
 To: FreeRadius users mailing list
 Subject: Re: returning VSA from exec-prog-wait
 
 Murray Hooper wrote:
  Can I return VSA(106) from a script called from exec-prog-wait?  I am
 trying
  to echo H323-redirect-number= but the NAS does not see this as
 VSA 106
 
   If you run the server in debugging mode, as suggested in the FAQ,
 README, and INSTALL, you will see the results of exec-program-wait, and
 what the server is doing with it.
 
   I never understand why people look at the NAS to see what the server
 is doing.
 
   Alan DeKok.
 --

After running the server in debugging mode as suggested I did see everything
that I expected FreeRadius to be doing and that is why I originally wrote
the inquiry.  This unfortunately was not triggering the NAS to respond as
recognizing the variable.  The expected line from exec-prog-wait ended up
being echo 'vsa106 vsa106=string' that was needed in the script being called
from exec-prog-wait.  Unfortunately, I must have missed this in the examples
and FAQ's.

Again thanks for the help
murray




rlm_sql_unixodbc: Connection failed

2007-04-11 Thread elmalhi abdelghani
hi,

I am trying to use MSSQL as the database for my FreeRADIUS server, but the connection 
fails.
I have unixODBC successfully installed.
When I run radiusd -X I see this: rlm_sql_unixodbc: Connection failed 

So no user can connect!

Help or tips please!


Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50







 

Re: returning VSA from exec-prog-wait

2007-04-11 Thread Alan DeKok
 After running the server in debugging mode as suggested I did see
everything
 that I expected FreeRadius to be doing

  Including sending the attribute back to the NAS?

 and that is why I originally wrote
 the inquiry.  This unfortunately was not triggering the NAS to respond as
 recognizing the variable.

  You may be confusing two separate issues:

  1) Get the server to respond to the NAS with the attribute you want
  2) Get the NAS to understand the attribute, and use it.

  If you have (1) working, but (2) doesn't, the answer is to read the
NAS documentation to see what attribute it expects... which aren't the
ones you're sending.

  The expected line from exec-prog-wait ended up
 being echo 'vsa106 vsa106=string' that was needed in the script being called
 from exec-prog-wait.

  I find that more than a little surprising.  The server doesn't parse
attributes in that format from exec-program-wait.

  Unfortunately, I must have missed this in the examples
 and FAQ's.

  I think there's something else going on.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: add realm to user based on NAS-IP

2007-04-11 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Alexander Papenburg wrote:
 Okay I tested both ways:

 1st with suffix disabled in authorize section of radiusd.conf and:
 DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm
User-Name = [EMAIL PROTECTED]
 
   In the users file?  That sets the User-Name used in the reply, not
 the one being sent to the home server.
 
 2nd with suffix enabled and:
 DEFAULT NAS-IP-Address == 10.0.0.1
User-Name = [EMAIL PROTECTED]


DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm


Ah yes, still the top entry should have worked; the username would have to 
be rewritten in the hints file.

Or with attr_rewrite.




-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation  Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900


Re: log on device directly in priviledged mode

2007-04-11 Thread Alexander Papenburg
Molteni Davide wrote:

 Finally I successfully managed to log into the cisco switch (thanks to 
 your help) using freeradius.
 Now I want the RADIUS users to be able to enter enable mode of the
 Cisco device directly. I set this in the users file

 test    Auth-Type := Local, User-Password == "test"
         Cisco-AVPair = "shell:priv-lvl=15"

 but it doesn't work: the user test logs into the Cisco as unprivileged.

 Is there something missing in the config?

 


Hi,

you need something like that in your switch config:

aaa authorization exec default group [YOURSERVERGROUPHERE] local



Re: Segmentation fault on sigHUP

2007-04-11 Thread Ethan Dicks
On 4/11/07, Alan DeKok [EMAIL PROTECTED] wrote:
   To back up a bit, *why* are you HUPing the server?

I usually HUP servers to force them to re-read their configuration
without forcing the server to restart.  I'm glad I found the earlier
commentary that HUPping radiusd is considered harmful.  I did it
myself when I was writing my first config last month, and ran across
the segfault, too.

   Maybe we can add features that prevent the need for the HUP, and then
 remove support for HUP.  That would be best, I think.

Do you have in mind a favorite technique for signaling daemons that
the config files have changed?  HUP is a common way to do it, but I'm
sure there are other ways.

-ethan


Re: add realm to user based on NAS-IP

2007-04-11 Thread Arran Cudbard-Bell


 DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm


 Ah yes, still the top entry should have worked, username would have to 
 be rewritten in hints file.

 Or with attr_rewrite.
   
 Yippiieee,
 
 the request has been sent through to the home-server. Still need to work 
 on the username but i don't expect
 big problems with that.
 
 Thanks to both of you
 

A word of warning with the username: if you're using EAP then the username
is also sent within the EAP tunnel. If the username sent in the EAP 
tunnel and the username sent in the Access-Request packet don't match, 
then the user will be rejected.

So if you rewrite the username at the proxying server, be sure to have 
the relevant hint on the home_server to rewrite the username back into 
its original form :)

And sorry you were having problems, I forgot the : in the 
Proxy-To-Realm. :(

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation  Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900


Question about 3Com 4500 series and Freeradius + Ldap

2007-04-11 Thread Rafał Kamiński
Hi,

Has anybody configured a 3Com 4500 series switch with FreeRADIUS + LDAP auth?

I have a problem:

In debug mode I see:

---CUT---

Sending Access-Accept of id 18 to 192.168.2.201 port 5001
MS-MPPE-Recv-Key = 0x3c9698b69511f27c53657389c3994d28fa0c2db70bd6c671dc211ba697f92a09
MS-MPPE-Send-Key = 0xb571bf6045f094fa846995c6a3e89160e6eb476cc597d4dd0c6d90cd3341ca15
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = rka

---

But on the switch and on the computer, I have an unauthenticated user :(

And I don't know why?

Maybe the null Message-Authenticator is wrong?

Thanks,

Kamyk
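How the two integrity values in an Access-Accept like the one above are computed and checked, as an added example (not code from the thread or from FreeRADIUS): the Message-Authenticator is an HMAC-MD5, keyed by the shared secret, over the reply with that attribute zeroed and the request's authenticator in the header, and the Response Authenticator is then an MD5 over the finished reply plus the secret. The shared secret, identifier and request authenticator below are constructed values; User-Name and EAP-Message mirror the debug output.

```python
"""
Compute and verify the two integrity values in a RADIUS Access-Accept:
the Message-Authenticator (RFC 2869 s.5.14, HMAC-MD5 keyed by the shared
secret) and the Response Authenticator (RFC 2865 s.3, MD5 over the reply
plus the secret).  Added example; not code from FreeRADIUS or the thread.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(attrs):
    """Return (type, offset_of_value_within_attrs, value) for each attribute."""
    pos, out = 0, []
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, pos + 2, attrs[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_accept(ident, request_auth, secret, attrs):
    """Build the reply.  Order matters: first the HMAC with a zeroed
    Message-Authenticator and the *request* authenticator in the header,
    then the Response Authenticator over the completed packet."""
    body = b"".join(attrs) + encode_avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    msg_auth = hmac.new(secret, head + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth          # the zeroed MA is the last 16 octets
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_access_accept(packet, request_auth, secret):
    """Return (response_auth_ok, message_auth_ok) as a NAS would check them.
    When EAP-Message is present, a reply whose Message-Authenticator is
    missing or wrong should be discarded (RFC 3579 s.3.2)."""
    if len(packet) < HEADER_LEN:
        return False, False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False, False
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    resp_ok = hmac.compare_digest(expected, resp_auth)
    msg_ok = False
    for atype, off, value in parse_avps(body):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:off] + bytes(16) + body[off + 16:]
            calc = hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest()
            msg_ok = hmac.compare_digest(calc, value)
            break
    return resp_ok, msg_ok


def demo():
    """Constructed sample.  The secret, identifier and request authenticator
    are made up; User-Name "rka" and EAP-Message 0x03080004 (EAP Success,
    id 8) mirror the thread's debug output."""
    secret = b"testing123"                  # constructed shared secret
    request_auth = bytes(range(16))         # constructed; a NAS uses random bytes
    attrs = [encode_avp(ATTR_USER_NAME, b"rka"),
             encode_avp(ATTR_EAP_MESSAGE, bytes.fromhex("03080004"))]
    pkt = build_access_accept(18, request_auth, secret, attrs)
    tampered = pkt[:22] + b"X" + pkt[23:]   # alter first byte of User-Name in transit
    return {
        "length": len(pkt),
        "good": verify_access_accept(pkt, request_auth, secret),
        "tampered": verify_access_accept(tampered, request_auth, secret),
        "wrong_secret": verify_access_accept(pkt, request_auth, b"not-the-secret"),
    }


if __name__ == "__main__":
    print(demo())
```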


Re: Segmentation fault on sigHUP

2007-04-11 Thread Alan DeKok
Ethan Dicks wrote:
 On 4/11/07, Alan DeKok [EMAIL PROTECTED] wrote:
   To back up a bit, *why* are you HUPing the server?
 
 I usually HUP servers to force them to re-read their configuration
 without forcing the server to restart.

  Well, yes.  But *what* are you changing?  Clients?  Realms?  Comments?

 Do you have in mind a favorite technique for signaling daemons that
 the config files have changed?  HUP is a common way to do it, but I'm
 sure there are other ways.

  A command-line tool that uses some other method to update the server
configuration.  It means that the server gets told X has changed, or
delete client Y, which is hugely less intrusive than a HUP.

  HUPs are like kicking the server in the head, and then expecting it to
be nice to you.  It can be done, but it takes work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Segmentation fault on sigHUP

2007-04-11 Thread Milan Holub
Hi Alan,

On Wed, Apr 11, 2007 at 03:45:18PM +0200, Alan DeKok wrote:
 Milan Holub wrote:
  somewhere in this list there was already mentioned that current CVS
  version causes segmentation fault when received HUP signal(kill -HUP pid) - 
  depending on 
  the configuration it may survive 1st HUP and then it dies with 1st
  radius request/2nd HUP).
 
   To back up a bit, *why* are you HUPing the server?

== main reason for HUP is for me when the configuration gets updated
== yes it could be restarted as well but consider following:

- we are keeping NAS entries in DB. 
- these entries are edited by operation guys via web interface
- when a new NAS entry is added then we need to reload/restart
  freeradius
- we reload freeradius using SNMP write query(can be done via web
  interface as well; without need of ssh to radius server)

== using this approach simplifies daily configuration tasks on
freeradius and I believe it's secure enough(snmp write allowed only from
management machine) and elegant(as opposed to executing remote commands
from within management server using ssh for example)

In general when restarting the server you might lose some radius
packets (especially on a highly loaded server), don't you? Thus I think from
this point of view the HUP feature is useful and should be kept.

 
   Maybe we can add features that prevent the need for the HUP, and then
 remove support for HUP.  That would be best, I think.

== what do you imagine under these features? Basically I thought HUP
is good for reloading config files when one does not want to bring the
server down but wants to bring into effect some minor config change.
== is there any other use of HUP?

 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

Please advise.


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


Re: Segmentation fault on sigHUP

2007-04-11 Thread inverse
Maybe we can add features that prevent the need for the HUP, and then
  remove support for HUP.  That would be best, I think.

 Do you have in mind a favorite technique for signaling daemons that
 the config files have changed?  HUP is a common way to do it, but I'm
 sure there are other ways.

hi,
I'm glad Milan Holub replied with a patch, thank you!

Going back to the subject, a useful feature would be a periodical
reload of certificate revocation lists and the users list. These two
lists are prone to changing frequently in production environments: a
production server usually has an otherwise stable configuration.

I think nobody is willing to experiment on radiusd.conf during peak
hours, on the other hand he will be busy adding/removing users or
eventually certificate revocations if using EAP-TLS in the most
advanced way.

As for me, I was planning a CRL reload during off peak hours, so I
guess I'll stick with just a full nighttime restart.


Re: Segmentation fault on sigHUP

2007-04-11 Thread Milan Holub
Hi Alan,

On Wed, Apr 11, 2007 at 04:02:15PM +0200, Alan DeKok wrote:
  Do you have in mind a favorite technique for signaling daemons that
  the config files have changed?  HUP is a common way to do it, but I'm
  sure there are other ways.
 
   A command-line tool that uses some other method to update the server
 configuration.  It means that the server gets told X has changed, or
 delete client Y, which is hugely less intrusive than a HUP.
 
   HUPs are like kicking the server in the head, and then expecting it to
 be nice to you.  It can be done, but it takes work.

== I've found really useful the idea of telling freeradius
to reload via snmp - could be such functionality easily kept when using
your proposed approach?

 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


Segmentation fault for SNMP query

2007-04-11 Thread Milan Holub
Hi all,

when I've compiled in SNMP support (--with-snmp) on current CVS head I got the
following segmentation fault (it does not matter whether the NASes are stored in the DB or in
clients.conf):

DEBUG OUTPUT START
...
Ready to process requests.
Nothing to do.  Sleeping until we see a request.
SMUX read start
SMUX read len: 12
SMUX message received type: 67 rest len: 4
SMUX_RRSP
SMUX_RRSP value: 0 errstat: 0
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.

SMUX read start
SMUX read len: 40
SMUX message received type: 161 rest len: 36
SMUX_GETNEXT
SMUX GET message parse: len 36
SMUX GET reqid: 182 len: 32
SMUX GET errstat 0 len: 29
SMUX GET errindex 0 len: 26
SMUX var parse: len 26
SMUX var parse: type 48 len 22
SMUX var parse: type must be 48
Request OID: 1.3.6.1.2.1.67.1.1.1.1.15.1.2.1
SMUX val_type: 5
ASN_NULL
SMUX function call index is 2
SMUX function call index is 3
Segmentation fault
DEBUG OUTPUT END

When debugging (I can attach the gdb output if needed) I've found that it
fails somewhere on reading the internal NAS clients data structure. As I'm
not interested in NAS clients obtained via SNMP (I keep them in a MySQL DB),
the following is the little patch which basically just adds return NULL when
SNMP asks for the next NAS client:

Index: src/main/radius_snmp.c
===
RCS file: /source/radiusd/src/main/radius_snmp.c,v
retrieving revision 1.31
diff -u -r1.31 radius_snmp.c
--- src/main/radius_snmp.c  10 Apr 2007 14:21:24 -  1.31
+++ src/main/radius_snmp.c  11 Apr 2007 14:41:08 -
@@ -194,6 +194,8 @@
RADCLIENT *c;
int i, len;

+   return NULL;
+
len = *objid_len - v-namelen;

if (!mainconfig.clients)
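Review bot: the unconditional `return NULL;` inserted ahead of `len = *objid_len - v-namelen;` makes every statement after it dead code (compilers will warn about the unreachable `if (!mainconfig.clients)` guard just below), and it disables the SNMP client table for every build, not only for setups that keep clients in SQL. As a local workaround that is fine, but as a patch it hides the crash rather than fixing it; better to make the early return conditional, for example `if (!mainconfig.clients) return NULL;` at this point, and to track down why walking the clients structure faults, which the post reports happens whether clients come from the DB or from clients.conf.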


Hope this helps someone.


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--



Re: log on device directly in priviledged mode

2007-04-11 Thread Molteni Davide



-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alexander Papenburg
Sent: Wed 11/04/2007 15.41
To: FreeRadius users mailing list
Subject: Re: log on device directly in priviledged mode
 
Molteni Davide wrote:

 Finally I successfully managed to log into the cisco switch (thanks to 
 your help) using freeradius.
 Now I want the RADIUS users to be able to enter enable mode of the
 Cisco device directly. I set this in the users file

 test    Auth-Type := Local, User-Password == "test"
         Cisco-AVPair = "shell:priv-lvl=15"

 but it doesn't work: the user test logs into the Cisco as unprivileged.

 Is there something missing in the config?

 


Hi,

you need something like that in your switch config:

aaa authorization exec default group [YOURSERVERGROUPHERE] local


I have tried, but with the line you suggested authorization fails and the device 
won't let me in.


Connection failed

2007-04-11 Thread elmalhi abdelghani
hi,

I want to use MSSQL as a database for my FreeRADIUS, so
I have unixODBC installed,
but the connection fails.
In debug mode I can see this: rlm_sql_unixodbc: Connection failed 
Any help?

Regards,



Abdelghani ELMALHI
  Devesestr. 1
  45897 Gelsenkirchen
  Deutschland
Tel. 00 49 176 65 84 38 50







 

rlm_sql, readclients=yes: multiple NASes with same IP

2007-04-11 Thread Milan Holub
Hi all,

With the current cvs head I've observed the following behaviour:

- I'm using rlm_sql
- clients stored in a mysql DB (standard DB schema)
- in sql.conf I have readclients=yes (to read the nas table)

We have multiple NASes on the same IP, distinguished only by
different ports (e.g. multiple instances of nocat wlangw running on
different ports).

This results in the following DB records (for example):
+-----+---------------+-----------+-------+-------+--------+-----------+-------------+
| id  | nasname       | shortname | type  | ports | secret | community | description |
+-----+---------------+-----------+-------+-------+--------+-----------+-------------+
| 123 | valid_IP      | wlan-gw51 | other |  5281 | secret | NULL      | off         |
| 117 | same_valid_IP | wlan-gw51 | other |  5280 | secret | NULL      | off         |
+-----+---------------+-----------+-------+-------+--------+-----------+-------------+
(the only difference is in the ports)

We are using the nas table as a bind table to another table for the usage
view. Basically such NASes can serve completely different physical
locations, and what really determines the location is the combination of nasname
and ports.

Now: freeradius refuses to start with the above configuration:
 DEBUG OUTPUT START
rlm_sql (sql): Read entry
nasname=valid_IP,shortname=wlan-gw51,secret=secret
rlm_sql (sql): Adding client valid_IP (wlan-gw51) to clients list
rlm_sql (sql): Read entry
nasname=same_valid_IP,shortname=wlan-gw51,secret=secret
rlm_sql (sql): Adding client same_valid_IP (wlan-gw51) to clients list
rlm_sql (sql): generate_sql_clients() returned error
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
radiusd.conf[10]: sql: Module instantiation failed.
radiusd.conf[1896] Failed to find module sql.
radiusd.conf[1819] Failed to parse authorize section.
Errors setting up modules
 DEBUG OUTPUT END

I believe that for communication between the NAS and radius only the IP
is decisive for radius. I know this can be solved outside radius by
creating another bind table in the DB (binding multiple ports to one unique
nas record) and changing the existing applications for viewing accounting
data (php+mysql). For me at the moment it's easier to persuade freeradius
just to ignore such duplicates when reading clients, with the following simple
patch:

Index: src/main/client.c
===
RCS file: /source/radiusd/src/main/client.c,v
retrieving revision 1.53
diff -u -r1.53 client.c
--- src/main/client.c   10 Apr 2007 14:21:24 -  1.53
+++ src/main/client.c   11 Apr 2007 15:36:19 -
@@ -225,7 +225,7 @@
 *  Duplicate?
 */
if (!rbtree_insert(clients-trees[client-prefix], client)) {
-   return 0;
+   return 1;
}

 #ifdef WITH_SNMP
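Review bot: changing `return 0;` to `return 1;` in the `!rbtree_insert(...)` branch reports success for a client that was never added to the tree, so the caller cannot tell that the second `nas` row was dropped, and nothing in this branch frees or otherwise disposes of `client`. A consequence worth spelling out: if two rows for the same IP ever carried different `secret` values, the later one would be silently discarded and the mismatch would only surface as failed Access-Requests from that NAS. Prefer keeping `return 0;` (a duplicate IP is a configuration error, which is how the unpatched code treats it) and logging which rows collided; if duplicates really must be tolerated, at least free the client and emit a warning naming the duplicate before returning 1.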


I hope it helps someone.

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


Re: Segmentation fault on sigHUP

2007-04-11 Thread Alan DeKok
Milan Holub wrote:
 == I've found the idea of telling freeradius to reload via snmp really
 useful - could such functionality easily be kept when using your
 proposed approach?

  Reloading via SNMP is exactly the same as HUP.

  Configuring a server by doing SNMP writes is very hard.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Segmentation fault on sigHUP

2007-04-11 Thread Alan DeKok
Milan Holub wrote:
 - we are keeping NAS entries in DB. 

  Then the server should re-load them via reading the DB.

 - these entries are edited by operation guys via web interface
 - when a new NAS entry is added then we need to reload/restart
   freeradius
 - we reload freeradius using SNMP write query(can be done via web
   interface as well; without need of ssh to radius server)

  If the server automatically discovers NAS changes from the DB, then
the server doesn't need to be reloaded.

  i.e. You're changing *one* thing: a NAS.  You're then telling the
server to reload *everything*.  That's where the expense and complexity
comes in.

 In general, when restarting the server you might lose some radius
 packets (especially on a highly loaded server), don't you?

  It's possible.

 == what do you imagine under these features? Basically I thought HUP
 is good for reloading config files when one does not want to bring the
 server down but wants to bring some minor config change into effect.

  I am trying to say that there are OTHER ways to perform some minor
config change than HUP.  HUP should be the *last* resort.

 == is there any other use of HUP?

  No.  HUP is *only* to notify the server of configuration changes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Segmentation fault on sigHUP

2007-04-11 Thread Alan DeKok
inverse wrote:
 Going back to the subject, a useful feature would be a periodical
 reload of certificate revocation lists and the users list. These two
 lists are prone to changing frequently in production environments: a
 production server usually has an otherwise stable configuration.

  That can be done with a fair amount of work.

 As for me, I was planning a CRL reload during off peak hours, so I
 guess I'll stick with just a full nighttime restart.

  For now, it's probably safest.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Segmentation fault for SNMP query

2007-04-11 Thread Alan DeKok
Milan Holub wrote:
 Hi all,
 
 when I compiled in snmp support (--with-snmp) on current cvs head I got the
 following segmentation fault (it does not matter whether the NAS are stored in the DB or
 in clients.conf):

  I just committed fixes for SNMP.  I haven't tested it, but the code
that was obviously wrong isn't there any more.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: R: log on device directly in privileged mode

2007-04-11 Thread Alexander Papenburg
Molteni Davide wrote:

 -Original Message-
 From: [EMAIL PROTECTED] on behalf of Alexander Papenburg
 Sent: Wed 11/04/2007 15.41
 To: FreeRadius users mailing list
 Subject: Re: log on device directly in privileged mode
  
 Molteni Davide wrote:
   
 Finally I successfully managed to log into the cisco switch (thanks to
 your help) using freeradius.
 Now I want the radius users to be able to enter enable mode on the
 cisco device directly. I set this in the users file

 test Auth-Type := Local, User-Password == "test"
  Cisco-AVPair = "shell:priv-lvl=15"

 but it doesn't work; the user test logs into the cisco as unprivileged.

 Is there something missing in the config?

 

 

 Hi,

 you need something like that in your switch config:

 aaa authorization exec default group [YOURSERVERGROUPHERE] local


 I have tried, but with the line you suggested authorization fails and the device
 won't let me in.
   

Oh, I am sorry, it seems like this will only work on cisco routers; for
switches you need tacacs for exec mode.

cisconfusion %)




Re: rlm_sql, readclients=yes: multiple NASes with same IP

2007-04-11 Thread Alan DeKok
Milan Holub wrote:
 We have multiple NASes on the same IP, distinguished only by
 different ports (e.g. multiple instances of nocat wlangw running on
 different ports).

  No.  NASes are distinguished by IP.  Nothing else.

  There is no way in RADIUS to have multiple NASes on the same IP with
different ports.

 I believe that for communication between the NAS and radius only the IP
 is decisive for radius.

  Yes.

 I know this can be solved outside radius by
 creating another bind table in the DB (binding multiple ports to one unique
 nas record) and changing the existing applications for viewing accounting
 data (php+mysql).

  I have no idea what you mean by that.  FreeRADIUS will look up the NAS
by IP, and never by port.  What you put in the DB for ports is
irrelevant, and will never affect server behavior.

  i.e. What you use the ports for is up to you, and does not affect the
server.

 For me at the moment it's easier to persuade freeradius
 just to ignore such duplicates when reading clients, with the following simple
 patch:

  No.  Your DB configuration is wrong, and needs to be fixed.

  Maybe you need to put your NAS IP + port combination into a
different table.  But whatever the case, duplicate NAS IP's are wrong,
and will not be supported.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
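As an added example (not code from this thread or from FreeRADIUS), the Python below models the rule Alan states: clients read from the nas table are keyed by nasname (the NAS IP) only, so the patch in Milan's post would make the first row win and silently drop every later row for the same IP. The audit function is a pre-flight check an operator can run over the nas table before restarting the server; it reports which rows would be dropped and flags the dangerous case where a dropped row carries a different shared secret. The rows (documentation-range addresses, ids and secrets) are constructed.

```python
from collections import defaultdict

# Constructed rows in the shape of the rlm_sql "nas" table used by readclients=yes
# (documentation-range addresses, invented ids and secrets; not real data).
NAS_ROWS = [
    {"id": 123, "nasname": "192.0.2.10", "shortname": "wlan-gw51", "ports": 5281,
     "secret": "secret", "description": "off"},
    {"id": 117, "nasname": "192.0.2.10", "shortname": "wlan-gw51", "ports": 5280,
     "secret": "secret", "description": "off"},
    {"id": 130, "nasname": "192.0.2.20", "shortname": "wlan-gw52", "ports": 5280,
     "secret": "s3cr3t-a", "description": "hall"},
    {"id": 131, "nasname": "192.0.2.20", "shortname": "wlan-gw52", "ports": 5281,
     "secret": "s3cr3t-b", "description": "lab"},
]


class DuplicateClient(ValueError):
    """Raised when two rows would key the same client (same nasname)."""


def load_clients(rows, ignore_duplicates=False):
    """Build the client table the way the server does: keyed by nasname (the NAS
    IP) only; 'ports' never enters the key. ignore_duplicates=False is the
    stock behaviour (a duplicate aborts the load); True mimics the proposed
    patch, where the first row wins and later rows are silently dropped."""
    clients = {}
    for row in rows:
        key = row["nasname"]
        if key in clients:
            if not ignore_duplicates:
                raise DuplicateClient("nas rows %d and %d both define client %s"
                                      % (clients[key]["id"], row["id"], key))
            continue
        clients[key] = row
    return clients


def audit_nas_rows(rows):
    """Pre-flight check to run before (re)starting the server: list every IP
    with more than one row, which rows would be dropped, and whether a dropped
    row carries a different shared secret than the row that survives."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row["nasname"]].append(row)
    findings = []
    for ip, group in by_ip.items():
        if len(group) < 2:
            continue
        survivor = group[0]
        findings.append({
            "nasname": ip,
            "kept_row": survivor["id"],
            "dropped_rows": [r["id"] for r in group[1:]],
            "ports": sorted(r["ports"] for r in group),
            "conflicting_secret": any(r["secret"] != survivor["secret"]
                                      for r in group[1:]),
        })
    return findings
```

The port-to-location mapping Milan needs can live in a separate table joined on the nas id, as Alan suggests, without ever producing a second nas row for the same IP.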


Re: radius-apache authentication problem

2007-04-11 Thread Nick Owen
FWIW, I have had a chance to test this on 2.2.3 and it did not work
for me either.  Not sure if it is a bug in apache or whether a change has been
made and the mod_auth modules need updating.

On 3/29/07, Nick Owen [EMAIL PROTECTED] wrote:
 On 3/28/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
  Hi
  these are error lines in apache error log and apache conf files. thanks for
  your assistance

 No problem. The fewer passwords the better :).  I don't see anything
 that stands out.  However, when I set up apache with our two-factor I
 did everything inside of httpd.conf inside the vhost listing:

 <VirtualHost ...>

   <Location /WiKIDBlog/*/cbentry_view>
     AuthType Basic
     AuthName "WiKID Two-factor + Apache"
     AuthXRadiusAddServer wikid_server:1812 radius_secret
     AuthXRadiusTimeout 7
     AuthXRadiusRetries 2
     require valid-user
   </Location>
 </VirtualHost>

 So perhaps apache is getting confused about which mechanism to use
 where; putting it all in one place might clarify things.

 HTH,

 Nick




-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/


Re: Version 2.0 is a lot closer to reality...

2007-04-11 Thread Arran Cudbard-Bell

 That will be fixed on another commit.
   It turns out the easiest way to fix that was to remove the multiple
 places that called Post-Auth-Type Reject, and move it to one central
 location.  Simpler, less code, does exactly the same thing as before,
 and adds the call to Post-Auth-Type Reject when the home servers fail
 to respond.

   We should probably have a Post-Proxy-Type = Fail, that gets called
 when a home server fails to respond to a request.

   
That would make sense, then you can trigger a script to email admins ... 
etc...

And well done :)

Coincidentally, I started testing the 2.00 pre code in a proper environment
today instead of just using radclient. All seems to stand up pretty well,
no random crashes or weirdness... apart from, of course, the dreaded HUP,
which results in a segfault.

The main thing that will change in our implementation will be the SQL
based client list (which could change hourly), as we have a well used
equipment database from which the NAS list is being derived.
Techs will also want to test switches in new installs, and they won't
like waiting a day for configuration changes to take effect, just as
users won't like the service going down every hour, although we could
stagger the server restarts.

What would be really useful is to be able to force the server to reload
any of the 'file' based configuration files ... like the users and huntgroups files
... and the sql based clients list, and the easiest way to do this would
be via snmp.

I think this would satisfy most users' requirements... if they need any
more than this then they either have very strange requirements or
a very poorly configured server :S.

Other options would be a cron-like function that reloads selected
things periodically, or automatic change detection (which would be the
neatest).

Thanks,
Arran


ip pool for dynamic users

2007-04-11 Thread ann kok
Hi all

I am using two radius servers for our DSL clients.

but our clients have an ip conflict issue.

It looks like the first radius issues the ip to DSL client A,
but the secondary radius doesn't know this ip is
already allocated and issues this ip to DSL client B.

Then the two clients have the same ip address, which causes
the ip conflict.

How can we avoid this problem?

Thank you


Current Opensource radius accounting details parser

2007-04-11 Thread Murray Hooper
Are there any open source programs that parse the accounting logs produced
by freeradius?   I can find a couple in Google, but they appear to have been
left behind in 1999.  




RE: (Solved) Re: MAC authorisation (but not authentication) via LDAP

2007-04-11 Thread Alan Walters
This looks great for my purpose as well, thanks very much for your help.


Alan,

The problem for me was that when the ldapsearch failed to find the MAC
address, freeradius didn't reject authorisation.

The solution for me (I'm sure the big boys can point out how it's
wrong) was the following script:

---snip---
#!/bin/sh
# rlm_exec exports the request attributes as environment variables,
# with '-' replaced by '_' (Module-Failure-Message -> MODULE_FAILURE_MESSAGE).
if echo "$MODULE_FAILURE_MESSAGE" | grep -q "not found"; then
 echo "Auth-Type := reject"
 exit 0
fi
---snip---
and the following clause in radiusd.conf
---snip---
exec rejectOnNotFound {
 wait = yes
 program = /usr/local/etc/raddb/rejectOnNotFound.sh
 input_pairs = request
 output_pairs = config
}
---snip---
which is used in the authorise section thus
---snip---
Autz-Type LdapMAC {
 ldapMAC
 rejectOnNotFound
 }
---snip---


As I said, works for me.

Hope it helps..

Mart

Alan Walters wrote:
 We are trying to add mac authentication to our wireless aps. The radius request
 comes in like so.
 
 rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
 length=95
 Service-Type = Framed-User
 NAS-Port-Id = wlan1
 User-Name = 00:0B:6B:56:1D:48
 User-Password = 
 NAS-Identifier = ballyvaughan_ap_1
 NAS-IP-Address = 10.250.100.3
 
 
 The mac address is in a field in the ldap, so I created a second
 ldap.attrib.map and a new ldap autz-type. The problem is that the
 user-password that is sent is blank, so I added this to the users file,
 like so.
 
 DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
        Fall-Through = 0
 
 Great, now the user will authorise and authenticate from files. But what
 I had hoped would happen was that if they fail authorisation they would
 not continue; I can see this is not the default procedure. How can I
 make it work this way?
 
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 users: Matched entry DEFAULT at line 4
   modcall[authorize]: module files returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
   Found Autz-Type ldapMAC
   Processing the authorize section of radiusd.conf
 modcall: entering group ldapMAC for request 0
 modcall: entering group redundant  for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
 radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
 radius_xlat:  'o=clients,dc=radiowave,dc=net'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
 rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
 radiustest:/etc/freeradius/config-clients#
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
 filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldapmac1 returns notfound for request 0
 modcall: leaving group redundant  (returns notfound) for request 0
 modcall: leaving group ldapMAC (returns notfound) for request 0
 
 
 But when the authentication starts this still happens. Below was an
 idea someone had in respect to this issue or a similar one, but I have no
 idea how to deploy it. I look forward to your replies.
 
 auth: type Local
 auth: user supplied User-Password matches local User-Password
   Processing the session section of radiusd.conf
 modcall: entering group session for request 0
 modcall: entering group redundant  for request 0
   modcall[session]: module sql2 returns noop for request 0
 modcall: leaving group redundant  (returns noop) for request 0
 modcall: leaving group session (returns noop) for request 0
 Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
 Sending Access-Accept of id 119 to 10.250.100.3 port 1038
 
 
 On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
 Martin Whinnery wrote:
 Markus Krause wrote:
   
 Zitat von Martin Whinnery [EMAIL PROTECTED]:

   
 
 Hi.

 Probably just me not understanding...

 What I want is for our switches to only allow access to MAC addresses in
 our LDAP database.

 I don't want to store passwords on our LDAP host entries.

 I'm set up to check LDAP during authorisation, and it correctly returns
 authorised / not authorised depending on whether the appropriate
 attribute contains the right value.

 The trouble comes with authentication - either I set Auth-Type :=
 Accept, in which case any failed authorisation is overridden, or I allow
 authentication to carry on against LDAP ( or

Re: Current Opensource radius accounting details parser

2007-04-11 Thread Phil Mayers
Murray Hooper wrote:
 Are there any open source programs that parse the accounting logs produced
 by freeradius?   I can find a couple in Google, but they appear to have been
 left behind in 1999.  

Accounting detail file formats haven't changed in years, so they 
probably work fine.

I recall radiusContext was quite good when I last used it, and it's 
written in python so should be very easy to extend.

The reason you probably didn't find many is that often people push the 
accounting into an SQL server, either directly using rlm_sql, relayed 
using rlm_sql_log or via radrelay and a 2nd server, which obviously 
makes most of these packages redundant for parsing purposes.
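Phil's point that the detail file format has not changed is why a small parser still works; as an added example (not code from the thread, nor radiusContext), this Python reads the detail layout, an unindented timestamp line opening each record, tab-indented "Name = value" lines with string values double-quoted, and a blank line closing the record, and then totals usage per user from Stop records only, since Interim-Update counters are superseded by the final Stop. The sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of a FreeRADIUS detail file (not real accounting data).
# Unindented timestamp opens a record; attributes are tab-indented; blank line ends it.
SAMPLE_DETAIL = """\
Wed Apr 11 15:40:19 2007
\tUser-Name = "alice"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Time = 240

Wed Apr 11 16:06:19 2007
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 1800
\tAcct-Input-Octets = 20000
\tAcct-Output-Octets = 300000

Wed Apr 11 16:10:00 2007
\tUser-Name = "bob"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 60
\tAcct-Output-Octets = 20
"""

def parse_detail(text):
    """Return the records of a detail file as dicts ('timestamp' plus attributes)."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line: record ends
            if current:
                records.append(current)
            current = None
        elif not raw[0].isspace():          # unindented line: new record header
            if current:
                records.append(current)
            current = {"timestamp": raw.strip()}
        else:                               # indented "Attribute = value" line
            if current is None:
                raise ValueError("attribute before record header: %r" % raw)
            name, sep, value = raw.strip().partition(" = ")
            if not sep:
                raise ValueError("malformed attribute line: %r" % raw)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]         # detail files quote string values
            current[name] = value
    if current:
        records.append(current)
    return records


def summarize_usage(records):
    """Per-user totals from Stop records only: Interim-Update records carry
    running counters that the final Stop supersedes, so counting them too
    would double-bill the same traffic."""
    usage = defaultdict(lambda: {"sessions": 0, "seconds": 0, "octets": 0})
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        user = usage[rec.get("User-Name", "<unknown>")]
        user["sessions"] += 1
        user["seconds"] += int(rec.get("Acct-Session-Time", 0))
        user["octets"] += (int(rec.get("Acct-Input-Octets", 0))
                           + int(rec.get("Acct-Output-Octets", 0)))
    return dict(usage)
```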