Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Coincidentally started testing the 2.00 pre code in a proper environment today instead of just using radclient. All seems to stand up pretty well, no random crashes or weirdness... apart from of course the dreaded HUP which results in a segfault.

That's good to hear. The HUP issue will have to be addressed before 2.0 comes out, of course.

> What would be really useful, is to be able to force the server to reload any of the 'file' based configuration files ... like users huntgroups files. ...and the sql based clients list, and the easiest way to do this would be via snmp.

The server already supports a reload signal via SNMP, which does the same thing as HUP. Adding the ability to reload the various files may be possible. We'll see.

> Other options would be a cron like function, that reloads selected things periodically, or automatic change detection (which would be the neatest).

And probably the most work, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool for dynamic users
ann kok wrote:
> it looks like the first radius issues the ip to the A DSL client. but secondary radius doesn't know this ip already allocated and issues this ip to B DSL client.

You've configured two different RADIUS servers to allocate the same IP to two different people? Why?

> How can we avoid this problem?

Each server should have its own IP pool. IP pools should not be shared between servers.

Alan DeKok.
Generating AAA message for freeradius.
Hi,

I am working on the Authentication module in the NSIS protocol suite (http://user.informatik.uni-goettingen.de/~nsis/). The scenario is as follows:

User A <-> NSIS server <-> Radius server

User A sends the NSIS request with its keyed hash (generated using User A's key) appended to it to the NSIS server. Now the NSIS server needs to authenticate that request with a Radius server. Is there a way to do this, i.e. how to generate an AAA message with the information available, i.e. a string, its keyed hash and User A's id? Assuming that the Radius server has keys of all legitimate users.

Regards,
Prateek
Re: rlm_sql, readclients=yes: multiple NASes with same IP
Hi,

On Wed, Apr 11, 2007 at 06:17:13PM +0200, Alan DeKok wrote:
> > For me at the moment it's easier to persuade freeradius just to ignore such duplicities when reading clients by following simple patch:
>
> No. Your DB configuration is wrong, and needs to be fixed. Maybe you need to put your NAS IP + port combination into a different table. But whatever the case, duplicate NAS IP's are wrong, and will not be supported.

== my apologies; forget about this silly patch. No matter what's in the nas table, when using mysql we can always give freeradius what it wants. IOW: to make the unique list of nases just change the nas_query in /etc/freeradius/sql/mysql-dialup.conf:

default:
  SELECT id, nasname, shortname, type, secret FROM ${nas_table}

unique nases modification:
  SELECT id, nasname, shortname, type, secret FROM ${nas_table} group by nasname

I hope this helps someone.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
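The GROUP BY nasname trick above hides duplicate rows from the server, but it does not say which of the duplicate rows wins: MySQL (and SQLite) return an arbitrary row's shortname and secret for each group. The following added example, not from the thread or from FreeRADIUS, uses Python's sqlite3 with a constructed nas table to show what readclients=yes sees with the default nas_query versus the grouped one, and adds the check a practitioner would want to run first: which nasnames are duplicated with conflicting shared secrets, since those are the rows that need fixing in the database rather than hiding. Table and row values are constructed samples; the column layout follows the query in the post.

```python
import sqlite3

# Constructed sample rows for the 'nas' table (not taken from the post):
# rows 1 and 2 share a nasname (the NAS IP) but carry different secrets,
# which is the duplicate-NAS-IP situation discussed in the thread.
SAMPLE_NAS = [
    (1, "192.0.2.10", "bras-a", "other", "secret-a"),
    (2, "192.0.2.10", "bras-a-port2", "other", "secret-b"),
    (3, "192.0.2.20", "bras-b", "other", "secret-c"),
]

# The two queries from the post, with ${nas_table} expanded to 'nas'.
DEFAULT_NAS_QUERY = "SELECT id, nasname, shortname, type, secret FROM nas"
GROUPED_NAS_QUERY = DEFAULT_NAS_QUERY + " GROUP BY nasname"


def build_nas_table():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, "
        "shortname TEXT, type TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO nas VALUES (?, ?, ?, ?, ?)", SAMPLE_NAS)
    return conn


def load_clients(conn, query):
    """Mimic readclients=yes: run nas_query and key the client list by nasname.
    A second row for an already-seen nasname is recorded as a duplicate and
    skipped, which is the situation the server refuses to support.
    Returns (clients, duplicate_nasnames)."""
    clients, dupes = {}, []
    for row_id, nasname, shortname, nastype, secret in conn.execute(query):
        if nasname in clients:
            dupes.append(nasname)
            continue
        clients[nasname] = {
            "id": row_id, "shortname": shortname, "type": nastype, "secret": secret,
        }
    return clients, dupes


def conflicting_nas(conn):
    """The check to run before reaching for GROUP BY: nasnames that appear more
    than once with more than one distinct secret. GROUP BY would silently pick
    one of those secrets, so the other NAS would fail authentication.
    Returns [(nasname, row_count)]."""
    rows = conn.execute(
        "SELECT nasname, COUNT(*), COUNT(DISTINCT secret) FROM nas "
        "GROUP BY nasname HAVING COUNT(*) > 1"
    ).fetchall()
    return [(name, count) for name, count, secrets in rows if secrets > 1]


if __name__ == "__main__":
    db = build_nas_table()
    for label, q in (("default", DEFAULT_NAS_QUERY), ("grouped", GROUPED_NAS_QUERY)):
        clients, dupes = load_clients(db, q)
        print(label, "->", sorted(clients), "duplicates skipped:", dupes)
    print("conflicting secrets:", conflicting_nas(db))
```

Run it and the default query reports 192.0.2.10 as a skipped duplicate while the grouped query loads two clean clients; conflicting_nas() still flags 192.0.2.10 because its two rows carry different secrets, which is the case where the grouped query is unsafe.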
Re: Generating AAA message for freeradius.
Hi,

On Thu, Apr 12, 2007 at 11:45:37AM +0530, Prateek Gupta wrote:
> Hi,
>
> I am working on the Authentication module in the NSIS protocol suite (http://user.informatik.uni-goettingen.de/~nsis/). The scenario is as follows:
>
> User A <-> NSIS server <-> Radius server
>
> User A sends the NSIS request with its keyed hash (generated using User A's key) appended to it to the NSIS server. Now the NSIS server needs to authenticate that request with a Radius server. Is there a way to do this, i.e. how to generate an AAA message with the information available, i.e. a string, its keyed hash and User A's id? Assuming that the Radius server has keys of all legitimate users.

== try to experiment with radclient (part of the freeradius suite) - it allows you to send radius packets using the command line

== I believe there are also libraries for various programming languages available (I know at least about php: http://cz2.php.net/manual/en/ref.radius.php)

> Regards,
> Prateek

Milan Holub
Re: ip pool for dynamic users
On Wed 11 Apr 2007, ann kok wrote:
> Hi all
>
> I am using two radius servers for our DSL clients. but our client has ip conflict issue. it looks like the first radius issues the ip to the A DSL client. but secondary radius doesn't know this ip already allocated and issues this ip to B DSL client. Then two clients have the same ip address and cause the ip conflict.
>
> How can we avoid this problem?

Any of the following:

* Don't use the same pool range on 2 servers (What made you think that this would work?)
* Use a shared storage backend (sqlippool with shared database)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
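Both answers in this thread come down to the same point: an address may be handed out by two servers only if both consult one record of who holds it. The added example below, written for this page and not taken from FreeRADIUS or sqlippool, uses Python's sqlite3 to show the two setups side by side. separate_pools() gives each server its own copy of the same range, as the original poster did, and both servers hand the first address to different clients; shared_pool() has both servers allocate from one table using a single conditional UPDATE, so the second server cannot take a row the first one already claimed. The table layout (framedipaddress, pool_key, nasipaddress) is a simplified, assumed stand-in for an sqlippool-style schema, and the address range is constructed.

```python
import sqlite3

# Constructed pool range (not from the thread): the same addresses on every server.
POOL_RANGE = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def make_pool_table(conn):
    """Assumed minimal pool layout: one row per address; pool_key is empty
    while the address is free and holds the session's key once allocated."""
    conn.execute(
        "CREATE TABLE radippool (framedipaddress TEXT PRIMARY KEY, "
        "pool_key TEXT NOT NULL DEFAULT '', nasipaddress TEXT NOT NULL DEFAULT '')"
    )
    conn.executemany(
        "INSERT INTO radippool (framedipaddress) VALUES (?)",
        [(addr,) for addr in POOL_RANGE],
    )


def allocate(conn, nasipaddress, pool_key):
    """Claim one free address with a single conditional UPDATE.
    The outer 'AND pool_key = ''' re-checks the chosen row inside the same
    statement, so when two servers race for the same row only one UPDATE
    changes it; the other sees rowcount 0 and gets no address from this try."""
    with conn:  # one transaction per allocation attempt
        cur = conn.execute(
            "UPDATE radippool SET pool_key = ?, nasipaddress = ? "
            "WHERE framedipaddress = (SELECT framedipaddress FROM radippool "
            "                         WHERE pool_key = '' "
            "                         ORDER BY framedipaddress LIMIT 1) "
            "AND pool_key = ''",
            (pool_key, nasipaddress),
        )
        if cur.rowcount != 1:
            return None  # pool exhausted (or lost the race; caller may retry)
    row = conn.execute(
        "SELECT framedipaddress FROM radippool WHERE pool_key = ?", (pool_key,)
    ).fetchone()
    return row[0]


def release(conn, pool_key):
    """Accounting-Stop path: hand the address back to the pool."""
    with conn:
        conn.execute(
            "UPDATE radippool SET pool_key = '', nasipaddress = '' WHERE pool_key = ?",
            (pool_key,),
        )


def separate_pools():
    """The poster's setup: two servers, each with a private copy of the same range."""
    server_a, server_b = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    make_pool_table(server_a)
    make_pool_table(server_b)
    return allocate(server_a, "192.0.2.1", "client-A"), allocate(server_b, "192.0.2.2", "client-B")


def shared_pool():
    """The shared-backend option: both servers allocate from one table."""
    db = sqlite3.connect(":memory:")
    make_pool_table(db)
    return allocate(db, "192.0.2.1", "client-A"), allocate(db, "192.0.2.2", "client-B")


if __name__ == "__main__":
    print("separate pools:", separate_pools())  # same address twice: the conflict
    print("shared pool:   ", shared_pool())     # two distinct addresses
```

SQLite serialises the whole database, so the race is not observable here; the point of the conditional UPDATE is that under MySQL row locking it is the statement itself, not the client, that decides who gets the row.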
Simultaneous-Use problem
Dear all,

We have the problem regarding the above subject...

mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | POSTPAID  | Simultaneous-Use | == | 1     |
|  2 | PREPAID   | Simultaneous-Use | == | 1     |
+----+-----------+------------------+----+-------+
2 rows in set (0.01 sec)

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| thomas   | POSPAID   |        1 |
| christie | POSPAID   |        1 |
+----------+-----------+----------+
2 rows in set (0.01 sec)

and at sql.conf..

..
# Uncomment simul_count_query to enable simultaneous use checking
# simul_counT_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
..

But.. the same user id is still able to login at the same time on a different terminal / pc. I already tried to change the op on radcheck from '==' to ':=' or '=' but the same problem still persists.

What could be wrong?

TIA
PD
Re: Simultaneous-Use problem
Hi,

On Thu, Apr 12, 2007 at 07:14:48AM +, PD wrote:
> Dear all,
>
> We have the problem regarding the above subject...
>
> mysql> select * from radgroupcheck;
> +----+-----------+------------------+----+-------+
> | id | GroupName | Attribute        | op | Value |
> +----+-----------+------------------+----+-------+
> |  1 | POSTPAID  | Simultaneous-Use | == | 1     |
> |  2 | PREPAID   | Simultaneous-Use | == | 1     |
> +----+-----------+------------------+----+-------+
> 2 rows in set (0.01 sec)
>
> mysql> select * from usergroup;
> +----------+-----------+----------+
> | UserName | GroupName | priority |
> +----------+-----------+----------+
> | thomas   | POSPAID   |        1 |
> | christie | POSPAID   |        1 |
> +----------+-----------+----------+
> 2 rows in set (0.01 sec)

== I believe you have a typo in the tables:

radgroupcheck: groupname=POSTPAID
usergroup:     groupname=POSPAID

which means that the Simultaneous-Use check is not performed because the user does not match the requested group...

> and at sql.conf..
>
> ..
> # Uncomment simul_count_query to enable simultaneous use checking
> # simul_counT_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> ..
>
> But.. the same user id is still able to login at the same time on a different terminal / pc. I already tried to change the op on radcheck from '==' to ':=' or '=' but the same problem still persists.
>
> What could be wrong?
>
> TIA
> PD

Milan Holub
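The diagnosis above is worth seeing in code, because a group-name typo fails silently: no error, just no check items. The added example below (written for this page, not FreeRADIUS code) rebuilds the two tables from the post in Python's sqlite3 and walks the lookup the way rlm_sql's group processing effectively does it: groups for the user from usergroup in priority order, then check items for each group from radgroupcheck. With the rows as posted, thomas resolves to no Simultaneous-Use limit at all; with the group name corrected, the limit of 1 is found. orphaned_group_names() is the one-line sanity check for this whole class of mistake. The per-group lookup is a simplification of the module's real query and is an assumption of this example.

```python
import sqlite3

# Rows exactly as shown in the post (radgroupcheck is correct, usergroup has the typo).
RADGROUPCHECK = [
    (1, "POSTPAID", "Simultaneous-Use", "==", "1"),
    (2, "PREPAID", "Simultaneous-Use", "==", "1"),
]
USERGROUP_AS_POSTED = [("thomas", "POSPAID", 1), ("christie", "POSPAID", 1)]
USERGROUP_FIXED = [("thomas", "POSTPAID", 1), ("christie", "POSTPAID", 1)]


def build_db(usergroup_rows):
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);"
        "CREATE TABLE usergroup (UserName TEXT, GroupName TEXT, priority INTEGER);"
    )
    conn.executemany("INSERT INTO radgroupcheck VALUES (?, ?, ?, ?, ?)", RADGROUPCHECK)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?, ?)", usergroup_rows)
    return conn


def group_check_items(conn, username):
    """Simplified rlm_sql group processing: the user's groups by priority, then the
    check items of each group. Returns [(group, attribute, op, value)]; an empty
    list means no group check item (and so no Simultaneous-Use limit) applies."""
    groups = [
        g for (g,) in conn.execute(
            "SELECT GroupName FROM usergroup WHERE UserName = ? ORDER BY priority",
            (username,),
        )
    ]
    items = []
    for g in groups:
        for attr, op, value in conn.execute(
            "SELECT Attribute, op, Value FROM radgroupcheck WHERE GroupName = ?", (g,)
        ):
            items.append((g, attr, op, value))
    return items


def simultaneous_use_limit(conn, username):
    """The limit the session check would enforce, or None when no item matched."""
    for _group, attr, _op, value in group_check_items(conn, username):
        if attr == "Simultaneous-Use":
            return int(value)
    return None


def orphaned_group_names(conn):
    """Group names referenced from usergroup that have no radgroupcheck rows:
    the typo class from this thread shows up here as a non-empty list."""
    return [
        g for (g,) in conn.execute(
            "SELECT DISTINCT GroupName FROM usergroup "
            "WHERE GroupName NOT IN (SELECT GroupName FROM radgroupcheck)"
        )
    ]


if __name__ == "__main__":
    for label, rows in (("as posted", USERGROUP_AS_POSTED), ("fixed", USERGROUP_FIXED)):
        db = build_db(rows)
        print(label, "-> limit for thomas:", simultaneous_use_limit(db, "thomas"),
              "orphaned groups:", orphaned_group_names(db))
```

Note that the op column in radgroupcheck is not what hides the check here; swapping '==' for ':=' (as the poster tried) changes nothing while the join on GroupName finds no rows.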
Re: Current Opensource radius accounting details parser
On Wed 11 Apr 2007, Murray Hooper wrote:
> Are there any open source programs that parse the accounting logs produced by freeradius? I can find a couple in Google, but they appear to have been left behind in 1999.

Hi Murray

I have been using some code I wrote called detail2db.pl, which is a modified version of h323detail2db.pl (which is part of FreeRADIUS) which is specific to Cisco H323 VoIP VSAs. This version pretty much uses standard radius attributes. While I have been using it in production for many years I haven't got around to releasing it because I have been planning to rewrite it in python, or in absence of that at least with a separate config file. The code is horrid, and I hardly remember how some bits of it work, but it DOES work. Anyway, for what it's worth, here it is. I guess I will stick it into FreeRADIUS cvs later today also.

It does have the advantages of automatically handling detail files compressed with a number of compression formats (I auto compress my detail files from cron to save space), of handling multiple detail files at once, of deleting duplicate records when it finds them in the DB, and of being stupidly difficult to understand and modify :-D

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

[attachment: detail2db.pl - Perl program]
Re: Simultaneous-Use problem
On 4/12/2007, Milan Holub [EMAIL PROTECTED] wrote:
> Hi,
>
> On Thu, Apr 12, 2007 at 07:14:48AM +, PD wrote:
> > Dear all,
> >
> > We have the problem regarding the above subject...
> >
> > mysql> select * from radgroupcheck;
> > +----+-----------+------------------+----+-------+
> > | id | GroupName | Attribute        | op | Value |
> > +----+-----------+------------------+----+-------+
> > |  1 | POSTPAID  | Simultaneous-Use | == | 1     |
> > |  2 | PREPAID   | Simultaneous-Use | == | 1     |
> > +----+-----------+------------------+----+-------+
> > 2 rows in set (0.01 sec)
> >
> > mysql> select * from usergroup;
> > +----------+-----------+----------+
> > | UserName | GroupName | priority |
> > +----------+-----------+----------+
> > | thomas   | POSPAID   |        1 |
> > | christie | POSPAID   |        1 |
> > +----------+-----------+----------+
> > 2 rows in set (0.01 sec)
>
> == I believe you have a typo in the tables:
>
> radgroupcheck: groupname=POSTPAID
> usergroup:     groupname=POSPAID
>
> which means that the Simultaneous-Use check is not performed because the user does not match the requested group...

Arrghh... yeah.. I did not realize this... thank you for your correction. We will try it again..

TIA
PD
User never get disconnected (was Re: Simultaneous-Use problem)
On 4/12/2007, Milan Holub [EMAIL PROTECTED] wrote:
> .cut...
>
> == I believe you have a typo in the tables:
>
> radgroupcheck: groupname=POSTPAID
> usergroup:     groupname=POSPAID

I still have another problem... many of the radacct table records are incomplete. We know the user already disconnected (either by clicking the logout button or just shutting his/her computer down), but the information did not get saved. In the radacct table, many previous records with the same mac address and user name still show as connected.

Questions..
+ what is the cause of this problem?
+ how to delete these entries daily (perhaps with crontab)?

TIA
PD
Re: User never get disconnected (was Re: Simultaneous-Use problem)
On Thu, Apr 12, 2007 at 07:42:16AM +, PD wrote:
> I still have another problem... many of the radacct table records are incomplete. We know the user already disconnected (either by clicking the logout button or just shutting his/her computer down), but the information did not get saved. In the radacct table, many previous records with the same mac address and user name still show as connected.
>
> Questions..
> + what is the cause of this problem?
> + how to delete these entries daily (perhaps with crontab)?

== is Accounting-STOP reaching your radius? you can find out by running in debug mode: freeradius -X

== is the correct query run on your database? check the accounting_ queries in your sql/mysql-dialup.conf
 * check your DB log files: eg. with mysql: tail -f /var/log/mysql/mysql.log
 * try to run the query manually - does it update the radacct table?

> TIA
> PD

Milan Holub
Re: Simultaneous-Use problem
Operator should be :=.

Check first that you have sql checking enabled in radiusd.conf:

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
    # radutmp
    #
    # See Simultaneous Use Checking Querie in sql.conf
    sql
}

Then set nastype in clients.conf to other. If it works after that, the problem is most likely the OID that checkrad uses. You will need to find the correct one for your NAS and alter it in checkrad. Then you can change other to cisco or whatever.

Ivan Kalik
Kalik Informatika ISP

On 12/4/2007, PD [EMAIL PROTECTED] wrote:
> Dear all,
>
> We have the problem regarding the above subject...
>
> mysql> select * from radgroupcheck;
> +----+-----------+------------------+----+-------+
> | id | GroupName | Attribute        | op | Value |
> +----+-----------+------------------+----+-------+
> |  1 | POSTPAID  | Simultaneous-Use | == | 1     |
> |  2 | PREPAID   | Simultaneous-Use | == | 1     |
> +----+-----------+------------------+----+-------+
> 2 rows in set (0.01 sec)
>
> mysql> select * from usergroup;
> +----------+-----------+----------+
> | UserName | GroupName | priority |
> +----------+-----------+----------+
> | thomas   | POSPAID   |        1 |
> | christie | POSPAID   |        1 |
> +----------+-----------+----------+
> 2 rows in set (0.01 sec)
>
> and at sql.conf..
>
> ...
> # Uncomment simul_count_query to enable simultaneous use checking
> # simul_counT_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
> ...
>
> But.. the same user id is still able to login at the same time on a different terminal / pc. I already tried to change the op on radcheck from '==' to ':=' or '=' but the same problem still persists.
>
> What could be wrong?
>
> TIA
> PD
freeradius with samba domain, port-access and vlan-assignment
Dear members,

Thank you so far for your help, but I guess I have to describe my problem a second time.

I try to set up a security solution for a network using freeradius. I want to port authenticate all clients on an HP switch and assign a vlan to each port dynamically. The WXPSP2 hosts are members of a samba domain, and this is the problem. I'll try to describe what is happening:

If I configure the WXPSP2 for using login username and pwd for network authentication: the host is booting and the switch asks EAP-Request. When I enter the username and pwd, windows opens "Can't find the domain controller" and finishes. This is logical, due to the fact that the host is not legal and has no ip address. There is no EAP Response from the host to the switch to get an ip address. So this is not working.

I think there has to be a mechanism that reads in username and pwd, answers the eap request, gets an ip address and gains contact to the domain controller. After this the login on the domain could be done with the entered login information. Have you any hint how to implement such a mechanism, or have you ever done something like this? I can't imagine that I am the first one having this problem.

The workaround would be to configure network authentication with the computer login. In this case, the WXPSP2 host boots, gets connection to the switch, the switch sends eap-request, and the host answers with the computer information. Now the host has port access to the switch and could gain an ip address. Now login on samba would be possible. The bad thing is that every legal domain computer automatically has access to the network. Ok, that would be a minor disadvantage, but I can only authenticate the client one time (the switch asks only one time for authentication). If access to the port is granted, there is no second need for the switch to ask again. But I want to assign a vlan ID dynamically, depending on the USER, not on the computer.

A vlan assignment to the switch by the samba domain controller seems to be impossible because the switch doesn't participate in the communication between host and samba domain controller in the same way it does between host and radius.

Could you give me a hint how to exit this disaster?

Thanks and regards - Christian
Re: Generating AAA message for freeradius.
Prateek Gupta wrote:
> User A sends the NSIS request with its keyed hash (generated using User A's key) appended to it to the NSIS server. Now the NSIS server needs to authenticate that request with a Radius server.

Can you point to a specification saying how this hashing works?

> Is there a way to do this, i.e. how to generate an AAA message with the information available, i.e. a string, its keyed hash and User A's id? Assuming that the Radius server has keys of all legitimate users.

Yes. http://www.freeradius.org/freeradius-client/

Alan DeKok.
User never get disconnected (was Re: Simultaneous-Use problem)
On 12/4/2007, PD [EMAIL PROTECTED] wrote:
> snip
> + what is the cause of this problem?
> snip

Either the NAS thinks that users are still connected or your RADIUS server is not receiving Stop packages. If the NAS (NAS, not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in the user (or group) configuration. If RADIUS packets are not being received have a look at your network. The NAS needs a reliable connection to the RADIUS server - you shouldn't have firewalls and such in the way.

> snip
> + how to delete these entries daily (perhaps with crontab)?
> snip

Don't do that. Fix your server communication and then delete stale entries once.

Ivan Kalik
Kalik Informatika ISP
Re: Segmentation fault for SNMP query
Hi Alan,

On Wed, Apr 11, 2007 at 05:51:16PM +0200, Alan DeKok wrote:
> Milan Holub wrote:
> > Hi all,
> > when I've compiled in snmp support (--with-snmp) on current cvs head I got the following segmentation fault (does not matter whether NAS are stored in DB or in clients.conf):
>
> I just committed fixes for SNMP. I haven't tested it, but the code that was obviously wrong isn't there any more.

== I've tested your recent commits. Here are the results:

- when querying the radiusAcc and radiusAuth everything works fine (no segmentation faults); multiple queries give correct results

- when trying to force reload using snmp:

  `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`

  then the 1st reload is OK, but after that, when trying to run either the snmp-read query or the snmp-write query, radius seems to ignore it.

  * there is no debug activity when running with the -X flag, and the result of the snmp-read query is empty; the result of the snmp-write query is the following:

  `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
  Error in packet.
  Reason: (noSuchName) There is no such variable name in this MIB.
  Failed object: radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthServConfigReset.0

Radius itself seems to react to radius packets; only snmp is ignored after the snmp-write query. Completely the same behaviour is observed when doing reload via the HUP signal (using my memory leakage patch for reload).

Please advise.

> Alan DeKok.

Milan Holub
2.0.0-pre0 Out of memory in event.c
Hi.

Some problems with FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Apr 12 2007 at 12:58:32, taken from cvs today:

rad_recv: Access-Request packet from host 127.0.0.1 port 46565, id=8, length=95
        User-Name = carta.skylink.msk.ru
        User-Password = cisco
        Calling-Station-Id = 250099013297573
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 212.119.97.85
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: No '@' in User-Name = carta.skylink.msk.ru, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = carta.skylink.msk.ru
    rlm_realm: Proxying request from user carta.skylink.msk.ru to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched entry DEFAULT at line 106
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
radius_xlat: 'carta.skylink.msk.ru'
rlm_sql (sqlauth): sql_set_user escaped user -- 'carta.skylink.msk.ru'
rlm_sql (sqlauth): Reserving sql socket id: 3
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'carta.skylink.msk.ru' ORDER BY id'
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'carta.skylink.msk.ru' ORDER BY id
radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='carta.skylink.msk.ru' OR CLID='250099013297573' order by priority'
SELECT GroupName FROM usergroup WHERE UserName='carta.skylink.msk.ru' OR CLID='250099013297573' order by priority
rlm_sql (sqlauth): Released sql socket id: 3
rlm_sql (sqlauth): User carta.skylink.msk.ru not found
  modcall[authorize]: module sqlauth returns notfound for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [carta.skylink.msk.ru/cisco] (from client localhost port 0 cli 250099013297573)
auth: Failed to validate the user.
Login incorrect: [carta.skylink.msk.ru/cisco] (from client localhost port 0 cli 250099013297573)
]event.c:1277] Out of memory

Program exited with code 01.
(gdb)

no core unfortunately.

--
Sincerely Yours,
Alexander
User never get disconnected (was Re: Simultaneous-Use problem)
On 4/12/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > + what is the cause of this problem?
>
> Either the NAS thinks that users are still connected or your RADIUS server is not receiving Stop packages. If the NAS (NAS, not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in the user (or group) configuration. If RADIUS packets are not being received have a look at your network. The NAS needs a reliable connection to the RADIUS server - you shouldn't have firewalls and such in the way.

Well... the problem only occurs sometimes.. let's say once or twice every day. The communication between the Radius box and the NAS uses STP cable. Currently we are still in the development stage of the hotspot system. Before implementing it over a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both the start and stop record in the radacct table. I could not find the source of the problem.. perhaps someone else has faced the same problem?

> > + how to delete these entries daily (perhaps with crontab)?
>
> Don't do that. Fix your server communication and then delete stale entries once.

Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.

TIA
PD
Re: User never get disconnected (was Re: Simultaneous-Use problem)
On 4/12/2007, Milan Holub [EMAIL PROTECTED] wrote:
> == is Accounting-STOP reaching your radius? you can find out by running in debug mode: freeradius -X
>
> == is the correct query run on your database? check the accounting_ queries in your sql/mysql-dialup.conf
>  * check your DB log files: eg. with mysql: tail -f /var/log/mysql/mysql.log
>  * try to run the query manually - does it update the radacct table?

Dear Milan,

I am sure both of the above items are correct since the problem only occurs sometimes... once or twice a day. I can see both the start and stop record in the radacct table and/or radius.log when I log in and log out or just shut the computer down without logout.

TIA
PD
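The two problems in this thread meet in the radacct table: the simul_count_query posted earlier counts every row with AcctStopTime = 0, so an old row whose Accounting-Stop never arrived counts as a live session and, with Simultaneous-Use := 1, locks the user out exactly as PD describes. The added example below (written for this page; not FreeRADIUS code) builds a small constructed radacct table in Python's sqlite3, runs that count query as posted, then finds the specific symptom reported here (an open row for a user and MAC that already has a newer open row) and closes those rows once, keeping the accounting record instead of deleting it, which is the one-off cleanup Ivan recommends over a daily cron job. The row values, the timestamp and the reduced column set are constructed; the AcctStopTime = 0 convention and the column names follow the queries quoted in the thread.

```python
import sqlite3

NOW = "2007-04-12 09:00:00"  # constructed reference time, same text format as the rows

# Constructed radacct rows (not from the thread). AcctStopTime = 0 marks an open
# session, matching the "AcctStopTime = 0" test in the posted simul_count_query.
RADACCT = [
    # RadAcctId, AcctSessionId, UserName, CallingStationId, AcctStartTime, AcctStopTime
    (1, "sess-1", "thomas",   "00:11:22:33:44:55", "2007-04-11 08:00:00", "2007-04-11 09:00:00"),
    (2, "sess-2", "thomas",   "00:11:22:33:44:55", "2007-04-11 10:00:00", 0),  # Stop never arrived
    (3, "sess-3", "thomas",   "00:11:22:33:44:55", "2007-04-12 08:45:00", 0),  # the live session
    (4, "sess-4", "christie", "66:77:88:99:aa:bb", "2007-04-12 08:50:00", 0),
]


def build_radacct():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, "
        "UserName TEXT, CallingStationId TEXT, AcctStartTime TEXT, "
        "AcctStopTime DEFAULT 0, AcctTerminateCause TEXT DEFAULT '')"
    )
    conn.executemany(
        "INSERT INTO radacct (RadAcctId, AcctSessionId, UserName, CallingStationId, "
        "AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, ?, ?)", RADACCT,
    )
    return conn


def simul_count(conn, username):
    """The posted simul_count_query, with %{SQL-User-Name} bound as a parameter."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0", (username,)
    ).fetchone()[0]


def superseded_open_sessions(conn):
    """Open rows for which the same user and MAC already has a newer open row:
    the symptom reported in this thread. Returns [(RadAcctId, AcctSessionId, UserName)]."""
    return conn.execute(
        "SELECT a.RadAcctId, a.AcctSessionId, a.UserName FROM radacct a "
        "WHERE a.AcctStopTime = 0 AND EXISTS ("
        "  SELECT 1 FROM radacct b WHERE b.AcctStopTime = 0 "
        "    AND b.UserName = a.UserName AND b.CallingStationId = a.CallingStationId "
        "    AND b.AcctStartTime > a.AcctStartTime) "
        "ORDER BY a.RadAcctId"
    ).fetchall()


def close_sessions(conn, radacct_ids, stop_time):
    """One-off cleanup: close the stale rows (Admin-Reset is a standard RADIUS
    Acct-Terminate-Cause) rather than deleting them. Returns rows changed."""
    with conn:
        cur = conn.executemany(
            "UPDATE radacct SET AcctStopTime = ?, AcctTerminateCause = 'Admin-Reset' "
            "WHERE RadAcctId = ? AND AcctStopTime = 0",
            [(stop_time, rid) for rid in radacct_ids],
        )
        return cur.rowcount


if __name__ == "__main__":
    db = build_radacct()
    print("open sessions for thomas before cleanup:", simul_count(db, "thomas"))  # 2: locked out at limit 1
    stale = superseded_open_sessions(db)
    print("superseded open rows:", stale)
    close_sessions(db, [row[0] for row in stale], NOW)
    print("open sessions for thomas after cleanup:", simul_count(db, "thomas"))   # 1
```

The query only touches rows that have been replaced by a newer session from the same user and MAC, so it never closes a genuinely live session; rows that are merely old without a successor are left for the simul_verify_query / checkrad path to confirm against the NAS.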
rlm_sql: read_groups parameter ignored
Hi Alan, although I remember seeing some posts regarding read_groups are in CVS it's not true. You can setup the config parameter in sql.conf but it's ignored! Here is a simple patch which solves the issue: Index: src/modules/rlm_sql/rlm_sql.c === RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v retrieving revision 1.165 diff -u -r1.165 rlm_sql.c --- src/modules/rlm_sql/rlm_sql.c 5 Apr 2007 10:52:37 - 1.165 +++ src/modules/rlm_sql/rlm_sql.c 12 Apr 2007 09:34:58 - @@ -57,6 +57,8 @@ offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE}, {readclients, PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,do_clients), NULL, no}, + {read_groups, PW_TYPE_BOOLEAN, +offsetof(SQL_CONFIG,read_groups), NULL, yes}, {deletestalesessions, PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,deletestalesessions), NULL, yes}, {num_sql_socks, PW_TYPE_INTEGER, I believe this could be finally added to CVS... Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
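Review bot: the new entry `{read_groups, PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,read_groups), NULL, yes}` only compiles if SQL_CONFIG already has a `read_groups` member; the hunk does not touch the struct, so either that field is already declared in the module header (then the patch is complete) or a second hunk adding it is missing. Also, as shown here the CONF_PARSER strings have lost their double quotes (`{readclients, PW_TYPE_BOOLEAN, ..., no}` where the source has string literals such as `"readclients"` and `"no"`), so the change should be applied from the original file rather than pasted from the archived mail.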
Re: 2.0.0-pre0 Out of memory in event.c
Alexander Serkin wrote:
> ...
> auth: Failed to validate the user.
> Login incorrect: [carta.skylink.msk.ru/cisco] (from client localhost port 0 cli 250099013297573)
> ]event.c:1277] Out of memory

It looks like you don't have a Post-Auth Reject {} section in radiusd.conf. That's OK. I'll fix the code so that it skips it if not found.

Alan DeKok.
Re: Segmentation fault for SNMP query
Milan Holub wrote:
> - when querying the radiusAcc and radiusAuth everything works fine (no segmentation faults); multiple queries give correct results

Thanks.

> - when trying to force reload using snmp:
> `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
> then the 1st reload is OK, but after that, when trying to run either the snmp-read query or the snmp-write query, radius seems to ignore it

SNMP stops working after a HUP or reload. It's a known issue. It should be fixed before 2.0. As always, patches are welcome.

> Reason: (noSuchName) There is no such variable name in this MIB.

Yes. It loses the connection to snmpd, and snmpd therefore says that the RADIUS MIBs are unknown.

Alan DeKok.
rlm_sql: processing radcheck radgroupcheck
Hi all, I'm wondering about procedure of precessing radcheckradgroupcheck database tables. On http://wiki.freeradius.org/Rlm_sql we can read: Group processing then begins if any of the following conditions are met: * The user IS NOT found in radcheck * The user IS found in radcheck, but the check items don't match ... Ok, the first point I can imagine that if the user is not found we still can accept the generic user and give him some reply attributes based on further group processing. But the 2nd point I do not understand. Few lines below on wiki we can read: For any fairly complex setup, it is likely that most of the actual processing will be done in the groups. In these cases, the user entry in radcheck will be of limited use except for things like setting the user's password. In fact in my case(I believe in almost all of the cases) we DO check users against their passwords. If this check fails we should reject the user else we give him reply attributes based on group membership and accept the request. Thus my question is: why to continue in group processing when the check items(password,...) in radcheck do not match? This leads to accepting users giving valid username but incorrect password... Here is my patch which enables read_groups option and targets the issue above(rejects user immediately if it's found that the radcheck failed): Index: src/modules/rlm_sql/rlm_sql.c === RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v retrieving revision 1.165 diff -u -r1.165 rlm_sql.c --- src/modules/rlm_sql/rlm_sql.c 5 Apr 2007 10:52:37 - 1.165 +++ src/modules/rlm_sql/rlm_sql.c 12 Apr 2007 09:54:34 - @@ -57,6 +57,8 @@ offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE}, {readclients, PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,do_clients), NULL, no}, + {read_groups, PW_TYPE_BOOLEAN, +offsetof(SQL_CONFIG,read_groups), NULL, yes}, {deletestalesessions, PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,deletestalesessions), NULL, yes}, {num_sql_socks, PW_TYPE_INTEGER, 
@@ -638,6 +640,11 @@ /* * Only do this if *some* check pairs were returned */ + DEBUG2(rlm_sql (%s): check items, inst-config-xlat_name); + vp_listdebug(check_tmp); + DEBUG2(rlm_sql (%s): items found in packet, inst-config-xlat_name); + vp_listdebug(request-packet-vps); + if (paircompare(request, request-packet-vps, check_tmp, request-reply-vps) == 0) { found = 1; DEBUG2(rlm_sql (%s): User found in group %s, @@ -960,6 +967,11 @@ dofallthrough = fallthrough(reply_tmp); pairxlatmove(request, request-reply-vps, reply_tmp); pairxlatmove(request, request-config_items, check_tmp); + } else { + /* +* check items did not match; do not process groups; return REJECT immediately +*/ + return RLM_MODULE_REJECT; } } Hope this helps someone. Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
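Review bot: the first hunk (the `read_groups` CONF_PARSER entry at line 57) is the same change already posted in the "rlm_sql: read_groups parameter ignored" thread, and carries the same concern: `offsetof(SQL_CONFIG,read_groups)` needs the `read_groups` member to exist in SQL_CONFIG, which this diff does not add; please keep the option in one patch and include the struct change if the field is not already there.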
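Review bot: in the `@@ -638` hunk, `vp_listdebug(check_tmp)` and `vp_listdebug(request->packet->vps)` dump the group's check items and the complete request attribute list at DEBUG2 on every group comparison; for a PAP request that list carries User-Password, and check_tmp can carry password check items. The request is already printed once at the top of the -X trace, so this is tracing scaffolding for the problem described in the mail rather than part of the fix; drop it from the version proposed for CVS, or at least leave out the check_tmp dump.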
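Review bot: in the `@@ -960` hunk the new `else { return RLM_MODULE_REJECT; }` is unconditional, so it changes the documented behaviour quoted at the top of this mail (fall through to group processing when the radcheck items do not match) for every installation, including setups that use non-password check items in radcheck. The surrounding context shows the function continuing after this block, so an early return here also skips whatever cleanup follows (the SQL socket reserved earlier and the check_tmp/reply_tmp lists); tie the reject to the new `read_groups` option or another config switch, and route it through the function's normal exit path rather than returning from inside the block.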
Re: freeradius, windows 2003 ADS - authentication fails
Jacob Jarick wrote:
> Hi I have recently setup freeradius on fedora 6 and I need it to authenticate against windows ADS. Currently the requests come through the AP but are rejected by freeradius.

The reason is in the logs.

> [EMAIL PROTECTED] raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
> Sending Access-Request of id 40 to 127.0.0.1 port 1812
> User-Name = Administrator
> User-Password = tfxsol
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 10
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20

Unfortunately, you've shown radtest giving a reject, but have NOT shown the corresponding debugging output from radtest. Instead, the debugging output is from a login via the AP:

> ...
> rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
> User-Name = TFXSCHOOL\\Administrator

Which is not the radtest packet you quoted above.

> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler

Read eap.conf. Also, see which module is mangling the User-Name attribute.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius, windows 2003 ADS - authentication fails
Thanks for your prompt reply Alan. My 1st post, so forgive the omission; I will clear the logs, then post radtest and the log info tomorrow once at work.

On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Hi I have recently setup freeradius on fedora 6 and I need it to authenticate against windows ADS. Currently the requests come through the AP but are rejected by freeradius.
>
> The reason is in the logs.
>
> > [EMAIL PROTECTED] raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
> > Sending Access-Request of id 40 to 127.0.0.1 port 1812
> > User-Name = Administrator
> > User-Password = tfxsol
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 10
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20
>
> Unfortunately, you've shown radtest giving a reject, but have NOT shown the corresponding debugging output from radtest. Instead, the debugging output is from a login via the AP:
>
> > ...
> > rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
> > User-Name = TFXSCHOOL\\Administrator
>
> Which is not the radtest packet you quoted above.
>
> > rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> > rlm_eap: Failed in handler
>
> Read eap.conf. Also, see which module is mangling the User-Name attribute.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
sql auth problems with 2.0.0-pre
Gurus, maybe I'm pulling some common mistake with my configuration being tested against the cvs snapshot, but no idea which one.

I've an sql profile telling:

some.dotted.user Cleartext-Password = cisco
NAS-IP-Address =~ xxx.xxx.97.(85|86)

The authentication request:

User-Name = some.dotted.user
User-Password = cisco
Calling-Station-Id = 000
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.97.85

gives the access-reject for an unknown (for me) reason:

rlm_sql (sqlauth): sql_set_user escaped user -- 'some.dotted.user'
rlm_sql (sqlauth): Reserving sql socket id: 3
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id'
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id
...
rlm_sql (sqlauth): Released sql socket id: 3
modcall[authorize]: module sqlauth returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [some.dotted.user/cisco] (from client localhost port 0 cli 00)
auth: Failed to validate the user.

I've checked the authorization sql query shown in debug - it properly returns the profile configured.

--
Sincerely Yours, Alexander
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Gurus, maybe I'm pulling some common mistake with my configuration being tested against the cvs snapshot, but no idea which one.
>
> I've an sql profile telling:
>
> some.dotted.user Cleartext-Password = cisco
> NAS-IP-Address =~ xxx.xxx.97.(85|86)

Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute. Try User-Password? Also it's == not = for check items.

> The authentication request:
>
> User-Name = some.dotted.user
> User-Password = cisco
> Calling-Station-Id = 000
> Framed-Protocol = PPP
> Service-Type = Framed-User
> NAS-IP-Address = xxx.xxx.97.85
>
> gives the access-reject for an unknown (for me) reason:
>
> rlm_sql (sqlauth): sql_set_user escaped user -- 'some.dotted.user'
> rlm_sql (sqlauth): Reserving sql socket id: 3
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id'
> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id
> ...
> rlm_sql (sqlauth): Released sql socket id: 3
> modcall[authorize]: module sqlauth returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user
> Login incorrect (No password configured for the user): [some.dotted.user/cisco] (from client localhost port 0 cli 00)
> auth: Failed to validate the user.
>
> I've checked the authorization sql query shown in debug - it properly returns the profile configured.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> Alexander Serkin wrote:
> > Gurus, maybe I'm pulling some common mistake with my configuration being tested against the cvs snapshot, but no idea which one.
> >
> > I've an sql profile telling:
> >
> > some.dotted.user Cleartext-Password = cisco
> > NAS-IP-Address =~ xxx.xxx.97.(85|86)
>
> Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute. Try User-Password? Also it's == not = for check items.

Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok, but then:

rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user

--
Sincerely Yours, Alexander
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute.

No. It's new in 1.1.4 and following. See man rlm_pap.

> Try User-Password? Also it's == not = for check items.

No. Use Cleartext-Password, and :=.

Also check that the pap module is listed last in the authorize section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sql auth problems with 2.0.0-pre
Hi Alexander,

On Thu, Apr 12, 2007 at 02:52:49PM +0400, Alexander Serkin wrote:
> Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok, but then:
>
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user

== post your radiusd.conf; you probably explicitly override the result of sqlauth by setting the Auth-Type to Local somewhere in your config...

> --
> Sincerely Yours, Alexander

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: sql auth problems with 2.0.0-pre
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
> > Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute.
>
> No. It's new in 1.1.4 and following. See man rlm_pap.
>
> > Try User-Password? Also it's == not = for check items.
>
> No. Use Cleartext-Password, and :=.

Oh oops. What was Cleartext-Password introduced for? To support the output of the Auto header function in pap / ldap?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
User never get disconnected (was Re: Simultaneous-Use problem)
If you are happy with reliability then fix checkrad and it will clean these random drops. That is the utility that radiusd calls to check stale entries, and in sql.conf you can enable deletion of such entries. Just make sure that such users are not listed as active by the hotspot. If the NAS thinks they are still logged on, RADIUS can't do anything about it.

Ivan Kalik
Kalik Informatika ISP

On 12/4/2007, PD [EMAIL PROTECTED] wrote:
> On 4/12/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > + what cause of this problem ?
> >
> > Either the NAS thinks that users are still connected or your RADIUS server is not receiving Stop packets. If the NAS (NAS, not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. The NAS needs a reliable connection to the RADIUS server - you shouldn't have firewalls and such in the way.
>
> Well... the problem only persists sometimes.. let's say once or two times every day. The communication between the Radius box and NAS is using STP cable. Currently we are still at the development stage of the hotspot system. Before implementing them on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both the start and stop record on the radacct table. I could not find the problem sources.. perhaps someone else has faced the same problem?
>
> > > + how to delete this entry daily (perhaps with crontab)
> >
> > Don't do that. Fix your server communication and then delete stale entries once.
>
> Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
>
> TIA
> PD
Re: sql auth problems with 2.0.0-pre
Milan Holub wrote:
> Hi Alexander,
>
> On Thu, Apr 12, 2007 at 02:52:49PM +0400, Alexander Serkin wrote:
> > Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok, but then:
> >
> > rad_check_password: Found Auth-Type Local
> > auth: type Local
> > auth: No password configured for the user
>
> == post your radiusd.conf; you probably explicitly override the result of sqlauth by setting the Auth-Type to Local somewhere in your config...

Yes I did. In the users file:

users: Matched entry DEFAULT at line 106:
DEFAULT Huntgroup-Name == MSK, Realm == NULL, Auth-Type := Local

Changed the line to

DEFAULT Huntgroup-Name == MSK, Realm == NULL

and added pap to the end of the authorize section. Now with a different negative result:

modcall[authorize]: module sqlauth returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

--
Sincerely Yours, Alexander
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> What was Cleartext-Password introduced for?

Because putting User-Password in the users file was wrong. User-Password is an attribute that goes in an Access-Request. Cleartext-Password does not go in any packet. Instead, it is an internal server configuration that tells the server what the user's known good password is.

The server then uses Cleartext-Password to compare to User-Password for PAP. Or, it hashes Cleartext-Password for CHAP. Or, it hashes it a different way for MS-CHAP.

> To support the output of the Auto header function in pap / ldap?

Partially, yes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
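To make the distinction above concrete, here is an added Python illustration (not FreeRADIUS code, and not the server's actual implementation) of how a server turns the stored Cleartext-Password into a PAP comparison and a CHAP digest check. The shared secret, the user table and every packet value are constructed samples, and the RFC 2865 User-Password hiding is implemented inline so that the PAP side can be exercised end to end.

```python
"""Added illustration, not FreeRADIUS code: how a server uses the stored
Cleartext-Password (a server-side check item that never appears in a packet)
to verify the User-Password attribute for PAP and the CHAP-Password attribute
for CHAP.  Shared secret, user table and packet values are constructed samples.
"""
import hashlib
import secrets

# Constructed sample of what the radcheck table holds for one user:
# some.dotted.user  Cleartext-Password := cisco
KNOWN_GOOD = {"some.dotted.user": "cisco"}
SHARED_SECRET = b"testing123"  # sample client shared secret


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: how a NAS hides User-Password before sending it.
    Each 16-byte block is XORed with MD5(secret + previous block); the first
    block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme: recover the cleartext User-Password."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ k for h, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def pap_check(user: str, hidden_user_password: bytes, authenticator: bytes,
              secret: bytes = SHARED_SECRET) -> bool:
    """PAP: compare the revealed User-Password against Cleartext-Password."""
    known = KNOWN_GOOD.get(user)
    if known is None:
        return False  # the situation rlm_pap reports as "No known good password"
    supplied = pap_reveal(hidden_user_password, secret, authenticator)
    return secrets.compare_digest(supplied, known.encode())


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_check(user: str, chap_password: bytes, challenge: bytes) -> bool:
    """CHAP: the server cannot compare passwords directly; it hashes the stored
    Cleartext-Password with the client's id and challenge and compares digests.
    chap_password is the CHAP-Password attribute value: one id byte followed
    by the 16-byte response."""
    known = KNOWN_GOOD.get(user)
    if known is None or len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, known.encode(), challenge)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    auth = secrets.token_bytes(16)  # Request Authenticator chosen by the NAS
    hidden = pap_hide(b"cisco", SHARED_SECRET, auth)
    print("PAP ok:", pap_check("some.dotted.user", hidden, auth))
    chal = secrets.token_bytes(16)
    attr = bytes([1]) + chap_response(1, b"cisco", chal)
    print("CHAP ok:", chap_check("some.dotted.user", attr, chal))
```

Note that both checks need the cleartext value on the server side: a hashed password in the database would still work for PAP but never for CHAP, which is one reason the attribute is a server-internal configuration item rather than something that can be carried in a packet.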
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Yes I did. In the users file:
>
> users: Matched entry DEFAULT at line 106:
> DEFAULT Huntgroup-Name == MSK, Realm == NULL, Auth-Type := Local

Don't set Auth-Type. It's wrong, and it's breaking the server. DO tell the server what the user's known good password is.

> Changed the line to
>
> DEFAULT Huntgroup-Name == MSK, Realm == NULL
>
> and added pap to the end of the authorize section. Now with a different negative result:
>
> modcall[authorize]: module sqlauth returns ok for request 0
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> modcall[authorize]: module pap returns noop for request 0
> modcall: group authorize returns ok for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.

This is because the server didn't find a Cleartext-Password for the request.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius, windows 2003 ADS - authentication fails
OK, 1st off here is the document I have been following: http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf

I have managed to get all tests and commands working except for radtest (which I found out via google) and having an xpro client login via wireless (as per the guide). Sorry about only posting the debug info from the wireless session and only the results from radtest; as I said earlier I will retest tomorrow and repost correctly.

I definitely need to find out what is mangling the user name; the document also mentions something about it (which I did follow):

Make sure that the following lines are uncommented and that the value is the same as indicated here.

authtype = MS-CHAP
with_ntdomain_hack = yes

Ntdomain_hack is necessary to correct an error due to the challenge/response and the format in which the user information is sent.

I just re-read the eap.conf I included; all seems fine (but don't take my word on that). The only bit I'm curious about is:

# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}

It's inside the peap { brackets. Should the mschapv2 brackets have any configuration options?

I've been doing some more looking at the config files (I can only read the attached ones atm).

Thanks again for the help :)

On 4/12/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Thanks for your prompt reply Alan. My 1st post, so forgive the omission; I will clear the logs, then post radtest and the log info tomorrow once at work.
>
> On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > Jacob Jarick wrote:
> > > Hi I have recently setup freeradius on fedora 6 and I need it to authenticate against windows ADS. Currently the requests come through the AP but are rejected by freeradius.
> >
> > The reason is in the logs.
> >
> > > [EMAIL PROTECTED] raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
> > > Sending Access-Request of id 40 to 127.0.0.1 port 1812
> > > User-Name = Administrator
> > > User-Password = tfxsol
> > > NAS-IP-Address = 255.255.255.255
> > > NAS-Port = 10
> > > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20
> >
> > Unfortunately, you've shown radtest giving a reject, but have NOT shown the corresponding debugging output from radtest. Instead, the debugging output is from a login via the AP:
> >
> > > ...
> > > rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
> > > User-Name = TFXSCHOOL\\Administrator
> >
> > Which is not the radtest packet you quoted above.
> >
> > > rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> > > rlm_eap: Failed in handler
> >
> > Read eap.conf. Also, see which module is mangling the User-Name attribute.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Gurus, maybe I'm pulling some common mistake with my configuration being tested against the cvs snapshot, but no idea which one.
>
> I've an sql profile telling:
>
> some.dotted.user Cleartext-Password = cisco
> NAS-IP-Address =~ xxx.xxx.97.(85|86)

The problem is that the regular expression check

NAS-IP-Address =~ xxx.xxx.97.(85|86)

does not work. When I delete this check from sql it works; when I change the check to

NAS-IP-Address == xxx.xxx.97.85

it works too. What has changed since 1.1.5? The construction NAS-IP-Address =~ xxx.xxx.97.(85|86) did work for me there. In radiusd.conf we have:

regular_expressions = yes
extended_expressions = yes

--
Sincerely Yours, Alexander
Re: Freeradius-Users Digest, Vol 24, Issue 60
> Can you point to a specification saying how this hashing works?

A--B(nsis server)-C(radius server)

User A generates a large buffer which contains various Authentication Attributes. A hash of this string is generated using the MD5 algorithm with a key known to both users A and C. This string is appended to the original string and sent over the network. Node B gets this string and extracts various session attributes from it. The attributes extracted should be used to construct the diameter message using the freeradius client library.

On 4/12/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Date: Thu, 12 Apr 2007 10:23:51 +0200
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: Generating AAA message for freeradius.
> To: FreeRadius users mailing list [EMAIL PROTECTED]
>
> Prateek Gupta wrote:
> > User A sends the NSIS request with its keyed hash (generated using User A's key) appended to it to the NSIS server. Now the NSIS server needs to authenticate that request with a Radius server.
>
> Can you point to a specification saying how this hashing works?
>
> > Is there a way to do this i.e. how to generate a AAA message with the information available i.e. a string, its keyed hash and User A's id ? Assuming that the Radius server has keys of all legitimate users.
>
> Yes. http://www.freeradius.org/freeradius-client/
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: ip pool for dynamic users
You could use the same ip pool across two NAS servers if you were only using one radius server to assign IPs. I recommend you either make one radius server handle only one NAS, so the ip pools don't collide, or use rlm_sqlippool across them both as Peter pointed out.

Jan

On 12/04/07, Peter Nixon [EMAIL PROTECTED] wrote:
> On Wed 11 Apr 2007, ann kok wrote:
> > Hi all
> >
> > I am using two radius servers for our DSL clients. but our client has ip conflict issue. it looks like the first radius issues the ip to the A DSL client. but secondary radius doesn't know this ip already allocated and issue this ip to B DSL client. Then two clients have the same ip address and cause the ip conflict.
> >
> > How can we avoid this problem?
>
> Any of the following:
> * Don't use the same pool range on 2 servers (What made you think that this would work?)
> * Use a shared storage backend (sqlippool with shared database)
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
FreeRADIUS 1.1.6 has been released.
The only new features in this release are a few dictionaries. All of the other changes are bug fixes, including the double-frees that were in 1.1.5. We also fixed approximately 30 bugs found by Coverity (http://scan.coverity.com).

One of the bugs found by Coverity was a memory leak in the EAP-TTLS module. We recommend that everyone using EAP-TTLS upgrade to 1.1.6.

See http://freeradius.org for further information, including pointers to the source code, and the security announcement.

Alan DeKok.
assigning vlan based on NAS and LDAP field?
Hi all,

We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a vlan based on that. Pretty simple and it works. However, there are two issues with this:

1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASs are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same vlan ids and the same vlan eligibility rules (ie staff get vlan x and students get vlan y) in order for this to work. I guess I'm hoping there is a way to assign different vlans based on the NAS ip address in addition to the student/staff distinction.

2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same vlans as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.

Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.

Thanks
Matt [EMAIL PROTECTED]
NSIS
Prateek Gupta wrote:
> > Can you point to a specification saying how this hashing works?
>
> A--B(nsis server)-C(radius server)
>
> User A generates a large buffer which contains various Authentication Attributes. A hash of this string is generated using the MD5 algorithm with a key known to both users A and C. This string is appended to the original string and sent over the network. Node B gets this string and extracts various session attributes from it.

That's not a particularly clear explanation, and not a pointer to a specification.

> The attributes extracted should be used to construct the diameter message using the freeradius client library.

FreeRADIUS doesn't implement diameter messages. If you need Diameter, see OpenDiameter.org.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> The problem is that the regular expression check of NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.

In the CVS head?

> What has changed since 1.1.5?

The CVS head is massively re-written.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sql auth problems with 2.0.0-pre
Alan DeKok wrote:
> Alexander Serkin wrote:
> > The problem is that the regular expression check of NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.
>
> In the CVS head?

Yes, I played with CVS head today. Checked a huge amount of regexp variants - none worked.

--
Sincerely Yours, Alexander
Re: User never get disconnected (was Re: Simultaneous-Use problem)
I have been facing the same problem: sometimes the NAS sends the ACCT-STOP packet and the packet gets lost, then the user session stays open and the next time the user tries to login he/she gets the multilogin error. So I have implemented the checkrad.pl script and check simultaneous users through SNMP, and it is working fine, but I don't know why the acct-stop packet gets lost.

I have one more query regarding idle-timeout. If I set idle-timeout to 5 min then the user automatically disconnects if the connection was idle, but suppose the NAS sends the acct-stop packet and the packet gets lost; does idle-timeout work in this case?

PD [EMAIL PROTECTED] wrote:
> On 4/12/2007, [EMAIL PROTECTED] wrote:
> > > + what cause of this problem ?
> >
> > Either the NAS thinks that users are still connected or your RADIUS server is not receiving Stop packets. If the NAS (NAS, not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. The NAS needs a reliable connection to the RADIUS server - you shouldn't have firewalls and such in the way.
>
> Well... the problem only persists sometimes.. let's say once or two times every day. The communication between the Radius box and NAS is using STP cable. Currently we are still at the development stage of the hotspot system. Before implementing them on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both the start and stop record on the radacct table. I could not find the problem sources.. perhaps someone else has faced the same problem?
>
> > > + how to delete this entry daily (perhaps with crontab)
> >
> > Don't do that. Fix your server communication and then delete stale entries once.
>
> Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
>
> TIA
> PD

System administrator ( Data Center )
Re: User never get disconnected (was Re: Simultaneous-Use problem)
checkrad works only for simultaneous detection; it does not fix my stop time entry in sql. Is it possible to modify checkrad to fix the sql stop time in the radacct table?

[EMAIL PROTECTED] wrote:
> If you are happy with reliability then fix checkrad and it will clean these random drops. That is the utility that radiusd calls to check stale entries, and in sql.conf you can enable deletion of such entries. Just make sure that such users are not listed as active by the hotspot. If the NAS thinks they are still logged on, RADIUS can't do anything about it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 12/4/2007, PD wrote:
> > On 4/12/2007, [EMAIL PROTECTED] wrote:
> > > > + what cause of this problem ?
> > >
> > > Either the NAS thinks that users are still connected or your RADIUS server is not receiving Stop packets. If the NAS (NAS, not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. The NAS needs a reliable connection to the RADIUS server - you shouldn't have firewalls and such in the way.
> >
> > Well... the problem only persists sometimes.. let's say once or two times every day. The communication between the Radius box and NAS is using STP cable. Currently we are still at the development stage of the hotspot system. Before implementing them on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both the start and stop record on the radacct table. I could not find the problem sources.. perhaps someone else has faced the same problem?
> >
> > > > + how to delete this entry daily (perhaps with crontab)
> > >
> > > Don't do that. Fix your server communication and then delete stale entries once.
> >
> > Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
> >
> > TIA
> > PD

System administrator ( Data Center )
FreeRadius + Freetds + unixodbc
Hello, I want to try my freeradius with mssql, so I have installed Freeradius 1.3, FreeTDS 0.64 and unixodbc 2.2... I have mssql.conf, odbc.ini, odbcinst.ini and freetds.conf configured. If I run my radiusd in debug mode I always see this error. Does that mean: failed connection?

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

isql or tsql did not work either. Any help?

Regards!
Re: Segmentation fault for SNMP query
On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
> - when trying to force reload using snmp:
>
> `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
>
> then the 1st reload is OK, but after that, when trying to either run the snmp-read query or the snmp-write query, radius seems to ignore it.
>
> * there is no debug activity when running with the -X flag, and the result of the snmp-read query is empty and the result of the snmp-write query is the following:
>
> `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServConfigReset.0 i 2`
> Error in packet.
> Reason: (noSuchName) There is no such variable name in this MIB.
> Failed object: radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthServConfigReset.0
>
> Radius itself seems to react to radius packets; only snmp is ignored after the snmp-write query. Completely the same behaviour is observed when doing reload via the HUP signal (using my memory leakage patch for reload).
>
> Please advise.

Try http://bugs.freeradius.org/show_bug.cgi?id=150

I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.

Kevin Bonner
Re: User never get disconnected (was Re: Simultaneous-Use problem)
for a temp fix I would make your perl script ping said ip before checking for idle (perhaps a sleep timer) or you could simply have each supposed active ip pinged every 1 - 2 minutes by a separate perl script. Would you mind posting your checkrad.pl script, I'm a perl hacker myself :)

On 4/12/07, satish patel [EMAIL PROTECTED] wrote:
I have been facing the same problem: sometimes the NAS sends the ACCT-STOP packet and the packet gets lost, then the user session stays open and the next time the user tries to login he/she gets a multilogin error. So I have implemented the checkrad.pl script and check simultaneous users through SNMP and it is working fine, but I don't know why the acct-stop packet gets lost.
I have one more query regarding idle-timeout: if I set idle-timeout 5 min then the user is automatically disconnected if the connection was idle, but suppose the NAS sends the acct-stop packet and the packet is lost, does idle-timeout work in this case?

PD [EMAIL PROTECTED] wrote:
On 4/12/2007, [EMAIL PROTECTED] wrote:
+ what cause of this problem ?
Either NAS thinks that users are still connected or your RADIUS server is not receiving Stop packages. If NAS (NAS not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. NAS needs reliable connection to RADIUS server - you shouldn't have firewalls and such in the way.
Well... the problem only persists sometimes.. let's say once or twice every day. The communication between the Radius box and the NAS uses STP cable. Currently we are still in the development stage of the hotspot system. Before implementing it on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both start and stop records in the radacct table. I could not find the source of the problem.. perhaps someone else has faced the same problem?
+ how to delete this entry daily (perhaps with crontab)
Don't do that. Fix your server communication and then delete stale entries once.
Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
TIA PD

$ cat ~/satish/url.txt
System administrator ( Data Center ) please visit this site http://linux.tulipit.com
Re: ip pool for dynamic users
Hi Alan

Thank you for your mail. We are using a LNS this time. We are using 2 radius servers. When one radius is down, the 2nd radius can help to authenticate.

Regarding separate ip pools, eg:
radius 1. ip from x.x.x.2 - x.x.x.127
radius 2. ip from x.x.x.128 to x.x.x.254
if radius1 has used up the ips, is the client automatically asking radius2 to get the ip?

Thank you

--- Alan DeKok [EMAIL PROTECTED] wrote:
ann kok wrote: it looks like the first radius issues the ip to the A DSL client. but the secondary radius doesn't know this ip is already allocated and issues this ip to the B DSL client.
You've configured two different RADIUS servers to allocate the same IP to two different people? Why?
How can we avoid this problem?
Each server should have its own IP pool. IP pools should not be shared between servers.
Alan DeKok.
freeradius 2 character delimiter in realm problem
Hello, I am researching my current problem with freeradius not authenticating. The user is rejected because the name is not found; our AD (w2k3) sends usernames to freeradius in this format: domainname\\username. I have tried enabling the nt hack under the ldap section with no luck. Reading through the comments in /etc/raddb/radiusd.conf under the ldap module section I found this though:

# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'

and the setting for realm ntdomain:

#
# 'domain\user'
#
realm ntdomain {
    format = prefix
    delimiter = \\
    ignore_default = no
    ignore_null = no
}

So this leads me to two questions.
1 Is \\ actually \ escaped ?
2 can you have 2 character delimiters (despite what the config comments claim)

Cheers for any info.
Re: Problem when executing radiusd
I had the same issue on fedora 6, the temporary solution is to roll back to FreeRADIUS Version 1.1.3. There is an rpm available if you google. It compiles fine on gentoo though.

On 4/12/07, BOQUET Stephanie [EMAIL PROTECTED] wrote:
Hi, when I execute radiusd, it ends with Abandon: a glibc detected * radiusd : double free or corruption error occurred. Thanks for helping me!
Stephanie
How to supress error log : TLS_accept:error in SSLv3 read client certificate ?
I am running both TTLS and PEAP. Everything seems ok but the radius.log is filling up fast with these error messages. Is the error log configurable?

Thu Apr 12 09:14:51 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Apr 12 09:14:51 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Apr 12 09:14:52 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Re: FreeRADIUS 1.1.6 has been released.
Hi Alan and all core developers involved in this release,

first thanks for your great work on freeradius! I just downloaded the 1.1.6 release via ftp and tried to build debian packages on Etch and rpms on SLES10, here is the almost successful story: ;-)

* debian: building worked just out of the box, but when trying to install freeradius-dialupadmin_1.1.6-0_all.deb it complains about missing php4, but actually php5 is installed (and should work as earlier version of dialupadmin did). the rest of it (i tested right now sql, ldap and eap) works perfect!

* suse linux enterprise server 10: the file suse/freeradius.spec contains the line "Version: 1.1.5" so rpmbuild fails. after changing this to 1.1.6 the build command works, and the packages can be installed without further problems! and the radius server itself of course runs!

now eagerly waiting for 2.0 :-)

regards
markus

Quoting Alan DeKok [EMAIL PROTECTED]:
The only new features in this release are a few dictionaries. All of the other changes are bug fixes, including the double-free's that were in 1.1.5. We also fixed approximately 30 bugs found by Coverity (http://scan.coverity.com). One of the bugs found by Coverity was a memory leak in the EAP-TTLS module. We recommend that everyone using EAP-TTLS upgrade to 1.1.6. See http://freeradius.org for further information, including pointers to the source code, and the security announcement.
Alan DeKok.

--
Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99
[EMAIL PROTECTED] | Fax.: 089 - 89 40 85 98
Skype: markus.krause | iChat: [EMAIL PROTECTED]
--
This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]
kill -HUP
Hi all,

I use freeradius 1.0.1. I did a script that does a kill -HUP of radiusd when someone adds a NAS in the nas MySQL table. It seems to work. But I see freeradius 1.1.6 corrects a bug about HUP. Can you tell me if I'm impacted by the bug corrected in 1.1.6?

Thank you for your help
Thomas
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
Alan DeKok wrote:
Alexander Serkin wrote: The problem is that regular expression check of NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.
In the CVS head?
Yes i played with CVS head today. Checked huge amount of regexp variants - none worked.

Yep can confirm this, .* and .+ matches though, .{4} also matches but .{5} doesn't... strange. H. Seems only to be broken for ipaddr attributes. Still works with string attributes

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
RE: kill -HUP
Read the last two days on the mailing list archives. It's all they've been talking about.

It seems to work. But I see freeradius 1.1.6 corrects a bug about HUP.
Re: User never get disconnected (was Re: Simultaneous-Use problem)
No. Idle-Timeout will work if NAS doesn't realize that user is not online any more. It doesn't help if stop packets are lost. Only checkrad or such routines that check user status with NAS will help there.

Ivan Kalik
Kalik Informatika ISP

On 12/4/2007, satish patel [EMAIL PROTECTED] wrote:
I have been facing the same problem: sometimes the NAS sends the ACCT-STOP packet and the packet gets lost, then the user session stays open and the next time the user tries to login he/she gets a multilogin error. So I have implemented the checkrad.pl script and check simultaneous users through SNMP and it is working fine, but I don't know why the acct-stop packet gets lost.
I have one more query regarding idle-timeout: if I set idle-timeout 5 min then the user is automatically disconnected if the connection was idle, but suppose the NAS sends the acct-stop packet and the packet is lost, does idle-timeout work in this case?

PD [EMAIL PROTECTED] wrote:
On 4/12/2007, [EMAIL PROTECTED] wrote:
+ what cause of this problem ?
Either NAS thinks that users are still connected or your RADIUS server is not receiving Stop packages. If NAS (NAS not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. NAS needs reliable connection to RADIUS server - you shouldn't have firewalls and such in the way.
Well... the problem only persists sometimes.. let's say once or twice every day. The communication between the Radius box and the NAS uses STP cable. Currently we are still in the development stage of the hotspot system. Before implementing it on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both start and stop records in the radacct table. I could not find the source of the problem.. perhaps someone else has faced the same problem?
+ how to delete this entry daily (perhaps with crontab)
Don't do that. Fix your server communication and then delete stale entries once.
Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
TIA PD
Re: User never get disconnected (was Re: Simultaneous-Use problem)
There is a line in (my)sql.conf:

# Remove stale session if checkrad does not see a double login
deletestalesessions = yes

that enables it. I don't know if there is such an entry in mssql.conf.

Ivan Kalik
Kalik Informatika ISP

On 12/4/2007, satish patel [EMAIL PROTECTED] wrote:
checkrad works only for simultaneous detection, it does not fix my stop time entry in sql. Is it possible to modify checkrad to fix the sql stop time in the radacct table?

[EMAIL PROTECTED] wrote:
If you are happy with reliability then fix checkrad and it will clean these random drops. That is the utility that radiusd calls to check stale entries and in sql.conf you can enable deletion of such entries. Just make sure that such users are not listed as active by the hotspot. If NAS thinks they are still logged on, RADIUS can't do anything about it.
Ivan Kalik
Kalik Informatika ISP

On 12/4/2007, PD wrote:
On 4/12/2007, [EMAIL PROTECTED] wrote:
+ what cause of this problem ?
Either NAS thinks that users are still connected or your RADIUS server is not receiving Stop packages. If NAS (NAS not radacct table) shows users as connected you can add Idle-Timeout of about 5 minutes in user (or group) configuration. If RADIUS packets are not being received have a look at your network. NAS needs reliable connection to RADIUS server - you shouldn't have firewalls and such in the way.
Well... the problem only persists sometimes.. let's say once or twice every day. The communication between the Radius box and the NAS uses STP cable. Currently we are still in the development stage of the hotspot system. Before implementing it on a big area, we found some problems, like explained above. When I log in and log out or shut the notebook down without logout, I can see both start and stop records in the radacct table. I could not find the source of the problem.. perhaps someone else has faced the same problem?
+ how to delete this entry daily (perhaps with crontab)
Don't do that. Fix your server communication and then delete stale entries once.
Well.. with simultaneous-use:=1, the same user will not be able to login anymore because radius sees that he / she is still online.
TIA PD
Re: Problem when executing radiusd
Jacob Jarick wrote:
I had the same issue on fedora 6, the temporary solution is to roll back to FreeRADIUS Version 1.1.3. There is an rpm available if you google.

1.1.6 was just released, which fixes this, and other issues.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
LDAP changes between 1.01 and 1.1.5
I've recently moved to 1.1.5, and went from a system that worked perfectly with MS LDAP to one that will no longer find the user groups, using the identical config. Anyone have any ideas? The obvious one is that 1.1.5 throws in all kinds of escape characters, but I'm assuming that is output only.

Ryan Kramer

1.0.1 output:
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter ((cn=DIVISION-WIFI)(|((objectClass=group)(member=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company))((objectClass=GroupOfUniqueNames)(uniquemember=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company
rlm_ldap::ldap_groupcmp: User found in group DIVISION-WIFI

1.1.5 output:
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter ((cn=DIVISION-WIFI)(|((objectClass=group)(member=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany))((objectClass=GroupOfUniqueNames)(uniquemember=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: Group DIVISION-WIFI not found or user is not a member.
Re: NSIS
I have followed all your steps on how to get freeradius to work with AD, but still no luck. How do I go about getting assistance with my configuration?

Donny

On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:
Prateek Gupta wrote:
Can you point to a specification saying how this hashing works?
A--B(nsis server)-C(radius server)
User A generates a large buffer which contains various Authentication Attributes. A hash of this string is generated using the MD5 algorithm with a key known to both users A and C. This hash is appended to the original string and sent over the network. Node B gets this string and extracts various session attributes from it.

That's not a particularly clear explanation, and not a pointer to a specification.

The attributes extracted should be used to construct the diameter message using the freeradius client library.

FreeRADIUS doesn't implement diameter messages. If you need Diameter, see OpenDiameter.org.

Alan DeKok.
Re: FreeRADIUS 1.1.6 has been released.
Hi,

* debian: building worked just out of the box, but when trying to install freeradius-dialupadmin_1.1.6-0_all.deb it complains about missing php4, but actually php5 is installed (and should work as earlier version of dialupadmin did). the rest of it (i tested right now sql, ldap and eap) works perfect!

hmmm, is it PHP5 that should be the dependency on debian now? Etch was released last week so part of me thinks so

* suse linux enterprise server 10: the file suse/freeradius.spec contains the line Version: 1.1.5

argh! there should be a thorough string search for previous versions before release.

alan
Re: How to supress error log : TLS_accept:error in SSLv3 read client certificate ?
CHui wrote:
I am running both TTLS and PEAP. Everything seems ok but the radius.log is filling up fast with these error messages. Is the error log configurable?

No. Upgrade to 1.1.6. The messages will go away.

Alan DeKok.
Re: FreeRADIUS 1.1.6 has been released.
Markus Krause wrote:
first thanks for your great work on freeradius!

You're welcome. A lot of the recent developments that make 2.0 realistic are a result of my recent move across 9 time zones. :)

* suse linux enterprise server 10: the file suse/freeradius.spec contains the line Version: 1.1.5

Whoops. I didn't get that before the release. Oh well.

now eagerly waiting for 2.0 :-)

After the recent back and forth on the list, the new features are looking pretty stable. All we have to do now is fix the HUP issue...

Alan DeKok.
Re: freeradius 2 character delimiter in realm problem
Jacob Jarick wrote:
Hello, I am researching my current problem with freeradius not authenticating. The user is rejected because the name is not found, our AD (w2k3) sends usernames to freeradius in this format domainname\\username.

That's not a 2-character delimiter. It's a backslash, escaped.

I have tried enabling the nt hack under the ldap section with no luck.

There's an nt hack in the LDAP section?

1 Is \\ actually \ escaped ?

Yes.

2 can you have 2 character delimiters (despite what the config comments claim)

No.

Alan DeKok.
Re: FreeRADIUS 1.1.6 has been released.
Alan DeKok wrote:
Markus Krause wrote:
first thanks for your great work on freeradius!

Second that.

You're welcome. A lot of the recent developments that make 2.0 realistic are a result of my recent move across 9 time zones. :)

Yes where are you located in the world ? I've been quite impressed by your ability to post at all times of the day/night. :)

Alan DeKok.
Re: ip pool for dynamic users
ann kok wrote:
Regarding separate ip pools, eg:
radius 1. ip from x.x.x.2 - x.x.x.127
radius 2. ip from x.x.x.128 to x.x.x.254
if radius1 has used up the ips, is the client automatically asking radius2 to get the ip?

No. But you can configure radius1 to proxy the request to radius2 if the IP pool on radius1 is completely allocated.

Alan DeKok.
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
Seems only to be broken for ipaddr attributes. Still works with string attributes

OK, that helps. I did some profiling a while ago, and noticed that the server was printing IP addresses to strings all the time... even when they weren't used. The result was a significant waste of CPU time. The fix was to push the printing to the places that need it, like the regex matches. Maybe I missed one spot, I'll go check.

Alan DeKok.
Re: FreeRADIUS 1.1.6 has been released.
Arran Cudbard-Bell wrote:
Yes where are you located in the world ?

GMT +1.

I've been quite impressed by your ability to post at all times of the day/night. :)

I have a day job which permits me to spend a large amount of time on FreeRADIUS. I have a small child who permits me to not sleep at night. :) The combination results in small amounts of FreeRADIUS work spread across the day and night.

Alan DeKok.
Re: FreeRADIUS 1.1.6 has been released.
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Yes where are you located in the world ?
GMT +1.

Ah GMT here, though would like to be GMT + 1, well the southern part anyway :) Mmm Pizza.

I've been quite impressed by your ability to post at all times of the day/night. :)
I have a day job which permits me to spend a large amount of time on FreeRADIUS. I have a small child who permits me to not sleep at night. :) The combination results in small amounts of FreeRADIUS work spread across the day and night.

Aww bless *sympathy*.

---
Arran
Re: FreeRADIUS 1.1.6 has been released.
Quoting [EMAIL PROTECTED]:
Hi,
* debian: building worked just out of the box, but when trying to install freeradius-dialupadmin_1.1.6-0_all.deb it complains about missing php4, but actually php5 is installed (and should work as earlier version of dialupadmin did). the rest of it (i tested right now sql, ldap and eap) works perfect!
hmmm, is it PHP5 that should be the dependency on debian now? Etch was released last week so part of me thinks so

i am not sure, debian etch (released on 8. april) contains both php4 and php5 and i think there might be a lot of users/admins which still use/prefer php4 on their systems. so what about something like

Package: freeradius-dialupadmin
Architecture: all
Depends: php4 | php4-cgi | php5 | php5-cgi
Recommends: ${perl:Depends}
Suggests: apache2-mpm-prefork | httpd, php4-mysql | php4-pgsql | php5-mysql | php5-pgsql, libdate-manip-perl
Description: set of PHP scripts for administering a FreeRADIUS server
 These scripts provide a web-based interface for administering a FreeRADIUS server which stores authentication information in either SQL or LDAP.

in the debian control file? i don't know if this could lead to something weird, e.g. php5 with php4-mysql or something else, but the average admin should be able to avoid this. at least it works here for me ... (well the pages are displayed correctly in a browser, i can not test more as i am using ldap as backend here)

regards
markus
Re: LDAP changes between 1.01 and 1.1.5
Ryan Kramer wrote:
I've recently moved to 1.1.5, and went from a system that worked perfectly with MS LDAP to one that will no longer find the user groups, using the identical config. Anyone have any ideas? The obvious one is that 1.1.5 throws in all kinds of escape characters, but i'm assuming that is output only.

No. It's part of the LDAP query. In order to avoid external users logging in with names that are valid LDAP queries, the untrusted user input is escaped before it is passed to the LDAP module.

See the *rest* of the debug output for the sequence of string expansions. It looks like you're calling the LDAP module twice, and using the output of the first query as part of the query string for the second query.

Alan DeKok.
Re: LDAP changes between 1.01 and 1.1.5
No. It's part of the LDAP query. In order to avoid external users logging in with names that are valid LDAP queries, the untrusted user input is escaped before it is passed to the LDAP module.

Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. I replaced the code of that function with the much more lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP now!
Re: Segmentation fault for SNMP query
On Thursday 12 April 2007 10:32:18 Kevin Bonner wrote:
On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
Radius itself seems to react on radius packets; only snmp is ignored after the snmp-write query. Completely same behaviour is observed when doing reload via HUP signal (using my memory leakage patch for reload). Please advise.
Try http://bugs.freeradius.org/show_bug.cgi?id=150
I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.

It surprises me that it still applies cleanly (just offset) with the current CVS head. Feel free to test the patch and report results in the bug or on the list. It would be nice to see the bug squashed, but it's become a default patch for my local freeradius build so I haven't been bothered with the issue in a long time.

Kevin Bonner
URGENT: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Hi all!!

We had a correctly working freeradius, but it suddenly failed to authenticate users. It began to work correctly after we restarted the service. Can we avoid this problem? I attach the error log.

Thanks in advance
German

...
...
Wed Apr 11 12:30:40 2007 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Apr 11 12:30:40 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Apr 11 12:30:41 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 11 12:30:41 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Wed Apr 11 12:30:41 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 11 12:30:41 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Wed Apr 11 12:30:41 2007 : Error: TLS Alert write:fatal:bad record mac
Wed Apr 11 12:30:41 2007 : Error: TLS_accept:error in SSLv3 read certificate verify A
Wed Apr 11 12:30:41 2007 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Apr 11 12:30:41 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Apr 11 12:30:42 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 11 12:30:42 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Wed Apr 11 12:30:42 2007 : Error: TLS Alert write:fatal:bad record mac
Wed Apr 11 12:30:42 2007 : Error: TLS_accept:error in SSLv3 read certificate verify A
Wed Apr 11 12:30:42 2007 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Apr 11 12:30:42 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Apr 11 12:30:42 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 11 12:30:42 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Wed Apr 11 12:30:42 2007 : Error: TLS Alert write:fatal:bad record mac
Wed Apr 11 12:30:42 2007 : Error: TLS_accept:error in SSLv3 read certificate verify A
Wed Apr 11 12:30:42 2007 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Apr 11 12:30:42 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Apr 11 12:30:42 2007 : Error: TLS Alert write:fatal:bad record mac
...
...
Re: freeradius 2 character delimiter in realm problem
How would I then tell radius to remove the domain\\ from domain\\user

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
Jacob Jarick wrote:
Hello, I am researching my current problem with freeradius not authenticating. The user is rejected because the name is not found, our AD (w2k3) sends usernames to freeradius in this format domainname\\username.
That's not a 2-character delimiter. It's a backslash, escaped.
I have tried enabling the nt hack under the ldap section with no luck.
There's an nt hack in the LDAP section?
1 Is \\ actually \ escaped ?
Yes.
2 can you have 2 character delimiters (despite what the config comments claim)
No.
Alan DeKok.
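A small model of the prefix split that the realm ntdomain stanza quoted earlier in this thread configures, added here as an illustration for the thread (it is not rlm_realm's code). It assumes only what the config comments and Alan's answers state: the delimiter must be a single character, \\ in radiusd.conf is one escaped backslash, and with format = prefix the text before the delimiter is the realm while the remainder is the stripped user name (FreeRADIUS carries that as Stripped-User-Name). The function names and the sample user names are the example's own; the suffix case (user@realm) is included to show the general form.

```python
r"""Model of the realm module's prefix/suffix split for 'domain\user' names.

Added illustration for this thread, not rlm_realm's code.  It models three
things the thread establishes: the radiusd.conf value '\\' is one escaped
backslash, the delimiter must be a single character, and with
format = prefix the text before the delimiter is the realm while the rest
is the stripped user name (FreeRADIUS carries it as Stripped-User-Name).
"""
from typing import Optional, Tuple


def unescape_config_value(raw: str) -> str:
    r"""Resolve backslash escapes in a config value: '\\' -> '\', '\x' -> 'x'."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def delimiter_is_valid(delimiter: str) -> bool:
    """The config comment says it: the delimiter must be a single character."""
    return len(delimiter) == 1


def split_realm(user_name: str, fmt: str, delimiter: str) -> Tuple[Optional[str], str]:
    r"""Return (realm, stripped_user_name).

    prefix: 'DOMAIN\alice' -> ('DOMAIN', 'alice'), split at the first delimiter.
    suffix: 'alice@example.com' -> ('example.com', 'alice'), split at the last.
    No delimiter present -> (None, user_name): the null-realm case whose
    handling the ignore_null option selects.
    """
    if not delimiter_is_valid(delimiter):
        raise ValueError("delimiter must be a single character")
    if fmt == "prefix":
        idx = user_name.find(delimiter)
        if idx < 0:
            return None, user_name
        return user_name[:idx], user_name[idx + 1:]
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)
        if idx < 0:
            return None, user_name
        return user_name[idx + 1:], user_name[:idx]
    raise ValueError("format must be 'prefix' or 'suffix'")


def ntdomain_strip(user_name: str, raw_delimiter: str = "\\\\") -> Tuple[Optional[str], str]:
    r"""Apply the 'realm ntdomain' settings from the thread (format = prefix,
    delimiter = \\ exactly as written in radiusd.conf) to an incoming User-Name."""
    return split_realm(user_name, "prefix", unescape_config_value(raw_delimiter))


if __name__ == "__main__":
    # Constructed sample names, not from the poster's directory.
    for name in ("CORP\\alice", "bob", "alice@example.com"):
        print(name, "->", ntdomain_strip(name))
```

The answer to the question above falls out of the prefix case: once the realm is recognised, the part after the backslash is what the rest of the configuration should authenticate against, so the domain never has to be removed by hand.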
Re: LDAP changes between 1.01 and 1.1.5
On Thu 12 Apr 2007, Ryan Kramer wrote: No. It's part of the LDAP query. In order to avoid external users logging in with names that are valid LDAP queries, the untrusted user input is escaped before it is passed to the LDAP module. Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. I replaced the code of that function with the much more lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP now! Please open a bug report in the tracker... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP changes between 1.01 and 1.1.5
Ryan Kramer wrote: Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. The code does not distinguish between Microsoft AD and other LDAP servers. I replaced the code of that function with the much more lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP now! I'm curious to know what your queries are, and if you're doing the double queries I suspect. I think that the problem can better be solved by understanding it, rather than by removing the restrictions that prevent people from attacking your LDAP server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation fault for SNMP query
Kevin Bonner wrote: It surprises me that it still applies cleanly (just offset) with the current CVS head. The SMUX code hasn't changed much. It should probably be replaced with AgentX code, but that can be done later... Feel free to test the patch and report results in the bug or on the list. It would be nice to see the bug squashed, but it's become a default patch for my local freeradius build so I haven't been bothered with the issue in a long time. The SMUX code should also try more than 3 times to connect to the SNMP server, and shouldn't try whenever it receives a packet. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2 character delimiter in realm problem
Jacob Jarick wrote: How would I then tell radius to remove the domain\\ from domain\\user Configure the ntdomain instance of the realms module, and make sure it's listed in the authorize section. Then, configure the realm by name in proxy.conf. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
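As an added illustration of the realm stripping Alan refers to (this is example code, not the realm module's source): in prefix format the realm module splits User-Name at the first occurrence of a single delimiter character, so "DOMAIN\user" yields realm DOMAIN and Stripped-User-Name user. The "\\" written in the config is the config-file escape for one backslash, which is why a two-character delimiter cannot be configured. The code below models that split in Python; it assumes the 1.1.x default `realm ntdomain` block with format = prefix and delimiter = "\\", and the exact first-versus-last occurrence behaviour of the real module is not reproduced from its source, so check your own radiusd.conf.

```python
"""Added example (not FreeRADIUS code): a model of prefix-format realm
splitting as the ntdomain realm instance does it, i.e. User-Name
"DOMAIN\\user" -> realm DOMAIN, Stripped-User-Name user."""


def config_unescape(s):
    """Reduce a config-file string to the characters it denotes.

    The text \\\\ in radiusd.conf is one escaped backslash, so the configured
    delimiter is a single character, not two."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])   # take the escaped character literally
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_realm(user_name, delimiter, fmt="prefix"):
    """Return (stripped_user_name, realm), or (user_name, None) when no delimiter.

    fmt="prefix":  REALM<delim>user   (NT domain style, e.g. DOMAIN\\jdoe)
    fmt="suffix":  user<delim>REALM   (e.g. jdoe@example.org)
    """
    if len(delimiter) != 1:
        # Mirrors the list answer: there are no two-character delimiters.
        raise ValueError("realm delimiter must be exactly one character")
    if fmt == "prefix":
        # First delimiter wins, so "DOMAIN\\a\\b" keeps "a\\b" as the user part.
        realm, sep, user = user_name.partition(delimiter)
    elif fmt == "suffix":
        user, sep, realm = user_name.rpartition(delimiter)
    else:
        raise ValueError("fmt must be prefix or suffix")
    if not sep:
        return user_name, None
    return user, realm


if __name__ == "__main__":
    delim = config_unescape("\\\\")          # what delimiter = "\\" means
    print(repr(delim), split_realm("DOMAIN\\jdoe", delim))
    print(split_realm("jdoe@example.org", "@", fmt="suffix"))
```

The realm name that comes out ("DOMAIN") is what has to match the `realm` block in proxy.conf; with the realm marked LOCAL the request stays on this server with the stripped name.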
Re: LDAP changes between 1.01 and 1.1.5
On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote: Ryan Kramer wrote: Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. The code does not distinguish between Microsoft AD and other LDAP servers. Correct, it is very simple code and doesn't care. My guess is that it is Microsoft AD not acting like any other reasonable AD on the planet i suspect. I'll post my exact queries tomorrow, but as I mentioned, the only change was to revert that section of code back to the 1.0.1 version, recompile, and it works great. I hacked away at the configs for about 3 hours without any success using pretty much every trick I could think of to get it working. I SUSPECT something might not be escaped in a manner the MS AD server likes, or maybe just the fact it has any escape sequences built in at all is what is causing it to toss it. Hopefully tomorrow I'll be able to get some logs from our server admins to see exactly what the queries they receive look like. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP changes between 1.01 and 1.1.5
Ryan Kramer wrote: I SUSPECT something might not be escaped in a manner the MS AD server likes, or maybe just the fact it has any escape sequences built in at all is what is causing it to toss it. No. As I have said already, the problem is that the LDAP queries are being escaped. Please pay attention to what I'm saying, it might help you solve the problem. The default install does not do this. The default configuration does not do this. Other people have not run into this problem. The problem is almost definitely the way you are building the queries. i.e. the LDAP queries are built up as: text from config file ldap_escape(other text) text from config ... The text that you, as administrator entered into the configuration file is NEVER escaped. The text that a random user enters as a User-Name is ALWAYS escaped. If you're putting queries into an attribute, and then later using that attribute as part of another query, that text WILL be escaped. The server has no way of telling where that text came from, so it's untrusted. The solution is to carefully examine how you build the queries. There may be simpler ways of doing it, which avoids the double escaping issue. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
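The rule Alan lays out, config text never escaped and request attributes always escaped, is easy to model, and the model shows both why the escaping matters and how the double-escape trap arises. The following is an added example and not rlm_ldap's code: a Python sketch of a filter template expander with RFC 4515 style escaping of the metacharacters `\ * ( )` and NUL. The `%{Attr}` template syntax is modelled on FreeRADIUS xlat, the attribute name `Ldap-UserDn-Filter` is hypothetical, and the exact escape set of rlm_ldap 1.1.5 is not reproduced from its source.

```python
"""Added example (not rlm_ldap's code): escaping of untrusted request
attributes in an LDAP filter built from a trusted config template, and the
double escaping that happens when an already-expanded filter is fed back in."""
import re

# RFC 4515 filter metacharacters; each becomes \XX (hex of the byte).
_LDAP_META = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape a value that came from the request (never from the config)."""
    return "".join(_LDAP_META.get(ch, ch) for ch in value)


# Template syntax modelled on FreeRADIUS xlat: %{Attr} expands a request attribute.
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def build_filter(template, request):
    """Expand a filter template: template text is trusted, attribute values are not."""
    def expand(m):
        return ldap_escape(request.get(m.group(1), ""))
    return _XLAT.sub(expand, template)


def demo():
    """Three cases: normal user, injection attempt, and the double-escape trap."""
    # 1. Normal user: the filter is exactly what the admin intended.
    req = {"User-Name": "rkramer"}
    plain = build_filter("(uid=%{User-Name})", req)

    # 2. Hostile User-Name that would widen the filter to every entry if unescaped.
    req = {"User-Name": "*)(uid=*"}
    hostile = build_filter("(uid=%{User-Name})", req)

    # 3. Double escaping: the result of one expansion is stored in an attribute
    #    (hypothetical name) and interpolated into a second template. The server
    #    cannot know that text was already escaped, so it escapes it again.
    req = {"User-Name": "DOMAIN\\rkramer"}
    first = build_filter("(sAMAccountName=%{User-Name})", req)
    req["Ldap-UserDn-Filter"] = first
    second = build_filter("(&%{Ldap-UserDn-Filter}(objectClass=user))", req)
    return plain, hostile, first, second


if __name__ == "__main__":
    for label, f in zip(("plain", "hostile", "first", "second"), demo()):
        print(f"{label:8s} {f}")
```

The third case is the shape of the problem Alan suspects: the parentheses and the backslash of the first filter come back as `\28`, `\29` and `\5c5c`, which no directory will match. The fix is to reference the original attributes (User-Name and friends) in a single template rather than routing a built-up query through the escaping a second time; weakening the escape function removes the protection in case 2.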
1.1.6 crashes on fedora 6
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib *** glibc detected *** ./sbin/radiusd: double free or corruption (fasttop): 0x09f91ca8 *** === Backtrace: = /lib/libc.so.6[0xcbfefd] /lib/libc.so.6(cfree+0x90)[0xcc3550] /usr/local/lib/libltdl.so.3[0x3d55db] /usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x3d5f6e] ./sbin/radiusd(find_module_instance+0x317)[0x8bcc67] ./sbin/radiusd(setup_modules+0x1e8)[0x8bd108] ./sbin/radiusd(main+0x42c)[0x8c090c] /lib/libc.so.6(__libc_start_main+0xdc)[0xc6ff2c] ./sbin/radiusd[0x8b46b1] === Memory map: 0011-00124000 r-xp fd:00 7745049 /usr/local/lib/libradius-1.1.6.so 00124000-00125000 rwxp 00014000 fd:00 7745049 /usr/local/lib/libradius-1.1.6.so 00125000-00126000 rwxp 00125000 00:00 0 00126000-0012f000 r-xp fd:00 458793 /lib/libnss_files-2.5.so 0012f000-0013 r-xp 8000 fd:00 458793 /lib/libnss_files-2.5.so 0013-00131000 rwxp 9000 fd:00 458793 /lib/libnss_files-2.5.so 001e-001eb000 r-xp fd:00 461338 /lib/libgcc_s-4.1.1-20061011.so.1 001eb000-001ec000 rwxp a000 fd:00 461338 /lib/libgcc_s-4.1.1-20061011.so.1 00218000-0022a000 r-xp fd:00 461341 /lib/libnsl-2.5.so 0022a000-0022b000 r-xp 00012000 fd:00 461341 /lib/libnsl-2.5.so 0022b000-0022c000 rwxp 00013000 fd:00 461341 /lib/libnsl-2.5.so 0022c000-0022e000 rwxp 0022c000 00:00 0 0022e000-0023 r-xp fd:00 461330 /lib/libdl-2.5.so 0023-00231000 r-xp 1000 fd:00 461330 /lib/libdl-2.5.so 00231000-00232000 rwxp 2000 fd:00 461330 /lib/libdl-2.5.so 002eb000-002fe000 r-xp fd:00 461331 /lib/libpthread-2.5.so 002fe000-002ff000 r-xp 00012000 fd:00 461331 /lib/libpthread-2.5.so 002ff000-0030 rwxp 00013000 fd:00 461331 /lib/libpthread-2.5.so 0030-00302000 rwxp 0030 00:00 0 003d2000-003d7000 r-xp fd:00 7763046/usr/local/lib/libltdl.so.3.1.4 003d7000-003d8000 rwxp 4000 fd:00 7763046/usr/local/lib/libltdl.so.3.1.4 00637000-0065 r-xp fd:00 461328 /lib/ld-2.5.so 0065-00651000 r-xp 00018000 fd:00 461328 
/lib/ld-2.5.so 00651000-00652000 rwxp 00019000 fd:00 461328 /lib/ld-2.5.so 0071e000-00723000 r-xp fd:00 458841 /lib/libcrypt-2.5.so 00723000-00724000 r-xp 4000 fd:00 458841 /lib/libcrypt-2.5.so 00724000-00725000 rwxp 5000 fd:00 458841 /lib/libcrypt-2.5.so 00725000-0074c000 rwxp 00725000 00:00 0 007fa000-007fc000 r-xp fd:00 7759006 /usr/local/lib/rlm_exec-1.1.6.so 007fc000-007fd000 rwxp 1000 fd:00 7759006 /usr/local/lib/rlm_exec-1.1.6.so 008b-008ce000 r-xp fd:00 7763256/usr/local/sbin/radiusd 008ce000-008cf000 rwxp 0001e000 fd:00 7763256/usr/local/sbin/radiusd 008cf000-008d rwxp 008cf000 00:00 0 00c5a000-00d91000 r-xp fd:00 461329 /lib/libc-2.5.so 00d91000-00d93000 r-xp 00137000 fd:00 461329 /lib/libc-2.5.so 00d93000-00d94000 rwxp 00139000 fd:00 461329 /lib/libc-2.5.so 00d94000-00d97000 rwxp 00d94000 00:00 0 00e7c000-00e8b000 r-xp fd:00 461343 /lib/libresolv-2.5.so 00e8b000-00e8c000 r-xp e000 fd:00 461343 /lib/libresolv-2.5.so 00e8c000-00e8d000 rwxp f000 fd:00 461343
1.1.3 authenticating via radtest fails, debug output included.
I'm having trouble getting radtest and my wireless clients to authenticate. I have followed the FreeRADIUS Tutorial for AD integration step by step. I'm using freeradius 1.1.3 to authenticate against a Windows 2003 server. I would use a later version but they all (including 1.1.6) segfault on Fedora 6.
files:
clients.conf http://pastebin.ca/437594
eap.conf http://pastebin.ca/437596
radiusd.conf http://pastebin.ca/437597
proxy.conf http://pastebin.ca/437598
radtest output:
[EMAIL PROTECTED] ~]# /usr/bin/radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
Sending Access-Request of id 44 to 127.0.0.1 port 1812
User-Name = Administrator
User-Password = password
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=44, length=20
radiusd -X output:
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = radiusd main: group = radiusd main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy:
post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = (null) mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key--domain=%{mschap:NT-Domain}--username=%{mschap:User-Name}--challenge=%{mschap:Challenge:-00}--nt-response=%{mschap:NT-Response:-00} Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: 
private_key_file = /etc/raddb/certs/cert-srv.pem tls: certificate_file = /etc/raddb/certs/cert-srv.pem tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem tls: private_key_password = whatever tls: dh_file = /etc/raddb/certs/dh tls: random_file = /dev/urandom tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = (null) tls: cipher_list = (null) tls: check_cert_issuer = (null) rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups =
Freeradius + AD2003 Authentication ERROR - Help please !
Me again guys, I have adjusted my config files etc (see links below), but now I'm stuck on this new error and it has me a bit baffled.
Freeradius 1.1.3
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666
I start the wireless connection on XP, enter in user and password, freeradius runs the ntlm_auth command but then it spits out this huge message. It's so big the terminal's buffer isn't big enough, but I have copied and pasted everything I can. Error highlights (stuff that I think may be causing issues):
SSL ERROR: (other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)
Failure to validate user: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain= --username=Administrator --challenge=bb4c397988ae6ebc --nt-response=4a7cd9abdfc2f92680c182845a937f4beb6646c4cddd7de1
Exec-Program output: No such user (0xc064)
Exec-Program-Wait: plaintext: No such user (0xc064)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
PEAP Failure: PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = radiusd main: group = radiusd main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = (null) mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /etc/raddb/certs/cert-srv.pem tls: certificate_file = /etc/raddb/certs/cert-srv.pem tls: CA_file =
HELP: radtest fails local test
Freeradius 1.1.3
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666
A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file; I only need FR to auth against our w2k3 AD server. Any help is appreciated.
[EMAIL PROTECTED] ~]# radtest Administrator pass 127.0.0.1:1812 10 testing123
Sending Access-Request of id 166 to 127.0.0.1 port 1812
User-Name = Administrator
User-Password = tfxsol
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20
radiusd -X
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = radiusd main: group = radiusd main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security:
status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = (null) mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /etc/raddb/certs/cert-srv.pem tls: certificate_file = /etc/raddb/certs/cert-srv.pem tls: CA_file = 
/etc/raddb/certs/demoCA/cacert.pem tls: private_key_password = whatever tls: dh_file = /etc/raddb/certs/dh tls: random_file = /dev/urandom tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = (null) tls: cipher_list = (null) tls: check_cert_issuer = (null) rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/raddb/huntgroups preprocess: hints = /etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23
Re: Freeradius + AD2003 Authentication ERROR - Help please !
Jacob Jarick wrote: I start the wireless connection on XP, enter in user and password, freeradius runs the ntlm_auth command but then it spits out this huge message. It's so big the terminal's buffer isn't big enough, but I have copied and pasted everything I can.
$ script logfile
$ radiusd -X
...
$ exit
$ more logfile
SSL ERROR: (other): SSL negotiation finished successfully rlm_eap: SSL error error::lib(0):func(0):reason(0)
That's fixed in 1.1.6. It's not an error, it just logs too much information.
Failure to validate user: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain= --username=Administrator --challenge=bb4c397988ae6ebc --nt-response=4a7cd9abdfc2f92680c182845a937f4beb6646c4cddd7de1 Exec-Program output: No such user (0xc064) Exec-Program-Wait: plaintext: No such user (0xc064)
The ntlm_auth program returns that there's no such user. Maybe you should try testing with a user other than Administrator.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 1.1.6 crashes on fedora 6
Jacob Jarick wrote: *** glibc detected *** ./sbin/radiusd: double free or corruption ... Its pretty much the same issue I had with 1.1.5 on fedora 6 Are you sure you've removed all of the 1.1.5 libraries and binaries? And the immediate cause of the bug appears to be libltdl, if the backtrace can be believed. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HELP: radtest fails local test
Jacob Jarick wrote: A local test using radtest fails but I am unsure why. It looks like its trying to authenticate against the unix passwd file, Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set. I only need FR to auth against our w2k3 AD server. Any help is appreciated. For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs. It looks like you didn't tell the server to authenticate against AD. Please do so. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html