Re: Free radius installation

2010-01-25 Thread Alan Buxey
Hi,

  not really - did you read what I wrote?  How can you do a state check
  on what is a stateless protocol?
 
 I think you can still do state checks for UDP:

there are ways and means - sure - but in the first throes of
getting some test traffic to the daemon, surely the easiest thing
is to just allow UDP port 1812 and 1813 traffic and THEN start learning
what firewall flags work with the traffic.

alternatively, SELinux is getting in the way (if it's enabled)

'sestatus'

or

'getenforce'

and try setting it to permissive - just for testing! - 

'setenforce 0'


if that's the case, then put the enforcing back and then check the secure/audit
logs to see what/why/how it's failing and put the right SELinux rules into
place to deal with the requirements of the daemon.  Plenty of online resources
deal with SELinux and how to configure/check it.

alan
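Alan's advice (put enforcing back, read the secure/audit logs, then add the SELinux rules the daemon needs) is easiest to act on when the denials are summarized per permission, object class and target type rather than read line by line. The following is an added example, not code from the thread or from FreeRADIUS: it parses AVC records in the standard audit.log layout for a given process name and counts the denials. The log excerpt is constructed for illustration; the port, inode and context labels in it are invented.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the thread). The record layout
# follows the standard SELinux AVC format; pids, ports, inodes and labels are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1264410000.101:201): avc:  denied  { name_bind } for  pid=2231 comm="radiusd" src=18120 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1264410000.101:201): arch=40000003 syscall=102 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1264410000.102:202): avc:  denied  { read } for  pid=2231 comm="radiusd" name="users" dev=dm-0 ino=4711 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1264410000.103:203): avc:  granted  { read } for  pid=2231 comm="radiusd" name="radiusd.conf" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=file
type=AVC msg=audit(1264410000.104:204): avc:  denied  { name_bind } for  pid=2231 comm="radiusd" src=18120 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1264410000.105:205): avc:  denied  { write } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# "type=AVC ... avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record = {"verdict": m.group("verdict"),
              "perms": tuple(m.group("perms").split())}
    for key, value in FIELD_RE.findall(m.group("fields")):
        record[key] = value.strip('"')
    return record


def denials_for(log_text, comm):
    """All denied AVC records whose comm= field names the given process."""
    return [
        r for r in (parse_avc(line) for line in log_text.splitlines())
        if r is not None and r["verdict"] == "denied" and r.get("comm") == comm
    ]


def context_type(context):
    """The type field (third colon-separated part) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(records):
    """Count denials by (permissions, object class, target type)."""
    counts = Counter()
    for r in records:
        key = (" ".join(r["perms"]), r.get("tclass", "?"),
               context_type(r.get("tcontext", "")))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (perms, tclass, ttype), n in summarize(denials_for(SAMPLE_AUDIT_LOG, "radiusd")).items():
        print(f"{n:3d}  {perms:<12} {tclass:<12} on {ttype}")
```

In the constructed sample the summary shows two distinct causes for radiusd: binding a port that carries no radius label, and reading a users file that still carries the label of the home directory it was copied from. Each line of the summary maps to one fix (relabel the port or the file, or write a policy rule), which is the "right SELinux rules" step Alan describes.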
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Free radius installation

2010-01-25 Thread José Campos
Hello,
OK, after the radius -X command nmap shows me that the radius ports are open.
...
[r...@localhost ~]# nmap -v -sU localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-25 09:36 WET
NSE: Loaded 0 scripts for scanning.
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Initiating UDP Scan at 09:36
Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports)
Host localhost (127.0.0.1) is up (0.090s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT STATE SERVICE
111/udp  open|filtered rpcbind
1812/udp open|filtered radius
1813/udp open|filtered radacct
5353/udp open|filtered zeroconf

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
   Raw packets sent: 1004 (28.112KB) | Rcvd: 996 (55.776KB)
[r...@localhost ~]#
...


I've changed the iptables rules as you mentioned, but with no better
results. Even with the firewall turned off, I still don't get any response from
the server, as you can see here (info from two consoles):

...(console#1)
...
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
...

... (console#2)
[r...@localhost ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 42 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 42 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 42 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
radclient: no response from server for ID 42 socket 3
[r...@localhost ~]#
...

 Regards,

 José Campos

-Original Message-
From: freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org]
On behalf of Alan Buxey
Sent: Sunday, 24 January 2010 21:22
To: FreeRadius users mailing list
Subject: Re: Free radius installation

Hi,
 I did use nmap like below:
 
 [r...@localhost raddb]# nmap -v -O localhost

nmap -v -sU localhost

that's a UDP scan
 
 As I understood it, is everything all right with iptables?

not really - did you read what I wrote?  How can you do a state check
on what is a stateless protocol? 

 -p udp --dport 1812 -j ACCEPT
 -p udp --dport 1813 -j ACCEPT

would be more suitable

 Can I debug somehow with more details the radtest command suggested in the
 freeradius tutorial

get past the basics first - you could always also use e.g. 'tcpdump' to see
what traffic is on port 1812 on the localhost

eg tcpdump -eqnntl -i eth0 port 1812

alan




Dan Schaffer is not in the office

2010-01-25 Thread Dan Schaffer

I will be out of the office starting  01/25/2010 and will not return until
01/28/2010.

I will have limited email and voicemail access during the week at the
Phoenix Contact Kickoff meetings.  If this is an urgent issue, please
contact our Tech Support group at 800-586-5525.

Thanks,
Dan



RE: Free radius installation

2010-01-25 Thread José Campos
Hi,

I've SELINUX=disabled.


 Regards,

 José Campos


-Original Message-
From: freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org]
On behalf of Alan Buxey
Sent: Monday, 25 January 2010 9:19
To: FreeRadius users mailing list
Subject: Re: Free radius installation

Hi,

  not really - did you read what I wrote?  How can you do a state check
  on what is a stateless protocol?
 
 I think you can still do state checks for UDP:

there are ways and means - sure - but in the first throes of
getting some test traffic to the daemon, surely the easiest thing
is to just allow UDP port 1812 and 1813 traffic and THEN start learning
what firewall flags work with the traffic.

alternatively, SELinux is getting in the way (if it's enabled)

'sestatus'

or

'getenforce'

and try setting it to permissive - just for testing! - 

'setenforce 0'


if that's the case, then put the enforcing back and then check the
secure/audit logs to see what/why/how it's failing and put the right SELinux
rules into place to deal with the requirements of the daemon.  Plenty of online
resources deal with SELinux and how to configure/check it.

alan




Re: Free radius installation

2010-01-25 Thread George Chelidze

On 01/25/2010 01:18 PM, Alan Buxey wrote:

Hi,


not really - did you read what I wrote?  How can you do a state check
on what is a stateless protocol?


I think you can still do state checks for UDP:


there are ways and means - sure - but in the first throes of
getting some test traffic to the daemon, surely the easiest thing
is to just allow UDP port 1812 and 1813 traffic and THEN start learning
what firewall flags work with the traffic.


I just stated that it's possible, I didn't mean it should be configured 
like this while debugging something.


George


Re: Free radius installation

2010-01-25 Thread George Chelidze



Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports)
Host localhost (127.0.0.1) is up (0.090s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT STATE SERVICE
111/udp  open|filtered rpcbind
1812/udp open|filtered radius
1813/udp open|filtered radacct
5353/udp open|filtered zeroconf
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
...
[r...@localhost ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 42 to ::1 port 1812
 User-Name = test
 User-Password = test
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0


you are nmapping 127.0.0.1, which is the IPv4 interface, to check whether 
radiusd is listening (why not try netstat -lnp instead?), while sending 
radtest queries to ::1, which is IPv6. Are you sure your radiusd is 
listening on ::1 as well?


my 2 cents.

George


Re: Free radius installation

2010-01-25 Thread Alan Buxey
Hi,
 Hello,
 Ok after radius -X command nmap shows me that radius ports are open.
 ...
 [r...@localhost ~]# nmap -v -sU localhost

okay, what about the output of

netstat -apn | grep 1812


ah, I think I've spotted something far MORE interesting...

 [r...@localhost ~]# radtest test test localhost 0 testing123
 Sending Access-Request of id 42 to ::1 port 1812

::1 

oh aye?   so this box is configured to have IPv6 running?  In that
case you should either

1) configure the IPv6 correctly - and that means also configuring
the FreeRADIUS to actually be listening on the IPv6 interfaces

or 2) realise that you haven't got IPv6 correctly configured and
configure it.


in either case, THIS will work

radtest test test 127.0.0.1 1234 testing123



alan


RE: Free radius installation

2010-01-25 Thread José Campos
OK, that's a good observation, but this is a fresh new installation...

I did not change anything prior to the installation (yum install
freeradius*).
Should I change something before testing it?
Why is radtest doing queries to ::1 (IPv6 address)?

Can you help me?


José Campos


-Original Message-
From: freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org]
On behalf of George Chelidze
Sent: Monday, 25 January 2010 10:21
To: FreeRadius users mailing list
Subject: Re: Free radius installation


 Scanning localhost (127.0.0.1) [1000 ports]
 Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports)
 Host localhost (127.0.0.1) is up (0.090s latency).
 Interesting ports on localhost (127.0.0.1):
 Not shown: 996 closed ports
 PORT STATE SERVICE
 111/udp  open|filtered rpcbind
 1812/udp open|filtered radius
 1813/udp open|filtered radacct
 5353/udp open|filtered zeroconf
 ...
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814
 Ready to process requests.
 ...
 [r...@localhost ~]# radtest test test localhost 0 testing123
 Sending Access-Request of id 42 to ::1 port 1812
  User-Name = test
  User-Password = test
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0

you are nmapping 127.0.0.1, which is the IPv4 interface, to check whether 
radiusd is listening (why not try netstat -lnp instead?), while sending 
radtest queries to ::1, which is IPv6. Are you sure your radiusd is 
listening on ::1 as well?

my 2 cents.

George




Re: Free radius installation

2010-01-25 Thread Alan Buxey
Hi,

 I did not change anything prior the installation of (yum install
 freeradius*).
 Should I change something before testing it?
 Why is radtest doing queries to ::1 (ipv6 address).

look in /etc/hosts

see what localhost has been given an alias of.  Just tell radtest
to use 127.0.0.1 - after all, when you go live, you'll be telling your
NAS kit to use the IPv4 address of the server, won't you?

(if you are serious about IPv6, then you'll simply copy your default
server config file, rename it, e.g. default-ipv6, and configure it to listen
on IPv6 - see the config for the required syntax) - the current
daemon cannot listen on both IPv4 and IPv6 within the same main virtual
server

we use IPv6 here and FreeRADIUS works (very) well with it thanks.

alan


Re: Free radius installation

2010-01-25 Thread George Chelidze

On 01/25/2010 02:37 PM, José Campos wrote:

Ok, that's a good observation, but this is a fresh new installation...

I did not change anything prior the installation of (yum install
freeradius*).


I think the default is

listen {
...
ipaddr = *
...
}

which means listen on every IPv4 interface. You can also find the 
following comments in your configuration:


#  OR, you can use an IPv6 address, but not both
#  at the same time

so, your radius server is _not_ listening on IPv6 interfaces.


Should I change something before testing it?
Why is radtest doing queries to ::1 (ipv6 address).


cat /etc/hosts

I think you have something like this:

::1 localhost ip6-localhost ip6-loopback

either map 127.0.0.1 to localhost, or use

radtest test test 127.0.0.1 0 testing123

George
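George's diagnosis (localhost mapped to ::1 in /etc/hosts while a listen section with ipaddr = * binds IPv4 only) can be checked mechanically before reaching for radtest. The following is an added example, not code from the thread or from FreeRADIUS: it looks a name up in a hosts file, reads which address families the listen sections bind (ipaddr for IPv4, ipv6addr for IPv6; simplifying assumption: flat listen blocks with no nested sub-sections), and reports which of the resolved addresses the server will never answer on. The hosts file and the listen excerpts are constructed samples; which of several addresses a real resolver hands to radtest first depends on the system's getaddrinfo ordering, which the example does not model, so it reports every address.

```python
import re

# Constructed /etc/hosts in the shape George suspects (not from the thread):
# "localhost" maps to both 127.0.0.1 and ::1.
SAMPLE_HOSTS = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1         localhost ip6-localhost ip6-loopback
"""

# Constructed listen sections (assumption: flat blocks, no nested sub-sections).
# The first matches the IPv4-only default George quotes.
LISTEN_IPV4_ONLY = """\
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    type = acct
    ipaddr = *
    port = 0
}
"""
# A second virtual server binding IPv6, as Alan describes for a default-ipv6 copy.
LISTEN_DUAL_STACK = LISTEN_IPV4_ONLY + """\
listen {
    type = auth
    ipv6addr = ::
    port = 0
}
"""

LISTEN_BLOCK_RE = re.compile(r"\blisten\s*\{(.*?)\}", re.S)
ADDR_KEY_RE = re.compile(r"^\s*(ipaddr|ipv6addr)\s*=\s*(\S+)", re.M)


def hosts_lookup(hosts_text, name):
    """Every address the hosts file maps `name` to, in file order (comments ignored)."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if name in names:
            found.append(addr)
    return found


def family(addr):
    """Crude but sufficient: any literal containing a colon is IPv6."""
    return "ipv6" if ":" in addr else "ipv4"


def listen_families(config_text):
    """Address families the listen sections bind: ipaddr -> ipv4, ipv6addr -> ipv6."""
    families = set()
    for body in LISTEN_BLOCK_RE.findall(config_text):
        for key, _value in ADDR_KEY_RE.findall(body):
            families.add("ipv6" if key == "ipv6addr" else "ipv4")
    return families


def diagnose(name, hosts_text, config_text):
    """Split the addresses `name` resolves to into ones the server listens on and ones it does not."""
    families = listen_families(config_text)
    addrs = hosts_lookup(hosts_text, name)
    usable = [a for a in addrs if family(a) in families]
    dead = [a for a in addrs if family(a) not in families]
    return usable, dead


if __name__ == "__main__":
    usable, dead = diagnose("localhost", SAMPLE_HOSTS, LISTEN_IPV4_ONLY)
    print("answers on:", usable, " never answers on:", dead)
```

With the IPv4-only configuration the check reports ::1 as dead and 127.0.0.1 as usable, which is exactly why the thread ends with radtest pointed at the IPv4 literal; adding a listen section with ipv6addr makes both addresses usable.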


RE: Free radius installation

2010-01-25 Thread José Campos
OK,

It worked all right with: radtest test test 127.0.0.1 0 testing123




 José Campos


-Original Message-
From: freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+jjscampos=gmail@lists.freeradius.org]
On behalf of George Chelidze
Sent: Monday, 25 January 2010 10:47
To: FreeRadius users mailing list
Subject: Re: Free radius installation

On 01/25/2010 02:37 PM, José Campos wrote:
 Ok, that's a good observation, but this is a fresh new installation...

 I did not change anything prior the installation of (yum install
 freeradius*).

I think the default is

listen {
...
ipaddr = *
...
}

which means listen on every IPv4 interface. You can also find the 
following comments in your configuration:

#  OR, you can use an IPv6 address, but not both
#  at the same time

so, your radius server is _not_ listening on IPv6 interfaces.

 Should I change something before testing it?
 Why is radtest doing queries to ::1 (ipv6 address).

cat /etc/hosts

I think you have something like this:

::1 localhost ip6-localhost ip6-loopback

either map 127.0.0.1 to localhost, or use

radtest test test 127.0.0.1 0 testing123

George




IP delivery for MAC records

2010-01-25 Thread Sylvain De Muynck

Dear freeradius users, 

I am currently facing an issue on my network architecture. 

Before, I was using freeradius with a DHCP server running in order to assign 
IP addresses to my customers (I work for an ISP). 

This configuration works perfectly; however, for security, maintenance and 
monitoring, I chose to deliver IP addresses through my radius 
server. 

In fact, our Base Station has 2 working modes, one is Ethernet and the other 
is IP mode data, so I just configured it as IP mode data to get it working. 

WHAT IS THE PROBLEM: when I connect my computer it works perfectly and I 
can get my IP and all network parameters to access the Internet; 
however, when I want to change computer, it does not work anymore. We were 
thinking the MAC address is being recorded as a security measure and would like to 
know more about it. 

The attributes we are using are: 

Framed-Netmask -- Netmask 
Filter-Id -- DNS in this attribute (that's an Alvarion vendor attribute) 
Framed-Route -- Routing to the gateway 
Framed-IP-Address -- the IP address 

If you don't know, could you please advise me on how to troubleshoot this 
issue. 

Thanks in advance for your help, 

Best regards 

Sylvain 

Pam radius client and binding to mulitple IPs

2010-01-25 Thread Chris Tong

Hi everyone,

 

I realise that this may be somewhat of a limitation of the PAM Radius Plugin for 
OpenVPN but I have searched around for a week now to find a solution.

The problem I am having is that I have an OpenVPN proxy hub that has 3 
external IP addresses. I am using huntgroups to distinguish if a user can 
authenticate against an IP address and if so they receive an IP and default GW to 
a front end proxy (each front end proxy is located in a separate country). The 
idea is that a user of a specific group can only connect to an interface that 
he is a group member of. The authentication uses the pam radius plugin against 
a backend SQL / radius server. If I connect to int1 then the requests sent by 
the Radius plugin to the backend radius server have a source IP of int1. This 
works well and the user is authenticated and is provided a default GW to the 
front end proxy. However if the user connects to INT2 the NAS request still has 
the source IP address of INT1 and therefore the user is rejected because he is 
not a member of the INT1 grouping.

 

Is it possible to have multiple instances of the radius plugin each binding to 
a different interface so that the request seen by the Radius server via the PAM 
plugin has the correct source address? Is it possible to get the NAS to 
distinguish between the interfaces?

 

Cheers to all in advance (,)

 

Cj
  

Re: IP delivery for MAC records

2010-01-25 Thread Alan DeKok
Sylvain De Muynck wrote:
 Before, I was using freeradius with a DHCP server running in order to
 attribute IPs addresses to my customers (I work for an ISP)
 
 This configuration is perfectly working however for security,
 maintenance and monitoring, I took the choice of delivering IP addresses
 through my radius server.

  Are you sure that will work?

  You can do IP assignment via RADIUS only when the computer is
connecting via PPP (e.g. PPPoE).  If it connects via ethernet or
wireless, you *must* use DHCP.

  Alan DeKok.


ldap auth

2010-01-25 Thread José Campos
Hello,

 

Can someone give me some guidelines to configure freeradius
(freeradius-2.1.7-1.fc11.i586) to do LDAP auth?

Which files must I configure?

 

 

 José Campos

 


config files separation for each sites enabled

2010-01-25 Thread Fred
Hello freeradius-users,
I have 6 virtual servers on version 2.1.8, each listening on
different IP addresses lo:[1-6].
I saw it was easy to separate clients files, using clients site-name
{} , and including a sitename.client.conf.
But as the huntgroups and users files seem to be loaded globally before
sites instantiation, I found no way to dedicate huntgroup and users
files to each server instance, as done previously for clients...
Is there any way to achieve this without having to launch many radiusd
in different locations?

Best regards,
Fred MAISON


Re: config files separation for each sites enabled

2010-01-25 Thread Alan Buxey
Hi,

 I saw it was easy to separate clients files, using clients site-name
 {} , and including a sitename.client.conf.
 But as huntgroups and users files seems to be loaded globally before
 sites instanciation, I found no way to dedicate  huntgroup and users
 file to each server instance, as done previously for clients...
 Is there any way to achieve this without having to launch many radiusd
 in differents location ?

sure - just put a name descriptor in the relevant module file, e.g.

instead of 

files {
    usersfile = blah/users
}

do

files sitename_1 {
    usersfile = blah/sitename1
}

and the same can be done for preprocess.

and then you simply call that module instead of the original one
within your virtual server 

alan


Re: config files separation for each sites enabled

2010-01-25 Thread Fred
Thanks, Alan, I will check.
Bye.


ldap redundancy Ldap-Group checkItem in user file

2010-01-25 Thread Fred
Hi all,
I am trying to migrate a freeradius 1 (where ldap failover was not working)
to freeradius 2 and I have some difficulties configuring LDAP
failover:
As Ldap-Group is registered with the individual ldap instance names (i.e.
ldap1-Ldap-Group, ldap2-Ldap-Group), it seems to be necessary to
reference the ldap servers twice in the users file checkItems:

ldap1-Ldap-Group == xyz
ldap2-Ldap-Group == xyz
...


I don't see how to make freeradius register to something like ldapRedundant.
Is there any way to do that?

Although those attributes are instantiated, I can't get them checked
in the users file

Ldap-Group was checked previously via files, users and huntgroups like this:

# users :
DEFAULT Huntgroup-Name == ras, NAS-Port-Type == Virtual, Ldap-Group == ras, User-Profile := uid=ras,ou=profiles,ou=radius,dc=mydomain,dc=local
        Fall-Through = no

DEFAULT Huntgroup-Name == ras, Service-Type == Login, Ldap-Group == ras, User-Profile := uid=login,ou=profiles,ou=radius,dc=mydomain,dc=local
        Fall-Through = no

# huntgroups
ras NAS-IP-Address == 10.1.1.1
login NAS-IP-Address == 10.1.1.1

ras NAS-IP-Address == 10.1.2.1
login NAS-IP-Address == 10.1.2.1

ras NAS-IP-Address == 10.1.3.1
login NAS-IP-Address == 10.1.3.1


freeradius -X
FreeRADIUS Version 2.1.8 ..
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap1-Ldap-Group
..
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap2-Ldap-Group


Best regards,
Fred MAISON


Re: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread John Dennis

On 01/24/2010 03:01 PM, Lucio Godoy wrote:

Hi Alan B and Alan D;

I'll investigate the unlang, thats what i needed a pointer where to look.


man unlang


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread Lucio Godoy

Hi All;

 

I have been reading unlang and also digging the Internet for help with my issue.

I have added the following lines to sql/mysql/dialup.conf (edited with vi):

# Commented out this line
#sql_user_name = %{User-Name}

# as per the man pages:
# Double-quoted strings are expanded by inserting the value of any variables
# Single-quoted strings are evaluated as-is.

if(%{User-Name} == 'london'){
    sql_user_name = hasworked
}

And I try to log on using the username london

 

Still not working!!

 

I get:

 

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.253 port 4981, id=41, 
length=222
Acct-Session-Id = 1096
NAS-IP-Address = 192.168.2.253
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 0
MS-RAS-Vendor = 311
MS-RAS-Version = MSRASV5.20
NAS-Port-Type = Virtual
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IPv4
Calling-Station-Id = 10.10.108.136
Tunnel-Client-Endpoint:0 = 10.10.108.136
MS-RAS-Client-Version = MSRASV5.10
MS-RAS-Client-Name = MSRAS-0-CRIS_D620_LAPTO
User-Name = london
CHAP-Challenge = 7006be2aedd9dca01
CHAP-Password = 2f9fea3082b5bae5fb
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - london
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = ''   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = ''   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 3
[sql] User  not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by london with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - london
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 41 to 192.168.2.253 port 4981
Waking up in 4.9 seconds.
Cleaning up request 0 ID 41 with timestamp +3
Ready to process requests.

  

Re: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread Alan DeKok
Lucio Godoy wrote:
 I have been reading unlang and also digging the Internet for help with
 my issue.
  
 I have added the following line to vi sql/mysql/dialup.conf

  Nope.  As the man page says, you need to put the if/else/update
statements into the authorize section.

  Alan DeKok.


Re: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread Alan Buxey
hi,

out on a limb, but I don't think unlang works in that conf
environment... you need to do the unlang before you call the
SQL - and ensure that you set SQL-User-Name before you
call the sql in the virtual server

alan


freeradius does not send tunnel-type.

2010-01-25 Thread Gildo Castro
Hi, I have a problem with my freeradius server: after the authentication, it
does not send the Tunnel-Type or Tunnel-Medium-Type information.
Can anyone help me?



  PEAP: Got tunneled reply RADIUS code 2
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = teste3
  PEAP: Processing from tunneled session code 0x967b688 2
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = teste3
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
  Saving tunneled attributes for later
  modcall[authenticate]: module eap returns handled for request 8
modcall: leaving group EAP (returns handled) for request 8
Sending Access-Challenge of id 47 to 10.1.10.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x010a00261900170301001b44323057d9f66e452eb3025c6b0adde60971049e6c8c20901a25f0
Message-Authenticator = 0x
State = 0x9a5c33fd9b76ead074d1c636d08bb94f
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.10.1:1645, id=48, length=147
User-Name = teste3
Service-Type = Framed-User
Framed-MTU = 1500
NAS-IP-Address = 10.1.10.1
NAS-Port = 7
Calling-Station-Id = 00-22-15-62-54-BA
State = 0x9a5c33fd9b76ead074d1c636d08bb94f
EAP-Message =
0x020a00261900170301001bd3cca956e18d7127395a3c5cad6f3b564c44038b5dc9740734ca57
Message-Authenticator = 0x8a2cb874d839aa15123357e704f34b95
  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
  modcall[authorize]: module chap returns noop for request 9
  modcall[authorize]: module mschap returns noop for request 9
rlm_realm: No '@' in User-Name = teste3, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 9
  rlm_eap: EAP packet type response id 10 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 9
users: Matched entry DEFAULT at line 171
users: Matched entry teste3 at line 224
  modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group EAP for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 9
modcall: leaving group EAP (returns ok) for request 9
Sending Access-Accept of id 48 to 10.1.10.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
User-Name = teste3
MS-MPPE-Recv-Key =
0xf058f1dbb8a5f02902f4d6536af78b333ab73568070fbaac3e281171e9cb31be
MS-MPPE-Send-Key =
0xcffa34fb8461d53aff874f3749bee52662c85f05d88c04c8d47453530de47630
EAP-Message = 0x030a0004
Message-Authenticator = 0x


-- 
---
Gildo Castro da Silva JR.
---

Re: Radius packet ID

2010-01-25 Thread Arran Cudbard-Bell

On 1/23/2010 2:07 AM, Alan DeKok wrote:

Padam J Singh wrote:
   

Hi,

The RADIUS packet has an 8-bit ID field.

This ID field is used to track the requests both in the NAS and the
RADIUS server.

The question is, does the ID need to be unique between the NAS and
RADIUS Server for all packet types? So it is OK to have an ID of 102 in
an accounting packet and an ID of 102 for an authentication packet at
the same time?
 

   Yes.
   


Really? But they're going to different destination ports, and therefore 
different interfaces?


-Arran




Re: Radius packet ID

2010-01-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Really? But they're going to different destination ports, and therefore
 different interfaces?

  The unique key is:

(src ip/port, dst ip/port, RADIUS code / id)

  If there's no existing match, it's a new packet, and it can be processed.

  If there is an existing match, then:

if (old vector == new vector)
    packet is DUP
    if cached reply
        send it again
    else if proxied
        re-transmit proxied packet
    else
        ignore dup

else
    packet is new
    if old packet is done
        process new
    else
        WTF?

  Nothing could be simpler.  :)

  Alan DeKok.
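The decision tree Alan gives above is small enough to model end to end, which also answers Arran's question: because the destination port is part of the key, an Access-Request and an Accounting-Request that share ID 102 never collide. The following is an added example, not FreeRADIUS's own code: a request table keyed on (src ip/port, dst ip/port, code, id) that compares the 16-byte Request Authenticator ("vector") to tell a retransmission from a fresh request that reuses the ID. The addresses, IDs and vectors in the usage section are constructed values; the outcome strings are this example's own naming.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4


@dataclass
class Tracked:
    vector: bytes                    # 16-byte Request Authenticator of the packet
    done: bool = False               # has processing finished?
    reply: Optional[bytes] = None    # cached reply, if one was sent
    proxied: Optional[bytes] = None  # packet forwarded to a home server, if any


class RequestTable:
    """Duplicate detection keyed on (src ip/port, dst ip/port, code, id)."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def key(src, dst, code, pkt_id):
        # src and dst are (ip, port) tuples; the port makes auth and acct distinct
        return (src, dst, code, pkt_id)

    def receive(self, src, dst, code, pkt_id, vector):
        """Classify an incoming request and return the action to take."""
        k = self.key(src, dst, code, pkt_id)
        old = self._entries.get(k)
        if old is None:
            self._entries[k] = Tracked(vector)
            return "new"
        if old.vector == vector:
            # Same key and same authenticator: the NAS retransmitted.
            if old.reply is not None:
                return "dup: resend cached reply"
            if old.proxied is not None:
                return "dup: retransmit proxied packet"
            return "dup: ignore"
        # Same key, different authenticator: the NAS reused the ID for a new request.
        if old.done:
            self._entries[k] = Tracked(vector)
            return "new: replaces finished request"
        return "conflict: id reused while old request still in progress"

    def mark_proxied(self, src, dst, code, pkt_id, forwarded):
        """Record that the request was forwarded and is awaiting a home-server reply."""
        self._entries[self.key(src, dst, code, pkt_id)].proxied = forwarded

    def finish(self, src, dst, code, pkt_id, reply):
        """Record the reply sent for a request; it is now done and cached."""
        entry = self._entries[self.key(src, dst, code, pkt_id)]
        entry.done = True
        entry.reply = reply


if __name__ == "__main__":
    # Constructed addresses and vectors for illustration.
    table = RequestTable()
    nas, auth, acct = ("10.0.0.5", 50000), ("10.0.0.1", 1812), ("10.0.0.1", 1813)
    v1, v2 = bytes(range(16)), bytes(16)
    print(table.receive(nas, auth, ACCESS_REQUEST, 102, v1))      # new
    print(table.receive(nas, acct, ACCOUNTING_REQUEST, 102, v1))  # new (other port)
    print(table.receive(nas, auth, ACCESS_REQUEST, 102, v1))      # dup: ignore
    table.finish(nas, auth, ACCESS_REQUEST, 102, reply=b"Access-Accept")
    print(table.receive(nas, auth, ACCESS_REQUEST, 102, v1))      # dup: resend cached reply
    print(table.receive(nas, auth, ACCESS_REQUEST, 102, v2))      # new: replaces finished request
```

The last branch ("conflict") is the case Alan labels WTF: a NAS that reuses an ID with a fresh authenticator before the earlier request with that ID has been answered, which a server can only log and drop.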


Re: freeradius does not send tunnel-type.

2010-01-25 Thread Alan Buxey
Hi,
 Hi, I have a problem with my freeradius server, after the authentication, it 
 does not send the tunnel-type or Tunnel-Medium-Type information.
 Can anyone help me?

where in the system are you configuring/setting those Tunnel-Type etc 
attributes?
are those attrs being set on another RADIUS server and the system proxying - if
so, are you allowing those attrs in the proxy filter?

alan


dropped request after ldap constraint violating

2010-01-25 Thread chui
Hi,

From radius.log, the symptom of the failure goes as follows:

1. rlm_ldap receives a constraint violation reply from ldap.
2. other authentication requests that immediately followed the constraint
violation reply failed with incorrect login

sample radius log
-
Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to
ldap:636 failed Constraint violation
Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli
0017.abcd.3fe0 via TLS tunnel)
Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0)
-

At my site, I run radiusd with the -s flag.  Freeradius operation with the
backend ldap server is monitored by nagios running check_radius.  I also
have cacti checking the round trip transaction time between radiusd and ldap
at five-minute intervals.

For trouble shooting purposes, I obtained a copy of the ldap log around the
same time frame.  The ldap log showed that the user account 012345 has
exceeded the failed login attempts and the account was locked out, thus the
constraint violation.  However, there was no ldap log entry indicating any
bind operation request from the radiusd for the [test-account].

Nagios runs the radius monitoring at a 1 minute interval, and it usually
recovers the next minute or so.  Cacti showed the average radiusd-ldap rtt was
under 500ms.

Can anybody shed some light on this failure scenario?

Thanks
Cedric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread Lucio Godoy

Hi all;

I am nearly there, thanks to you all.

I have created this rule on the file sites-available/default on the authorize
section:

if(%{User-Name}){
    if (%{User-Name} =~ /^([...@]*)(@([-[:alnum:].]+))?$/){
        update request {
            User-Name := %{1}
            Digest-Realm := %{3}
        }
    }
    else {
        reject
    }
}

I am getting the user to authenticate as user @ MAC_ADDRESS, and the REGEX is
doing what it is supposed to do, but the field Realm on the radacct table is not
being updated with the MAC_ADDRESS; it is empty. Is the Digest-Realm the right
attribute to be updated for the realm?

Thanks

Lucio

 Date: Mon, 25 Jan 2010 17:52:35 +0100
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Help pls: How to strip REALM but insert it from a usern...@mac 
 onto an MySQL DB
 
 Lucio Godoy wrote:
  I have been reading unlang and also digging the Internet for help with
  my issue.
  
  I have added the following line to vi sql/mysql/dialup.conf
 
 Nope. As the man page says, you need to put the if/else/update
 statements into the authorize section.
 
 Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

accounting question

2010-01-25 Thread Marlon Duksa
Hi,
I have redundant NAS nodes and they obviously have two different NAS-IP. If
one NAS fails, the entity for which I'm accounting traffic is automatically
switched over to the redundant NAS which can keep sending accounting
records to Radius. However, the records will have different NAS-IP,
NAS-Identifier and NAS-Port-ID.

The acct-session-id and framed-ip-address will be the same (and this is what
I use to identify the entity for which I collect acct info). Is there any
way that these new records will be written to the same file as before the
failover so that I can correlate the records?

I see that the acct directory is in /var/log/freeradius/radacct/NAS-IP/.
This NAS-IP directory name is what is bothering me. Is there any way to
change this?
Thanks
Marlon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: accounting question

2010-01-25 Thread Tim Sylvester
Write the accounting information to a MySQL database. Then query the radacct
table for the accounting information. 

Tim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: accounting question

2010-01-25 Thread Tim Sylvester
You can configure FreeRADIUS to store all of the accounting information in
one file in the same directory. Look at the etc/raddb/modules/detail file
for instructions on how to change where accounting information is logged.
The default detail file name is:

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

You could change it to:

detailfile = ${radacctdir}/detail-%Y%m%d

and the accounting information would be written to one file independent of
the NAS.

Tim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP timeouts

2010-01-25 Thread freeradius

At 12:43 AM 1/20/2010, freerad...@corwyn.net wrote:

At 08:33 PM 1/14/2010, freerad...@corwyn.net wrote:
The Windows environment works, with one quirk, if no one has logged 
in for a while (~15-30 min), the next user gets:


It looks like the only difference (besides MSCHAP strings) between 
the first try and the second one is:


 [ldap] attempting LDAP reconnection
  [ldap] (re)connect to int.invtitle.com:389, authentication 0
  [ldap] bind as CN=_sonicwall,OU=Service Accounts,OU=Special User 
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/xxx to int.example.com:389

  [ldap] waiting for bind result ...
  [ldap] Bind was successful

It takes only moments, but still fails the first time.

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dropped request after ldap constraint violating

2010-01-25 Thread Alan DeKok
chui wrote:
 From radius.log, the symptom of the failure goes as follows
 
 1. rlm_ldap receives constraint violation reply from ldap.

  Well... that's an issue with LDAP.

 2. other authentication requests that immediately followed the constraint
 violation reply failed with incorrect login

  Likely because the LDAP server treats the connection as bad, and
starts rejecting all searches done via that connection.

 Can anybody shed some light on this failure scenario?

  See https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=18

  Maybe that change will help.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help pls: How to strip REALM but insert it from a usern...@mac onto an MySQL DB

2010-01-25 Thread Alan DeKok
Lucio Godoy wrote:
 I have created this rule on the file sites-available/default on the
 authorize section:
  
 if(%{User-Name}){

  Or just:

if (User-Name) {

  The unlang docs say that means check if the attribute exists.

 
 if (%{User-Name} =~ /^([...@]*)(@([-[:alnum:].]+))?$/){

  Why not just:

/^(.*)@(.*)$/

  That's a lot simpler.

  You may need to put two '$$' in.

 I am getting the user to authenticate as user @ MAC_ADDRESS, and the
 REGEX is doing what is supposed to do, but the field Realm on the
 radacct table is not being updated with the MAC_ADDRESS it is empty, is
 the Digest-Realm the right attribute to be updated for the realm?

  No.  You need to update the Realm attribute.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accounting question

2010-01-25 Thread Alan DeKok
Marlon Duksa wrote:
 The acct-session-id and framed-ip-addrss will be the same (and this is
 what I use to identify the entity for which I collect acct info). Is
 there any way that this new records will be written to the same file as
 before the failover so that I can correlate the records?

  Use the acct_unique_id module to key off of Acct-Session-Id and
Framed-IP-Address.

  Then, ensure that any accounting sessions are tracked by the unique
ID, and not by NAS IP.

 I see that the acct directory is in
 /var/log/freeradius/radacct/NAS-IP/. This NAS-IP directory name is
 what is bothering me. Is there any way to change this?

  See the configuration for the detail module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
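The correlation Alan recommends, as an added Python example that is not from the thread and not FreeRADIUS code: accounting records from two NAS nodes are keyed on Acct-Session-Id and Framed-IP-Address rather than NAS-IP-Address, so a Start from the primary and a Stop from the redundant NAS land in one session. The md5-of-joined-attributes key only mirrors the idea of acct_unique_id, not the module's exact key format, and the detail-file parser and sample records are constructed for the example.

```python
# Added example, not from the thread or FreeRADIUS: correlate accounting
# records across a NAS failover with an acct_unique_id-style key built from
# Acct-Session-Id and Framed-IP-Address instead of NAS-IP-Address (the hash
# mirrors the idea, not the module's exact key format: an assumption).
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

KEY_ATTRS = ("Acct-Session-Id", "Framed-IP-Address")

def unique_id(rec: Dict[str, str]) -> str:
    # Stable session key that both NAS nodes produce for the same session.
    material = ",".join(rec.get(a, "") for a in KEY_ATTRS)
    return hashlib.md5(material.encode()).hexdigest()

def parse_detail(text: str) -> List[Dict[str, str]]:
    # Detail-file layout: a timestamp line, tab-indented "Attr = value" lines,
    # records separated by a blank line.
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif line.startswith("\t"):
            attr, _, val = line.strip().partition(" = ")
            cur[attr] = val.strip('"')
    if cur:
        records.append(cur)
    return records

def correlate(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    sessions = defaultdict(list)
    for r in records:
        sessions[unique_id(r)].append((r["NAS-IP-Address"], r["Acct-Status-Type"]))
    return dict(sessions)

# Constructed sample: Start from the primary NAS, Stop from the redundant one.
SAMPLE = """Mon Jan 25 18:00:01 2010
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A1B2"
\tFramed-IP-Address = 192.0.2.10
\tNAS-IP-Address = 10.1.1.1

Mon Jan 25 18:07:43 2010
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000A1B2"
\tFramed-IP-Address = 192.0.2.10
\tNAS-IP-Address = 10.1.1.2
"""
```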