No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread Denny Schierz
hi,

I tried to get Coova Chilli running, but I have problems with RADIUS and
MySQL. RADIUS works with users from files, but not with MySQL. I can
only see some MySQL messages (connect) on startup, but no queries at all.
The system is Debian Lenny.

sql.conf

sql {
database = mysql

driver = rlm_sql_mysql

server = localhost
login = radius
password = secret

radius_db = radius

acct_table1 = radacct
acct_table2 = radacct

postauth_table = radpostauth

authcheck_table = radcheck
authreply_table = radreply

groupcheck_table = radgroupcheck
groupreply_table = radgroupreply

usergroup_table = radusergroup


deletestalesessions = yes

sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql

num_sql_socks = 5

connect_failure_retry_delay = 60

readclients = yes

nas_table = nas

}

(from a small egrep command; I hope everything is there and OK)


Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 51722, id=2,
length=199
Vendor-14559-Attr-8 = 0x312e302e3132
User-Name = chillispot
User-Password = chillispot
Service-Type = Administrative-User
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 10.1.0.1
Called-Station-Id = 00-0C-29-98-FE-1D
NAS-Identifier = nas01
WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
WISPr-Location-Name = My_HotSpot
Acct-Session-Id = 49aec18f
Message-Authenticator = 0x21b6e2efd764dc022a55ff0b7ecd3072

Wed Mar  4 20:00:03 2009 : Debug: +- entering group authorize
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[preprocess] returns ok
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[chap] returns noop
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[mschap] returns noop
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_realm: No '@' in User-Name =
chillispot, looking up realm NULL
Wed Mar  4 20:00:03 2009 : Debug: rlm_realm: No such realm NULL
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[suffix] returns noop
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   rlm_eap: No EAP-Message, not doing
EAP
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[eap] returns noop
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling unix
(rlm_unix) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
unix (rlm_unix) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket
id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand:  -> 
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id:
2
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from
sql (rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[sql] returns fail
Wed Mar  4 20:00:03 2009 : Auth: Invalid user: [chillispot/chillispot]
(from client localhost port 0)
Wed Mar  4 20:00:03 2009 : Debug:   Found Post-Auth-Type Reject
Wed Mar  4 20:00:03 2009 : Debug: +- entering group REJECT
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 1
Wed Mar  4 20:00:03 2009 : Debug:   expand: %{User-Name} -> chillispot
Wed Mar  4 20:00:03 2009 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[attr_filter.access_reject] returns
updated
Wed Mar  4 20:00:03 2009 : Debug: Delaying reject of request 1 for 1
seconds
Wed Mar  4 20:00:03 2009 : Debug: Going to the next request
Wed Mar  4 20:00:03 2009 : Debug: Waking up in 0.9 seconds.
Wed Mar  4 20:00:04 2009 : Debug: 

RE: No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread Tim Sylvester
Denny,

A couple of things:

1. Check the SQL How To at: http://wiki.freeradius.org/SQL_HOWTO

2. The radcheck table should have entries like:

mysql> select * from radcheck;
+----+------------+--------------------+----------+------+
| id | UserName   | Attribute          | Value    | Op   |
+----+------------+--------------------+----------+------+
|  1 | fredf      | Cleartext-Password | wilma    | :=   |
|  2 | barney     | Cleartext-Password | betty    | :=   |
|  2 | dialrouter | Cleartext-Password | dialup   | :=   |
+----+------------+--------------------+----------+------+
3 rows in set (0.01 sec)

Your table has the Password attribute and Op is ==

3. Send all of the debug output from the radius server. The useful
information is missing from this section of the debug output:

Wed Mar  4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand:  ->
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id:2
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: returned from sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: ++[sql] returns fail
Wed Mar  4 20:00:03 2009 : Auth: Invalid user: [chillispot/chillispot] (from
client localhost port 0)


Tim


Re: No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread tnt
I tried to get Coova Chilli running, but I have problems with RADIUS and
MySQL. RADIUS works with users from files, but not with MySQL. I can
only see some MySQL messages (connect) on startup, but no queries at all.
..
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket
id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand:  -> 
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Queries are in raddb/sql/mysql/dialup.conf. Have you made changes to that
file?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SV: SV: SV: SV: SV: No known good password

2009-03-05 Thread Ove Fagerheim
Given the circumstances, the company has now decided to go forward with a Linux 
solution. I'm going for Ubuntu, since I have a desktop version at home. If 
there are any problems with this brand, I guess you'll give me a warning. ;-)

A big thanks to everyone who responded.

Best regards
Ove

-Original Message-
From: 
freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org 
[mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org]
 On Behalf Of John Dennis
Sent: 4 March 2009 15:21
To: FreeRadius users mailing list
Subject: Re: SV: SV: SV: SV: No known good password


Ove Fagerheim wrote:
 Hmm, that gives me a policy problem, my company *does not* use Linux.

What a marvellous opportunity for you to become a respected and valued employee 
of your company by educating your peers on the many benefits of open source 
operating systems. Perhaps the money you save your company by avoiding 
licensing fees and the reduced cost of administration could be put towards a 
hefty pay raise for you. Seize the day!

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



openvpn client ip attrib

2009-03-05 Thread Hegedus Gabor

HI!

Can you help me?

I don't know how I can send back the client IP address to the openvpn 
client.

The Cisco VPN 3000 works correctly with the cvpn3000 directory.

Is there any directory for openvpn,
or which return attribute name can I use?

Thank you!
Gabor




Can we do sql just once during eap-tls handshake

2009-03-05 Thread Johan F2

We are using eap-tls for authentication, assisted with a database for filling
in some attributes.

FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for
each round.
(Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply).
There are 6-9 rounds depending on certificate chain sizes.

Obviously performance would be better with only one database lookup.

Part of the (attempted) configuration:
authorize {
    preprocess

    eap
    if (I have tried some conditions here) {
        sql
        if (notfound) {
            fail
        }
    }
}

authenticate {
    eap
}

Is there some nice condition that will result in only one lookup in the
database?
A thing that complicates things is that TLS (that declares Success, I believe)
is run during
authenticate, which is later than the attempted database lookup.

The TLS outcome is pretty well known in the second-to-last round:
There are logs saying

[tls] (other): SSL negotiation finished successfully 
SSL Connection Established 

but there is still one Access-Challenge.
So if this fact could be tested in the last round, that test would be a nice
candidate for
doing the sql update.

As an aside: Is there a way to really inspect the client certificate
(preferably the entire chain)
and let it affect some logic (in perl, as an example)?


Re: openvpn client ip attrib

2009-03-05 Thread Thibault Le Meur

Hegedus Gabor wrote:

HI!

Can you help me?

I don't know how I can send back the client IP address to the openvpn 
client.

The Cisco VPN 3000 works correctly with the cvpn3000 directory.

Is there any directory for openvpn,
or which return attribute name can I use?
This is a little off-topic for this list as this is related to your NAS 
(which is openvpn).


Basically I do this by returning the standard Framed-IP-Address 
attribute to the openvpn server.


This implies that your openvpn server is able to understand and process 
this attribute: I use the openvpn radius plugin for this 
(http://www.nongnu.org/radiusplugin/) as the simple pam_radius option 
for openvpn doesn't handle Framed-IP-Address attributes.


For more information, I think the openvpn mailing list will be better 
suited.


Regards,
Thibault


RE: No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread tnt
3. Send all of the debug output from the radius server. The useful
information is missing from this section of the debug output:

Wed Mar  4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand:  ->
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Yes, send the complete debug (include server startup - queries are listed
there). I don't think information was removed from debug. I think that
queries in dialup.conf are missing. Or he has done something to sql.conf
and not included dialup.conf at all.

Ivan Kalik
Kalik Informatika ISP
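As an added example (not code from the thread or from FreeRADIUS itself), here is a small Python triage script for the symptom Tim and Ivan point at above: rlm_sql printing an empty query expansion immediately before "Error generating query". It scans a radiusd -X transcript for that pattern and also checks whether the startup lines show a dialup.conf being read at all, which is what Ivan suspects is missing. The transcripts below are constructed from the lines quoted in the thread; the single-line "expand: ... -> ..." layout and the SELECT text in the healthy sample are assumptions, not output copied from the original poster.

```python
import re

# Constructed sample (not verbatim from the thread): the rlm_sql part of the
# debug output quoted above, preceded by two startup lines of the kind
# radiusd -X prints while reading its configuration.  sql.conf is read but
# no .../sql/mysql/dialup.conf line ever appears.
SAMPLE_DEBUG = """\
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/eap.conf
Wed Mar  4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand:  ->
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug: ++[sql] returns fail
"""

# Constructed healthy counterpart: dialup.conf is included and the template
# on the left of "->" is a real query that expands to a concrete SELECT.
HEALTHY_DEBUG = """\
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug:   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chillispot' ORDER BY id
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug: ++[sql] returns ok
"""

# "expand: <template> -> <result>"; the template is what the module was
# configured with, the result is what it became for this request.
EXPAND_RE = re.compile(r"expand:\s*(?P<template>.*?)\s*->\s*(?P<result>.*)$")


def diagnose_sql_debug(log_text):
    """Summarise rlm_sql query-generation problems seen in a radiusd -X transcript."""
    lines = log_text.splitlines()

    # Startup section: was any .../dialup.conf read while loading the config?
    dialup_conf_included = any(
        line.startswith("including configuration file")
        and line.rstrip().endswith("dialup.conf")
        for line in lines
    )

    # Request section: an empty template followed by the rlm_sql error means
    # the query string the module tried to expand was never defined.
    empty_expansions = 0
    for i, line in enumerate(lines):
        match = EXPAND_RE.search(line)
        if match is None or match.group("template") != "":
            continue
        following = " ".join(lines[i + 1:i + 3])
        if "Error generating query" in following:
            empty_expansions += 1

    if empty_expansions and not dialup_conf_included:
        diagnosis = ("query templates undefined: sql.conf does not $INCLUDE "
                     "sql/<driver>/dialup.conf")
    elif empty_expansions:
        diagnosis = "query templates empty: check the *_query entries in dialup.conf"
    else:
        diagnosis = "no empty rlm_sql query expansions"

    return {
        "dialup_conf_included": dialup_conf_included,
        "empty_query_expansions": empty_expansions,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_DEBUG), ("healthy", HEALTHY_DEBUG)):
        print(name, diagnose_sql_debug(text))
```

Run it against a full `radiusd -X` capture rather than an excerpt: the startup check only works if the "including configuration file" lines are present, which is exactly why Ivan asks for the complete debug output including server startup.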



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread Phil Mayers

Johan F2 wrote:

We are using eap-tls for authentication, assisted with a database for filling
in some attributes.

FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for
each round.
(Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply).
There are 6-9 rounds depending on certificate chain sizes.

Obviously performance would be better with only one database lookup.

Part of the (attempted) configuration:
authorize {
preprocess

eap
if (I have tried some conditions here) {


The default FR 2.0 config has:

authorize {
  eap {
   ok = return
  }
}

...which will do what you want. As always, mangling the default config 
without understanding why it does what it does is a bad idea.



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread Johan F2

Thanks Phil,
I have tried that but regrettably it does not work.
According to my logs eap returns updated every round when doing authorize.
(During the authenticate stage eap returns handled except the last round
where it returns ok)

The comment preceding eap in the default config says:
#  As of 2.0, the EAP module returns ok in the authorize stage
#  for TTLS and PEAP.  In 1.x, it never returned ok here, so
so there is no promise about any improvement when doing EAP-TLS.

Sorry about the ...mangling the default config without understanding...
I am porting an existing config (by someone else) from 1.x so I missed that.
I did examine the log checking the return values from eap though.
/Johan




Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread tnt
Thanks Phil,
I have tried that but regrettably it does not work.
According to my logs eap returns updated every round when doing authorize.
(During the authenticate stage eap returns handled except the last round
where it returns ok)

The comment preceding eap in the default config says:
   #  As of 2.0, the EAP module returns ok in the authorize stage
   #  for TTLS and PEAP.  In 1.x, it never returned ok here, so
so there is no promise about any improvement when doing EAP-TLS.


You can try adding updated = return to eap section in authorize. Not sure
if that breaks anything.

Ivan Kalik
Kalik Informatika ISP



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread Johan F2

I have tested updated = return  and it behaves as expected.
That is authorize always returns without reading the database so the
attributes are never set.

Remember that eap returns updated every round, including the last one where
the database should be consulted.

I need a test that returns true when doing authorize in the same round as
authenticate will return ok.

/Johan




Production servers num_sql_socks

2009-03-05 Thread Stelio Gouveia
I've read a few posts about increasing this value when "There are no DB
handles to use" occurs. Not sure if it's a good idea.

Granted, your DB is fast enough to query quickly.
Upping this value on a slow DB will severely degrade performance.

What sort of values are you guys using for production servers?

-- 
Regards
Stelio Gouveia
--
Skyrove Software Engineer,
Skyrove (Pty) Ltd
Technology Top 100 Award Winner (2006)
Mobile: +27 82 34 09 120
Tel: +27 861 ROVERS (0861 768 377)
Fax: +27 86 6204077
Email  Gtalk: ste...@skyrove.com
Skype: skyrove_sa
Web:   www.skyrove.com


RE: Production servers num_sql_socks

2009-03-05 Thread Ben Wiechman
We set num_sql_socks to 25. We had them set to 10 but ran into issues when
massive numbers of subscribers were attempting to enter the network at once
- for example when we would power cycle a base station with 400 subscribers
on it for maintenance. 

Ben Wiechman



 


Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread tnt
I have tested updated = return  and it behaves as expected.
That is authorize always returns without reading the database so the
attributes are never set.

Remember that eap returns updated every round, including the last one where
the database should be consulted.

I need a test that returns true when doing authorize in the same round as
authenticate will return ok.


Try running authorize:sql in post-auth. Or was it sql:authorize?

Ivan Kalik
Kalik Informatika ISP



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread Johan F2

Both authorize:sql and sql:authorize cause an error "Failed to find module".

Plain
sql
or
sql authorize {
}
lead to the documented post-auth behaviour of sql (that is, writing to the log).

I have not found any documentation about forcing a module into running code
for another phase (authorize when doing post-auth).




Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread Alan DeKok
Johan F2 wrote:
 Both authorize:sql and sql:authorize cause an error Failed to find module.

  Use sql.authorize

 I have not found any documentation about forcing a module into running code
 for another phase (authorize when doing post-auth).

  It's not documented.  It was a feature that got added
semi-accidentally, and then turned out to be too useful to remove.

  Alan DeKok.


Exec-Program-Wait and FreeRadius 2.1.1

2009-03-05 Thread Michael Schramm

Hello,

we're about to migrate from Freeradius 0.9 to 2.1. During this we
noticed that the attributes Exec-Program-Wait and Exec-Program are
deprecated.
We used this feature to start a script (which generates special Cisco
AV-Pairs).
Our Freeradius backend is a MySQL database.

Now my problem is that the attributes don't work. So we tried the
exec module. This works fine, but we want to execute different scripts
depending on the group the user is in, and I want to manage
this via the database like it was in version 0.9. Can you give me a clue how
to deal with this, because I didn't find anything about it in the documentation.

Thanks a lot and best regards

Michael Schramm



Re: Exec-Program-Wait and FreeRadius 2.1.1

2009-03-05 Thread Alan DeKok
Michael Schramm wrote:
 we're about to migrate from Freeradius 0.9 to 2.1. During this we
 noticed that the attributes Exec-Program-Wait and Exec-Program are
 deprecated.
 We used this feature to start a script (which generates special Cisco
 AV-Pairs).

  They still work in 2.x.

 Now my problem is that the attributes don't work.

  If you list exec in the post-auth section, then they work.  This
configuration is in the default configuration files in 2.x.

  Alan DeKok.


Re: Solved Can we do sql just once during eap-tls handshake

2009-03-05 Thread Johan F2

It works!

Now there is only one database access per authentication.

The relevant part of the config is now:
authorize {
    eap
}

authenticate {
    eap
}

post-auth {
    sql.authorize
    if (notfound) {
        fail
    }
}

Somewhat un-obvious, but thanks a lot for the help!
(But I guess setting Auth-Type to Reject in the database no longer works.)

/Johan


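The thread above turns on how a 2.x section reacts to the code each module returns: Phil's default `ok = return`, Ivan's `updated = return`, and Alan's `sql.authorize` in post-auth all change when (and whether) rlm_sql gets called. As an added example, not FreeRADIUS code and not anything posted by the participants, here is a deliberately small Python model of that section walk that counts rlm_sql invocations over an EAP handshake under the three configurations discussed. It assumes what the thread states: eap returns `updated` in authorize every EAP-TLS round (Johan's logs), `ok` for TTLS/PEAP (the default-config comment), `handled` in authenticate until the final round, and post-auth runs only for that final reply. Real unlang also tracks per-code priorities and the section's own result; only the "does this code stop the section" part is modelled.

```python
# Return codes whose default action in a plain module listing is to stop the
# section; every other code lets the next module run.  (Model assumption
# reduced from the 2.x default action tables.)
STOP_BY_DEFAULT = {"reject", "fail", "handled", "invalid", "userlock"}


def run_section(entries, results, overrides=None):
    """Walk a section's module list and return the modules actually called.

    entries   -- module names in listing order, e.g. ["preprocess", "eap", "sql"]
    results   -- return code each module produces in this round
    overrides -- per-module {code: "return"} blocks, e.g. {"eap": {"ok": "return"}},
                 mirroring an  eap { ok = return }  entry in the config
    """
    overrides = overrides or {}
    called = []
    for name in entries:
        called.append(name)
        code = results[name]
        if overrides.get(name, {}).get(code) == "return" or code in STOP_BY_DEFAULT:
            break
    return called


def count_sql_calls(config, rounds, eap_authorize_code):
    """Count rlm_sql calls across an EAP conversation of `rounds` packets.

    eap_authorize_code is what eap returns in authorize each round:
    "updated" for EAP-TLS (as in Johan's logs), "ok" for TTLS/PEAP (as the
    default-config comment states).  In authenticate, eap returns "handled"
    (Access-Challenge) until the last round, where it returns "ok"; post-auth
    runs only for that final reply.
    """
    sql_calls = 0
    for rnd in range(1, rounds + 1):
        results = {"preprocess": "ok", "eap": eap_authorize_code, "sql": "ok"}
        called = run_section(config["authorize"], results, config.get("authorize_overrides"))
        sql_calls += called.count("sql")

        authenticate_code = "ok" if rnd == rounds else "handled"
        if authenticate_code == "ok":
            called = run_section(config["post-auth"], {"sql.authorize": "ok"})
            sql_calls += called.count("sql.authorize")
    return sql_calls


# Johan's starting point: sql after eap in authorize, with the 2.0 default
# "ok = return" override that Phil quoted.
ORIGINAL = {
    "authorize": ["preprocess", "eap", "sql"],
    "authorize_overrides": {"eap": {"ok": "return"}},
    "post-auth": [],
}

# Ivan's suggestion: also return on "updated".
UPDATED_RETURN = {
    "authorize": ["preprocess", "eap", "sql"],
    "authorize_overrides": {"eap": {"ok": "return", "updated": "return"}},
    "post-auth": [],
}

# Johan's final config: sql.authorize moved to post-auth.
SOLVED = {
    "authorize": ["eap"],
    "authorize_overrides": {},
    "post-auth": ["sql.authorize"],
}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("updated = return", UPDATED_RETURN),
                       ("sql.authorize in post-auth", SOLVED)):
        print(f"{label:28s} EAP-TLS, 7 rounds: {count_sql_calls(cfg, 7, 'updated')} sql call(s)")
    print(f"{'original':28s} TTLS/PEAP, 7 rounds: {count_sql_calls(ORIGINAL, 7, 'ok')} sql call(s)")
```

The model reproduces the three observations in the thread: one lookup per round in the original layout (eap's `updated` is neither `ok` nor a stop code, so sql is reached every time), zero lookups with `updated = return` (the section always ends at eap, so the reply attributes are never set), and exactly one with `sql.authorize` in post-auth, which runs only when the final Access-Accept is built. The last line shows why Phil's `ok = return` is sufficient for TTLS/PEAP, where eap returns `ok` in authorize.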



Re: Production servers num_sql_socks

2009-03-05 Thread A . L . M . Buxey
Hi,

 Granted your DB is fast enough to query quickly.
 Upping this value on a slow DB will severely degrade performance.
 
 What's sort of values are you guys using for production servers?

we found that any value over 20 caused issues with mysql... we moved
to postgresql anyway a year back. 

alan


No known good password for NIS users

2009-03-05 Thread Drew Johnson
I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client.
Using radtest, I find that local user accounts are accepted, but NIS
accounts are rejected.

I have not changed anything from the default configuration other than
adding client info and setting DEFAULT Auth-Type = System in the users
file.

NIS accounts are otherwise functional on the machine (able to login
via console/SSH).

Debugging output is below, showing two Access-Requests: testu is a
local account, and wifi is a NIS account.

Ultimately, I am trying to do EAP-TTLS/PAP but I need to get past this first...

Thanks,

--Drew



FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Mar  4
2009 at 14:38:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1

Re: No known good password for NIS users

2009-03-05 Thread tnt
I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client.
Using radtest, I find that local user accounts are accepted, but NIS
accounts are rejected.


Well, yes. How is freeradius supposed to talk to NIS? Perhaps PAM? Or is
there some ntlm_auth type script?

I have not changed anything from the default configuration other than
adding client info and setting DEFAULT Auth-Type = System in the users
file.


You don't need that in 2.x. And it will get in the way if you need to
set Auth-Type PAM.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Production servers num_sql_socks

2009-03-05 Thread Marinko Tarlac
If it is not a secret, how many users do you have (active users at the 
same time) and how many connections per minute can your system handle 
without problems?


a.l.m.bu...@lboro.ac.uk wrote:

Hi,

Granted your DB is fast enough to query quickly.
Upping this value on a slow DB will severely degrade performance.

What sort of values are you guys using for production servers?



we found that any value over 20 caused issues with mysql... we moved
to postgresql anyway a year back. 


alan


Re: Production servers num_sql_socks

2009-03-05 Thread A . L . M . Buxey
Hi,
 If it is not a secret, how many users do you have (active users at the  
 same time) and how many connections per minute can your system handle  
 without problems?

around 15k concurrent users, hundreds of thousands per minute could be handled
(when we last did a load test)

alan


Variables' content as a reply

2009-03-05 Thread Augusto G. Andreollo
Hello all!

I've been trying unsuccessfully to get this setup to work, but unfortunately 
haven't been able to so far.

My need is to return the contents of three LDAP fields as replies in the 
Access-Accept packet.

The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM 
Cookbook -- DJ 5.1.5,3).
My config is as follows:

on ldap.attrmap:
 checkItem   cLDAPdepartmentNumber   departmentNumber
 replyItem   rLDAPdepartmentNumber   departmentNumber
 checkItem   cLDAPaffiliationeduPersonPrimaryAffiliation
 replyItem   rLDAPaffiliationeduPersonPrimaryAffiliation
 checkItem   cLDAPou ou
 replyItem   rLDAPou ou

on dictionary.university:
 VENDOR Unicamp 12345

 BEGIN-VENDOR Unicamp
 ATTRIBUTE University-LDAP-departmentNumber 1 string
 ATTRIBUTE University-LDAP-affiliation 2 string
 ATTRIBUTE University-LDAP-organizationUnit 3 string
 END-VENDOR University

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file::
 post-auth {
 reply_log
 Post-Auth-Type REJECT {
 reply_log
 }
 redundant {
 sql-server1
 sql-server2
 }
 update outer.reply {
 User-Name := %{reply:User-Name}
 University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
 }

radiusd -v is:
 radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.0, built on 
 Jan  9 2009 at 07:02:31


but unfortunately, something does not translate right. From what I've gathered 
running radiusd -X, the relevant parts are:

- first, an error on rlm_ldap:
 ++- entering policy redundant {...}
 [ldap1] performing user authorization for u...@university
 [ldap1] expand: (eduPersonPrincipalName=%{User-Name}) - 
 (edupersonprincipalname=u...@university)
 [ldap1] expand: dc=university - dc=university
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to ldap1.university:389, authentication 0
 rlm_ldap: starting TLS
 rlm_ldap: bind as / to ldap1.university:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=university, with filter 
 (edupersonprincipalname=u...@university)
 [ldap1] checking if remote access for u...@university is allowed by 
 dialupAccess
 [ldap1] looking for check items in directory...
 rlm_ldap: Failed to create the pair: Invalid octet string cc for 
 attribute name cLDAPou
 rlm_ldap: Failed to create the pair: Invalid octet string staff for 
 attribute name cLDAPaffiliation
 rlm_ldap: Failed to create the pair: Invalid octet string 20.5.2.4.0.0.0 
 for attribute name cLDAPdepartmentNumber
 rlm_ldap: radiusSimultaneousUse - Simultaneous-Use == 1
 [ldap1] looking for reply items in directory...
 rlm_ldap: Failed to create the pair: Invalid octet string cc for 
 attribute name rLDAPou
 rlm_ldap: Failed to create the pair: Invalid octet string staff for 
 attribute name rLDAPaffiliation
 rlm_ldap: Failed to create the pair: Invalid octet string 20.5.2.4.0.0.0 
 for attribute name rLDAPdepartmentNumber
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 [ldap1] Setting Auth-Type = LDAP
 [ldap1] user u...@university authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 +++[ldap1] returns ok

- second: the reply's content is not getting translated right. Instead
of sending the contents of the variables, it just sends the variable
names outright:

 Sending Access-Accept of id 235 to xxx.xxx.xxx.xxx port 32783
 User-Name = %{reply:User-Name}
 University-LDAP-departmentNumber = %{rLDAPdepartmentNumber}
 MS-MPPE-Recv-Key = blah
 MS-MPPE-Send-Key = blah
 EAP-Message = 0x03050004
 Message-Authenticator = 0x
 Finished request 5.

So, the most important question is: how do I reference the contents of
the variables in the post-auth update section?

Second: what's causing the check and reply items not to get translated?
could this be an LDAP error or is there an error on the ldap.attrmap
file?

By the way, the authentication, authorization, everything is working
fine already (including the TTLS/PAP part).

Thanks in advance for any thoughts..



Freeradius exceeding num_sql_socks

2009-03-05 Thread Stelio Gouveia
Hi All.

Is there any reason why Freeradius would exceed the limit set by the
num_sql_socks directive?

-- 
Regards
Stelio Gouveia
--
Skyrove Software Engineer,
Skyrove (Pty) Ltd
Technology Top 100 Award Winner (2006)
Mobile: +27 82 34 09 120
Tel: +27 861 ROVERS (0861 768 377)
Fax: +27 86 6204077
Email  Gtalk: ste...@skyrove.com
Skype: skyrove_sa
Web:   www.skyrove.com


rewrite attribute with perl module

2009-03-05 Thread Asaad


Hi ALL

I have attribute Session-Timeout with value 36 in the radreply database

and want to modify the value when radius replies, so I 
enabled the perl module 

and enabled it at post-auth.

In the perl sub post-auth I added

.
print attr
$RAD_REPLY{'Session-Timeout'} = 5 ;
.
print attr
.
return RLM_MODULE_UPDATED

but that does not affect the returned value:
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = 
throttle=55
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 36
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = x
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REQUEST: SQL-User-Name = user
...
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = 
throttle=55
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 5
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = 
xx

but radius sent back 
Sending Access-Accept of id 1 to 192.168.100.10:32830
Framed-IP-Address := 
Cisco-AVPair = throttle=55
Session-Timeout = 36


with value of 36 not (5)

and then I enabled the perl module in the authorize and authentication sections of 
radius.conf and put the same previous code in the same subs (authorize and 
authentication) of the perl module, but I got the same result, value not changed 

and also the same result when I change the return code to 
RLM_MODULE_UPDATED

Any hint please? Can I modify the value of reply attributes? 

Thanks a lot 





proxy acct records best practices

2009-03-05 Thread TR Missner
Hello,
I am a new user of freeradius ( no experience with the 1.x version at all ).
I am in the process of setting up radius for accounting of voip records.
Due to the nature of my system blocking must be avoided at all costs.
With this in mind I have configured FR to write accounting records locally to
a file then I have the records proxied to a remote freeradius instance where
the records are written to a database.
My question revolves around best practices and speed.
Reading and shipping the records off box is very slow ( somewhere around 5 -
10 records per second ).
I believe this may be caused by the latency between the proxy and the master
which is around 150ms.
Of course I could just insert the records in the DB across the WAN but am
not sure whether this would be any faster.
I'm convinced latency is the issue because even when I turn off the
databasing of records on the master and only write to flat files the speed
remains in the same range.

Keeping in mind my newness to freeradius I thought it might be a good idea
to ask the community for suggestions.

Thanks

T

Re: rewrite attribute with perl module

2009-03-05 Thread tnt
Any hint please? Can I modify the value of reply attributes?

Are you using server version that is years out of date? This works in
current version.

Ivan Kalik
Kalik Informatika ISP



Re: Variables' content as a reply

2009-03-05 Thread tnt
I've been trying unsuccessfully to get this setup to work, but unfortunately 
haven't been able to so far.

My need is to return the contents of three LDAP fields as replies in the 
Access-Accept packet.

The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM 
Cookbook -- DJ 5.1.5,3).
My config is as follows:

on ldap.attrmap:
 checkItem   cLDAPdepartmentNumber   departmentNumber
 replyItem   rLDAPdepartmentNumber   departmentNumber
 checkItem   cLDAPaffiliationeduPersonPrimaryAffiliation
 replyItem   rLDAPaffiliationeduPersonPrimaryAffiliation
 checkItem   cLDAPou ou
 replyItem   rLDAPou ou


Where does the cookbook say that you should put that in ldap.attrmap?
Where are those radius attributes defined? Some additional dictionary?

on dictionary.university:
 VENDOR Unicamp 12345

 BEGIN-VENDOR Unicamp
 ATTRIBUTE University-LDAP-departmentNumber 1 string
 ATTRIBUTE University-LDAP-affiliation 2 string
 ATTRIBUTE University-LDAP-organizationUnit 3 string
 END-VENDOR University


Why don't you map those in ldap.attrmap.

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file::
 post-auth {
 reply_log
 Post-Auth-Type REJECT {
 reply_log
 }
 redundant {
 sql-server1
 sql-server2
 }
 update outer.reply {
 User-Name := %{reply:User-Name}
 University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
 }

That should be:

 User-Name := '%{reply:User-Name}'
 University-LDAP-departmentNumber := '%{rLDAPdepartmentNumber}'

Ivan Kalik
Kalik Informatika ISP

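Putting the two points of the reply above together (attributes that actually exist in the dictionary, and a right-hand side the server will expand), here is an added example of the two fragments. It is not the original poster's configuration and not part of the FreeRADIUS distribution. It assumes the dictionary.university VSAs from the post are loaded, and that the cLDAP*/rLDAP* names are defined nowhere, which is what the "Failed to create the pair ... for attribute name rLDAPou" lines in the debug output indicate.

```unlang
# Added example, not the poster's files. Assumes the University VSAs
# (University-LDAP-departmentNumber etc.) from dictionary.university
# are loaded; the cLDAP*/rLDAP* names are assumed to be undefined.

# --- ldap.attrmap --------------------------------------------------
# Map the LDAP fields straight onto attributes the dictionary knows.
# An attrmap entry whose RADIUS attribute is undefined can never
# create a pair, so nothing ever reaches the reply list.
replyItem   University-LDAP-departmentNumber   departmentNumber
replyItem   University-LDAP-affiliation        eduPersonPrimaryAffiliation
replyItem   University-LDAP-organizationUnit   ou

# --- sites-enabled/inner-tunnel, post-auth section -----------------
post-auth {
        # Weak form, copied from the post: a bare word is not expanded,
        # so the NAS literally receives the text "%{reply:User-Name}",
        # exactly as the Access-Accept in the debug output shows.
        #
        #   update outer.reply {
        #           User-Name := %{reply:User-Name}
        #   }

        # Corrected form: the right-hand side is a quoted string, which
        # the server xlat-expands when the section runs. "reply:" names
        # the inner reply list, where rlm_ldap put the replyItems; a bare
        # %{Attr} would look in the inner request list instead.
        update outer.reply {
                User-Name := "%{reply:User-Name}"
                University-LDAP-departmentNumber := "%{reply:University-LDAP-departmentNumber}"
                University-LDAP-affiliation := "%{reply:University-LDAP-affiliation}"
                University-LDAP-organizationUnit := "%{reply:University-LDAP-organizationUnit}"
        }
}
```

Run radiusd -X again and check that the Access-Accept carries the expanded values rather than the %{...} text, and that the "Failed to create the pair" lines are gone. One caveat worth knowing before copying the User-Name line: it sends the tunnelled (inner) identity back to the NAS in the clear, and through every proxy between the NAS and this server, so it defeats an anonymous outer identity if the deployment relies on one.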


Reject problems w/ v 2.1.3

2009-03-05 Thread Chhaya, Harshal

Hi,

I need to upgrade our freeRADIUS 1.1.7 config to 2.1.3 on
an embedded Linux platform.

I can build everything just fine but all our authentication
attempts are rejected. I didn't do the 1.1.7 work so I am
sure I am missing something simple.

This is for a private wireless network using WPA2-PEAP.

Looks like a config screwup somewhere but I can't figure out
which specific config is causing this to fail.

The users file is:
00093701a89d Cleartext-Password == 66e3c1cd773f487d

(It used to be: 00093701a89d User-Password == 66e3c1cd773f487d)


The log from 'radiusd -X' is below:
(Apologies for the long log but I didn't know which stuff is
important and which isn't)

Thanks for your patience and help,
- Harshal


FreeRADIUS Version 2.1.3, for host arm-unknown-linux-gnu, built on Mar  5 2009 
at 05:10:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/etc/raddb/radiusd.conf
including configuration file /usr/etc/raddb/proxy.conf
including configuration file /usr/etc/raddb/clients.conf
including files in directory /usr/etc/raddb/modules/
including configuration file /usr/etc/raddb/modules/passwd
including configuration file /usr/etc/raddb/modules/expiration
including configuration file /usr/etc/raddb/modules/checkval
including configuration file /usr/etc/raddb/modules/acct_unique
including configuration file /usr/etc/raddb/modules/mac2vlan
including configuration file /usr/etc/raddb/modules/echo
including configuration file /usr/etc/raddb/modules/etc_group
including configuration file /usr/etc/raddb/modules/perl
including configuration file /usr/etc/raddb/modules/expr
including configuration file /usr/etc/raddb/modules/krb5
including configuration file /usr/etc/raddb/modules/smbpasswd
including configuration file /usr/etc/raddb/modules/exec
including configuration file /usr/etc/raddb/modules/mschap
including configuration file /usr/etc/raddb/modules/unix
including configuration file /usr/etc/raddb/modules/linelog
including configuration file /usr/etc/raddb/modules/pam
including configuration file /usr/etc/raddb/modules/detail.example.com
including configuration file /usr/etc/raddb/modules/policy
including configuration file /usr/etc/raddb/modules/sql_log
including configuration file /usr/etc/raddb/modules/always
including configuration file /usr/etc/raddb/modules/logintime
including configuration file /usr/etc/raddb/modules/chap
including configuration file /usr/etc/raddb/modules/preprocess
including configuration file /usr/etc/raddb/modules/attr_rewrite
including configuration file /usr/etc/raddb/modules/inner-eap
including configuration file /usr/etc/raddb/modules/wimax
including configuration file /usr/etc/raddb/modules/mac2ip
including configuration file /usr/etc/raddb/modules/radutmp
including configuration file /usr/etc/raddb/modules/detail
including configuration file /usr/etc/raddb/modules/ldap
including configuration file /usr/etc/raddb/modules/detail.log
including configuration file /usr/etc/raddb/modules/attr_filter
including configuration file /usr/etc/raddb/modules/pap
including configuration file /usr/etc/raddb/modules/ippool
including configuration file /usr/etc/raddb/modules/realm
including configuration file /usr/etc/raddb/modules/digest
including configuration file /usr/etc/raddb/modules/counter
including configuration file /usr/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/etc/raddb/modules/files
including configuration file /usr/etc/raddb/modules/sradutmp
including configuration file /usr/etc/raddb/eap.conf
including configuration file /usr/etc/raddb/sql.conf
including configuration file /usr/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/etc/raddb/policy.conf
including files in directory /usr/etc/raddb/sites-enabled/
including configuration file /usr/etc/raddb/sites-enabled/default
including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /tmp
logdir = /tmp
libdir = /usr/lib
radacctdir = /tmp/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /tmp/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1

failed to receive Accounting Response

2009-03-05 Thread Николай Г. Петров

[IOS Version 12.1(22)EA11]   [freeradius-2.1.3]
--
Hello!
I'm trying to account for all commands that users run on the Cisco, in enable mode and at 
other levels:


   aaa accounting delay-start
   aaa accounting exec default start-stop group radius
   aaa accounting system default stop-only group radius
   aaa accounting connection default start-stop group radius
   aaa accounting network default start-stop group radius
   aaa accounting commands 1 default stop-only group radius
   aaa accounting commands 15 default stop-only group radius
   aaa accounting send stop-record authentication failure

but the Cisco log about accounting sends a message like this every time

   Mar  6 08:57:48 192.168.255.10 210: 000207: Mar  6 08:57:48 MSK: 
  %RADIUS-3-NOACCOUNTINGRESPONS

   Stop for session 0074 failed to receive Accounting Response.

accounting section in radius config

   accounting {
   detail
   daily
   unix
   radutmp
   sradutmp
   attr_filter.accounting_response
   Acct-Type Status-Server {

   }
   }

How can I resolve the problem?
Thanks!


Re: Freeradius exceeding num_sql_socks

2009-03-05 Thread Alan DeKok
Stelio Gouveia wrote:
 Is there any reason why Freeradius would exceed the limit set by the
 num_sql_socks directive?

  If you have one SQL module, no.

  If you have two SQL modules, each will open up its own sockets.

  Alan DeKok.


Re: proxy acct records best practices

2009-03-05 Thread Alan DeKok
TR Missner wrote:
 I am a new user of freeradius ( no experience with the 1.x version at all ).

  Don't use 1.x.  Use the latest version.

 I am in the process of setting up radius for accounting of voip records.
 Due to the nature of my system blocking must be avoided at all costs.
 With this in mind I have configure FR to write accounting records
 locally to a file then I have the records proxied to a remote freeradius
 instance where the  records are written to a database.
 My question revolves around best practices and speed.
 Reading and shipping the records off box is very slow ( somewhere around
 5 - 10 records per second ).

  You've configured the server to use syslog.  Don't.  Syslog on some
systems is limited to 5-10 log entries per second.  This is because it
syncs the logs to disk after each line of text.

 I believe this may be caused by the latency between the proxy and the
 master which is around 150ms.

  No.

 Of course I could just insert the records in the DB across the WAN but
 am not sure whether this would be any faster.
 I'm convinced latency is the issue because even when I turn off the
 databasing of records on the master and only write to flat files the
 speed remains in the same range.

  syslog.

  Alan DeKok.


Re: No known good password for NIS users

2009-03-05 Thread Alan DeKok
Drew Johnson wrote:
 I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client.
 Using radtest, I find that local user accounts are accepted, but NIS
 accounts are rejected.

   See the debug log for why.

...
 ++[unix] returns notfound

  That's pretty definitive.  The server asks for a password file entry,
and the system returns no entry for that user.

  Alan DeKok.