Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
Christopher Sheldon wrote:
 Does anyone else who subscribes to the list specifically read every
 email Alan sends just to chuckle at him berating the  poor, confused
 people seeking help?

  My unhelpful comments are directed at the people who don't read (a)
the documentation I already wrote, or (b) the debugging messages I
already wrote.

  Perhaps you could take over the role of cut & paste master, where
you would cut and paste the existing documentation onto this list for
certain people.

  Failing that, perhaps you could try another method of positive
contribution that doesn't involve complaining about me.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
daverum...@boothcreek.com wrote:
   So funny you say that, I was just talking about that with a co worker. I 
 almost find myself searching for his emails and thinking that poor person who 
 is looking for help.

  Asking people to read the debug log, as suggested in the FAQ, README,
INSTALL, man page, every single howto, and daily on this list?

  For shame.

  It's really quite simple.  It's a choice.  People DON'T read the
documentation.  They DON'T follow instructions.  They DON'T read the
debug log.  But they get incensed when they get told to read it, and
they get incensed when told to follow instructions.

  Happily, there is a solution.  Along with Christopher, you're now the
new cut & paste master.  Please spend a few short hours every day
answering questions on this list by cutting & pasting answers from the
existing documentation.

  Also, you will need to explain to people that they should run the
server in debugging mode.  Feel free to *continue* explaining why this
is necessary after they have gotten angry at you for not immediately
solving their problem.

  Complaining about *my* behavior is not an option until you've
contributed something to the project.

  Alan DeKok.


Re: Disabling users

2009-06-25 Thread Alan DeKok
DAve wrote:
 I have read through the docs, looked into Session-Timeout and SQL
 counters, but I do not see how to force a client to re authenticate.
 What am I missing? What config information do I need to provide? What
 information/manual/how to have I missed?

  http://freeradius.org/rfc/attributes.html.  Click on Session-Timeout.

  If you set Session-Timeout to 86400, the NAS *should* drop the
connection after one day.  This will force them to re-authenticate.

  Alan DeKok.


Re: ubuntu server, FreeRadius 2.1.6, Active Directory Win2K3, Cisco Aironet AG1242

2009-06-25 Thread Alan DeKok
Petar Marinkovic wrote:
 [mschap] Told to do MS-CHAPv2 for pmarinkovic with NT-Password
 [mschap] expand: --username=%{mschap:User-Name:-None} -> 
 --username=pmarinkovic
 
 [mschap]  mschap2: 30
 [mschap] expand: 
 --domain=%{mschap:NT-Domain:-EXCHANGE}--challenge=%{mschap:Challenge:-00} -> 
 --domain=EXCHANGE--challenge=73e442d7ccbf38a0

  That's wrong... you need a space between the two command-line options.

  --domain= --challenge=...
   ^
 SPACE

 In radiusd.conf, I only added exec lines to modules section from the
 tutorial
 
 exec ntlm_auth {

  That's not being used here, so it's not affecting this example.


 And mschap file in modules dir. I left those 3 commented lines, I tried
 also with them, but no luck.
 
 mschap {
 with_ntdomain_hack = yes
 #use_mppe = yes
 #require_encryption = yes
 #require_strong = no
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
 --username=%{mschap:User-Name:-None} 
 --domain=%{mschap:NT-Domain:-EXCHANGE}--challenge=%{mschap:Challenge:-00} 
 --nt-response=%{mschap:NT-Response:-00}

  You added the --domain=.. portion too close to the --challenge.


 What am I doing wrong here? In eap.conf I only changed default_auth_type
 to PEAP, and that's all. Many thanks for your help, and I would
 appreciate it a lot if you can help me, cause this thing is driving me
 crazy for the last 2-3 days. I read a bunch of topics, but none helped..

  Posting the debug log is *exactly* the information that was needed to
solve this problem.

  Alan DeKok.


response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo
Hello, first of all, sorry for my English.

I'm testing Freeradius 2.0.4+dfsg-6 in Debian. I want to configure proxy
like this (proxy.conf):

# radiusxx authentication
home_server radiusxx_auth {
type = auth
ipaddr = 1.2.3.4
port = 1812
secret = secret
response_window = 50
zombie_period = 20
status_check = request
username = user
password = pass
check_interval = 30
num_answers_to_alive = 3
}

# radiusxx accounting
home_server radiusxx_acct {
type = acct
ipaddr = 1.2.3.4
port = 1813
secret = secret
response_window = 50
zombie_period = 20
status_check = request
username = user
password = pass
check_interval = 30
num_answers_to_alive = 3
}

# radiusyy authentication
home_server radiusyy_auth {
type = auth
ipaddr = 1.2.3.5
port = 1812
secret = secret
response_window = 50
zombie_period = 20
status_check = request
username = user
password = pass
check_interval = 30
num_answers_to_alive = 3
}

# radiusyy accounting
home_server radiusyy_acct {
type = acct
ipaddr = 1.2.3.5
port = 1813
secret = secret
response_window = 50
zombie_period = 20
status_check = request
username = user
password = pass
check_interval = 30
num_answers_to_alive = 3
}

#authentication pool
home_server_pool my_auth {
type = fail-over
home_server = radiusxx_auth
home_server = radiusyy_auth
}

#accounting pool
home_server_pool my_acct {
type = fail-over
home_server = radiusxx_acct
home_server = radiusyy_acct
}


realm myrealm.my {
auth_pool = my_auth
acct_pool = my_acct
# nostrip
}


My problem is when I'm going to test failover: I stop Freeradius in the xx
server and I send an authentication request.

Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28,
length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28,
length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Waking up in 23.9 seconds.
. . .
WARNING: Marking home server 1.2.3.4 port 1812 as zombie (it looks like it
is dead).

After 30 seconds I always get an accept_reject the first time. But with my
zombie_period = 20, shouldn't it mark radiusxx as zombie after 20 seconds and
proxy my request to radiusyy? My response_window = 50, and Freeradius must
wait 50 seconds before considering the request dead.

Then, when I send another authentication request:

Sending Access-Request of id 129 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.4 port 1812
Sending Access-Request of id 129 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 59850, id=1,
length=75
FAILURE: Marking home server 1.2.3.4 port 1812 as dead.
Sending Access-Request of id 118 to 1.2.3.5 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.5 port 1812
Sending Access-Request of id 118 to 1.2.3.5 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Waking up in 26.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.5 port 1812, id=118,
length=23
Proxy-State = 0x31


I don't know why Freeradius doesn't send me an Access-Accept when I send the
first request, after marking radiusxx (zombie_period = 20) as zombie and proxying
the request to radiusyy.

Thank you and sorry for my English.

AW: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Wegener, Norbert
Not only do I have to thank Alan for this or that hint and the great software.
Nowadays I find his answers amusing. They sound like a mantra:
Read the documentation, post the debug output, don't change too much in the 
default configuration.

What is wrong with that answer?
And knowing that one might get this kind of answer: maybe one thinks twice and 
reads a bit more through the docs before posting a question. 
In my opinion there are worse things than thinking twice.
I know people that behave exactly this way just for that reason. And they 
solved most of their problems this way.

FreeRADIUS is a project with comprehensive documentation. Many - if not most - 
of the questions on the list could be answered by reading the wiki and the rest 
of the documentation. Knowing this, I personally would find it hard to 
impossible to answer the same questions over and over again.

Thanks Alan.


Norbert Wegener




RE: response_window and zombie_period problem

2009-06-25 Thread Tim Sylvester
Ana,

The notes in the proxy.conf file describe how proxying works when you do not
receive a response from a home server.

#
#  If the home server doesn't respond to the request within
#  this time, this server will consider the request dead, and
#  respond to the NAS with an Access-Reject.
#
#  If NO responses are received to any requests sent within this
#  time period, the home server will be marked zombie, as below.
#
#  Useful range of values: 5 to 60
response_window = 20

#
#  If the home server does not respond to ANY packets for
#  a certain time, consider it dead.  This time period is
#  called the zombie period, because the server is neither
#  alive nor dead.
#
#  If status_check below is something other than none, then
#  the server will start sending status checks at the start of
#  the zombie period.  It will continue sending status checks
#  until the home server is marked alive.
#
#  Useful range of values: 20 to 120
zombie_period = 40


When a home server does not respond to an Access-Request, the proxy process
has failed and the default behavior is to reject the user's Access-Request.
The proxy server marks the home server as a zombie and after another 40
seconds has passed, the proxy server marks the home server as dead. Once a
server is marked dead, the proxy server will not send requests to that
server. Access-Requests that are sent to the proxy server after the home
server is marked dead will skip the dead home server and fail-over to the
next home server.

 

Since an Access-Reject is sent to the NAS, the NAS will deny the user/device
access. This will happen to all users/devices that try to authenticate when
the proxy server was marked alive but it is actually dead. You can lessen
the impact of a dead server by using type=load-balance instead of fail-over
for the home server pool.

 

In 2.1.6 the server can be configured to not respond when it does not
receive a response from a home server. This will cause the NAS to retry the
request multiple times, which will eventually cause the proxy server to send
the request to the alive home server. Let me know if you want to try this
and I can send an example configuration.

 

Tim

 

 

 


Re: problem to forcing TLS and reject PEAP

2009-06-25 Thread Ivan Kalik
 I insert in my users file this configuration item:

 DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == wifi, EAP-Type == PEAP,
 Auth-Type := Reject

 DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == wifi, EAP-Type == TLS
 Fall-Through = No

 DEFAULT Ldap-Group == user, Huntgroup-Name == user
 Fall-Through = No



 The first DEFAULT should reject the request if the EAP-Type is PEAP,
 while the second DEFAULT should accept the request only if the EAP type is
 TLS, I think :-))


 But during the test I noticed that if I force wifi to PEAP, the request is
 rejected by the second DEFAULT, and not by the first. This is the log:

 Wed Jun 24 14:02:36 2009 : Debug: users: Matched entry DEFAULT at
 line 3  ( line 3 is the second DEFAULT )

 The reject is because it isn't able to open TLS.

 If I try TLS, the system accepts the request.

 The question is: why doesn't the PEAP request match the first DEFAULT?

Because PEAP is treated as a subsection of TLS.

Use a listen section to direct requests from wi-fi huntgroup clients to one
virtual server and requests from user huntgroup clients to another. Create two
eap instances - one standard, and one without PEAP configured. Use the one with
PEAP disabled in the virtual server which processes wi-fi requests.

Ivan Kalik
Kalik Informatika ISP



RE: Old password 'grace period'

2009-06-25 Thread Ivan Kalik
 
  so, what you've actually got to do is run the pap method twice.
  once for the user-name/password from sql_new and once for the
  user-name/password from sql_old.   one of those methods would
  work for a valid user
 
  thats a funky bit of group/failover requirement that'll have to
  be cooked up...maybe
 
  group {
sql_new {
pap
ok = return
}
sql_old {
pap
ok = return
}
  }
 
  or something along those broken lines ;-)
 
  alan

 [JK] freeradius does not like anything like that added into that
 section.  On start-up, I get:

 /etc/raddb/sites-enabled/default[168]: Failed to parse sql_new
 subsection.
 /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
 Errors initializing modules

You should write a custom authentication script.

This can be made to work with standard modules/attributes for PAP requests
with some unlang gymnastics in Post-Auth-Type Reject. But mschap will need a
custom script. You can utilize the existing mschap module, but you will need to
remove from the list the NT and LM passwords created with the first password
before you try to call it again with the replacement password.

Ivan Kalik
Kalik Informatika ISP



Re: Old password 'grace period'

2009-06-25 Thread A . L . M . Buxey
Hi,

 You should write your custom authentication script.

theres probably a way of doing it all in config
with unlang etc - but yes, a PERL script which does
all of the SQL stuff and authentication itself
is probably the way to go for it

alan


Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell

On 25/6/09 10:33, a.l.m.bu...@lboro.ac.uk wrote:


I leave you guys alone for 5 minutes

Use the sql modules to create the pool of database connections required. And list the sql instances in instantiate (the parser isn't clever enough to figure out that the module instances will be 
required for string expansion calls).



radiusd.conf

instantiate {
    sql_old
    sql_new
}


authenticate {
    mschap {
        update control {
            Cleartext-Password := "%{sql_new:SELECT cleartext password query...}"
        }
        mschap {
            reject = 2
        }
        if (reject) {
            update control {
                Cleartext-Password := "%{sql_old:SELECT cleartext password query...}"
            }
            mschap
        }
    }
}

Don't use the automatic failover stuff, it's not appropriate here...

If this doesn't work, post the debug output. There are some issues with rcode 
priority assignments and unlang, but they're possible to work around.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo
Thank you for your response. Certainly in the proxy.conf file we can read


 #  If the home server doesn't respond to the request within
 #  this time, this server will consider the request dead, and
 #  respond to the NAS with an Access-Reject.
 #
 #  Useful range of values: 5 to 60
 response_window = 20

 #  If the home server does not respond to ANY packets for
 #  a certain time, consider it dead.  This time period is
 #  called the zombie period, because the server is neither
 #  alive nor dead.
 #
 #  Useful range of values: 20 to 120
 zombie_period = 40

My response_window = 50 & zombie_period = 20. So, after 20 seconds, my
radiusxx Freeradius must consider it dead, and then, I think that Freeradius
can proxy the request until the response_window = 50 time is gone. Maybe I'm
mistaken, so I would like to know if I'm in error.


 When a home server does not respond to an Access-Request, the proxy process
 has failed and the default behavior is to reject the users Access-Request.
 The proxy server marks the home server as a zombie and after another 40
 seconds has passed, the proxy server marks the home server as dead. Once a
 server is marked dead, the proxy server will not send requests to that
 server. Access-Requests that are sent to the proxy server after the home
 server is marked dead, will skip the dead home server and fail-over to the
 next home server.



 Since an Access-Reject is sent to the NAS, the NAS will deny the
 user/device access. This will happen to all users/devices that try to
 authenticate when the proxy server was marked alive but it is actually dead.
 You can lessen the impact of a dead server by using type=load-balance
 instead of fail-over for the home server pool.


Why does load-balance lessen the impact?



 In 2.1.6 the server can be configured to not respond when it does not
 receive a response from a home server. This will cause the NAS to retry the
 request multiple times, which will eventually cause the proxy server to send
 the request to the alive home server. Let me know if you want to try this
 and I can send an example configuration.



Yes, I want to try.

 Tim





Thank you very much Tim.




 Ana Gallardo Gómez


new member

2009-06-25 Thread K bharathan
I'd like to have a freeradius rpm for openSUSE 11.
I'd appreciate your guidance.

thanks

Re: Old password 'grace period'

2009-06-25 Thread A . L . M . Buxey
Hi,

 I leave you guys alone for 5 minutes

8-)  as i said, theres probably a way of doing it

alan


Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell



 Original Message 
Subject: Re: Old password 'grace period'
Date: Thu, 25 Jun 2009 12:11:07 +0100
From: Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk
Organization: University of Sussex
To: t...@kalik.net

[snip]


I have tested something like this yesterday - it doesn't. You can't just
replace Cleartext-Password. NT-Password and LM-Password were created for
the new password and the mschap module will reuse them, completely ignoring
the old Cleartext-Password. They need to be removed or replaced before the
mschap module is called again.


Ahhh ok... Yes, the code agrees with you :)

	} else if (!password) {
		RDEBUG2("No Cleartext-Password configured.  Cannot create LM-Password.");

	} else {		/* there is a configured Cleartext-Password */
		lm_password = radius_pairmake(request, &request->config_items,
					      "LM-Password", "", T_OP_EQ);

Writes the NT-Password and LM-Password values back to the control list of the 
request.

But seeing as the values are just being stored in the control list of the 
request,
we can remove them using unlang.


authenticate {
    mschap {
        update control {
            Cleartext-Password := "%{sql_new:SELECT cleartext password query...}"
        }
        mschap {
            reject = 2
        }
        if (reject) {
            update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"
                Cleartext-Password := "%{sql_old:SELECT cleartext password query...}"
            }
            mschap
        }
    }
}

Thanks,
Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2



Re: AW: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Johan Meiring

Wegener, Norbert wrote:





I have to FULLY agree.

Every single time someone has had a reasonable request, Alan responded 
immediately.


Personally I did not even know what the three a's in aaa meant when I 
got involved with freeradius.


I got ALL the info I needed from the docs.
I configured a perfectly working solution without ONE question to this 
list.  (A fairly complicated one - all the docs are there!!)


I started posting when I had a feature that did not quite work as 
expected.  (dynamic clients).


Alan even went to the trouble to commit some code to git just to help me.

I certainly cannot fault his behaviour.

I personally run about 8 technicians.
Whenever someone asks me for advice, I always ask them. What is the 
exact error?

After asking for it the 100th time, I also get rude.

You should NOT have to say the same thing over and over again!!!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell

On 25/6/09 13:11, Ivan Kalik wrote:

I have tested something like this yesterday - it doesn't. You can't just
replace Cleartext-Password. NT-Password and LM-Password were created for
the new password and the mschap module will reuse them, completely
ignoring
the old Cleartext-Password. They need to be removed or replaced before the
mschap module is called again.

Writes the NT-Password and LM-Password values back to the control list of
the request.

But seeing as the values are just being stored in the control list of the
request,
we can remove them using unlang.


authenticate {
  mschap {


Just for the readers of the list - the section is Auth-Type MS-CHAP not
mschap.


Oops, yep Auth-Type MS-CHAP.





  update control {
  Cleartext-Password := "%{sql_new:SELECT cleartext password
query...}"
  }
  mschap {
  reject = 2
  }


Ah, so that's how you make it work.


Yep. Otherwise reject has a priority/opcode of reject, and the request is 
rejected ;)




  if(reject){
  update control {
NT-Password -= %{control:NT-Password}
LM-Password -= %{control:LM-Password}


Yes, I had that lined up, but couldn't get it to work.


  Cleartext-Password := "%{sql_old:SELECT cleartext
password query...}"
  }
  mschap
  }
  }
}


Ok, pap failover done this way now works. I can't test mschap from where I
am right now but I don't see a problem any more. My construction is
slightly different - I read only replacement password from sql assuming
that the usual one is pulled by regular sql queries (my scenario has
Cleartext-Password and custom attribute Old-Password both in same radcheck
table).


That should work fine too.

So you can just swap out the first update control { Cleartext-Password  } 
bit for a call to the SQL module. Though you'd probably want to put it in the 
authorise section...


So it'd be something like :

instantiate {
    sql_old
}

authorize {
    # Retrieves credentials
    sql_new
    # Sets auth-type mschap
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 2
        }
        if (reject) {
            # Remove stale password hashes created on first call to rlm_mschap
            update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"
                Cleartext-Password := "%{sql_old:SELECT cleartext password query...}"
            }
            mschap
        }
    }
}

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
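As an added illustration of the pitfall Ivan found (this is not code from the thread or from FreeRADIUS), the following Python models the request's control list across two rlm_mschap calls. The NT-Password derivation is the real one (MD4 over the UTF-16LE password, with MD4 written out because hashlib's is missing on many builds); the DES-based MS-CHAPv2 challenge/response is replaced by a direct comparison of NT hashes, since only the caching behaviour is at issue. The passwords, the sql_new/sql_old results and the function names are constructed for the example.

```python
"""Model of the pitfall Ivan and Arran discuss: rlm_mschap derives NT-Password
from Cleartext-Password and writes it back to the request's control list, so a
second call reuses the stale hash unless that hash is removed first.
Constructed example: the NT hash (MD4 over UTF-16LE) is the real derivation;
the DES-based MS-CHAPv2 challenge/response is replaced by comparing NT hashes
directly, because only the caching behaviour is under discussion."""
import struct
from typing import Dict, List, Tuple

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is absent on many builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def rotl(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                    # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], [3, 7, 11, 19][i % 4]), b, c
        for i in range(16):                                    # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999,
                                 [3, 5, 9, 13][i % 4]), b, c
        for i in range(16):                                    # round 3
            a, b, c, d = d, rotl(a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1,
                                 [3, 9, 11, 15][i % 4]), b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT-Password exactly as rlm_mschap derives it from Cleartext-Password."""
    return md4(password.encode("utf-16-le"))


def mschap(control: Dict[str, bytes], client_hash: bytes, log: List[str]) -> str:
    """One rlm_mschap call. Mirrors the quoted C: without a cached NT-Password it
    derives one from Cleartext-Password and stores it in the control list."""
    if "NT-Password" in control:
        log.append("mschap: reusing NT-Password already in control list")
    elif "Cleartext-Password" in control:
        control["NT-Password"] = nt_hash(control["Cleartext-Password"].decode())
        log.append("mschap: derived NT-Password from Cleartext-Password")
    else:
        log.append("mschap: no Cleartext-Password configured")
        return "reject"
    return "ok" if control["NT-Password"] == client_hash else "reject"


def grace_period_auth(new_pw: str, old_pw: str, client_pw: str,
                      purge_stale: bool) -> Tuple[str, List[str]]:
    """The thread's Auth-Type MS-CHAP block as a function. purge_stale=True is
    the 'NT-Password -= ...' update; False is the first version that only
    swapped Cleartext-Password. All passwords are constructed sample values."""
    control = {"Cleartext-Password": new_pw.encode()}   # what sql_new returned
    client_hash = nt_hash(client_pw)                     # what the client proved
    log: List[str] = []
    if mschap(control, client_hash, log) == "ok":
        return "accept", log
    if purge_stale:                              # NT-Password -= / LM-Password -=
        control.pop("NT-Password", None)
        control.pop("LM-Password", None)
    control["Cleartext-Password"] = old_pw.encode()      # %{sql_old:...}
    return ("accept" if mschap(control, client_hash, log) == "ok" else "reject"), log


if __name__ == "__main__":
    print(nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    for purge in (False, True):
        result, trail = grace_period_auth("NewPass1", "OldPass0", "OldPass0", purge)
        print(f"purge_stale={purge}: {result}", *trail, sep="\n  ")
```

With purge_stale=False the second mschap call logs "reusing NT-Password" and rejects a client who typed the old password, which is exactly what Ivan observed; with the two `-=` removals the second call re-derives the hash from the old Cleartext-Password and accepts.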


Re: response_window and zombie_period problem

2009-06-25 Thread Ivan Kalik
 My response_window = 50 & zombie_period = 20. So, after 20 seconds, my
 radiusxx Freeradius must consider it dead, and then, I think that
 Freeradius
 can proxy the request until the response_window = 50 time is gone. Maybe I'm
 mistaken, so I would like to know if I'm in error.

You are mistaken. The server will be considered dead for requests *received*
after the zombie period. It doesn't apply to ongoing requests.

 When a home server does not respond to an Access-Request, the proxy
 process
 has failed and the default behavior is to reject the users
 Access-Request.
...
 You can lessen the impact of a dead server by using type=load-balance
 instead of fail-over for the home server pool.


 Why is lessen the impact using load-balance?

The idea is that only one will die at a time. Fewer requests go to the
dead server before it's marked dead - fewer rejects and retries.

 In 2.1.6 the server can be configured to not respond when it does not
 receive a response from a home server. This will cause the NAS to retry
 the
 request multiple times, which will eventually cause the proxy server to
 send
 the request to the alive home server. Let me know if you want to try
 this
 and I can send an example configuration.



 Yes, I want to try.

It's there already, you just need to use the policy. See do_not_respond in
policy.conf.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo

> > My response_window = 50 & zombie_period=20. So, after 20 seconds, my
> > radiusxx Freeradius must consider it dead, and then, I think that
> > Freeradius can proxy the request until the response_window = 50 time
> > has gone. Maybe I'm mistaken, so I would like to know if I'm in error.
>
> You are mistaken. Server will be considered dead for requests *received*
> after the zombie period. It doesn't apply to ongoing requests.

Ok, thanks

> > When a home server does not respond to an Access-Request, the proxy
> > process has failed and the default behavior is to reject the user's
> > Access-Request.
> ...
> > You can lessen the impact of a dead server by using type=load-balance
> > instead of fail-over for the home server pool.
> >
> > Why does using load-balance lessen the impact?
>
> The idea is that only one will die at a time. Fewer requests go to the
> dead server before it's marked dead - fewer rejects and retries.

Ok, thanks again.

> > In 2.1.6 the server can be configured to not respond when it does not
> > receive a response from a home server. This will cause the NAS to retry
> > the request multiple times, which will eventually cause the proxy server
> > to send the request to the alive home server. Let me know if you want to
> > try this and I can send an example configuration.
> >
> > Yes, I want to try.
>
> It's there already, you just need to use the policy. See do_not_respond in
> policy.conf.

Thank you very much Ivan.

> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problems with radmin

2009-06-25 Thread Sebastian Heil
Hello,

I tested some things with radmin and freeradius 2.1.6 on SLES 10 SP2.

I started the server, started radmin, and added the following debug condition:
debug condition '(User-Name == "test")'

and then sent an access-request with this username to the server. The server crashed
with the following error messages:

Thu Jun 25 13:50:26 2009 : Error: ASSERT FAILED event.c[596]: debug_flag != 0

Any idea, what this means or by what this could be caused?

Thanks.

Sebastian
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Issue when freeRadius is accessed using JRadius Client.

2009-06-25 Thread kpani

Hi,
I am using JRadius Client with freeRadius server for user authentication.
The following code is used to access freeRadius server:
--
AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
InetAddress addr = InetAddress.getByName(radiusServerAddress);
RadiusClient radiusClient = new RadiusClient(addr, secretKey);
AttributeList attributeList = new AttributeList();
attributeList.add(new Attr_UserName(userName));
attributeList.add(new Attr_NASPortType(Attr_NASPortType.Ethernet));
attributeList.add(new Attr_NASPort(new Long(1)));
AccessRequest request = new AccessRequest(radiusClient, attributeList);
request.addAttribute(new Attr_UserPassword(password));
RadiusPacket reply = radiusClient.authenticate(request, new PAPAuthenticator(), 0);
System.out.println("Received: " + reply.toString());


The server authenticates the user successfully but the response message is
printed as follows. So I couldn't read the response values. 
 Unknown-Attribute(6) = [Binary Data (length=4)]
 Unknown-Attribute(7) = [Binary Data (length=4)]

The /usr/local/etc/raddb/users configuration is as follows :
dave   Cleartext-Password := "public"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,

Please help me to resolve this issue. Am I missing anything?

Thanks in advance.

Regards,
Dhandapani

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Issue when freeRadius is accessed using JRadius Client.

2009-06-25 Thread Ivan Kalik
> I am using JRadius Client with freeRadius server for user authentication.
> The following code is used to access freeRadius server:
> --
> AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
> InetAddress addr = InetAddress.getByName(radiusServerAddress);
> RadiusClient radiusClient = new RadiusClient(addr, secretKey);
> AttributeList attributeList = new AttributeList();
> attributeList.add(new Attr_UserName(userName));
> attributeList.add(new Attr_NASPortType(Attr_NASPortType.Ethernet));
> attributeList.add(new Attr_NASPort(new Long(1)));
> AccessRequest request = new AccessRequest(radiusClient, attributeList);
> request.addAttribute(new Attr_UserPassword(password));
> RadiusPacket reply = radiusClient.authenticate(request, new PAPAuthenticator(), 0);
> System.out.println("Received: " + reply.toString());
>
> The server authenticates the user successfully but the response message is
> printed as follows. So I couldn't read the response values.
>  Unknown-Attribute(6) = [Binary Data (length=4)]
>  Unknown-Attribute(7) = [Binary Data (length=4)]
>
> The /usr/local/etc/raddb/users configuration is as follows :
> dave   Cleartext-Password := "public"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>
> Please help me to resolve this issue. Am I missing anything?

You have to decode the reply. Just like you encoded the request.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
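
The reply Dhandapani printed is not an error: attribute types 6 and 7 are Service-Type and Framed-Protocol from RFC 2865, each carried as a 4-byte integer, which matches the Service-Type = Framed-User and Framed-Protocol = PPP reply items in the users entry above. JRadius only labels them "Unknown" because the reply was not decoded against the dictionary. The C program below is an added example, not JRadius or FreeRADIUS code, showing what decoding the raw attribute bytes involves; the sample attribute bytes are constructed here from that users entry, and the struct and function names are this example's own.

```c
/* Added example (not JRadius or FreeRADIUS code): a minimal decoder for the
 * attribute section of a RADIUS reply. Attribute numbers and values follow
 * RFC 2865: Service-Type is type 6, Framed-Protocol is type 7, both 4-byte
 * big-endian integers; Framed-User = 2 and PPP = 1. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_ATTR_SERVICE_TYPE    6
#define RADIUS_ATTR_FRAMED_PROTOCOL 7
#define SERVICE_TYPE_FRAMED_USER    2
#define FRAMED_PROTOCOL_PPP         1

struct radius_attr {
    uint8_t        type;
    uint8_t        len;    /* total length including the 2-byte header */
    const uint8_t *value;
};

/* Walk the TLV list in [buf, buf+buflen). Returns the offset of the next
 * attribute, or -1 on malformed input. The length octet comes from the wire
 * and must be validated: below 2, or running past the buffer, is rejected. */
static int radius_next_attr(const uint8_t *buf, size_t buflen, size_t off,
                            struct radius_attr *out)
{
    if (off + 2 > buflen) return -1;
    out->type = buf[off];
    out->len  = buf[off + 1];
    if (out->len < 2 || off + out->len > buflen) return -1;
    out->value = buf + off + 2;
    return (int)(off + out->len);
}

/* Decode a 4-byte integer attribute; returns 0 if the length is wrong. */
static int radius_attr_u32(const struct radius_attr *a, uint32_t *v)
{
    if (a->len != 6) return 0;
    *v = ((uint32_t)a->value[0] << 24) | ((uint32_t)a->value[1] << 16) |
         ((uint32_t)a->value[2] << 8)  |  (uint32_t)a->value[3];
    return 1;
}

/* Decode the attributes the list post printed as unknown. Returns the number
 * of attributes parsed, or -1 if the data is malformed. service_type and
 * framed_protocol are set to 0 when the attribute is absent. */
int decode_reply_attrs(const uint8_t *buf, size_t buflen,
                       uint32_t *service_type, uint32_t *framed_protocol)
{
    struct radius_attr a;
    size_t off = 0;
    int count = 0;
    *service_type = 0;
    *framed_protocol = 0;
    while (off < buflen) {
        int next = radius_next_attr(buf, buflen, off, &a);
        uint32_t v;
        if (next < 0) return -1;
        if (a.type == RADIUS_ATTR_SERVICE_TYPE && radius_attr_u32(&a, &v))
            *service_type = v;
        else if (a.type == RADIUS_ATTR_FRAMED_PROTOCOL && radius_attr_u32(&a, &v))
            *framed_protocol = v;
        count++;
        off = (size_t)next;
    }
    return count;
}

/* Constructed sample: the attribute bytes an Access-Accept carries for the
 * users entry in the thread (Service-Type = Framed-User, Framed-Protocol = PPP). */
static const uint8_t sample_reply_attrs[] = {
    6, 6, 0, 0, 0, 2,   /* Service-Type(6), length 6, value 2 (Framed-User) */
    7, 6, 0, 0, 0, 1,   /* Framed-Protocol(7), length 6, value 1 (PPP) */
};

/* Constructed malformed sample: the second attribute claims length 6 but
 * only 3 bytes follow. A decoder that trusts the length octet would read
 * past the end of the buffer. */
static const uint8_t sample_bad_attrs[] = { 6, 6, 0, 0, 0, 2, 7, 6, 0 };

int main(void)
{
    uint32_t st, fp;
    int n = decode_reply_attrs(sample_reply_attrs, sizeof sample_reply_attrs, &st, &fp);
    printf("%d attributes: Service-Type=%u (%s), Framed-Protocol=%u (%s)\n", n,
           (unsigned)st, st == SERVICE_TYPE_FRAMED_USER ? "Framed-User" : "other",
           (unsigned)fp, fp == FRAMED_PROTOCOL_PPP ? "PPP" : "other");
    n = decode_reply_attrs(sample_bad_attrs, sizeof sample_bad_attrs, &st, &fp);
    printf("malformed sample -> %d\n", n);
    return 0;
}
```

The length checks in radius_next_attr are the part worth carrying over to any client: a decoder that trusts the length octet from the wire is the usual way a malformed reply becomes an out-of-bounds read, so the decoder refuses the whole attribute list rather than skipping the bad entry.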


Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell

On 25/6/09 12:01, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > I leave you guys alone for 5 minutes
>
> 8-)  as I said, there's probably a way of doing it

:P Granted, it was trickier than it first appeared. After a brief discussion with
Ivan, it looks like this should work (he pointed out the security hole with not
checking for a null old password)...

instantiate {
    sql_old
}

authorize {
    # Retrieves credentials
    sql_new
    # Sets auth-type mschap
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 2
        }
        if (reject) {
            # Could alternatively write the value of a custom attribute into Cleartext-Password
            # if both old and new passwords were returned in the call to sql* in authorize.
            update control {
                Cleartext-Password := %{sql_old:SELECT cleartext password query...}
            }
            # Stop users logging in with null password (if there's no 'old' password set)
            if (%{control:Cleartext-Password} == '') {
                reject
            }
            # Remove stale password hashes created on first call to rlm_mschap
            update control {
                NT-Password -= %{control:NT-Password}
                LM-Password -= %{control:LM-Password}
            }
            mschap
        }
    }

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread John Dennis
Alan often replies immediately with useful information, often for 
questions which are constantly repeated. I'm personally impressed with 
his tireless dedication, not only in being one of the primary help 
desk roles but also in developing the software, both of which you're 
getting for *free*. I think Alan (and some others) deserve a note of 
thanks from this community.


Folks, get real, this is open source. That means it's a community of 
volunteers. In open source if you think something is deficient your job 
is to step up to the plate and contribute for the betterment of 
everyone. But if instead you feel you need to complain and not 
contribute then please walk away.


John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Danner, Mearl


> -Original Message-
> From: freeradius-users-
> bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
> users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
> John Dennis
> Sent: Thursday, June 25, 2009 8:54 AM
> To: FreeRadius users mailing list
> Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
>
> Alan often replies immediately with useful information, often for
> questions which are constantly repeated. I'm personally impressed with
> his tireless dedication, not only in being one of the primary help
> desk roles but also in developing the software, both of which you're
> getting for *free*. I think Alan (and some others) deserve a note of
> thanks from this community.
>
> Folks, get real, this is open source. That means it's a community of
> volunteers. In open source if you think something is deficient your job
> is to step up to the plate and contribute for the betterment of
> everyone. But if instead you feel you need to complain and not
> contribute then please walk away.
>
> John
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



I agree wholeheartedly.

The documentation is more than adequate. Surprising how much you'll learn by 
reading it.

If you'd prefer Alan spend time answering already answered questions rather 
than refining/developing freeradius

Mearl

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell

On 25/6/09 14:53, Arran Cudbard-Bell wrote:
> On 25/6/09 12:01, a.l.m.bu...@lboro.ac.uk wrote:
> > Hi,
> >
> > > I leave you guys alone for 5 minutes
> >
> > 8-) as I said, there's probably a way of doing it

*sigh* the Coffee excuse doesn't work past lunch time does it... (missed out
some curly braces)

instantiate {
    sql_old
}

authorize {
    # Retrieves credentials
    sql_new
    # Sets auth-type mschap
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 2
        }
        if (reject) {
            # Could alternatively write the value of a custom attribute into Cleartext-Password
            # if both old and new passwords were returned in the call to sql* in authorize.
            update control {
                Cleartext-Password := %{sql_old:SELECT cleartext password query...}
            }
            # Stop users logging in with null password (if there's no 'old' password set)
            if (%{control:Cleartext-Password} == '') {
                reject
            }
            # Remove stale password hashes created on first call to rlm_mschap
            update control {
                NT-Password -= %{control:NT-Password}
                LM-Password -= %{control:LM-Password}
            }
            mschap
        }
    }
}

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to compile with custom modules in v1.1.7?

2009-06-25 Thread Eric Geier
I'm trying to include rlm_raw
(http://osdir.com/ml/freeradius.devel/2005-01/msg00027.html) in the
installation of FR 1.1.7, but it's never included at usr/lib/freeradius
after install. I've tried in Ubuntu and Debian. I'm not sure if it's a
general module/compiling problem or something with rlm_raw.

Here's what I do:
1. Copy rlm_raw to src/modules.
2. Add rlm_raw to stable file.
3. Add --enable-rlm_raw to the configure section in debian/rules.
4. Build using the Debian steps (http://wiki.freeradius.org/Build)

I haven't made any changes at all to the rlm_raw files; do I need to?
What else might I check?

The config.log file in the root shows no clues, at least from what I can
see. I'm not sure what other log files to check.

Thanks,
Eric


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Old password 'grace period'

2009-06-25 Thread John Kane
Thanks a lot, guys.  I am on vacation until Monday, but am very tempted
to login to work and give this a try..nah, it can wait until Monday
:).

Thanks again for your efforts.

John  

> -Original Message-
> From: freeradius-users-
> bounces+john.kane=prodeasystems@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+john.kane=prodeasystems@lists.freeradius.org] On Behalf Of
> Arran Cudbard-Bell
> Sent: Thursday, June 25, 2009 9:21 AM
> To: FreeRadius users mailing list
> Subject: Re: Old password 'grace period'
>
> On 25/6/09 14:53, Arran Cudbard-Bell wrote:
> > On 25/6/09 12:01, a.l.m.bu...@lboro.ac.uk wrote:
> > > Hi,
> > >
> > > > I leave you guys alone for 5 minutes
> > >
> > > 8-) as I said, there's probably a way of doing it
>
> *sigh* the Coffee excuse doesn't work past lunch time does it...
> (missed out some curly braces)
>
> instantiate {
>     sql_old
> }
>
> authorize {
>     # Retrieves credentials
>     sql_new
>     # Sets auth-type mschap
>     mschap
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap {
>             reject = 2
>         }
>         if (reject) {
>             # Could alternatively write the value of a custom attribute into Cleartext-Password
>             # if both old and new passwords were returned in the call to sql* in authorize.
>             update control {
>                 Cleartext-Password := %{sql_old:SELECT cleartext password query...}
>             }
>             # Stop users logging in with null password (if there's no 'old' password set)
>             if (%{control:Cleartext-Password} == '') {
>                 reject
>             }
>             # Remove stale password hashes created on first call to rlm_mschap
>             update control {
>                 NT-Password -= %{control:NT-Password}
>                 LM-Password -= %{control:LM-Password}
>             }
>             mschap
>         }
>     }
> }
>
> --
> Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-25 Thread Petar Marinkovic
First, thanks Alan for your help, I managed to make it work with AD. Now I
want to test EAP-TTLS with PAP to authenticate users in the domain. I saw
this link
http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html

So I added the following lines to the modules section of radiusd.conf

exec ntlm_auth_pap {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none

    program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
}

and I edited the /etc/freeradius/sites-available/default file and
/etc/freeradius/sites-enabled/default, section authenticate, to

Auth-Type PAP {
    ntlm_auth_pap
}

But when user tries to connect, I get following error:

[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = testuser
User-Password = testuserpass
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = testuser
User-Password = testuserpass
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
  SSL: Removing session
963d9312e7948dc613d384208137728dce44b3071923bb0c257aeaf9229a1a95 from
the cache

[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

If someone can help, that would be great. Thanks once again for your help
with my previous question folks, I really appreciate it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Openldap and FreeRadius2

2009-06-25 Thread Dave Rummel
If anyone needs help in getting their openldap to work with freeradius2
please reply back. I finally was able to figure it out and then used
unlang to authorize my groups and would like to share what I have learned.

Christopher Sheldon wrote:
> Does anyone else who subscribes to the list specifically read every
> email Alan sends just to chuckle at him berating the poor, confused
> people seeking help?
>
> It's like reality TV. ;-)
>
> Chris.
>
> Alan DeKok wrote:
> > jpablorp wrote:
> > > I replace eap.conf with the Default eap.conf file
> > >
> > > and this is my debug:
> >
> >   Where you have *deleted* the real cause of the error.
> >
> > > [peap]  Had sent TLV failure.  User was rejected earlier in this
> > > session.
> >
> >   Look EARLIER in the debug log for the failure.  It's really not hard.
> >  Look for words like reject, or fail, or error.
> >
> >   The messages will tell you what is wrong, and why.  All you need to do
> > is read them.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Openldap and FreeRadius2

2009-06-25 Thread Marinko Tarlac
Hi Dave... What do you think about the wiki? You can post your
experience there...

Best regards

Dave Rummel wrote:
> If anyone needs help in getting their openldap to work with
> freeradius2 please reply back. I finally was able to figure it out and
> then used unlang to authorize my groups and would like to share what I
> have learned.
>
> Christopher Sheldon wrote:
> > Does anyone else who subscribes to the list specifically read every
> > email Alan sends just to chuckle at him berating the poor, confused
> > people seeking help?
> >
> > It's like reality TV. ;-)
> >
> > Chris.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-25 Thread A . L . M . Buxey
Hi,

> exec ntlm_auth_pap {
>     wait = yes
>     input_pairs = request
>     shell_escape = yes
>     output = none
>
>     program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
>

I really do hope that you changed that bit to be the correct $PATH
for your ntlm_auth command

> and I edited /etc/freeradius/sites-available/default file and
> /etc/freeradius/sites-enabled/default, section authenticate to
>
> Auth-Type PAP
> {
> ntlm_auth_pap
> }

no. this is TTLS, so this is going to occur in the inner-tunnel
unless you've really cooked up your config in some weird way.
a default install will use the inner-tunnel sites-enabled file
- put your ntlm_auth_pap stuff into that file.

> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = testuser, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
>
> Failed to authenticate the user.
> } # server inner-tunnel

see. inner-tunnel. you aren't dealing with the user properly

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Openldap and FreeRadius2

2009-06-25 Thread Dave Rummel

Would like to make a request for an account to the wiki so I can add to it.

Dave Rummel wrote:
> If anyone needs help in getting their openldap to work with
> freeradius2 please reply back. I finally was able to figure it out and
> then used unlang to authorize my groups and would like to share what I
> have learned.
>
> Christopher Sheldon wrote:
> > Does anyone else who subscribes to the list specifically read every
> > email Alan sends just to chuckle at him berating the poor, confused
> > people seeking help?
> >
> > It's like reality TV. ;-)
> >
> > Chris.
> >
> > Alan DeKok wrote:
> > > jpablorp wrote:
> > > > I replace eap.conf with the Default eap.conf file
> > > >
> > > > and this is my debug:
> > >
> > >   Where you have *deleted* the real cause of the error.
> > >
> > > > [peap]  Had sent TLV failure.  User was rejected earlier in this
> > > > session.
> > >
> > >   Look EARLIER in the debug log for the failure.  It's really not hard.
> > >  Look for words like reject, or fail, or error.
> > >
> > >   The messages will tell you what is wrong, and why.  All you need
> > > to do is read them.
> > >
> > >   Alan DeKok.
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Disabling users

2009-06-25 Thread DAve

Alan DeKok wrote:
> DAve wrote:
> > I have read through the docs, looked into Session-Timeout and SQL
> > counters, but I do not see how to force a client to re-authenticate.
> > What am I missing? What config information do I need to provide? What
> > information/manual/how to have I missed?
>
>   http://freeradius.org/rfc/attributes.html.  Click on Session-Timeout.
>
>   If you set Session-Timeout to 86400, the NAS *should* drop the
> connection after one day.  This will force them to re-authenticate.

Oddly I have that set for our dialup users but I am being told that
after changing the password they are staying logged in for over 48
hours. I may need to take this up with Megapop, it is their NAS.


DAve

--
Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it. John Quincy Adams

http://appleseedinfo.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Disabling users

2009-06-25 Thread DAve

Marinko Tarlac wrote:
> You can use expiration attribute or you can disconnect user with PoD.
> http://wiki.freeradius.org/Packet_of_Disconnect

Expiration Attribute? I've not seen that in any docs. The POD is useful,
I think I can provide a cronjob to query the DB once a day and terminate
users as needed. Thank you!

DAve

> DAve wrote:
> > Good afternoon all,
> >
> > We recently retired our old ICRadius servers and installed FreeRadius.
> > We run two radius servers with a third server acting as master for the
> > radius data and as the accounting server. All is working well.
> >
> > Billing has approached me with an issue where they need to disable a
> > user for lack of payment. Previously we simply changed their password
> > through our management system and they were then unable to reconnect.
> > Client calls, pays, we enable them again.
> >
> > Currently we are noticing that because of DSL, and the fact we no
> > longer impose any limits on dialup, it may take weeks before a client
> > is disconnected and finds their password has changed.
> >
> > I have read through the docs, looked into Session-Timeout and SQL
> > counters, but I do not see how to force a client to re-authenticate.
> > What am I missing? What config information do I need to provide? What
> > information/manual/how to have I missed?
> >
> > Thanks,
> >
> > DAve
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html






--
Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it. John Quincy Adams

http://appleseedinfo.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with radmin

2009-06-25 Thread Alan DeKok
Sebastian Heil wrote:
> I started the server, started radmin, and added the following debug condition:
> debug condition '(User-Name == "test")'
>
> and then sent an access-request with this username to the server. The server
> crashed with the following error messages:
>
> Thu Jun 25 13:50:26 2009 : Error: ASSERT FAILED event.c[596]: debug_flag != 0
>
> Any idea, what this means or by what this could be caused?

  The assertion is wrong.  Delete it.

  I'll make sure it's not in 2.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Unlang authentication help

2009-06-25 Thread Scott Angus
hello,
  I'm trying to use unlang to limit LDAP users' access to different network
devices. Here is what I have so far in the site-enable/default:

Auth-Type LDAP {
    ldap

    if (NAS-IP-Address == 10.1.1.1 && LDAP-Group == 'RouterAdmin') {
        ok
    }
    else {
        reject
    }
}

Right now that works if your LDAP radiusGroupName = RouterAdmin and you are
trying to connect to 10.1.1.1, but I would like to add NAS-IP-Addresses and
associate them with a radiusGroupName. This is where I'm having trouble. It
would be nice if I could just reference a file for the IPs like:

RouterAdminList = /usr/local/etc/raddbd/devices/RouterAdmin

if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') {

And have multiple lines:

if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') OR
if (NAS-IP-Address == %{SwitchAdminList} && LDAP-Group == 'SwitchAdmin') OR
if (NAS-IP-Address == %{WifiAdminList} && LDAP-Group == 'WifiAdmin') {
    ok
}
else {
    reject
}
}

How would I do that? And how would I list the IP addresses in the files?


Thanks for your help,

Scott
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

SQL fet_row: error handling

2009-06-25 Thread leopold

I noticed an unwanted behavior in rlm_sql.c.
In a while loop that fetches rows the return code of rlm_sql_fetch_row is
not checked properly.
If rlm_sql_fetch_row returns -1, then sql_get_grouplist should also fail,
but it returns 0 instead, and in this case the rlm_sql module returns notfound
instead of failed.

Original code:
int num_groups = 0;
..
while (rlm_sql_fetch_row(sqlsocket, inst) == 0) {
    ...
}
(inst->module->sql_finish_select_query)(sqlsocket, inst->config);

return num_groups;

It would be nice if you could do something like
while ((ret = rlm_sql_fetch_row(sqlsocket, inst)) == 0) {
    ..
}
if (ret < 0)
{
    /* sql fetch failed */
    num_groups = -1;
}
(inst->module->sql_finish_select_query)(sqlsocket, inst->config);

return num_groups;


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
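
To make the difference between the two loop shapes concrete, here is an added stand-alone C model of the pattern in leopold's post; it is not FreeRADIUS code. A scripted fake socket (fake_sqlsocket, fake_fetch_row and the other names are invented for this example) stands in for rlm_sql_fetch_row using the convention the loop above relies on: 0 means a row was fetched (row is NULL once the results are exhausted) and -1 means the fetch failed. The security-relevant point is that the original shape turns a failed fetch into a zero or partial group count, which any downstream group-based authorization reads as "user is in no (or fewer) groups" rather than "the lookup failed".

```c
/* Added example, not FreeRADIUS code: a model of the sql_get_grouplist()
 * row-fetch loop with a scripted stand-in for rlm_sql_fetch_row().
 * Convention modelled: 0 = row fetched (row == NULL means end of results),
 * -1 = the fetch failed (e.g. the database connection dropped mid-query). */
#include <stddef.h>
#include <stdio.h>

#define SQL_FETCH_ERROR (-1)

/* One scripted step of a result set: a group name, or NULL for "end",
 * with a flag that makes the fetch fail at that step. */
struct fake_step { const char *group; int fail; };

struct fake_sqlsocket {
    const struct fake_step *steps;
    size_t                  nsteps;
    size_t                  pos;
    const char             *row;    /* mirrors sqlsocket->row */
};

static int fake_fetch_row(struct fake_sqlsocket *s)
{
    if (s->pos >= s->nsteps) { s->row = NULL; return 0; }   /* no more rows */
    const struct fake_step *st = &s->steps[s->pos++];
    if (st->fail) { s->row = NULL; return SQL_FETCH_ERROR; }
    s->row = st->group;
    return 0;
}

/* Original shape: any non-zero return just ends the loop, so a failure is
 * indistinguishable from "no groups" (or from a truncated group list). */
int get_grouplist_original(struct fake_sqlsocket *s)
{
    int num_groups = 0;
    while (fake_fetch_row(s) == 0) {
        if (s->row == NULL) break;
        num_groups++;
    }
    return num_groups;
}

/* Proposed shape: keep the return code and report -1 on a failed fetch so
 * the module can return "fail" instead of "notfound". */
int get_grouplist_checked(struct fake_sqlsocket *s)
{
    int num_groups = 0;
    int ret;
    while ((ret = fake_fetch_row(s)) == 0) {
        if (s->row == NULL) break;
        num_groups++;
    }
    if (ret < 0) {
        /* sql fetch failed: must not look like an empty or partial list */
        num_groups = -1;
    }
    return num_groups;
}

/* Constructed scenarios: a clean two-group result, and a result whose
 * second fetch fails after one group was already returned. */
static const struct fake_step ok_steps[]  = { {"RouterAdmin", 0}, {"WifiAdmin", 0} };
static const struct fake_step err_steps[] = { {"RouterAdmin", 0}, {NULL, 1} };

/* Run one scenario through either loop shape and return its group count. */
int run_scenario(int checked, const struct fake_step *steps, size_t nsteps)
{
    struct fake_sqlsocket s = { steps, nsteps, 0, NULL };
    return checked ? get_grouplist_checked(&s) : get_grouplist_original(&s);
}

int main(void)
{
    size_t n_ok = sizeof ok_steps / sizeof ok_steps[0];
    size_t n_err = sizeof err_steps / sizeof err_steps[0];
    printf("clean result:  original=%d checked=%d\n",
           run_scenario(0, ok_steps, n_ok), run_scenario(1, ok_steps, n_ok));
    printf("failed fetch:  original=%d checked=%d\n",
           run_scenario(0, err_steps, n_err), run_scenario(1, err_steps, n_err));
    return 0;
}
```

With the failing scenario the original loop reports one group, so a policy that grants or denies on group membership would decide on a partial list without any error being logged; the checked loop reports -1 and lets the caller fail the request closed.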


Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-25 Thread Ivan Kalik
> First, thanks Alan for your help, I managed to make it work with AD. Now I
> want to try to test to make EAP-TTLS with PAP to authenticate users in
> domain. I saw this link
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
>
> So I added following lines to modules section of radiusd.conf
>
> exec ntlm_auth_pap {
>     wait = yes
>     input_pairs = request
>     shell_escape = yes
>     output = none
>
>     program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
> }
>
> and I edited /etc/freeradius/sites-available/default file and
> /etc/freeradius/sites-enabled/default, section authenticate to
>
> Auth-Type PAP
> {
> ntlm_auth_pap
> }

Don't do that. One - it's the wrong virtual server and two - it's not going
to work. Use the same technique as in the guide for pap requests. List
ntlm_auth_pap in the authenticate section of the inner-tunnel virtual server (look
at the ttls section of eap.conf and you will see where inner tunnel
requests will end up). Forcing Auth-Type in the users file might break a few things,
so add this to the authenticate section of the inner-tunnel virtual server *after*
pap instead:

if (!control:Auth-Type) {
    update control {
        Auth-Type = ntlm_auth_pap
    }
}

That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
password is nowhere to be found.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unlang authentication help

2009-06-25 Thread Ivan Kalik
>   I'm trying to use unlang to limit LDAP users' access to different
> network devices. Here is what I have so far in the site-enable/default:
>
> Auth-Type LDAP {
>     ldap
>
>     if (NAS-IP-Address == 10.1.1.1 && LDAP-Group == 'RouterAdmin') {
>         ok
>     }
>     else {
>         reject
>     }
> }
>
> Right now that works if your LDAP radiusGroupName = RouterAdmin and you
> are trying to connect to 10.1.1.1, but I would like to add NAS-IP-Addresses
> and associate them with a radiusGroupName. This is where I'm having trouble.
> It would be nice if I could just reference a file for the IPs like:
>
> RouterAdminList = /usr/local/etc/raddbd/devices/RouterAdmin
>
> if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') {
>
> And have multiple lines:
>
> if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') OR
> if (NAS-IP-Address == %{SwitchAdminList} && LDAP-Group == 'SwitchAdmin') OR
> if (NAS-IP-Address == %{WifiAdminList} && LDAP-Group == 'WifiAdmin') {
>     ok
> }
> else {
>     reject
> }
> }
>
> How would I do that? And how would I list the IP addresses in the files?

Use huntgroups (raddb/huntgroups).

if (Huntgroup-Name == routers && Ldap-Group == RouterAdmin) {
    ok
}
else {
    reject
}

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


attrs filtering - regex pattern matching

2009-06-25 Thread Francisco
I'd like our radius proxy server to allow an A/V pair, but, cannot find any
examples where I can apply any regex type rules to allow a range of values.

For example, I received the following from a remote radius server :

Cisco-AVPair = vpdn:ip-addresses=10.10.1.4

and would want to (using attrs) allow anything that matches:

Cisco-AVPair = vpdn:ip-addresses=.*
Where .* would be anything following the =


How might I allow this using attrs?

I'm running freeradius 1.0.5
I can't upgrade to 2.x yet, so I'm looking for suggestions/feedback for 1.x




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html