Re: Zombie Infestation of Log file?
Benjamin Marvin wrote:
> Any other suggestions on where I should look to see why the servers are marking the upstream servers as Zombie?

The only log message is that it's marking the server zombie. Until it's marked zombie, it *might* be alive.

The reason it's marked zombie is because the home server hasn't responded to the packet in the last response_window seconds. So... it's pretty simple.

This *can* be caused by the home server selectively responding to packets, i.e. it responds to 1/2 of the packets and ignores the rest. This could make the state flip back and forth between zombie and alive.

> I failed to mention that the servers are marking only the accounting port on those servers as Zombie.

Yes. Any unique combination of (ip, port) is treated as a unique home server.

> Please let me know if you want the 9MB debug or if you have recommendations for making a smaller debug file.

Nope. Look at the statistics using radmin. You can look at individual home servers, and stats for received / sent packets. You might need to install the git v2.1.x branch for accounting stats, though.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius Attribute -- Authenticator IP Adress
_Stefan_H wrote:
> Hi, I thought that my Access-Point is able to handle VLAN-Attributes like my Switch but I was wrong. I don't want to tell the whole story.
> Is there an attribute which returns the authenticator IP-Address?

Packet-Src-IP-Address

> I looked at this site: http://freeradius.org/rfc/rfc2865.html but the NAS-IP is not the right thing and I don't understand the explanation of http://freeradius.org/rfc/rfc2865.html#Login-IP-Host (Login-IP-Host)

You're right. None of those are appropriate.

Alan DeKok.
Re: Zombie Infestation of Log file?
Benjamin Marvin wrote:
> I don't believe this is my problem. The debug and packet captures show all of the accounting packets are replied to within the Response_Window and Max_Request_Time frames. (5-10 seconds being at the extreme high end of response times.)

If the responses are all within response_window, then the zombie period will never get hit.

There's only one place in the code which sets zombie and logs the message. It only gets run when a response hasn't been received for response_window. If there is a response... it doesn't get run.

If you want to double-check this, go to src/main/event.c, and look for the function no_response_to_proxied_request(). Add this near the top (i.e. before the reference to zombie):

	/* a proxy reply already arrived: do not treat this as a timeout */
	if (request->proxy_reply) {
		wait_a_bit(request);
		return;
	}

If the zombie messages go away, then something needs fixing. If they stay, then the home server really is *not* responding within response_window.

Alan DeKok.
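As an added illustration of the state machine described in this thread (this is a model written for this note, not FreeRADIUS code and not from any list poster): a small C program replays proxied accounting requests against one home server, applies the response_window / zombie_period / revive_interval transitions, and counts how many times the zombie message would be logged. Addresses, timer values and traffic patterns are constructed, and treating a reply that arrives while the server is marked dead as ignored is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model of how a FreeRADIUS 2.x proxy tracks one home server. Written for
 * this thread, not the server's own code. Transitions follow the explanation above:
 * no reply within response_window -> zombie (the one logged message); a reply while
 * zombie -> alive; zombie_period without a reply -> dead; revive_interval later ->
 * alive. Ignoring replies while dead is an assumption of this model. */
typedef enum { HS_ALIVE = 0, HS_ZOMBIE = 1, HS_DEAD = 2 } hs_state_t;

typedef struct {
    const char *ip;
    int port;                /* auth and acct ports are distinct home servers */
    double response_window;  /* seconds without a reply before zombie */
    double zombie_period;    /* seconds as zombie before dead */
    double revive_interval;  /* seconds as dead before trying again */
    hs_state_t state;
    double state_since;      /* time the current state was entered */
    int zombie_marks;        /* "Marking home server zombie" lines we would log */
} home_server_t;
/* One proxied request: send time and reply time (< 0 means no reply ever). */
typedef struct { double sent; double replied; } proxied_req_t;
typedef struct { double at; int is_reply; } event_t;
typedef struct { hs_state_t state; int zombie_marks; } replay_result_t;

home_server_t hs_make(const char *ip, int port, double window, double zombie, double revive) {
    home_server_t hs = { ip, port, window, zombie, revive, HS_ALIVE, 0.0, 0 };
    return hs;
}

static int by_time(const void *a, const void *b) {
    double x = ((const event_t *)a)->at, y = ((const event_t *)b)->at;
    return (x > y) - (x < y);
}

static void set_state(home_server_t *hs, hs_state_t s, double now, const char *why) {
    static const char *names[] = { "alive", "zombie", "dead" };
    if (hs->state == s) return;
    hs->state = s; hs->state_since = now;
    if (s == HS_ZOMBIE) hs->zombie_marks++;
    printf("t=%6.1f %s:%d -> %s (%s)\n", now, hs->ip, hs->port, names[s], why);
}

/* Apply the timer-driven transitions (zombie -> dead -> alive) that fell due before now. */
static void advance_timers(home_server_t *hs, double now) {
    if (hs->state == HS_ZOMBIE && now - hs->state_since >= hs->zombie_period)
        set_state(hs, HS_DEAD, hs->state_since + hs->zombie_period, "zombie_period expired");
    if (hs->state == HS_DEAD && now - hs->state_since >= hs->revive_interval)
        set_state(hs, HS_ALIVE, hs->state_since + hs->revive_interval, "revive_interval expired");
}

/* Replay n proxied requests in time order. A reply is an event when it arrives; a request
 * unanswered within response_window is a timeout event at sent + window (the
 * no_response_to_proxied_request() path, the only place the zombie message is logged). */
replay_result_t hs_replay(home_server_t *hs, const proxied_req_t *reqs, size_t n) {
    event_t *ev = malloc(2 * n * sizeof *ev); size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        double deadline = reqs[i].sent + hs->response_window;
        if (reqs[i].replied >= 0) ev[k++] = (event_t){ reqs[i].replied, 1 };
        if (reqs[i].replied < 0 || reqs[i].replied > deadline) ev[k++] = (event_t){ deadline, 0 };
    }
    qsort(ev, k, sizeof *ev, by_time);
    for (size_t i = 0; i < k; i++) {
        advance_timers(hs, ev[i].at);
        if (ev[i].is_reply) {
            if (hs->state == HS_ZOMBIE) set_state(hs, HS_ALIVE, ev[i].at, "reply received");
        } else if (hs->state == HS_ALIVE) {
            set_state(hs, HS_ZOMBIE, ev[i].at, "no reply within response_window");
        }
    }
    free(ev);
    return (replay_result_t){ hs->state, hs->zombie_marks };
}

#define REPLAY(hs, t) hs_replay(&(hs), (t), sizeof (t) / sizeof (t)[0])
/* Constructed sample: an accounting server that answers every other packet promptly. */
replay_result_t demo_flapping(void) {
    home_server_t acct = hs_make("192.0.2.10", 1813, 2.0, 40.0, 120.0);
    const proxied_req_t t[] = { { 0, 0.2 }, { 5, -1 }, { 10, 10.3 }, { 15, -1 },
                                { 20, 20.1 }, { 25, -1 }, { 30, 30.2 } };
    return REPLAY(acct, t);
}

/* Constructed sample: every packet is answered, but 6-9 s late against a 2 s window. */
replay_result_t demo_slow_replies(void) {
    home_server_t acct = hs_make("192.0.2.10", 1813, 2.0, 40.0, 120.0);
    const proxied_req_t t[] = { { 0, 6 }, { 10, 19 }, { 30, 30.5 } };
    return REPLAY(acct, t);
}

/* Constructed sample: a server that never answers, with short zombie/revive timers. */
replay_result_t demo_silent(void) {
    home_server_t acct = hs_make("192.0.2.11", 1813, 2.0, 10.0, 30.0);
    const proxied_req_t t[] = { { 0, -1 }, { 5, -1 }, { 50, -1 } };
    return REPLAY(acct, t);
}

int main(void) {
    replay_result_t a = demo_flapping(), b = demo_slow_replies(), c = demo_silent();
    return printf("zombie marks: %d %d %d\n", a.zombie_marks, b.zombie_marks, c.zombie_marks) < 0;
}
```

Each demo returns the final state and the count of zombie marks, so the same replay can be checked against a packet capture's send/reply timestamps to see whether the log messages are explained by late replies or by missing ones.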
Re: DHCP with FreeRADIUS
If someone could help me... Or see a right configuration file or what files I have to configure, something...
Dynamic Vlan assigment 802.1x with cisco
Hi,

I have a problem to change vlan on a Catalyst 2950 switch using the 802.1x protocol. The problem is that there are no changes to the vlan you specified. The authentication and validation of the user is correct, but it does not change vlan.

Freeradius User Configuration:

steve Cleartext-Password := testing
	Service-Type = Framed-User,
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 2

Switch 2950 configuration:

aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
enable secret 5 $1$Hpyf$/AA8F3lVYES7KUq0abTqy.
interface FastEthernet0/3
 switchport mode access
 no ip address
 dot1x port-control auto
interface Vlan1
 ip address 192.168.250.250 255.255.255.0
 no ip route-cache
ip http server
ip radius source-interface FastEthernet0/2
radius-server host 192.168.250.200 auth-port 1812 acct-port 1813 key password
radius-server retransmit 3
no radius-server attribute nas-port
privilege exec level 0 line show

Right now, this created the vlan 1 and vlan 2

Thanks. Guillermo
Re: DHCP with FreeRADIUS
Jesús Jiménez wrote:
> If someone could help me... Or see a right configuration file or what files I have to configure, something...

I think you need to disable UDPFROMTO:

$ ./configure --without-udpfromto

Or, edit src/lib/dhcp.c to forcibly disable it.

Alan DeKok.
Re: Zombie Infestation of Log file
On Wed, Apr 21, 2010 at 05:47:43PM +0200, Alan DeKok wrote:
> > Without status_check, you rely on the timeouts - revive_interval and zombie_period. Which is much worse than status checks. But, if you're talking to FR 1.1.7, that should be able to make it respond negatively to a single fake user/domain, and then you can use that for status_check = request on its clients. *Any* status_check is better on FR 2.x than none... speaking from horrible experience...
>
> Yup. It's not that 2.x is bad without status checks, it's that there is *no way* for anyone to do the right thing without status checks.

One thing that we talked about, I believe in private mail, is good to point out on the mailing list as well - the current request cleaning-up logic isn't really being kind to proxy settings and how the admins might interpret them - meaning there is nothing in the proxying code that will avoid having individual requests silently dropped on the floor if the timeouts expire.

Indeed, the only way to get the FR 2.x proxy code to retry and move on to a second home server in a pool is for its original *client* to retry too, within max_request_time, which can then trigger a fail-over in the proxying logic.

-- 
2. That which causes joy or happiness.
Re: Dynamic Vlan assigment 802.1x with cisco
Guillermo Borrallo guilleb...@hotmail.com wrote:
> I have a problem to change vlan on a Catalyst 2950 switch using the 802.1x protocol. The problem is that no changes to the vlan you specified. The authentication and validation of the user is correct, but does not change vlan.

You might want to consider reading the *Cisco* documentation...on the...erm...*Cisco* website rather than posting on the FreeRADIUS mailing list about problems you are having with your...erm...*Cisco* equipment? Unsurprisingly this is where *FreeRADIUS* problems are solved...not $OTHER_VENDUH issues.

I could also argue that this information is lurking in the FreeRADIUS wiki:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_the_switch

> Freeradius User Configuration:
>
> steve Cleartext-Password := testing
> 	Service-Type = Framed-User,
> 	Tunnel-Type = VLAN,
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-ID = 2

I have no idea why people keep insisting on doing this, but make 'Tunnel-Private-Group-ID' the VLAN *name*. You are only going to end up killing yourself later on if you insist on using VLAN ID's.

You should also type:

vlan 1
 name cheese
vlan 2
 name toast

Then you can use 'cheese' and 'toast' to put people into VLAN's instead; handy if you have to send this information across administrative domains.

> Switch 2950 configuration:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication dot1x default group radius

*sigh*

For those who cannot be bothered to read the readily, freely, non-login protected available documentation[1]:

aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

If that does not work, I cannot be bothered to check the rest of your (incomplete) config so I recommend you read the...erm...documentation.

Regards

[1] http://www.cisco.com/en/US/products/hw/switches/ps628/tsd_products_support_series_home.html and more specifically http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/sw8021x.html

-- 
Alexander Clouter
.sigmonster says: Do not use if foil seal is broken.
rlm_sql error, can't expand User-Password and Chap-Password, help me !
Hi all,

This is my first post. I'm trying to make an AAA server based on freeRadius and MySQL. After I configure the radius server and run the server in debug mode, I get some problem with rlm_sql about User-Password and Chap-Password. It seems that the server can't expand User-Password and Chap-Password. I don't know what the problem is. I hope that someone will give me advice.

Here's my output from the radiusd -X command.

rad_recv: Access-Request packet from host 192.168.0.6 port 1026, id=32, length=205
Sending duplicate reply to client RDLAB port 1026 - ID: 32
Sending Access-Challenge of id 32 to 192.168.0.6 port 1026
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.0.6 port 1026, id=33, length=205
	User-Name = hung
	NAS-IP-Address = 192.168.0.6
	NAS-Port = 0
	Called-Station-Id = 00-02-6F-59-85-C7:RADIUS_TEST
	Calling-Station-Id = 00-17-C4-8C-2C-C8
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x020a002b19001703010020abe3291179889948f4ed41e6b8102d58aae4dc0f8400550f1d2d2fe050cc2dcb
	State = 0x296e680f21647160f77444525cb5459d
	Message-Authenticator = 0xe4889cb8f5e0e5104d92e7d3b13eef2a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
  Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [hung] (from client RDLAB port 0 cli 00-17-C4-8C-2C-C8)
+- entering group post-auth {...}
[sql] 	expand: %{Stripped-User-Name} -> 
[sql] 	expand: %{User-Name} -> hung
[sql] 	expand: %{%{User-Name}:-DEFAULT} -> hung
[sql] 	expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> hung
[sql] sql_set_user escaped user --> 'hung'
[*sql] 	expand: %{User-Password} -> 
[sql] 	expand: %{Chap-Password} -> *
[sql] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
*rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'*
rlm_sql (sql): Released sql socket id: 2
++[sql] returns fail
  Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> hung
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.6 port 1026, id=33, length=205
Waiting to send Access-Reject to client RDLAB port 1026 - ID: 33
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 33 to 192.168.0.6 port 1026
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x
Waking up in 3.6 seconds.

Best,
Vu Hung,
Re: Dynamic Vlan assigment 802.1x with cisco
Hi,

> > steve Cleartext-Password := testing
> > 	Service-Type = Framed-User,
> > 	Tunnel-Type = VLAN,
> > 	Tunnel-Medium-Type = IEEE-802,
> > 	Tunnel-Private-Group-ID = 2
>
> I have no idea why people keep insisting on doing this, but make 'Tunnel-Private-Group-ID' the VLAN *name*. You are only going to end up killing yourself later on if you insist on using VLAN ID's.

because their kit will only work with VLAN assignment being numbers and not names? ;-)

alan
Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !
On Thu, Apr 22, 2010 at 04:50:50PM +0700, VU VAN HUNG wrote:

It looks like you have a problem with this INSERT query:

[..]
> [sql] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
> rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
> *rlm_sql (sql): Reserving sql socket id: 2
> rlm_sql_mysql: MYSQL check_error: 1054 received
> rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'*

Everything seems to be fine until you get to this postauth stage so I guess fixing the query should solve your problem.

-- 
Szymon Roczniak
Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !
szymon roczniak wrote:
> On Thu, Apr 22, 2010 at 04:50:50PM +0700, VU VAN HUNG wrote:
>
> It looks like you have a problem with this INSERT query:
>
> [..]
> > [sql] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
> > rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'hung', '', 'Access-Accept', '2010-04-21 20:22:27')
> > *rlm_sql (sql): Reserving sql socket id: 2
> > rlm_sql_mysql: MYSQL check_error: 1054 received
> > rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'*
>
> Everything seems to be fine until you get to this postauth stage so I guess fixing the query should solve your problem.

I know, but in the output, I see the following lines:

*sql] 	expand: %{User-Password} -> 
[sql] 	expand: %{Chap-Password} -> *

no information about User-Password and Chap-Password, and the query, which inserts into radpostauth, is an error. I don't know why. Do you have any suggestions about this problem?
Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !
On Thu, Apr 22, 2010 at 05:38:04PM +0700, VU VAN HUNG wrote:
> szymon roczniak wrote:
> > On Thu, Apr 22, 2010 at 04:50:50PM +0700, VU VAN HUNG wrote:
>
> I know, but in the output, I see the following lines:
>
> *sql] 	expand: %{User-Password} -> 
> [sql] 	expand: %{Chap-Password} -> *
>
> no information about User-Password and Chap-Password, and the query,

I hope I'm not completely wrong here but this is probably because you're using EAP not PAP or CHAP so these attributes are not set.

> which insert into radpostauth, is error. I dont know why. Do you have any suggests about this problem ?

the query results in an error because the username column is missing (or misspelled) in the table:

rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'*

-- 
Szymon Roczniak
radiusd does not logging while debug
Hi, FreeRadius.

How to force radiusd -X to do logging to log file too?

-- 
mailto:kes-...@yandex.ru
Re: Dynamic Vlan assigment 802.1x with cisco
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> > > steve Cleartext-Password := testing
> > > 	Service-Type = Framed-User,
> > > 	Tunnel-Type = VLAN,
> > > 	Tunnel-Medium-Type = IEEE-802,
> > > 	Tunnel-Private-Group-ID = 2
> >
> > I have no idea why people keep insisting on doing this, but make 'Tunnel-Private-Group-ID' the VLAN *name*. You are only going to end up killing yourself later on if you insist on using VLAN ID's.
>
> because their kit will only work with VLAN assignment being numbers and not names? ;-)

The old Aironet 1130/1200 APs needed numbers, I remember, but I am pretty sure that an IOS update fixed that. However, now with our infernal WLC4400 and the C3750's we have, I am using names and have been for three years. My counterpart in some multinational is on their 29[56]0's and I am pretty sure three/four years ago when I started playing with 802.1X the 2950 I was playing with did permit the use of names.

Cheers

-- 
Alexander Clouter
.sigmonster says: Neckties strangle clear thinking. -- Lin Yutang
Re: Dynamic Vlan assigment 802.1x with cisco
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> > > steve Cleartext-Password := testing
> > > 	Service-Type = Framed-User,
> > > 	Tunnel-Type = VLAN,
> > > 	Tunnel-Medium-Type = IEEE-802,
> > > 	Tunnel-Private-Group-ID = 2
> >
> > I have no idea why people keep insisting on doing this, but make 'Tunnel-Private-Group-ID' the VLAN *name*. You are only going to end up killing yourself later on if you insist on using VLAN ID's.
>
> because their kit will only work with VLAN assignment being numbers and not names? ;-)

I was also only ranting towards the Cisco users who seem keen to do this sort of thing

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is to you a dashing and bold adventure.
Re: Zombie Infestation of Log file
Josip Rodin wrote:
> One thing that we talked I believe in private mail is good to point out on the mailing list as well - the current request cleaning up logic isn't really being kind to proxy settings and how the admins might interpret them - meaning there is nothing in the proxying code that will avoid having individual requests silently dropped on the floor if the timeouts expire.

The intent is to always call post-proxy fail, but there are cases where that doesn't happen.

> Indeed the only way to get the FR 2.x proxy code to retry and move on to a second home server in a pool is for its original *client* to retry too, within max_request_time, which can then trigger a fail-over in the proxying logic.

Yes. The server does *not* originate packets itself. It proxies packets only when the NAS sends it packets. This should be explained more clearly in proxy.conf.

Alan DeKok.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Dear All,

I am about deploying an AAA service: all authentication is centralized on my freeradius-server (on debian lenny), in the green zone behind ipcop, in which I installed the ipcop addon called copspot (like chilispot) for the captive portal. The authentication worked well locally against openldap (in the same server). When a user tries to connect to the internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome.

Thu Apr 22 14:14:51 2010 : Debug: }
Thu Apr 22 14:14:51 2010 : Debug: Listening on authentication address * port 1812
Thu Apr 22 14:14:51 2010 : Debug: Listening on accounting address * port 1813
Thu Apr 22 14:14:51 2010 : Debug: Listening on proxy address * port 1814
Thu Apr 22 14:14:51 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 32790, id=0, length=216
	User-Name = kkigor14
	CHAP-Challenge = 0xd12e07a5f57980aa86a4aa049fc7bb40
	CHAP-Password = 0x0005cff525e5508c82bc3ebb315c0b09e5
	NAS-IP-Address = 0.0.0.0
	Service-Type = Login-User
	Framed-IP-Address = 192.168.4.7
	Calling-Station-Id = 00-21-63-6B-C8-40
	Called-Station-Id = 00-08-74-D4-7A-F5
	NAS-Identifier = nas01
	Acct-Session-Id = 4bd058be0003
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 3
	Message-Authenticator = 0x5d8d6302e9684a55c2db247bdafc022e
	WISPr-Logoff-URL = http://192.168.4.1:3990/logoff;
Thu Apr 22 14:17:59 2010 : Info: +- entering group authorize {...}
Thu Apr 22 14:17:59 2010 : Info: ++[preprocess] returns ok
Thu Apr 22 14:17:59 2010 : Info: [auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.2.1/auth-detail-20100422
Thu Apr 22 14:17:59 2010 : Info: [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.1/auth-detail-20100422
Thu Apr 22 14:17:59 2010 : Info: [auth_log] 	expand: %t -> Thu Apr 22 14:17:59 2010
Thu Apr 22 14:17:59 2010 : Info: ++[auth_log] returns ok
Thu Apr 22 14:17:59 2010 : Info: [suffix] No '@' in User-Name = kkigor14, looking up realm NULL
Thu Apr 22 14:17:59 2010 : Info: [suffix] No such realm NULL
Thu Apr 22 14:17:59 2010 : Info: ++[suffix] returns noop
Thu Apr 22 14:17:59 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr 22 14:17:59 2010 : Info: ++[eap] returns noop
Thu Apr 22 14:17:59 2010 : Info: ++[unix] returns notfound
Thu Apr 22 14:17:59 2010 : Info: [ldap] performing user authorization for kkigor14
Thu Apr 22 14:17:59 2010 : Info: [ldap] 	expand: %{Stripped-User-Name} -> 
Thu Apr 22 14:17:59 2010 : Info: [ldap] 	... expanding second conditional
Thu Apr 22 14:17:59 2010 : Info: [ldap] 	expand: %{User-Name} -> kkigor14
Thu Apr 22 14:17:59 2010 : Info: [ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kkigor14)
Thu Apr 22 14:17:59 2010 : Info: [ldap] 	expand: dc=csimaroc, dc=lan -> dc=csimaroc, dc=lan
Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Apr 22 14:17:59 2010 : Debug: [ldap] attempting LDAP reconnection
Thu Apr 22 14:17:59 2010 : Debug: [ldap] (re)connect to 127.0.0.1:389, authentication 0
Thu Apr 22 14:17:59 2010 : Debug: [ldap] bind as / to 127.0.0.1:389
Thu Apr 22 14:17:59 2010 : Debug: [ldap] waiting for bind result ...
Thu Apr 22 14:17:59 2010 : Debug: [ldap] Bind was successful
Thu Apr 22 14:17:59 2010 : Debug: [ldap] performing search in dc=csimaroc, dc=lan, with filter (uid=kkigor14)
Thu Apr 22 14:17:59 2010 : Info: [ldap] No default NMAS login sequence
Thu Apr 22 14:17:59 2010 : Info: [ldap] looking for check items in directory...
Thu Apr 22 14:17:59 2010 : Debug: [ldap] sambaNtPassword -> NT-Password == 0x4535334337353245323438413034353342353531353646383131303237453139
Thu Apr 22 14:17:59 2010 : Debug: [ldap] sambaLmPassword -> LM-Password == 0x4432433038394334374245444535364641414433423433354235313430344545
Thu Apr 22 14:17:59 2010 : Info: [ldap] looking for reply items in directory...
Thu Apr 22 14:17:59 2010 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
Thu Apr 22 14:17:59 2010 : Info: [ldap] user kkigor14 authorized to use remote access
Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Apr 22 14:17:59 2010 : Info: ++[ldap] returns ok
Thu Apr 22 14:17:59 2010 : Info: ++[expiration] returns noop
Thu Apr 22 14:17:59 2010 : Info: ++[logintime] returns noop
Thu Apr 22 14:17:59 2010 : Info: [pap] Normalizing NT-Password from hex encoding
Thu Apr 22 14:17:59 2010 : Info: [pap] Normalizing LM-Password from hex encoding
Thu Apr 22 14:17:59 2010 : Info: [pap] No clear-text password in the request. Not performing PAP.
Thu Apr 22 14:17:59 2010
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Johnny R wrote:
> The authentication worked well locally against openldap (in the same server). When an user try to connect to internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome.

Look at the debug log. The packet contains CHAP, and the database has only NT-Password and LM-Passwords. They are simply not compatible:

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: radiusd does not logging while debug
kes-...@yandex.ru wrote:
> Hi, FreeRadius.
> How to force radiusd -X to do logging to log file too?

$ radiusd -X > /var/log/radius/radius.log 2>&1

Alan DeKok.
RE: radiusd does not logging while debug
Maybe (so you both see and log):

Radiusd -X | tee -a /var/log/radius/radius-debug.log

-Original Message-
From: Alan DeKok al...@deployingradius.com
Sent: Thursday, April 22, 2010 12:45 PM
To: kes-...@yandex.ru; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: radiusd does not logging while debug

kes-...@yandex.ru wrote:
> Hi, FreeRadius.
> How to force radiusd -X to do logging to log file too?

$ radiusd -X > /var/log/radius/radius.log 2>&1

Alan DeKok.
Re: radiusd does not logging while debug
On 2010/04/22 06:45 PM, Alan DeKok wrote:
> kes-...@yandex.ru wrote:
> > Hi, FreeRadius.
> > How to force radiusd -X to do logging to log file too?
>
> $ radiusd -X > /var/log/radius/radius.log 2>&1

Or for both file and console.

radiusd -X 2>&1 | tee /var/log/radius/radius.log

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
RE: radiusd does not logging while debug
Well, stderr in a foreground process is normally stdout.

-Original Message-
From: Johan Meiring jmeir...@pcservices.co.za
Sent: Thursday, April 22, 2010 1:09 PM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: radiusd does not logging while debug

On 2010/04/22 06:45 PM, Alan DeKok wrote:
> kes-...@yandex.ru wrote:
> > Hi, FreeRadius.
> > How to force radiusd -X to do logging to log file too?
>
> $ radiusd -X > /var/log/radius/radius.log 2>&1

Or for both file and console.

radiusd -X 2>&1 | tee /var/log/radius/radius.log

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Radius Attribute -- Authenticator IP Adress
Alan DeKok-2 wrote:
> _Stefan_H wrote:
> > Hi, I thought that my Access-Point is able to handle VLAN-Attributes like my Switch but I was wrong. I don't want to tell the whole story.
> > Is there an attribute which returns the authenticator IP-Address?
>
> Packet-Src-IP-Address

Thanks, that is the attribute I am looking for
Multiple instance of proxy
Hi everyone,

I have a question about proxy requests with freeradius: is it possible to run multiple instances of the proxy (not the same, but the same daemon) which use different realm configurations?

example:

proxy 1 (port UDP 1812):
- realm @test.com
- realm @test1.com

proxy 2 (port UDP 1646):
- realm @test2.com
- realm @test3.com

Thanks in advance
Using Nas IP Adress as client key
Hi all,

The radius spec currently identifies a Nas (client) by the Nas's IP address (Packet-Src-IP-Address?). That is how radius works.

We have a bunch of hotspots out in the field which could be behind any kind of internet connection. Broadband/Dynamic IP, natted, etc. Because we have no idea where a specific Nas's traffic might come from we've implemented dynamic-clients. Using rlm_raw we use the Nas-Identifier to look up the shared secret in a database, and the client gets dynamically created. (Thanks Alan for the help with this one!!)

This works very well, but has a few irritating (not showstopping) side effects.

1) Sometimes we have more than one Nas behind the same natted connection. This means that they all have to have the same shared secret.

2) Also it happens that a different Nas ends up behind a previous Nas's IP (dynamically assigned broadband IP) and then the shared secret is again rejected.

Within a corporate/large telco's network, the Nas's (802.11x switches or Dslams) are generally behind fixed IPs, but for the hotspot world any Nas source IP goes.

Is it not maybe a good idea to start considering a different key to identify the Nas by? In clients.conf (or for dynamic clients) a parameter (nas-key) that could be Src-IP or Nas-Id, i.e. you can choose the key that identifies a specific Nas/client and therefore the shared secret.

Does it sound like a bad idea? How difficult would such a change in Freeradius be? (I've not read the source code yet, just throwing an idea out there).

Opinions?

PS: I realise that tunneling the radius traffic is a different solution to the same problem, but in our case not always easy to implement. (The only extra layer I would love to see is RadSec.)

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Hi again List,

Thanks very much Alan, I am so sorry if I am bothering you a little bit ... but all seems to be jumbled in my head. So I have some questions:

- is the cipher login/password which comes from CopSpot (or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)

- the authentication type set in ipcop is just radius (and its ip), so I don't understand why the packet contains CHAP? According to http://deployingradius.com/documents/configuration/active_directory.html, centralizing the authentication in samba will work fine, but I want to do it against ldap. I think what's wrong here is that I added users by smbldap-useradd, not simply ldapadd (which won't work actually, it says: invalid credentials) ...

- So how can I force freeradius to use pap (to be able to authenticate it against ldap) even if the passwd/login is tls ciphered (from chilispot)? I'm really convinced that that's not possible, even senseless, but I have to know why ...

Finally, once again, I really want to thank the list for your availability, and the freeradius dev. team, because this is a success for the open source community.

Thanks,

On Thu, Apr 22, 2010 at 4:45 PM, Alan DeKok al...@deployingradius.com wrote:
> Johnny R wrote:
> > The authentication worked well locally against openldap (in the same server). When an user try to connect to internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome.
>
> Look at the debug log. The packet contains CHAP, and the database has only NT-Password and LM-Passwords. They are simply not compatible:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Alan DeKok.

-- 
Johnny RANDRIAMAMPIONONA
Phone: +212663682554
National School of Applied Sciences
1818 TANGIER 9
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Hi,

> * is the cipher login/password which comes from CopSpot (or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)

if the server says it's CHAP then it's probably sent as CHAP rather than PAP...

> * the authentication type set in ipcop is just radius (and its ip), so I don't understand why the packet contains CHAP?

RADIUS is the method of AAA - the CHAP is what the NAS/AP/captive system is sending the user details as

CHAP and DB is a problem

check your CopSpot system to see if that method can be changed

alan
Re: Exiting normally on FreeBSD -- Synopsis?
On 4/6/2010 11:22 AM, Alan DeKok wrote:
> I don't know. Try using a tool to watch the server memory over time. If it keeps growing... that would be an issue

After research, SIGKILL, SIGXFSZ, SIGXCPU are the only signals sent by the kernel -> userland on the part of setrlimit(2). FreeRADIUS differentiates different types of signals and does not respond to SIGXFSZ, SIGXCPU. I reckon these SIGTERMs are originating from within FreeRADIUS itself as it relates to signaling child threads, etc.:

$ egrep -ir 'signal\(SIG' *
main/radiusd.c:	signal(SIGPIPE, SIG_IGN);
main/radiusd.c:	signal(SIGHUP, sig_hup);
main/radiusd.c:	signal(SIGTERM, sig_fatal);
main/radiusd.c:	signal(SIGINT, sig_fatal);
main/radiusd.c:	signal(SIGQUIT, sig_fatal);
main/radiusd.c:	signal(SIGTERM, SIG_IGN);
main/radiusd.c:	reset_signal(SIGHUP, sig_hup);
main/util.c:	signal(signo, func);
modules/rlm_smb/smblib.c:	signal(SIGPIPE, SIG_IGN); /* Ignore these ... */

Like right here:

static void sig_fatal(int sig)
{
	switch(sig) {
		case SIGTERM:
			radius_signal_self(RADIUS_SIGNAL_SELF_TERM);
			...

I'm going to have to track down calls to radius_signal_self()

~BAS