Re: howto pstack running freeradius process

2009-07-27 Thread George Chelidze
On Fri, 2009-07-24 at 09:15 -0400, John Dennis wrote:
 On 07/24/2009 04:27 AM, George Chelidze wrote:
  On Fri, 2009-07-24 at 08:08 +0200, Alan DeKok wrote:
  George Chelidze wrote:
  I didn't say it's an issue with freeradius.
 If it's not a FreeRADIUS issue, then the question doesn't belong on
  the list.
 
  I have just realized that this question should have been posted to the
  freeradius-devel list. Sorry for the mistake.
 
 You're asking us to support (for free) a module you wrote, and/or an
  OS that someone else wrote.
 
 Why?
 
  What kind of answer would you like to get? I am afraid I missed
  something while building freeradius the way I did, so I asked what I
  asked. If I knew that I had built freeradius with enough parameters to
  get the stack trace and I can't get it because I have some other OS
  related problem, I would never have asked this question on this list. I
  still do not know it, so if someone can give me a hint, I'll be thankful.
 
 I have to agree with Alan, this is not a FreeRADIUS issue. It is clearly
 an OS and software development environment issue. You haven't even
 stated what OS and architecture it is and your description of the
 error is vague at best.

No, it's not a FreeRADIUS issue, it's an issue with my custom module.
Let me say it again - I posted to the wrong list, sorry.

 The man page for ptrace states it has architecture specific limitations.
 You built a local copy using your own toolchain and installed it in a
 non-standard location, the ball is in your court.

My original question was about pstack not ptrace. If you mean pstack and
__pthread_threads_debug stuff, I checked it before posting to this
list.

 Here is a hint which is appropriate for Linux. I assume the process is
 aborting

No, it's not, however your hints are useful. Thank you.

Best Regards,

George


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: get attributes from multiple AD domains

2009-07-27 Thread Luis Azevedo

Hi,

You need to contact the AD at the Global Catalog port 3268, otherwise
it will return results only for the current AD. Also ensure your AD is
a Global Catalog and the Replication connections are working fine.


Hope it helps,

Luis Azevedo
http://www.braceta.com



On Jul 27, 2009, at 03:27 , John wrote:


I followed this link to set up freeRADIUS to talk to AD,
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

It works and can get the VLAN attribute from AD through the LDAP module
(ldap_search).
But we need to support 2 AD domains. NTLM_auth can work in multiple
domains. But we can not get attributes from multiple domains. Can anyone
give me some advice?


Thanks.
John.


Re: Multiple AD's and domains?

2009-07-27 Thread Luis Azevedo

On Jul 22, 2009, at 02:22 , Alan DeKok wrote:


 However... they all need to be part of the same AD forest / whatever.
 You CANNOT authenticate to two completely independent AD systems. This
 is a fundamental limitation of AD.



Hi,

Well, they don't need to be part of the same forest if you create
simple trusts between the multiple AD's.
But if you have a Forest, this means you will have Transitive Trusts
between the domains. Therefore you can authenticate in every domain
(via ntlm_auth).


Just to emphasize the key requisite is Trusts between domains/forests
and not that they need to be in the same forest.


Cheers,

Luis Azevedo
http://www.braceta.com


Radius client configuration issue

2009-07-27 Thread mer...@gmail.com

I want to use PAM for user authentication.

I am trying to set up a radius client but am unable to configure it. The
Radius client's setup is at Solaris and the Radius Server (RKS emulator) is
at a Linux machine.

Can anyone tell the procedure to configure the radius client so that it can
communicate with the Radius server? Is there any script required for that or
are all the commands needed to configure it in some config file?

Also, how to login with the radius client to check the authentication.

Thanks in Advance. 


Re: Radius client configuration issue

2009-07-27 Thread Ivan Kalik
 I want to use PAM for user authentication.

 I am trying to set up a radius client but am unable to configure it. The
 Radius client's setup is at Solaris and the Radius Server (RKS emulator) is
 at a Linux machine.

 Can anyone tell the procedure to configure the radius client so that it can
 communicate with the Radius server? Is there any script required for that or
 are all the commands needed to configure it in some config file?

 Also, how to login with the radius client to check the authentication.

http://freeradius.org/pam_radius_auth/

Ivan Kalik
Kalik Informatika ISP



Re: LDAP and attributes from user file.

2009-07-27 Thread Ivan Kalik
 The issue I have now is that the attributes I set in the users file:

 DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == cn=WirelessAllowed,o=integrity
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 10

 are not included in the Access-Accept when using radtest or
 an XP workstation using the Novell 802.1x client.
 Below is the debug:

 rad_recv: Access-Request packet from host 10.1.0.24 port 32888, id=30,
 length=59
  User-Name = testuser
  User-Password = password
  NAS-IP-Address = 10.1.0.24
  NAS-Port = 0
...
 ++[files] returns noop
...

 However when I use an XP client and no Novell client or ntradping I see
 the attributes and I am assigned the correct VLAN
 Here is the debug below:


 rad_recv: Access-Request packet from host 10.1.0.5 port 1541, id=6,
 length=48
  User-Name = testuser
  CHAP-Password = 0xa734db980a0367669cce38acbf8badf1bc
...
 [files] users: Matched entry DEFAULT at line 4
 ++[files] returns ok
...

It looks like there is no huntgroup match in the first request.

Ivan Kalik
Kalik Informatika ISP

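As an added illustration of Ivan's point (example code written for this page, not taken from the thread or from FreeRADIUS itself): a small Python simulation of how the preprocess module assigns Huntgroup-Name from the huntgroups file and how the files module then evaluates the DEFAULT entry. It assumes a constructed huntgroups file that puts only NAS 10.1.0.5 in WirelessGear, and a constructed stand-in for the Ldap-Group lookup that rlm_ldap would normally perform.

```python
# Added example, not code from the thread or from FreeRADIUS: simulates the
# preprocess (huntgroups) + files (users) evaluation behind Ivan's diagnosis.

# Constructed huntgroups file: huntgroup name -> check items that the NAS
# attributes of the request must all satisfy. Assumption: only 10.1.0.5 is
# a WirelessGear NAS; 10.1.0.24 is deliberately left out.
HUNTGROUPS = {
    "WirelessGear": [("NAS-IP-Address", "10.1.0.5")],
}

# The DEFAULT users entry quoted above: check items, then reply items.
USERS_DEFAULT_CHECK = [
    ("Huntgroup-Name", "WirelessGear"),
    ("Ldap-Group", "cn=WirelessAllowed,o=integrity"),
]
USERS_DEFAULT_REPLY = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "10",
}

# Constructed stand-in for the rlm_ldap group-membership lookup.
LDAP_GROUPS = {"testuser": {"cn=WirelessAllowed,o=integrity"}}

def huntgroup_names(request):
    """preprocess: a request is in every huntgroup whose check items all match."""
    return [name for name, checks in HUNTGROUPS.items()
            if all(request.get(attr) == value for attr, value in checks)]

def check_item_matches(request, attr, value):
    """Evaluate one '==' check item the way the files/ldap modules would."""
    if attr == "Huntgroup-Name":
        return value in huntgroup_names(request)
    if attr == "Ldap-Group":
        return value in LDAP_GROUPS.get(request.get("User-Name"), set())
    return request.get(attr) == value

def files_module(request):
    """Return ('ok', reply) when DEFAULT matches, else ('noop', {}), mirroring
    the '++[files] returns ok' / 'returns noop' lines in the debug output."""
    if all(check_item_matches(request, a, v) for a, v in USERS_DEFAULT_CHECK):
        return "ok", dict(USERS_DEFAULT_REPLY)
    return "noop", {}

# The two Access-Requests from the post, reduced to the attributes used here.
REQ_NOVELL = {"User-Name": "testuser", "NAS-IP-Address": "10.1.0.24", "NAS-Port": "0"}
REQ_XP = {"User-Name": "testuser", "NAS-IP-Address": "10.1.0.5"}

if __name__ == "__main__":
    for req in (REQ_NOVELL, REQ_XP):
        rc, reply = files_module(req)
        print(f"NAS {req['NAS-IP-Address']}: ++[files] returns {rc} {reply}")
```

The request from 10.1.0.24 yields noop because no huntgroup claims that NAS, so the VLAN reply items are never added; the request from 10.1.0.5 matches and gets the tunnel attributes.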


Re: rlm_perl problems]

2009-07-27 Thread Boian Jordanov


On Jul 26, 2009, at 12:59 AM, si...@blic.net si...@blic.net wrote:


Igor wrote:


I have tried 2.1.7 and got the same error. I will try to compile it with
--enable-developer and see if I can find out anything from gdb output.
I really don't know why this would happen because exactly the same
setup worked on older releases. All I did was to compile the new version (2.1.6)
and then copy the old raddb dir.


I am not sure why I got so many "no debugging symbols found" but I did per
doc/bugs instructions.
This is gdb output:


Try attached patch.



rlm_perl.diff.gz
Description: GNU Zip compressed data



Best Regards,
Boian Jordanov
RD Expert
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002






RE: rlm_perl problems]

2009-07-27 Thread Garber, Neal
Boian,

SUCCESS!  Thank you, thank you, thank you!  I applied the patch to my test 
2.1.6 system and it eliminated the Seg Fault and all of the strange behaviour.  
My perl scripts now function as they do in Production.  I am extremely grateful 
for the time you spent debugging this issue and creating a patch in such a 
timely manner.

I hope Igor experiences a similar euphoria..

Thanks again..

-Original Message-
From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
 On Behalf Of Boian Jordanov
Sent: Monday, July 27, 2009 10:09 AM
To: si...@blic.net; FreeRadius users mailing list
Cc: Boian Jordanov
Subject: Re: rlm_perl problems]


On Jul 26, 2009, at 12:59 AM, si...@blic.net si...@blic.net wrote:

 Igor wrote:

 I have tried 2.1.7 and got the same error. I will try to compile it with
 --enable-developer and see if I can find out anything from gdb output.
 I really don't know why this would happen because exactly the same
 setup worked on older releases. All I did was to compile the new version (2.1.6)
 and then copy the old raddb dir.

 I am not sure why I got so many "no debugging symbols found" but I did per
 doc/bugs instructions.
 This is gdb output:

Try attached patch.




wrt54g+freeradius+mysql

2009-07-27 Thread Gustavo Marcello

Hello everyone.
My name is Gustavo, and I'm from Argentina.

I need to deploy a wireless network with WRT54G routers. I need to check
users and passwords against a freeradius server, and the latter with a
mysql database.

My idea is then to implement an LDAP, but I decided to try to start mysql.

I am a newbie in this topic.
Let me know if you can recommend any tutorial.

Thank you very much!


Re: wrt54g+freeradius+mysql

2009-07-27 Thread Ivan Kalik
 I need to deploy a wireless network with WRT54G routers. I need to check
 users and passwords against a freeradius server, and the latter with a
 mysql database.

 My idea is then to implement an LDAP, but I decided to try to start mysql.

 I am a newbie in this topic.
 Let me know if you can recommend any tutorial.

http://wiki.freeradius.org/SQL_HOWTO

Ivan Kalik
Kalik Informatika ISP



Error: rlm_eap: Failed to store handler

2009-07-27 Thread Rokkhan
Hi, I'm new to the freeradius world but very curious. Sorry, but my
English is not very good.
I have a working Freeradius 1.0.5 server since year 2005 and I want to
improve it, migrating to a Freeradius 2.1.1-6 version, the latest version
I have found for my Sles10 Sp2 server.
This server is allowed to authenticate users by EAP-PEAP Mschapv2 and
EAP-LEAP against Files and Ldap. In the new server I moved all users in
the users file to a mysql server. All users in mysql are stored with
Cleartext-Password.

When I run the server in debug mode for doing tests the server works
without problems, and validates users using both types of EAP and
both Authorization types (Ldap and Mysql).
But when I run it as a daemon and I introduce it in production validating
about 2000 users, freeradius 2.1.1-6 crashes in a few minutes and
shows this error: Error: rlm_eap: Failed to store handler.

I have only one server called default on sites-enabled configured like
this. (The accounting is configured in another virtual server and
works fine.)

- Default Server -

listen {
    ipaddr = *
    port = 1832
    type = auth
}

authorize {
    preprocess
    eap {
        ok = return
    }
    sql
    ldap
}

#  Authentication
authenticate {

    Auth-Type MS-CHAP {
        mschap
    }

    #   Allow EAP authentication.
    eap
}

session {

    sql
}

#  Post-Authentication
post-auth {

    Post-Auth-Type REJECT {
        attr_filter.access_reject
        sql
    }
}

pre-proxy {

}

post-proxy {
    eap
}



And Eap.conf is configured like this:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 300

    # Cisco LEAP
    leap {
    }

    ## EAP-TLS
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        private_key_password = secret
        private_key_file = ${certdir}/cert-srv.pem
        certificate_file = ${certdir}/cert-srv.pem

        CA_file = ${cadir}/cacert.pem

        dh_file = ${certdir}/dh
        random_file = ${certdir}/random

        fragment_size = 1024

        include_length = yes
        cipher_list = DEFAULT

        make_cert_command = ${certdir}/bootstrap

        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }

    peap {
        default_eap_type = mschapv2

        copy_request_to_tunnel = yes
        use_tunneled_reply = yes

        proxy_tunneled_request_as_eap = no
    }

    mschapv2 {
    }
}



The debug log shows this.

rad_recv: Access-Request packet from host 10.50.31.201 port 1645,
id=48, length=120
User-Name = 25
Framed-MTU = 1400
Called-Station-Id = 000d.ed77.db21
Calling-Station-Id = 000b.6b1e.7177
Message-Authenticator = 0xf1247640d8918729e0c58f0f88dc5a8a
EAP-Message = 0x02010007013235
NAS-Port-Type = Virtual
NAS-Port = 358
NAS-IP-Address = 10.50.31.201
NAS-Identifier = sar76010001
Mon Jul 27 17:16:25 2009 : Info: +- entering group authorize {...}
Mon Jul 27 17:16:25 2009 : Info: ++[preprocess] returns ok
Mon Jul 27 17:16:25 2009 : Info: [eap] EAP packet type response id 1 length 7
Mon Jul 27 17:16:25 2009 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Mon Jul 27 17:16:25 2009 : Info: ++[eap] returns updated
Mon Jul 27 17:16:25 2009 : Info: [sql]  expand: %{User-Name} - 25
Mon Jul 27 17:16:25 2009 : Info: [sql] sql_set_user escaped user -- '25'
Mon Jul 27 17:16:25 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 6
Mon Jul 27 17:16:25 2009 : Info: [sql]  expand: SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username
= '%{SQL-User-Name}'   ORDER BY id - SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username
= '25'   ORDER BY id
Mon Jul 27 17:16:25 2009 : Info: [sql]  expand: SELECT groupname
FROM radusergroup   WHERE username = '%{SQL-User-Name}'
   ORDER BY priority - SELECT groupname   FROM
radusergroup   WHERE username = '25'   ORDER BY
priority
Mon Jul 27 17:16:25 2009 : Debug: rlm_sql (sql): Released sql socket id: 6
Mon Jul 27 17:16:25 2009 : Info: 

RE: Error: rlm_eap: Failed to store handler

2009-07-27 Thread Garber, Neal
freeradius 2.1.1-6 crashes in a few minutes and
shows this error Error: rlm_eap: Failed to store handler.

There is documentation that describes what to do if FreeRadius crashes.  Look 
in the file doc/bugs in the distribution and it gives specific instructions for 
using gdb to produce information about the crash.  Also, is 2.1.1-6 really 
the version printed by the radiusd -v command?



Re: Error: rlm_eap: Failed to store handler

2009-07-27 Thread Rokkhan
Sorry, but maybe I have not explained my problem very well, freeradius
doesn't fall down; when I say that it crashes I mean that it doesn't
validate more users, I get some "login incorrect" that should be correct
if the server were working fine. The server still receives some access-requests
and processes them but sends access-rejects instead of access-accepts
because of this error. Some access requests are well processed. I will
take a look at the doc you tell me.
Yes, the version of Freeradius I installed is 2.1.1-6 and the log is
shown when I run radiusd -XXX
I have installed from the rpm of this page
http://download.opensuse.org/repositories/network:/aaa/SLE_10_SP2/i586/
Thanks!

2009/7/27 Garber, Neal neal.gar...@energyeast.com
freeradius 2.1.1-6 crashes in a few minutes and
shows this error Error: rlm_eap: Failed to store handler.

 There is documentation that describes what to do if FreeRadius crashes.  Look 
 in the file doc/bugs in the distribution and it gives specific instructions 
 for using gdb to produce information about the crash.  Also, is 2.1.1-6 
 really the version printed by the radiusd -v command?



mschap auth for multiple realms off different domain ctlrs?

2009-07-27 Thread Ross Wheeler


I've inherited a system which now needs to be changed and I can't seem to make it do
it! I'm sure it can, but I'm just not familiar enough with FreeRadius to know
how to coax it into doing what I need.


It's a fairly old system, FreeRADIUS Version 1.1.3

Remote users connect to the host using the windows VPN client, hence MS-CHAPv2; the
call terminates on mpd running on freebsd, which authenticates using freeradius on
the same host. That all works.


Problem is, the client has been like the borg and assimilated another company 
and needs to support their roaming users too.


so now users log in as user and the request is done via an ntlm request to
their primary domain controller 10.1.1.1 in realm company1.local

This is configured in krb5.conf as far as I can determine.

FreeRadius also looks for a specific group membership with 
--require-membership-of=company1-vpn-users



I now need to support (additionally) another set of users logging in as
otheruser who will need to specify their realm as company2

I can get freeradius to see  otheru...@company2.local   and it splits the 
username and realm out (as seen with radiusd -X) but what I can't figure out is 
how to tell it to still use the local auth but to know that it now has to use 
company2.local for its realm, to ask 10.1.1.3 instead of 10.1.1.1, and to 
look for group membership of company2-vpn-users.


I thought I could perhaps use a variable and set that within a specific realm{} 
definition during auth, but I can't see how to define/use variables other than 
attributes offered or returned.


I have used

ntlm_auth --request-nt-key --username=user --password=xxx
--domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS

ntlm_auth --request-nt-key --username=otheruser --password=xxx
--domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS

and I get the right answers, so looks like the settings in my krb5.conf are 
working, but I just can't see how to get freeradius to make the request this 
way.


(Yes, I know the correct request will use --challenge= and --nt-response= but 
I'm assuming if I can get the rest of the request right, it'll just work)


Any help please? I've googled and tried more things than I can document here 
without driving you nuts!


RossW