Re: EAP session matching the State variable.

2008-02-11 Thread Sebastian Heil

  Is there anything I can try to test?
 
 $ cvs update
 $ cd src/modules/rlm_eap
 $ make clean
 $ make
 
   ... and re-run the tests.
 
I am sorry, but my server doesn't have any internet access... so I can't use
cvs for updating.

Is there another easy way to test your patch, Alan?

Sebastian
-- 
The GMX SmartSurfer helps you save up to 70% of your online costs!
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error after updating to freeradius 2.0.1

2008-02-11 Thread Alan DeKok
Joep Ruiter wrote:
 ERROR: Failed to open socket:
 /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port 
 1812

  This is likely due to the system having IPv6 support.  Version 2.0
adds IPv6, and there are issues with binding to IPv4 and IPv6 sockets.

 All 1.1.x versions have run smoothly on my Ubuntu server, this is the first 
 time I get this problem.
 Does anyone know how to fix this?

  Check that nothing is listening on port 1812, even for IPv6.

  Also try posting the full debug log.  Maybe there's another listen
section which is conflicting with the 0.0.0.0:1812.

  Alan DeKok.


error after updating to freeradius 2.0.1

2008-02-11 Thread Joep Ruiter
Hi

After I found out today that FreeRADIUS 2.0.1 was out, I updated my old 1.1.7
release and installed this version. The problem is that it won't start.
I keep getting:

ERROR: Failed to open socket:
/etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port 
1812

All 1.1.x versions have run smoothly on my Ubuntu server, this is the first 
time I get this problem.
Does anyone know how to fix this?

Thanks in advance!
Joep Ruiter



RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
Right I've now managed to get v2.0.1 working on our radius server.
Although for some reason it's not logging to radiusd.log.
Previously we have logged accounting to the log file and the radacct table.
If anyone can spare a thought on why this isn't now logging to the
radiusd.log file I would appreciate it.

Onto the different IP pool per realm...
This still doesn't seem to work.
The debug doesn't show the IP pool being loaded.
Does this still need to be put into radiusd.conf or the sites-enabled file?

Thanks 
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 13:39
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 We are running freeradius on Centos and the most supported package that
gets
 installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have
 installed.

  Ugh.

 I've tried to upgrade by downloading the latest version, 2.0.1.
 Although it builds and installs it doesn't seem to try to connect to my
SQL
 database. When I start the old version with -X I see a lot of mention of
 sql.
 But version 2.0.1 started with -X doesn't seem to say anything apart from
 it's loading the sql.conf file.
 Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf & sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure & debug.

  Alan DeKok.


Re: rlm_perl with huge load (~1000-1500 request per minute)

2008-02-11 Thread Phil Mayers

John S. Doe wrote:

Hello!

I use freeradiusd 1.7, rlm_perl with this thread config:

thread pool {
start_servers =  100
max_servers = 1500
min_spare_servers = 1
max_spare_servers = 10
max_requests_per_server = 10
}

rlm_sql uses mysql.

All works fine, but sometimes, at moments of high load:

Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to 
unfinished request 2176280

and radiusd seems frozen, takes 99% of CPU time, and does not respond to
clients' requests.

FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.


Yikes. You're telling it to start 100 threads, and maybe start 1500 
threads, but to start closing down threads when there are 1-10 inactive. 
You're also telling it to close each thread after it's done 10 requests, 
rather than just running forever.


That is a silly config. The defaults are a long way from that, for a 
good reason.


Set max_requests_per_server = 0 and max_servers no greater than double 
start_servers (at a guess - certainly 1500 is a stupidly large number, 
your OS will never, ever successfully schedule 1500 contending threads)


As for why it's freezing; it could be related to the thread config, but 
more likely your perl module (or another module) is simply taking too 
long to respond. Spawning more threads won't help that - you need to 
solve why the module is responding slowly.


What's the full config? What other modules are you running, any database 
lookups? Why did you change the thread config to something so extreme? 
How many NASes do you have? What's your load like?




any ideas?

Tnx.





Re: rlm_perl with huge load (~1000-1500 request per minute)

2008-02-11 Thread A . L . M . Buxey
Hi,

 Hello!
 
 I use freeradiusd 1.7, rlm_perl with this thread config:
 
 thread pool {
 start_servers =  100
 max_servers = 1500
 min_spare_servers = 1
 max_spare_servers = 10
 max_requests_per_server = 10
 }
 
 rlm_sql uses mysql.
 
 All works fine, but sometimes, at moments of high load:
 
 Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to 
 unfinished request 2176280
 
 and radiusd seems frozen, takes 99% of CPU time, and does not respond to
 clients' requests.
 
 FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.
 
 any ideas?

yep - your database can't keep up with either the authentication traffic,
the accounting traffic or both.

try using sql_log for the accounting - to take it out of 100% realtime
for each incoming packet.


also your config looks a bit wonky.

 thread pool {
 start_servers =  100
 max_servers = 1500
 min_spare_servers = 1
 max_spare_servers = 10
 max_requests_per_server = 10
 }


start servers = 100
max spare servers = 10

so the first thing it has to do is kill a load off(!) - set the spare to 100.
how many SQL threads are you running?

alan


Re: rlm_perl with huge load (~1000-1500 request per minute)

2008-02-11 Thread Alan DeKok
John S. Doe wrote:
 I use freeradiusd 1.7, rlm_perl with this thread config:
 
 thread pool {
...
 max_requests_per_server = 10

  This should always be zero.

 and radiusd seems frozen, takes 99% of CPU time, and does not respond to
 clients' requests.

  Run it in debugging mode (-fxxx for threading) to see what's going on.

  Alan DeKok.
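
The three replies above (Phil Mayers, A.L.M. Buxey and Alan DeKok) point at the same settings: max_requests_per_server should be 0, a max_spare_servers below start_servers means the freshly started threads are killed straight away, and max_servers far beyond double start_servers is more contending threads than the OS can schedule. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a thread pool { } block in radiusd.conf syntax, reports those findings, and emits a corrected block. The thresholds encode the advice given in the replies, not documented FreeRADIUS limits, and the sample block is a constructed copy of the poster's values.

```python
import re
from typing import Dict, List

# Constructed sample: the thread pool block as posted in the thread.
POSTED_THREAD_POOL = """\
thread pool {
    start_servers = 100
    max_servers = 1500
    min_spare_servers = 1
    max_spare_servers = 10
    max_requests_per_server = 10
}
"""

REQUIRED = ("start_servers", "max_servers", "min_spare_servers",
            "max_spare_servers", "max_requests_per_server")


def parse_thread_pool(config_text: str) -> Dict[str, int]:
    """Extract the integer settings of the first thread pool { ... } block."""
    match = re.search(r"thread\s+pool\s*\{(.*?)\}", config_text, re.S)
    if not match:
        raise ValueError("no thread pool { ... } block found")
    settings: Dict[str, int] = {}
    for raw in match.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = int(value.strip())
    missing = [k for k in REQUIRED if k not in settings]
    if missing:
        raise ValueError("thread pool block lacks: " + ", ".join(missing))
    return settings


def check_thread_pool(cfg: Dict[str, int]) -> List[str]:
    """Return the problems the list replies call out, as readable findings."""
    findings: List[str] = []
    if cfg["max_requests_per_server"] != 0:
        findings.append(
            f"max_requests_per_server = {cfg['max_requests_per_server']}: every thread "
            "exits after that many requests and must be respawned; set it to 0")
    if cfg["max_spare_servers"] < cfg["start_servers"]:
        findings.append(
            f"max_spare_servers = {cfg['max_spare_servers']} is below start_servers = "
            f"{cfg['start_servers']}: the server starts {cfg['start_servers']} threads and "
            f"immediately kills {cfg['start_servers'] - cfg['max_spare_servers']} idle ones")
    if cfg["max_servers"] > 2 * cfg["start_servers"]:
        findings.append(
            f"max_servers = {cfg['max_servers']} is more than double start_servers = "
            f"{cfg['start_servers']}: that many contending threads cannot be scheduled usefully")
    if cfg["min_spare_servers"] > cfg["max_spare_servers"]:
        findings.append("min_spare_servers exceeds max_spare_servers")
    return findings


def recommended_thread_pool(cfg: Dict[str, int]) -> Dict[str, int]:
    """Apply the replies' advice mechanically and return a corrected copy."""
    fixed = dict(cfg)
    fixed["max_requests_per_server"] = 0
    fixed["max_spare_servers"] = max(cfg["max_spare_servers"], cfg["start_servers"])
    fixed["max_servers"] = min(cfg["max_servers"], 2 * cfg["start_servers"])
    fixed["min_spare_servers"] = min(cfg["min_spare_servers"], fixed["max_spare_servers"])
    return fixed


def render_thread_pool(cfg: Dict[str, int]) -> str:
    """Render the settings back in radiusd.conf syntax."""
    body = "\n".join(f"    {k} = {cfg[k]}" for k in REQUIRED)
    return "thread pool {\n" + body + "\n}\n"


if __name__ == "__main__":
    posted = parse_thread_pool(POSTED_THREAD_POOL)
    for finding in check_thread_pool(posted):
        print("-", finding)
    print(render_thread_pool(recommended_thread_pool(posted)))
```

Run against the posted block it reports three findings and prints a block with max_requests_per_server = 0, max_spare_servers = 100 and max_servers = 200; the corrected block passes the same checks cleanly.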


Re: EAP session matching the State variable.

2008-02-11 Thread Norbert Wegener
As usual, Alan has done a great job. After more than 7 EAP 
authentications everything is still working fine.

The bug is obviously fixed.
Thanks Alan

Norbert Wegener



Norbert Wegener wrote:

I am running those tests at the moment with the modified version.
I will post the result of 7 authentications later.

Norbert Wegener


Sebastian Heil wrote:

Is there anything I can try to test?
  

$ cvs update
$ cd src/modules/rlm_eap
$ make clean
$ make

  ... and re-run the tests.


I am sorry, but my server doesn't have any internet access... so I 
can't use cvs for updating.


Is there another easy way to test your patch, Alan?

Sebastian
  




Re: EAP session matching the State variable.

2008-02-11 Thread A . L . M . Buxey
Hi,

 i am sorry, but my server doesn't have any internet-access... so, i can't use 
 cvs for updating.

use CVS on another machine, tar up the resulting CVS checkout, copy
it to the server and recompile. it must have networking of some sort
to be a radius server, n'est-ce pas? ;-)

alan


Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
 We are running freeradius on Centos and the most supported package that gets
 installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have
 installed.

  Ugh.

 I've tried to upgrade by downloading the latest version, 2.0.1.
 Although it builds and installs it doesn't seem to try to connect to my SQL
 database. When I start the old version with -X I see a lot of mention of
 sql.
 But version 2.0.1 started with -X doesn't seem to say anything apart from
 it's loading the sql.conf file.
 Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf & sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure & debug.

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
We are running freeradius on Centos and the most supported package that gets
installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have
installed.

I've tried to upgrade by downloading the latest version, 2.0.1.
Although it builds and installs it doesn't seem to try to connect to my SQL
database. When I start the old version with -X I see a lot of mention of
sql.
But version 2.0.1 started with -X doesn't seem to say anything apart from
it's loading the sql.conf file.
Am I missing something here?

That said I do have some debug for the version I am using for trying to
assign a different IP pool per realm.

Here is the section that shows that radius is loading the IP pool:


Module: Loaded IPPOOL
 ippool: session-db = /etc/raddb/db.ippool
 ippool: ip-index = /etc/raddb/db.ipindex
 ippool: range-start = 85.92.168.1 IP address [85.92.168.1]
 ippool: range-stop = 85.92.168.254 IP address [85.92.168.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
 ippool: override = no
 ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)
#



This is the users entry:


DEFAULT Realm == dsl.realm.co.uk, Pool-Name := main_ip_realm1


And here is the debug from a user using the realm logging in:

###

rad_recv: Access-Request packet from host 192.168.1.88:1645, id=245,
length=127
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7
NAS-Port-Type = Virtual
NAS-Port = 2548
NAS-Port-Id = Uniq-Sess-ID2548
Connect-Info = 4522000/1000
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.88
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 14
  modcall[authorize]: module mschap returns noop for request 14
rlm_realm: Looking up realm dsl.realm.co.uk for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm dsl.realm.co.uk
rlm_realm: Proxying request from user leekane to realm dsl.realm.co.uk
rlm_realm: Adding Realm = dsl.realm.co.uk
rlm_realm: Preparing to proxy authentication request to realm
dsl.realm.co.uk
  modcall[authorize]: module suffix returns updated for request 14
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 14
users: Matched DEFAULT at 1
  modcall[authorize]: module files returns ok for request 14
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 21
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 21
  modcall[authorize]: module sql returns notfound for request 14
modcall: group authorize returns updated for request 14
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 14
radius_xlat:
'/var/log/radius/radacct/192.168.1.88/pre-proxy-detail-20080211'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.88/pre-proxy-detail-20080211
  modcall[pre-proxy]: module pre_proxy_log returns ok for request 14
modcall: group pre-proxy returns ok for request 14
Sending Access-Request of id 1 to 88.20.106.18:1645

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread Markus Krause

Quote from David W Bell [EMAIL PROTECTED]:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during authentication.

I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo User-Name = belld,Password=p455w0rd |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
   User-Name = belld
   User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = belld, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=belld)
   expand: dc=dxi,dc=net - dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} - belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
  ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
  ldapsearch -x -h localhost -b dc=dxi,dc=net -D  
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the field  
userPassword the problem is on the LDAP side.


markus


--
 This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]



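
The two ldapsearch runs above decide whether the directory side is at fault: rlm_ldap reads userPassword as the "known good password", and the second search binds as the same administrator DN the debug output shows, so if even that search returns no userPassword the attribute is missing or hidden by the directory's ACLs. As an added example (not code from the thread, from OpenLDAP or from FreeRADIUS), the script below parses ldapsearch's LDIF output (a constructed sample with two entries, including a folded line and a base64 "::" value) and reports, per entry, whether userPassword is present and in which scheme. The scheme-to-Auth-Type mapping reflects FreeRADIUS 2.x rlm_pap behaviour as I know it (it verifies {SSHA}, {SHA}, {MD5}, {CRYPT} and cleartext values, while CHAP needs the cleartext), not anything stated in the thread. One practitioner note on the check itself: -w places the bind password in the process list and shell history, and the debug log above prints it too; ldapsearch's -W prompts for it instead.

```python
import base64
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample of `ldapsearch -x -b dc=dxi,dc=net ...` LDIF output.
# ldapsearch base64-encodes userPassword (the "::" form); the value here is a
# made-up placeholder, not a real hash.
_FAKE_SSHA = base64.b64encode(b"{SSHA}placeholder-not-a-real-hash").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld

dn: uid=belld,ou=people,dc=dxi,dc=net
objectClass: posixAccount
uid: belld
cn: David
  W Bell
userPassword:: {_FAKE_SSHA}

dn: uid=nopw,ou=people,dc=dxi,dc=net
objectClass: posixAccount
uid: nopw

# search result
search: 2
result: 0 Success

# numResponses: 3
"""


def _unfold(text: str) -> List[str]:
    """LDIF folds long values onto continuation lines that start with one space."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries (attribute names lower-cased); comments and the
    trailing search:/result: record, which has no dn, are dropped."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:
        if not line.strip():                       # blank line ends a record
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def password_scheme(entry: Entry) -> str:
    """'missing', 'cleartext', or the {SCHEME} prefix of userPassword, e.g. 'SSHA'."""
    values = entry.get("userpassword")
    if not values:
        return "missing"
    pw = values[0]
    if pw.startswith("{") and "}" in pw:
        return pw[1:pw.index("}")].upper()
    return "cleartext"


# Assumption (FreeRADIUS 2.x rlm_pap): these hashed forms are verifiable for PAP;
# CHAP needs the cleartext password.
PAP_HASHES = {"SSHA", "SHA", "MD5", "CRYPT"}


def usable_auth_types(scheme: str) -> Set[str]:
    if scheme == "cleartext":
        return {"pap", "chap", "mschap"}
    if scheme in PAP_HASHES:
        return {"pap"}
    return set()


def report(ldif_text: str) -> Dict[str, str]:
    """Map each uid to a one-line password status an admin can act on."""
    out: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        scheme = password_scheme(entry)
        if scheme == "missing":
            out[uid] = "no userPassword returned: LDAP side (attribute absent or hidden by ACL)"
        else:
            usable = ", ".join(sorted(usable_auth_types(scheme))) or "no supported Auth-Type"
            out[uid] = f"userPassword scheme {scheme}; usable with {usable}"
    return out


if __name__ == "__main__":
    for uid, status in report(SAMPLE_LDIF).items():
        print(f"{uid}: {status}")
```

Feed it the real output with something like `ldapsearch -x -h localhost -b dc=dxi,dc=net -D cn=Administrator,dc=dxi,dc=net -W uid=belld | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; an entry reported as "missing" under the administrator bind is the LDAP-side problem Markus describes, while a hashed scheme explains why a CHAP or MS-CHAP login fails even though PAP works.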

mod_auth_radius question

2008-02-11 Thread Jeremiah Millay
I have a question regarding mod_auth_radius which doesn't seem to be 
addressed by the included documentation or anything I have found with a 
google search.
When configuring the module in the apache configuration (I'm using the 
latest 1.3 branch) is it possible to specify more than one radius server 
so that it will fail over in the event that the first is down? Something 
like this:


<IfModule mod_auth_radius.c>
#
# AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]]
#
AddRadiusAuth server1.example.com:1645 secret 5:3
AddRadiusAuth server2.example.com:1645 secret 5:3
AddRadiusCookieValid 60
</IfModule>

It seems as though this doesn't work or it wants to use only the last 
one specified. Am I missing something? Anybody have experience trying to 
use this module in a similar setup? It would be great to be able to get 
this working with both of my radius servers.

Thanks in advance!
Jeremiah



eap_tnc.c source not strictly C

2008-02-11 Thread Andrew Hood
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?

src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.

-- 
REALITY.SYS not found: Universe halted.


RE: error after updating to freeradius 2.0.1

2008-02-11 Thread Joep Ruiter


  Check that nothing is listening on port 1812, even for IPv6.

Nothing listening except for ssh.

  Also try posting the full debug log.  Maybe there's another listen
 section which is conflicting with the 0.0.0.0:1812.

  Alan DeKok.

This is the full log:

FreeRADIUS Version 2.0.1, for host i486-pc-linux-gnu, built on Feb 10 2008
at 19:29:19
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = insert-pass-here
nastype = other
 }
 client 192.168.0.1 {
require_message_authenticator = no
secret = secret
shortname = test
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/freeradius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = path here
certificate_file = path here
CA_file = /path herem
private_key_password = secret
dh_file = /etc/freeradius/certs/dh
random_file = /etc/freeradius/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/freeradius/certs/bootstrap
   }
 Module: Linked to sub-module rlm_eap_ttls
 

Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
 Right I've now managed to get v2.0.1 working on our radius server.
 Although for some reason it's not logging to radiusd.log.
 Previously we have logged accounting to the log file and the radacct table.
 If anyone can spare a thought on why this isn't now logging to the
 radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

 Onto the different IP pool per realm...
 This still doesn't seem to work.
 The debug doesn't show the IP pool being loaded.
 Does this still need to be put into radiusd.conf or the sites-enabled file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.


Using the outer envelope attributes in an EAP-TTLS request?

2008-02-11 Thread Marcus Packard

Hi,

I am currently configuring a Cisco WiSM blade (software version 
4.1.185.0) and a FreeRadius Server (Version 1.1.3, for host 
i686-redhat-linux-gnu, built on Apr 25 2007) for EAP-TTLS


I've gotten VLAN override to work on the WiSM (no problem there). 
However, what I am trying to do now is let a user choose between two 
SSIDs, where one SSID supports VLAN overriding and one does not.


The problem I am having is that the WiSM appears to send all the Radius 
attributes like Tunnel-Private-Group-Id in the initial anonymous request 
to the radius server. See below:


rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:32769, id=86, 
length=182

User-Name = anonymous
Calling-Station-Id = 00-13-CE-1A-9F-5D
Called-Station-Id = 00-1D-45-A6-02-10:ISD
NAS-Port = 29
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Identifier = Cisco_d4:2c:6b
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 251
EAP-Message = 0x0211000e01616e6f6e796d6f7573
Message-Authenticator = 0x7ad2cce223c93cf13030c0da463232e5

However they are not included in the TTLS tunnel data see below:

TTLS tunnel data in 0020: 6b 65 00 00
TTLS: Got tunneled request
User-Name = x
User-Password = 
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
User-Name = x
User-Password = x
FreeRADIUS-Proxied-To = 127.0.0.1


I don’t know how (or if it is possible) to combine the outer envelope 
data with the tunnel data in a FreeRadius stanza. (At least it hasn’t 
worked the various ways I have tried). FreeRadius appears (to me) to 
just be using the tunnel data.


I would like to do something (in FreeRadius) like:

DEFAULT AUTH-TYPE := LDAP, Ldap-Group == isd, Airespace-Wlan-Id == 5
Fall-Through = No

or

DEFAULT AUTH-TYPE := LDAP, Tunnel-Private-Group-ID:0 == 251, 
Ldap-Group == isd

Fall-Through = No


The LDAP group attributes are being looked up properly in the previous 
stanzas but the outer envelope data appears not to be used.
Any suggestions on how I can incorporate both? (Note I've tried both 
Tunnel-Private-Group-ID:0 and Tunnel-Private-Group-ID)


Thanks,
Marcus Packard
Campus Network Manager, Information Services Division, Flinders University
GPO Box 2100, Adelaide SA 5001, Australia
tel (work): +61 08 8201 2130
email: [EMAIL PROTECTED]


Re: error after updating to freeradius 2.0.1

2008-02-11 Thread Damjan
   Check that nothing is listening on port 1812, even for IPv6.
 
 Nothing listening except for ssh.
 
Since ssh is TCP, you know that radius is UDP and you need to check with 
netstat -ulnp

 ERROR: Failed to open socket:
 /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port
 1812

BTW 
If you are using some virtualization or similar software, I've heard
some of them don't support binding to 0.0.0.0 so you'll have to bind to
the specific ip address. 


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] 
 -- not my mail address, it's a Jabber ID --^ :)
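
Alan's reply and Damjan's come down to the same check: something may already own UDP 1812, and an IPv6 listener on :: counts because a dual-stack socket claims the IPv4 port as well, which a glance at IPv4 entries alone misses. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the udp/udp6 rows of `netstat -ulnp` output (a constructed sample here; on a real host the PID/Program column is only filled in for processes the caller owns unless run as root) and lists the sockets that would make a bind to a given address and port fail, both for the 0.0.0.0 case from the error message and for the specific-address case Damjan mentions. The conflict rules assume Linux defaults: a :: socket is dual-stack unless IPV6_V6ONLY was set, and a wildcard and a specific address on one port conflict unless both sockets set SO_REUSEADDR.

```python
from typing import List, NamedTuple


class UdpListener(NamedTuple):
    family: str     # "ipv4" or "ipv6"
    address: str    # local address as netstat prints it; 0.0.0.0 and :: are wildcards
    port: int
    program: str    # PID/Program column; "-" when the caller may not see it


# Constructed sample of `netstat -ulnp` output (Linux layout): a radiusd already
# bound to the IPv6 wildcard on 1812/1813 and an unrelated IPv4 service on 1645.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1021/named
udp6       0      0 :::1812                 :::*                                2207/radiusd
udp6       0      0 :::1813                 :::*                                2207/radiusd
udp        0      0 0.0.0.0:1645            0.0.0.0:*                           -
"""


def udp_listeners(netstat_output: str) -> List[UdpListener]:
    """Parse the udp/udp6 rows; UDP rows have no State column, so six fields."""
    found: List[UdpListener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("udp", "udp6"):
            continue
        address, port = fields[3].rsplit(":", 1)     # ":::1812" -> ("::", "1812")
        family = "ipv6" if fields[0] == "udp6" else "ipv4"
        found.append(UdpListener(family, address, int(port), fields[5]))
    return found


def conflicts_for(port: int, listeners: List[UdpListener],
                  bind_addr: str = "0.0.0.0") -> List[UdpListener]:
    """Listeners that would make bind(bind_addr, port) fail with EADDRINUSE.

    Assumes Linux defaults: a :: socket is dual-stack unless IPV6_V6ONLY was
    set, so it owns the IPv4 port too; a wildcard and a specific address on
    the same port conflict unless both sockets set SO_REUSEADDR.
    """
    want_v4 = ":" not in bind_addr
    hits: List[UdpListener] = []
    for l in listeners:
        if l.port != port:
            continue
        if l.address == "::":
            hits.append(l)                      # dual-stack wildcard owns both families
        elif l.address == "0.0.0.0":
            if want_v4 or bind_addr == "::":
                hits.append(l)                  # any IPv4 bind, or a dual-stack :: bind
        elif l.address == bind_addr:
            hits.append(l)                      # same specific address
        elif bind_addr == "::" or (bind_addr == "0.0.0.0" and l.family == "ipv4"):
            hits.append(l)                      # wildcard bind over a specific address
    return hits


def describe(port: int, netstat_output: str, bind_addr: str = "0.0.0.0") -> str:
    """One line saying whether bind_addr:port is free and, if not, who holds it."""
    hits = conflicts_for(port, udp_listeners(netstat_output), bind_addr)
    if not hits:
        return f"UDP {bind_addr}:{port} is free"
    who = "; ".join(f"{h.address}:{h.port} ({h.program})" for h in hits)
    return f"UDP {bind_addr}:{port} is blocked by {who}"


if __name__ == "__main__":
    print(describe(1812, SAMPLE_NETSTAT))
    print(describe(1812, SAMPLE_NETSTAT, "192.168.0.1"))
    print(describe(1645, SAMPLE_NETSTAT, "192.168.0.1"))
```

On the sample, 0.0.0.0:1812 is reported as blocked by the :::1812 radiusd socket, which is exactly the case a check limited to IPv4 rows would miss; binding to a specific address instead, as Damjan suggests, does not escape a dual-stack wildcard either, which the second call shows. To use it on a live host, replace SAMPLE_NETSTAT with the captured output of `netstat -ulnp`.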

Re: EAP session matching the State variable.

2008-02-11 Thread Alan DeKok
Norbert Wegener wrote:
 As usual, Alan has done a great job. After more than 7 EAP
 authentications everything is still working fine.
 The bug is obviously fixed.

  whew!

  Thanks for the testing.  We can release 2.0.2 this week.

  Alan DeKok.


rlm_perl with huge load (~1000-1500 request per minute)

2008-02-11 Thread John S. Doe
Hello!

I use freeradiusd 1.7, rlm_perl with this thread config:

thread pool {
start_servers =  100
max_servers = 1500
min_spare_servers = 1
max_spare_servers = 10
max_requests_per_server = 10
}

rlm_sql uses mysql.

All works fine, but sometimes, at moments of high load:

Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to 
unfinished request 2176280

and radiusd seems frozen, takes 99% of CPU time, and does not respond to
clients' requests.

FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.

any ideas?

Tnx.

-- 
WBR,
 John  mailto:[EMAIL PROTECTED]



Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread Markus Krause

Quote from David W Bell [EMAIL PROTECTED]:


Markus Krause wrote:

Quote from David W Bell [EMAIL PROTECTED]:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally   
and via SSH


I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during   
authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo User-Name = belld,Password=p455w0rd |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
  User-Name = belld
  User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = belld, looking up realm NULL
  rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang   
for details

  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
  expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
  expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
 ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
 ldapsearch -x -h localhost -b dc=dxi,dc=net -D   
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the field  
 userPassword the problem is on the LDAP side.


markus


--
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]




Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~ ldapsearch -x -h localhost -b dc=dxi,dc=net -D
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David

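An added check following Markus's suggestion above; it is not code from the thread, from OpenLDAP or from FreeRADIUS. It parses the LDIF that ldapsearch prints and tells apart the two cases discussed: an entry that carries no userPassword at all (the problem is on the LDAP side) and a userPassword that is returned only to the bind DN (an ACL question: rlm_ldap must bind as an identity allowed to read it). The two LDIF samples are constructed after the output David posted; the password value is a labelled placeholder, not a real hash.

```python
"""Decide from two ldapsearch results whether a missing userPassword is an
LDAP-side problem or an ACL problem.

Added example, not code from the thread. Constructed LDIF modelled on the
output posted in the thread; the password is a labelled placeholder.
"""
import base64

# Result of an anonymous search (ldapsearch -x without -D/-w): constructed.
ANON_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: belld
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Same search bound as the directory administrator: the entry now carries
# userPassword (LDIF base64-encodes it after "::"). Placeholder, not a real hash.
PLACEHOLDER_HASH = b"{SSHA}placeholder-not-a-real-hash"
ADMIN_LDIF = ANON_LDIF.replace(
    "uid: belld\n",
    "uid: belld\nuserPassword:: " + base64.b64encode(PLACEHOLDER_HASH).decode() + "\n",
)


def parse_ldif(text):
    """Parse LDIF into a list of entries (dict attr -> [values]); keeps only entries with a dn."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                  # ldapsearch comment lines
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return [e for e in entries if "dn" in e]


def has_user_password(entry):
    """True if the entry carries a userPassword attribute (any option suffix, any case)."""
    return any(attr.split(";")[0].lower() == "userpassword" for attr in entry)


def diagnose(anon_ldif, admin_ldif):
    """Apply the thread's reasoning to the anonymous and the admin-bound search results."""
    anon, admin = parse_ldif(anon_ldif), parse_ldif(admin_ldif)
    if not admin:
        return "no entry: the search base or filter does not match the user"
    if not has_user_password(admin[0]):
        return "LDAP side: the entry stores no userPassword, so rlm_ldap cannot find a known good password"
    if not (anon and has_user_password(anon[0])):
        return "ACL: userPassword is returned only to the bind DN; rlm_ldap must bind as an identity allowed to read it"
    return "userPassword is readable; look at the RADIUS configuration instead"


if __name__ == "__main__":
    print(diagnose(ANON_LDIF, ADMIN_LDIF))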
Re: EAP session matching the State variable.

2008-02-11 Thread Alan DeKok
Sebastian Heil wrote:
 i don't know, if it's my stupid configuration or the freeradius, that 
 produces following:

  No.  It's a bug.  I committed a fix over the weekend.

...
 Then, the server switches back to normal state-variables...
 example:
 State = 0x03040db7c026e2b769757300

  Even that is wrong.

 is there anything, i can try to test?

$ cvs update
$ cd src/modules/rlm_eap
$ make clean
$ make

  ... and re-run the tests.

  Alan DeKok.


Re: EAP session matching the State variable.

2008-02-11 Thread Sebastian Heil
 Sebastian Heil wrote:
  Hmm, i have the same error in 2.0.1. 
  i did kind of a eap-tls-stress-test with a perl script based on the
 rad_eap_test script. there are a lot of login oks in my log-file, but about
 5-10% are login incorrect with the same error-message as above. 
  
  i did three stress-tests... here the result:
  
  Login OK  Login incorrect
  5290  281
 
   If the State variable is mostly zero, then it's a problem... even if
 authentication succeeds.
 
   Alan DeKok.
 

Hi,
i don't know, if it's my stupid configuration or the freeradius, that produces 
following:

i have two virtual machines (both suse linux 10). on one machine, the 
freeradius-server is running, on the other machine, i have my little 
perl-script, that uses rad_eap_test.

perl-script:
-
#!/usr/bin/perl
use strict;
use warnings;

# Run the EAP-TLS test six times in a row (0..5) and print each result.
my $i = 0;

while ($i <= 5) {
    $i++;
    radtest();
}

# One EAP-TLS authentication via rad_eap_test; the host (-H) is redacted in the original post.
sub radtest {
    my $radiustest = `rad_eap_test -H *** -P 1812 -S testing123 -u sl90001 -m IEEE8021X -e TLS -j /etc/raddb/certs/sl90001_chain.pem -k /etc/raddb/certs/host_sl90001_chain.pem -a /tmp/rootcerts.pem`;
    print $radiustest;
}
--

If I run the script only once, the State variable looks something like this:

State = 0x066227990f682a3467daaa2d38adf01c


If i run the script 3 or 4 times at the same time on my virtual-server, the 
freeradius-server gets some problems... after some time, the server produces 
such state-variables:
example:
State = 0x00010d00

Then, the server switches back to normal state-variables...
example:
State = 0x03040db7c026e2b769757300

and then back to:
State = 0x04050d00

if the complete debug is helpful, alan, i can send it to you...

is there anything, i can try to test?

Sebastian



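An added checker for the symptom Alan describes above (a State that is mostly zero is a problem even when authentication succeeds); it is not part of Sebastian's or Alan's mail and not FreeRADIUS code. It pulls the `State = 0x...` lines out of radiusd debug output and flags values that are shorter than the 16 random bytes a healthy EAP session state should have (the 16-byte expectation is this example's assumption) or that are mostly zero bytes. The sample lines are constructed from the values quoted in this thread.

```python
"""Flag suspicious EAP State attributes in FreeRADIUS debug output.

Added example, not FreeRADIUS code. Assumptions: a healthy State is
EXPECTED_LEN random bytes; a short State, or one with more than
MAX_ZERO_FRACTION zero bytes, points at the session-matching bug
discussed in the thread.
"""
import re

# Constructed sample, modelled on the values posted in the thread.
SAMPLE_DEBUG = """\
    State = 0x066227990f682a3467daaa2d38adf01c
    State = 0x00010d00
    State = 0x03040db7c026e2b769757300
    State = 0x04050d00
"""

EXPECTED_LEN = 16        # assumption: a healthy State is 16 random bytes
MAX_ZERO_FRACTION = 0.5  # more zero bytes than this is not random

STATE_RE = re.compile(r"\bState\s*=\s*0x([0-9a-fA-F]+)")


def parse_states(debug_text):
    """Return every State value in the debug text as bytes, in order."""
    return [bytes.fromhex(m.group(1)) for m in STATE_RE.finditer(debug_text)]


def assess_state(state):
    """Classify one State value; returns (ok, reason)."""
    if len(state) < EXPECTED_LEN:
        return False, f"only {len(state)} bytes, expected {EXPECTED_LEN}"
    zeros = state.count(0)
    if zeros / len(state) > MAX_ZERO_FRACTION:
        return False, f"{zeros} of {len(state)} bytes are zero"
    return True, "looks like random session state"


def scan(debug_text):
    """Return a list of (hex_state, ok, reason) for every State in the text."""
    return [(s.hex(),) + assess_state(s) for s in parse_states(debug_text)]


def summarize(debug_text):
    """Count good and bad State values; a non-zero bad count means trouble."""
    results = scan(debug_text)
    bad = sum(1 for _, ok, _ in results if not ok)
    return {"total": len(results), "bad": bad}


if __name__ == "__main__":
    for hexstate, ok, reason in scan(SAMPLE_DEBUG):
        print(f"{'OK ' if ok else 'BAD'} 0x{hexstate}: {reason}")
    print(summarize(SAMPLE_DEBUG))
```

Run it over the full `radiusd -X` output of a stress run; on the constructed sample only the first value passes, and the 12-byte value Alan calls "wrong" is caught by the length check rather than the zero check.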

Using the outer envelope attributes in an EAP-TTLS request?

2008-02-11 Thread Marcus Packard

Hi all,

My problem has been fixed by setting copy_request_to_tunnel = yes in the eap.conf file.


Thanks to all that responded.

Rgds,





begin:vcard
fn:Marcus Packard
n:Packard;Marcus
org:Flinders University;Information Services Division
adr:GPO Box 2100;;;Adelaide;SA;5001;Australia
email;internet:[EMAIL PROTECTED]
title:Campus Network Manager
tel;work:+61 08 8201 2130
version:2.1
end:vcard


Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell

Markus Krause wrote:

Quoting David W Bell [EMAIL PROTECTED]:


Markus Krause wrote:

Quoting David W Bell [EMAIL PROTECTED]:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally  
and via SSH


I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during  
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
  User-Name = belld
  User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = belld, looking up realm NULL
  rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang  
for details

  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
  expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to 
localhost:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure 
that

the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
  expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
 ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
 ldapsearch -x -h localhost -b dc=dxi,dc=net -D  
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the field 
 userPassword the problem is on the LDAP side.


markus



 




Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~ ldapsearch -x -h localhost -b dc=dxi,dc=net -D
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 

Re: eap_tnc.c source not strictly C

2008-02-11 Thread Alan DeKok
Andrew Hood wrote:
 I know good style says newbies should lurk before posting, but anyway:
 
 Is freeradius supposed to be C89?

  It's supposed to be as portable as possible.

 src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
 
 Is full of C++ comments and C99isms.

  Yes.  Most of those should be fixed.

  As always, patches are welcome.

  Alan DeKok.


Re: EAP session matching the State variable.

2008-02-11 Thread Norbert Wegener

I am running those tests at the moment with the modified version.
I will post the result of 7 authentications later.

Norbert Wegener


Sebastian Heil wrote:

is there anything, i can try to test?
  

$ cvs update
$ cd src/modules/rlm_eap
$ make clean
$ make

  ... and re-run the tests.



i am sorry, but my server doesn't have any internet-access... so, i can't use 
cvs for updating.

is there another easy way to test your patch, alan?

Sebastian
  




Re: Using freeradius integrated with Active Directory to authenticate cisco passwords

2008-02-11 Thread Fernando Coelho
Still not working.

When I added

krb5 {
}

at the radius.conf file, it gave me the following error at startup

/usr/local/etc/raddb/radiusd.conf[589]: Unexpected end of section
Errors reading radiusd.conf


Regards,


2008/2/8, [EMAIL PROTECTED] [EMAIL PROTECTED]:

 Hi,

  Thank you all.
 
  But how do I do this? Does any one has a tutorial about it?


 add the required parts to the radius config files to enable
 krb5 (direct password check) against the AD - you will also need to ensure
 your kerberos environment is sane and works

 eg run the command

 kinit your_user_id

 on the command line to validate that your machine can get a kerberos
 ticket

 the bits you need to add to the radius config are:

 krb5 {
 }

 to the module stanza (radiusd.conf)

 and

 Auth-Type krb5 {
 krb5
 }

 to the authenticate stanza (radiusd.conf in 1.1.x and
 sites-enabled/default
 in radiusd 2.x )

 you MAY need to set Auth-Type = krb5 for the required user or NAS
 setting
 depending on your config!

 alan



Re: segmentation fault over perl script.

2008-02-11 Thread Oguzhan Kayhan
 hello
 i am trying to install freeradius over debian with perl support.
 I am running the same config with same perl script over ubuntu.
 I compiled 1.1.7 version, copied config files and script to same folder.
 and when i try to run it i get the following output.

  Starting - reading configuration files ...
 Using deprecated naslist file.  Support for this will go away soon.
 Module: Loaded exec
 rlm_exec: Wait=yes but no output defined. Did you mean output=none?
 Module: Instantiated exec (exec)
 Module: Loaded expr
 Module: Instantiated expr (expr)
 Module: Loaded PAP
 Module: Instantiated pap (pap)
 Module: Loaded CHAP
 Module: Instantiated chap (chap)
 Module: Loaded MS-CHAP
 Module: Instantiated mschap (mschap)
 Module: Loaded perl
 Module: Instantiated perl (perl)
 Module: Loaded System
 Module: Instantiated unix (unix)
 Module: Loaded eap
 rlm_eap: Loaded and initialized type md5
 rlm_eap: Loaded and initialized type leap
 rlm_eap: Loaded and initialized type gtc
 rlm_eap: Loaded and initialized type mschapv2
 Module: Instantiated eap (eap)
 Module: Loaded preprocess
 Module: Instantiated preprocess (preprocess)
 Module: Loaded realm
 Module: Instantiated realm (suffix)
 Module: Loaded files
 Module: Instantiated files (files)
 Module: Loaded SQL
 rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
 linked
 rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/wireless
 rlm_sql (sql): starting 0
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
 rlm_sql_mysql: Starting connect to MySQL server for #0
 rlm_sql (sql): Connected new DB handle, #0
 rlm_sql (sql): starting 1
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
 rlm_sql_mysql: Starting connect to MySQL server for #1
 rlm_sql (sql): Connected new DB handle, #1
 rlm_sql (sql): starting 2
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
 rlm_sql_mysql: Starting connect to MySQL server for #2
 rlm_sql (sql): Connected new DB handle, #2
 rlm_sql (sql): starting 3
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
 rlm_sql_mysql: Starting connect to MySQL server for #3
 rlm_sql (sql): Connected new DB handle, #3
 rlm_sql (sql): starting 4
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
 rlm_sql_mysql: Starting connect to MySQL server for #4
 rlm_sql (sql): Connected new DB handle, #4
 Module: Instantiated sql (sql)
 Module: Loaded Acct-Unique-Session-Id
 Module: Instantiated acct_unique (acct_unique)
 Module: Loaded detail
 Module: Instantiated detail (detail)
 Module: Loaded radutmp
 

 It starts waiting here..
 When any request submits..
 I just receive a message as
 Segmentation Fault
 and radiusd quits.
 I know this script is working without any problem.
 And the config file is also ok. But i couldn't find the problem
 Any help would be great.



Problem solved..
I recompiled freeradius with ./configure --enable-developer option
And then i noticed that i forgot to add previous dictionary entries that i
use in my mysql tables.














Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell
LDAP is installed and working out of the box, having been set to be used 
for authentication during the SUSE install.


This is proven by the ability to log in to the box, both locally and via SSH

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during 
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing

Received response ID 99, code 3, length = 20

And see the following from freeRADIUS 


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, 
id=99, length=45

   User-Name = belld
   User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = belld, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for 
details

   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS 
config problem.







segmentation fault over perl script.

2008-02-11 Thread Oguzhan Kayhan
hello
i am trying to install freeradius over debian with perl support.
I am running the same config with same perl script over ubuntu.
I compiled 1.1.7 version, copied config files and script to same folder.
and when i try to run it i get the following output.

 Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded perl
Module: Instantiated perl (perl)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/wireless
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp


It starts waiting here..
When any request submits..
I just receive a message as
Segmentation Fault
and radiusd quits.
I know this script is working without any problem.
And the config file is also ok. But i couldn't find the problem
Any help would be great.




Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell

Markus Krause wrote:

Quoting David W Bell [EMAIL PROTECTED]:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and 
via SSH


I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during 
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
   User-Name = belld
   User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = belld, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for 
details

   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to 
localhost:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
  ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
  ldapsearch -x -h localhost -b dc=dxi,dc=net -D 
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the field 
userPassword the problem is on the LDAP side.


markus






Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there 
was no LDAP password set


# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~

I thought this was because LDAP was handing that aspect over to 
something else but your second command shows a password.


[EMAIL PROTECTED]:~ ldapsearch -x -h localhost -b dc=dxi,dc=net -D 
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld

# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: 

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread Markus Krause

Quoting David W Bell [EMAIL PROTECTED]:

Markus Krause wrote:

Quoting David W Bell [EMAIL PROTECTED]:


Markus Krause wrote:

Quoting David W Bell [EMAIL PROTECTED]:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally  
  and via SSH


I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during
Authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
 User-Name = belld
 User-Password = p455w0rd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
 rlm_realm: No '@' in User-Name = belld, looking up realm NULL
 rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man   
unlang  for details

 expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
 expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to   
localhost:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
 expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



what is the result of the following commands (using a terminal):
ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
ldapsearch -x -h localhost -b dc=dxi,dc=net -D
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld


if they (especially the latter) do not return a value for the   
field  userPassword the problem is on the LDAP side.


markus




Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~ ldapsearch -x -h localhost -b dc=dxi,dc=net -D
cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base dc=dxi,dc=net with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: