More complex Proxying
Hi to all,

I'm not sure how I can configure freeradius to have this kind of configuration: try to account to home_server1; if it fails, try home_server2; else fail. A kind of failover, but not exactly; my goal is to have one @realm for more than one authentication server.

I read the more complex configuration but I'm not sure that I can apply this rule in proxy.conf and how.

Thanks in advance.

-- Rosario L.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius+peap+mschap+AD
Hi,

I have some strange problems with peap+mschap+AD. I followed the howto on the wiki for AD but with no luck. When authenticating a user I'll get:

Info: ++[mschap] returns ok
Debug: MSCHAP Success

So I assume that the auth. against AD is OK, but then the inner tunnel does something:

} # server inner-tunnel
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
        Message-Authenticator = 0x
        State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
        Message-Authenticator = 0x
        State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
        EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
        Message-Authenticator = 0x
        State = 0x3b975d133d90441898602b7c0076958a
Mon Apr 26 12:32:15 2010 : Info: Finished request 6.

After that nothing happens.

I'm using: FreeRADIUS Version 2.1.1
I have tried both OS X 10.6 and Ubuntu 10.04 clients.
I have tried changing AP from CISCO to a Linksys WRT-54GL with DD-WRT with no luck.

Has anyone any idea on what's wrong?

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Upgrading from 1.x to 2.1.8
Hi List,

When upgrading an existing 1.x config to 2.1.8 I get the following lines in the debug:

++[sql] returns ok
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!! Please update your configuration so that the known good                 !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.

User-Password in the request is correct.

I did a search on 'User-Password', but it is not in my config files. Same for 'Auth-Type = Local'. I am not using PAP or CHAP at all.

How serious are the above complaints?

Regards,
Martin
R: R: R: NAS-Identifier and radgroupcheck table
Hello,

sorry to ask again about this issue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

I want to filter users login from fixed NAS, but I always get a reject. I don't understand why in the example below:

++[request] returns notfound

Thank you very much.

EXAMPLE

My SQL database:

mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | ana      | Cleartext-Password | := | claveAna |
+----+----------+--------------------+----+----------+
1 rows in set (0.00 sec)

mysql> select * from radreply;
+----+----------+---------------+----+------------+
| id | username | attribute     | op | value      |
+----+----------+---------------+----+------------+
|  1 | ana      | Reply-Message | += | Hola Anita |
+----+----------+---------------+----+------------+
1 rows in set (0.00 sec)

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| ana      | CAU1      |        0 |
+----------+-----------+----------+
1 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+--------+
| id | groupname | attribute      | op | value  |
+----+-----------+----------------+----+--------+
|  1 | CAU1      | Huntgroup-Name | == | pccau1 |
|  2 | CAU1      | Auth-Type      | := | Accept |
+----+-----------+----------------+----+--------+
2 rows in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+---------------+----+------------------------------+
| id | groupname | attribute     | op | value                        |
+----+-----------+---------------+----+------------------------------+
|  1 | CAU1      | Reply-Message | += | Hola miembros del grupo CAU1 |
+----+-----------+---------------+----+------------------------------+
1 rows in set (0.00 sec)

mysql> select * from nas;
+----+---------+-----------+-------+-------+--------+--------+-----------+---------------+
| id | nasname | shortname | type  | ports | secret | server | community | description   |
+----+---------+-----------+-------+-------+--------+--------+-----------+---------------+
|  1 | X.X.X.X | pcCAU1    | other | NULL  | cau123 | NULL   | NULL      | CAU1 computer |
+----+---------+-----------+-------+-------+--------+--------+-----------+---------------+
1 rows in set (0.00 sec)

In my users file:

debian:/etc/freeradius# cat users
DEFAULT Auth-Type := Reject

bob     Cleartext-Password := hello
        Reply-Message = Hola %{User-Name}

My default server:

authorize {
        update request {
                Huntgroup-Name = %{sql:select shortname from nas where nasname=\%{Client-IP-Address}\}
        }
        preprocess
        mschap
        suffix
        eap {
                ok = return
        }
        files
        sql
        expiration
        pap
}

Request with radtest + ana + pcCAU1:

rad_recv: Access-Request packet from host X.X.X.X port 45281, id=133, length=55
        User-Name = ana
        User-Password = claveAna
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
+- entering group authorize {...}
sql_xlat
        expand: %{User-Name} -> ana
sql_set_user escaped user --> 'ana'
        expand: select shortname from nas where nasname=%{Client-IP-Address} -> select shortname from nas where nasname=X.X.X.X
        expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: select shortname from nas where nasname=X.X.X.X
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:select shortname from nas where nasname=%{Client-IP-Address}} -> pcCAU1
++[request] returns notfound
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = ana, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 9
++[files] returns ok
[sql]   expand: %{User-Name} -> ana
[sql] sql_set_user escaped user --> 'ana'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'ana' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'ana' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply
Re: freeradius+peap+mschap+AD
Hi,

> Info: ++[mschap] returns ok
> Debug: MSCHAP Success
> So I assume that the auth. against AD is OK

not if you haven't done the EAP inner-tunnel stuff yet - unless you mean basic authorize has completed.

> but then the inner tunnel does something

well, it tries to

> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>         EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>         Message-Authenticator = 0x
>         State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening. so, either the NAS or the client.

how have you got the AP set up? 802.1X or WPA-Enterprise?
how is the client configured? to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2?
got the required certificate installed on the client?

alan
Re: Upgrading from 1.x to 2.1.8
Hi,

> ++[sql] returns ok
> !!! Replacing User-Password in config items with Cleartext-Password.        !!!
> !!! Please update your configuration so that the known good                 !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
>
> User-Password in the request is correct.
>
> I did a search on 'User-Password', but it is not in my config files. Same for 'Auth-Type = Local'. I am not using PAP or CHAP at all.
>
> How serious are the above complaints?

quite - they are functions/methods that are to be deprecated...so eventually your system won't work at all...

if you send us a complete radiusd -X then we can say where you are using them... my quick guess would be that you have set these values in your SQL tables... usually something like user op value... which would be eg

user1 == User-Password

or such. so please change that so the Op is := and the value check is Cleartext-Password

likewise...Auth-Type = Local is a massive override of program logic. rarely do you need it. the daemon can work out the right type with eg the pap module (which should be active and listed last in the authorize section if memory serves correctly)

alan
Compiling freeradius
I'm trying to compile a fresh version of FreeRADIUS. I fetched the latest stable from git://git.freeradius.org/freeradius-server.git using the information provided at http://git.freeradius.org/.

I am using the following configuration string:

./configure --with-experimental-modules

I want the experimental modules to support WiMAX. Configuration works perfectly, but when building I get the following error:

make[6]: Leaving directory `/root/freeradius-server/src/modules/rlm_wimax'
make[5]: Leaving directory `/root/freeradius-server/src/modules'
make[4]: Leaving directory `/root/freeradius-server/src/modules'
Making all in main...
/usr/bin/make -w -C main all
make[4]: Entering directory `/root/freeradius-server/src/main'
/root/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.2.0\ -DOPENSSL_NO_KRB5 -c event.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server/src -DHOSTINFO=\x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.2.0\ -DOPENSSL_NO_KRB5 -c event.c -fPIC -DPIC -o .libs/event.o
event.c:634: warning: no previous prototype for 'revive_home_server'
event.c:852: warning: no previous prototype for 'mark_home_server_dead'
event.c: In function 'wait_a_bit':
event.c:1192: error: label 'stop_processing' used but not defined
event.c: In function 'radius_signal_self':
event.c:3819: warning: ignoring return value of 'write', declared with attribute warn_unused_result
make[4]: *** [event.lo] Error 1
make[4]: Leaving directory `/root/freeradius-server/src/main'
make[3]: *** [main] Error 2
make[3]: Leaving directory `/root/freeradius-server/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/root/freeradius-server'
make: *** [all] Error 2

Any suggestions to what I am messing up?

Thanks in advance,
Kristoffer Milligan
Re: cannot get core dump of crashing freeradius
Alan DeKok, 04/20/2010 06:21 PM:
>> btw, I wonder why prctl() is not called when debug_flag is set. I would have thought that one would want to get a core dump especially when running in debug mode.
> It doesn't switch UIDs when in debug mode. So it inherits whatever

AFAICS it does when starting it as root (check in mainconfig.c:532). I'd say a quite common case for debugging is to run freeradius -X as root...

> OK. This will become a non-issue when the prctl() calls are moved into the fr_suid_* functions. :)

Would you like me to prepare a patch for that or would you rather do that yourself?

Anyway, here's the aftermath: I got my core dump, finally, and it turns out that we are probably hit by the notorious bug #35 (as I half feared, half hoped :). I will try the fix for list_delete() you proposed if I can get to it...
Re: freeradius+peap+mschap+AD
Hi,

This is what I get.

--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> username
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -> --domain=LNU.SE
[mschap]  mschap2: 67
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=756cc36d609e7393
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too). I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2, and the CA-cert is used on the client.

On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
>
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>> So I assume that the auth. against AD is OK
>
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean basic authorize has completed.
>
>> but then the inner tunnel does something
>
> well, it tries to
>
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>>         EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>>         Message-Authenticator = 0x
>>         State = 0x3b975d133d90441898602b7c0076958a
>
> it sends a challenge back to the NAS/AP - but nothing else is happening. so, either the NAS or the client.
>
> how have you got the AP set up? 802.1X or WPA-Enterprise?
> how is the client configured? to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2?
> got the required certificate installed on the client?
>
> alan

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: Compiling freeradius
hi,

the GIT version is guaranteed to compile - it's very bleeding edge and work in progress ...you've got the pre-2.2.0 HEAD version and there's a few little niggles that seem to have crept in. will the 2.1.8 source not do things for you?

alan
RE: Upgrading from 1.x to 2.1.8
>> ++[sql] returns ok
>> !!! Replacing User-Password in config items with Cleartext-Password.        !!!
>> !!! Please update your configuration so that the known good                 !!!
>> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>>
>> User-Password in the request is correct.
>>
>> I did a search on 'User-Password', but it is not in my config files. Same for 'Auth-Type = Local'. I am not using PAP or CHAP at all.
>>
>> How serious are the above complaints?
>
> quite - they are functions/methods that are to be deprecated...so eventually your system won't work at all...
>
> if you send us a complete radiusd -X then we can say where you are using them... my quick guess would be that you have set these values in your SQL tables... usually something like user op value... which would be eg
>
> user1 == User-Password
>
> or such. so please change that so the Op is := and the value check is Cleartext-Password
>
> likewise...Auth-Type = Local is a massive override of program logic. rarely do you need it. the daemon can work out the right type with eg the pap module (which should be active and listed last in the authorize section if memory serves correctly)
>
> alan

Thanks Alan,

You're right - User-Password is an op value in my SQL tables, I'll change that and re-test. (And have a further search on where we are using 'Auth-Type = Local' as well)

Martin
Re: Compiling freeradius
Kristoffer Milligan wrote:
> Configuration works perfectly, but when building I get the following error:

$ git pull

This was fixed recently.

Alan DeKok.
Re: cannot get core dump of crashing freeradius
Jakob Hirsch wrote:
> This will become a non-issue when the prctl() calls are moved into the fr_suid_* functions. :)
> Would you like me to prepare a patch for that or would you rather do that yourself?

Patch, please. It's just easier.

> Anyway, here's the aftermath: I got my core dump, finally, and it turns out that we are probably hit by the notorious bug #35 (as I half feared, half hoped :). I will try the fix for list_delete() you proposed if I can get to it...

I'm not sure that will help. sigh

It's happened enough that I know it's real. But I have *no* idea why it's happening:

- there is ONE location in the code where entries get added to the cache
- there is ONE location where they're looked up
- there is ONE location where they're deleted
- all this is done from ONE thread

So if the request is in the cache, the packet pointer *cannot* be NULL. So it's likely not a race condition between threads. It's not a mismanagement issue. It's not a use after free memory issue. sigh

I'll put a fix into 2.1.9 which works around the issue. It's better than having the server crash.

If you don't mind trying things, I can send you some patches which might help tracking it down.

Alan DeKok.
Re: More complex Proxying
Rosario Lumia wrote:
> I'm not sure how I can configure freeradius to have this kind of configuration: try to account to home_server1; if it fails, try home_server2; else fail. A kind of failover, but not exactly; my goal is to have one @realm for more than one authentication server.

What does that mean?

> I read the more complex configuration but I'm not sure that I can apply this rule in proxy.conf and how.

There's no more complex configuration section in proxy.conf.

Alan DeKok.
Re: Using Radiusclient to implement a radius client on Windows platform?
Joshua Lim wrote:
> Hi Alan,
>
> Thanks, how about using the pgina radius plugin?
> http://userpage.fu-berlin.de/~holger/radiusplugin/RADIUSplugin-0.3src.zip
>
> It has code taken from pam_radius_auth. Is pam_radius_auth using radiusclient?

No. They are different code bases. They should really be unified at some point.

Alan DeKok.
Re: R: R: R: NAS-Identifier and radgroupcheck table
Ana Gallardo wrote:
> sorry to ask again about this issue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
>
> I want to filter users login from fixed NAS, but I always get a reject.
...
> [expiration] Checking Expiration time: '02 Dec 2010'
> ++[expiration] returns ok
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = Reject

Where is this coming from? The default configuration has *no* Auth-Type = Reject setting. You have added this locally.

Alan DeKok.
Remote MySQL backend encryption
Hi,

I am trying to figure out if I need to encrypt my traffic from a FreeRadius server to a remote MySQL backend. I have the following setup.

FreeRadius/MySQL (Server1)
FreeRadius/MySQL (Server2)

Both Server1 and Server2 are doing MySQL Master to Master (ssl) Replication.

Now I want to add a third FreeRadius server without a local MySQL Backend. So this third server will point to either Server1 or Server2 which runs MySQL, but will these requests be sent to the remote MySQL Servers in clear text?

-Thanks Eric-
Re: R: R: R: NAS-Identifier and radgroupcheck table
On 04/26/2010 08:46 AM, Ana Gallardo wrote:
> Hello,
>
> sorry to ask again about this issue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
>
> I want to filter users login from fixed NAS, but I always get a reject. I don't understand why in the example below:
>
> ++[request] returns notfound

I believe rlm_sql is being invoked to satisfy the update request using a sql select and I believe the return code of notfound isn't meaningful in this context.

You probably also should read doc/rlm_sql and make sure you understand the meanings of the operators, specifically the difference between =, == and :=

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
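The operator distinction John points to, and the group-check behaviour Ana's tables rely on, can be made concrete in code. The following is an added example (my own, not from the thread and not FreeRADIUS's code) that applies rlm_sql-style check items to a request the way the server's pair comparison treats them: compare operators (==, !=, =~, !~, =*, !*) must match the request, while set operators (:=, =, +=) never fail and only change the control list. The rows are copied from Ana's radcheck, radgroupcheck and radusergroup output; the request and control values are constructed from her debug output (Huntgroup-Name as returned by the SQL xlat, Auth-Type left behind by the DEFAULT entry in users). It treats Huntgroup-Name as an ordinary string attribute and does not model rlm_preprocess's special Huntgroup-Name comparison; it also always processes groups and stops at the first group whose check items match, both simplifications of the real module.

```python
import re

# Rows copied from the tables shown earlier in the thread:
# (username_or_group, attribute, op, value), and (username, group, priority).
RADCHECK = [("ana", "Cleartext-Password", ":=", "claveAna")]
RADGROUPCHECK = [("CAU1", "Huntgroup-Name", "==", "pccau1"),
                 ("CAU1", "Auth-Type", ":=", "Accept")]
RADUSERGROUP = [("ana", "CAU1", 0)]

COMPARE_OPS = {"==", "!=", "=~", "!~", "=*", "!*"}


def check_items_match(items, request, control):
    """Apply (attr, op, value) check items to a request dict.

    Returns (matched, new_control). Compare operators are tested against the
    request with a case-sensitive string compare (as the server does); set
    operators never fail and only alter the returned copy of control."""
    control = dict(control)
    for attr, op, value in items:
        have = request.get(attr)
        if op in COMPARE_OPS:
            if op == "==":
                ok = have == value
            elif op == "!=":
                ok = have != value
            elif op == "=~":
                ok = have is not None and re.search(value, have) is not None
            elif op == "!~":
                ok = have is None or re.search(value, have) is None
            elif op == "=*":
                ok = have is not None
            else:  # "!*"
                ok = have is None
            if not ok:
                return False, control
        elif op == ":=":            # always set, overriding an existing value
            control[attr] = value
        elif op == "=":             # set only if not already present
            control.setdefault(attr, value)
        elif op == "+=":            # add (multi-valued lists simplified to one value)
            control[attr] = value
        else:
            raise ValueError("unsupported operator %r" % op)
    return True, control


def sql_authorize(username, request, control):
    """User check items first, then the user's groups by priority; the first
    group whose check items match contributes its control items.

    Returns (matched_group_or_None, control)."""
    user_items = [(a, o, v) for (u, a, o, v) in RADCHECK if u == username]
    matched, control = check_items_match(user_items, request, control)
    groups = sorted((p, g) for (u, g, p) in RADUSERGROUP if u == username)
    for _, group in groups:
        items = [(a, o, v) for (g, a, o, v) in RADGROUPCHECK if g == group]
        ok, group_control = check_items_match(items, request, control)
        if ok:
            return group, group_control
    return None, control


if __name__ == "__main__":
    # Constructed from the debug output: files has already set Auth-Type := Reject,
    # and the SQL xlat put the nas.shortname "pcCAU1" into the request.
    seen = {"User-Name": "ana", "User-Password": "claveAna", "Huntgroup-Name": "pcCAU1"}
    print(sql_authorize("ana", seen, {"Auth-Type": "Reject"}))
    fixed = dict(seen, **{"Huntgroup-Name": "pccau1"})
    print(sql_authorize("ana", fixed, {"Auth-Type": "Reject"}))
```

With the request exactly as the debug output shows it, the group check `Huntgroup-Name == pccau1` does not match `pcCAU1`, so `Auth-Type := Accept` is never applied and the Reject set by the users file survives; with a matching huntgroup name the group's `:=` item overrides it. Note that `=` would not have overridden the existing Reject at all, which is the difference doc/rlm_sql describes.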
Freeradius against NAS Cisco 7206-VXR
Hi, all.

Is there a How-To explaining how to implement Radius in this NAS? The IOS version is 12.2

Thanks.

-- 
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Tel. (11) 3091-8901
Re: Remote MySQL backend encryption
On 04/26/2010 01:57 PM, eric.hernan...@allegiantair.com wrote:
> Hi,
>
> I am trying to figure out if I need to encrypt my traffic from a FreeRadius server to a remote MySQL backend. I have the following setup.
>
> FreeRadius/MySQL (Server1)
> FreeRadius/MySQL (Server2)
>
> Both Server1 and Server2 are doing MySQL Master to Master (ssl) Replication.
>
> Now I want to add a third FreeRadius server without a local MySQL Backend. So this third server will point to either Server1 or Server2 which runs MySQL, but will these requests be sent to the remote MySQL Servers in clear text?

This has nothing to do with how many MySQL servers you've got or how you're doing replication, encryption occurs on a per connection basis (e.g. connections established via rlm_sql_mysql). rlm_sql_mysql never opens an encrypted session with its server because rlm_sql_mysql does not have an option to set SSL/TLS transport (e.g. does not call mysql_ssl_set()). That probably would be a good feature to add.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Freeradius against NAS Cisco 7206-VXR
On Mon, Apr 26, 2010 at 03:44:50PM -0300, Wagner Pereira wrote:
> Is there a How-To explaining how to implement Radius in this NAS? The IOS version is 12.2

What exactly do you need explained, that isn't in Cisco documentation?

-- 
     2. That which causes joy or happiness.
proxy based on number of numeric char.
I'd like to have a radius proxy setup where it can proxy users based on the number of numeric characters in the userid.

So for example, if the userid is abc123 (with 3 numeric char. at the end) it should proxy to an instance of radius running on the same box, and if the userid is abcxxx it should proxy the request to a different instance of radius running on the same box.

Is this doable, or did I miss something in the documentation?
Re: proxy based on number of numeric char.
Agent Smith wrote:
> I'd like to have a radius proxy setup where it can proxy users based on the number of numeric characters in the userid.
>
> So for example, if the userid is abc123 (with 3 numeric char. at the end) it should proxy to an instance of radius running on the same box, and if the userid is abcxxx it should proxy the request to a different instance of radius running on the same box.
>
> Is this doable, or did I miss something in the documentation?

There is nothing in the documentation that says how to do this exact setup.

What you can do is control proxying manually. See raddb/proxy.conf, and man unlang to put the pieces together.

authorize {
	...
	if (User-Name =~ /^...$$/) {
		update control {
			Proxy-To-Realm := foo
		}
	}
	...
}

You will still need to configure realms.

Alan DeKok.
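To show the decision the unlang snippet above makes, and the guard that goes with Alan's reminder that realms still have to be configured, here is an added example in Python (my own code, not from the thread or from FreeRADIUS; the realm names, route table and the `set_proxy_realm` helper are assumptions). Instead of a fixed regex it counts the digits at the end of the user id, ignoring any @realm suffix, looks the count up in a route table, and produces the equivalent of `update control { Proxy-To-Realm := ... }` only when the selected realm is one that actually exists, so that a typo in the table cannot send requests to an undefined realm.

```python
import re

# Constructed configuration (assumption, not from the thread): the number of
# digits at the end of the user id selects the realm. Realm names must also be
# defined in proxy.conf; CONFIGURED_REALMS stands in for that list here.
CONFIGURED_REALMS = {"numeric-users", "other-users"}
ROUTES = {3: "numeric-users"}       # exactly three trailing digits -> this realm
FALLBACK_REALM = "other-users"      # everything else

TRAILING_DIGITS = re.compile(r"([0-9]*)$")


def trailing_digit_count(user_name):
    """Number of numeric characters at the end of the user id ('abc123' -> 3).

    Only the part before any '@realm' suffix is examined, which is what the
    suffix module would leave in Stripped-User-Name."""
    local_part = user_name.split("@", 1)[0]
    return len(TRAILING_DIGITS.search(local_part).group(1))


def choose_realm(user_name, routes=ROUTES, fallback=FALLBACK_REALM):
    """Map a user id to a realm name via the trailing-digit count."""
    return routes.get(trailing_digit_count(user_name), fallback)


def set_proxy_realm(request, control, routes=ROUTES,
                    configured=CONFIGURED_REALMS):
    """Equivalent of 'update control { Proxy-To-Realm := <realm> }'.

    Returns a new control dict. The request is left unproxied (control
    unchanged) when User-Name is missing or when the chosen realm is not a
    configured one, so a routing mistake fails closed instead of proxying to
    a realm the server does not know."""
    new_control = dict(control)
    user = request.get("User-Name")
    if not user:
        return new_control
    realm = choose_realm(user, routes)
    if realm not in configured:
        return new_control
    new_control["Proxy-To-Realm"] = realm
    return new_control


if __name__ == "__main__":
    for name in ("abc123", "abcxxx", "abc1234", "abc123@example.org"):
        print(name, "->", set_proxy_realm({"User-Name": name}, {}))
```

In unlang the same decision would be two `if` blocks with different regexes; the table form makes it easy to add a fourth or fifth digit class later without another nested `if`.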
Remote MySQL backend encryption
I see, that's what I thought. I also confirmed it's all clear text with tcpdump.

If I were to switch my backend to an ldap system, would I have encrypted traffic for user authentication with a freeradius remote ldap/backend setup? Also, is there a nas/radacct table equivalent in the ldap solution, or is it strictly for user authentication?

> Message: 9
> Date: Mon, 26 Apr 2010 15:04:17 -0400
> From: John Dennis jden...@redhat.com
> Subject: Re: Remote MySQL backend encryption
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4bd5e3b1.8060...@redhat.com
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 04/26/2010 01:57 PM, eric.hernan...@allegiantair.com wrote:
>> Hi,
>>
>> I am trying to figure out if I need to encrypt my traffic from a FreeRadius server to a remote MySQL backend. I have the following setup.
>>
>> FreeRadius/MySQL (Server1)
>> FreeRadius/MySQL (Server2)
>>
>> Both Server1 and Server2 are doing MySQL Master to Master (ssl) Replication.
>>
>> Now I want to add a third FreeRadius server without a local MySQL Backend. So this third server will point to either Server1 or Server2 which runs MySQL, but will these requests be sent to the remote MySQL Servers in clear text?
>
> This has nothing to do with how many MySQL servers you've got or how you're doing replication, encryption occurs on a per connection basis (e.g. connections established via rlm_sql_mysql). rlm_sql_mysql never opens an encrypted session with its server because rlm_sql_mysql does not have an option to set SSL/TLS transport (e.g. does not call mysql_ssl_set()). That probably would be a good feature to add.
>
> -- 
> John Dennis jden...@redhat.com
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: Remote MySQL backend encryption
Hi,

> This has nothing to do with how many MySQL servers you've got or how you're doing replication, encryption occurs on a per connection basis (e.g. connections established via rlm_sql_mysql). rlm_sql_mysql never opens an encrypted session with its server because rlm_sql_mysql does not have an option to set SSL/TLS transport (e.g. does not call mysql_ssl_set()). That probably would be a good feature to add.

indeed, currently you have to drop out of the SQL module method and use eg PERL with the relevant SQL stuff coded in PERL instead

alan
Re: Remote MySQL backend encryption
On 04/26/2010 05:33 PM, eric.hernan...@allegiantair.com wrote:
> I see, that's what I thought. I also confirmed it's all clear text with tcpdump.
>
> If I were to switch my backend to an ldap system, would I have encrypted traffic for user authentication with a freeradius remote ldap/backend setup?

Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x

> Also, is there a nas/radacct table equivalent in the ldap solution, or is it strictly for user authentication?

Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x

FWIW, I don't have extra cycles at the moment.

BTW, patching rlm_sql_mysql to use SSL wouldn't be hard.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
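John's point that rlm_sql_mysql never calls mysql_ssl_set(), and Eric's tcpdump confirmation, can be turned into a repeatable check on a capture rather than a one-off look at packet bytes. The following is an added example (my own code, not from FreeRADIUS or from anyone in the thread): it parses the client's first packet of a MySQL session, the reply to the server greeting, and reports whether the client asked for TLS by setting the CLIENT_SSL capability flag. When the flag is absent the packet is a HandshakeResponse and the username is readable from it, which is the clear-text situation Eric observed; when it is present the packet is an SSLRequest and the TLS handshake follows before any credentials. The sample packets are constructed inline, not captured; field offsets follow the MySQL client/server protocol's HandshakeResponse41 and SSLRequest layouts.

```python
import struct

# MySQL client capability flags (client/server protocol)
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000


def split_packet(raw):
    """Peel one MySQL wire packet: 3-byte little-endian length, 1-byte sequence id."""
    if len(raw) < 4:
        raise ValueError("short packet header")
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return raw[3], payload


def client_negotiates_tls(raw):
    """Inspect the client's reply to the server greeting (sequence id 1).

    SSLRequest and HandshakeResponse41 both begin with the capability flags.
    CLIENT_SSL set means an SSLRequest: TLS starts before any credentials are
    sent. Clear means everything from here on, username and queries included,
    crosses the wire unencrypted."""
    seq, payload = split_packet(raw)
    if seq != 1:
        raise ValueError("expected the client's reply to the greeting (seq 1), got seq %d" % seq)
    if len(payload) < 4:
        raise ValueError("payload too short for capability flags")
    caps = struct.unpack_from("<I", payload)[0]
    if not caps & CLIENT_PROTOCOL_41:
        caps = struct.unpack_from("<H", payload)[0]   # pre-4.1 response: 2-byte flags
    return bool(caps & CLIENT_SSL)


def cleartext_username(raw):
    """Username from a HandshakeResponse41, or None when the packet is an SSLRequest."""
    if client_negotiates_tls(raw):
        return None
    _, payload = split_packet(raw)
    # flags(4) + max packet size(4) + charset(1) + reserved(23) = 32, then NUL-terminated user
    end = payload.index(b"\x00", 32)
    return payload[32:end].decode("utf-8")


# --- constructed sample packets (assumption: not captured from a real server) ---
def mysql_packet(seq, payload):
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def build_client_reply(user, want_tls=False):
    """HandshakeResponse41 for a clear session, SSLRequest when want_tls is set."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | (CLIENT_SSL if want_tls else 0)
    head = struct.pack("<IIB", caps, 1 << 24, 33) + b"\x00" * 23
    if want_tls:
        return mysql_packet(1, head)            # SSLRequest carries nothing more
    auth = b"\x14" + b"\x00" * 20               # dummy length-prefixed auth response
    return mysql_packet(1, head + user.encode() + b"\x00" + auth)


PLAIN = build_client_reply("radius")
TLS = build_client_reply("radius", want_tls=True)

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("tls", TLS)):
        print(label, "tls:", client_negotiates_tls(pkt), "user:", cleartext_username(pkt))
```

To use it on a real capture, feed it the first client-to-server TCP payload after the server greeting (the packet with sequence id 1). A session opened by a client that does not request TLS will show the username in this packet; a session from a client that does will show an SSLRequest and only TLS records afterwards.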
Re: Freeradius against NAS Cisco 7206-VXR [RESOLVED]
Hi, Josip.

Now I am able to authenticate against freeradius on the Cisco 7206-VXR. I just copied the configuration from another Cisco switch.

-- 
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Tel. (11) 3091-8901

On 26/4/2010 16:08, Josip Rodin wrote:
> On Mon, Apr 26, 2010 at 03:44:50PM -0300, Wagner Pereira wrote:
>> Is there a How-To explaining how to implement Radius in this NAS? The IOS version is 12.2
>
> What exactly do you need explained, that isn't in Cisco documentation?
Proxy EAP-TLS as non-EAP
I am trying to set up a FreeRadius server to handle EAP-TLS authentication with a WiMAX ASN GW. I have another Radius server which does not support EAP-TLS but stores the WiMAX QoS attribute values that need to be assigned to the user (the user is identified by Calling-Station-ID).

I have been going through all the post archive for a few days but have NOT been able to find a thread that directly answers my question.

1. How can I proxy the EAP-TLS request to a radius server which does not support EAP? (I only need the Radius Attributes in the outer tunnel)

2. How can I add QoS attributes from the proxy-radius response to the outer tunnel of the EAP-TLS response?

Highly appreciate any help from the community.

Thanks and Regards,
Alok
Dynamic VLAN with AD/LDAP - Best Practice / preferred option?
Hello all,

I currently have FR v2.1.6 (Yes, I'll upgrade...) running on RHEL5. I'm authenticating VPN users and Ci$co device shell access using SAMBA/ntlm_auth integration. Everything is working fine.

My next task is assigning Dynamic VLAN IDs. I have some test accounts/ports working using the users file, but I'm ready to take the next step to deploy DVLANs company wide, and want to assign the ID based on an AD/LDAP attribute. I prefer not to extend the schema and ideally would be able to assign the VLAN ID based on a Group attribute - so I don't have to go back and populate some attribute for a couple thousand users.

Anyway, there are numerous posts about this issue / similar issues. I'm wondering if there is a Best Practice method or Preferred method to accomplish this? A method known to work better than another, or works as well as anything but is easy to implement, etc. Or, is this one of those things where there are a dozen right answers and I just need to pick one and do it?

Any thoughts appreciated!

TIA!
Gary
rlm_python and dynload problem
Hi,

I came across a bug when rlm_python executes python code that tries to load a dynamic (shared) module. This bug seems to have been discussed 2 or 3 times on this list, but no really satisfying solution appears to have been found so far (as far as I know), so I thought I might raise the subject again and perhaps try to contribute in finding a solution.

In short, I think the solution to this problem is explained here, but I don't know how to implement it in freeRADIUS: http://docs.python.org/release/2.5.2/ext/link-reqs.html

Here is my setup:
- running a perfectly standard Debian Lenny (2.6.26-2-amd64)
- installed the latest freeradius package from the lenny-backports (2.1.8+dfsg-1~bpo50+1)
- the python debian package is the one installed with Debian Lenny (2.5.2-3)

Here is my config:
--
###
# /etc/freeradius/modules/python
###
python python_test {
        mod_instantiate = radiusd_test
        func_instantiate = instantiate
}

###
# /etc/freeradius/radiusd.conf
###
...
instantiate {
        python_test
}
...

###
# /usr/lib/python2.5/site-packages/radiusd_test.py
###
import radiusd

def instantiate(p):
        radiusd.radlog(radiusd.L_DBG, "THIS WORKS")
        import random   # this crashes
        radiusd.radlog(radiusd.L_DBG, "THIS IS NEVER REACHED !")
--

Here is the output of freeradius -X:
--
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Apr 26 2010 at 21:49:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
...
Module: Linked to module rlm_python
Module: Instantiating python_test
python_init done
 python python_test {
        mod_instantiate = radiusd_test
        func_instantiate = instantiate
 }
THIS WORKS
rlm_python:EXCEPT:<type 'exceptions.ImportError'>: /usr/lib/python2.5/lib-dynload/math.so: undefined symbol: PyExc_ValueError
/etc/freeradius/modules/python[24]: Instantiation failed for module python_test
--

The module is properly loaded, the instantiate function gets called, and the first log message is output. In fact, any 100% pure python code works fine. The bug happens when a python module gets loaded dynamically: importing any module located in /usr/lib/python2.5/lib-dynload/*.so will crash.

From what I understand, here's what happens:

1) rlm_python was built against libpython2.5.a, but for optimization purposes, the linker stripped out all the symbols that were not used by rlm_python itself (including, for example, PyExc_ValueError). This behavior is platform-dependent, which probably explains why everything works fine on centos, for example.

2) when the radiusd_test module runs, it tries to import the random module, which itself tries to import the math module, which is in lib-dynload, and gets loaded dynamically.

3) unfortunately, python fails to load that module because it uses the PyExc_ValueError symbol and it does not know where it is defined (it is located in /usr/lib/libpython2.5.so.1, but unfortunately, the math module does not know that).

As I said, I believe that the solution to this problem is clearly explained here: http://docs.python.org/release/2.5.2/ext/link-reqs.html

As it's just a few paragraphs, I'll quote it here, for your convenience:
--
While the configure script shipped with the Python sources will correctly build Python to export the symbols needed by dynamically linked extensions, this is not automatically inherited by applications which embed the Python library statically, at least on Unix. This is an issue when the application is linked to the static runtime library (libpython.a) and needs to load dynamic extensions (implemented as .so files).

The problem is that some entry points are defined by the Python runtime solely for extension modules to use. If the embedding application does not use any of these entry points, some linkers will not include those entries in the symbol table of the finished executable. Some additional options are needed to inform the linker not to remove these symbols.

Determining the right options to use for any given platform can be quite difficult, but fortunately the Python configuration already has those values. To retrieve them from an installed Python interpreter, start an interactive interpreter and have a short session like this:

>>> import distutils.sysconfig
>>> distutils.sysconfig.get_config_var('LINKFORSHARED')
'-Xlinker -export-dynamic'

The contents of the string presented will be the options that should be used. If the string is empty, there's no need to
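A diagnostic variant of the poster's module, added here as an example (it is not the code from the post and not part of FreeRADIUS). It is loaded through the same rlm_python interface, but its instantiate() probes a handful of lib-dynload extensions first and reports every failing import plus the LINKFORSHARED value from the quoted docs, so one -X run tells you which .so files fail and which linker flags rlm_python was built without. The module name radiusd_diag, the function name, and the sample list of extensions are assumptions; the stub radiusd class only exists so the file can be run from a plain interpreter.

```python
# Added example, not the code from the original post.  Same rlm_python
# module shape as radiusd_test.py (mod_instantiate = radiusd_diag,
# func_instantiate = instantiate would be the assumed config), but the
# instantiate() probes C-extension imports up front and logs each failure
# instead of dying on the first ImportError with a one-line traceback.
import sys

try:
    import radiusd  # provided by rlm_python when loaded inside FreeRADIUS
except ImportError:
    # Stand-in so the module can be exercised outside radiusd.
    class radiusd(object):
        L_DBG, L_AUTH, L_INFO, L_ERR = 1, 2, 3, 4

        @staticmethod
        def radlog(level, msg):
            print("[%d] %s" % (level, msg))

# Assumed sample of extensions that are shared objects in lib-dynload on the
# Debian/Python 2.5 build in the thread (random pulls in math, which failed).
DYNLOAD_SAMPLE = ("math", "_random", "binascii", "_socket")


def probe_dynload(names=DYNLOAD_SAMPLE):
    """Try to import each named module; return {name: error string} for the
    ones that fail.  An empty dict means every extension loaded."""
    failures = {}
    for name in names:
        try:
            __import__(name)
        except ImportError:
            # On the linker problem from the thread this reads like
            # ".../lib-dynload/math.so: undefined symbol: PyExc_ValueError".
            # sys.exc_info() keeps the syntax valid on both 2.5 and 3.x.
            failures[name] = str(sys.exc_info()[1])
    return failures


def link_flags_for_embedding():
    """Return the LINKFORSHARED value the Python docs say an embedding
    application must be linked with ("" when the platform needs none)."""
    try:
        import sysconfig  # Python 2.7+ / 3.x
    except ImportError:
        import distutils.sysconfig as sysconfig  # Python 2.5 / 2.6
    return sysconfig.get_config_var("LINKFORSHARED") or ""


def instantiate(p):
    """rlm_python entry point: return 0 on success, -1 on failure."""
    failures = probe_dynload()
    if not failures:
        radiusd.radlog(radiusd.L_DBG, "dynload extensions import cleanly")
        return 0
    for name, err in sorted(failures.items()):
        radiusd.radlog(radiusd.L_ERR, "cannot import %s: %s" % (name, err))
    radiusd.radlog(radiusd.L_ERR,
                   "rlm_python was probably linked without the Python "
                   "symbols; relink it with LINKFORSHARED=%r"
                   % link_flags_for_embedding())
    return -1


if __name__ == "__main__":
    # Outside radiusd this just runs the probe with the stub logger.
    raise SystemExit(instantiate({}))
```

Before relinking anything, `ldd` on the installed rlm_python.so is the quick check: if no libpython2.5.so line appears, the module was linked statically against libpython.a, which is exactly the case the quoted docs describe.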
Re: Dynamic VLAN with AD/LDAP - Best Practice / preferred option?
This may help you. http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

Using the Postauth_users restricting it via an ldap group should work.

On Tue, Apr 27, 2010 at 11:50 AM, Gary Gatten ggat...@waddell.com wrote:
> [...] My next task is assigning Dynamic VLAN ID's. I have some test accounts/ports working using the "users" file, but I'm ready to take the next step to deploy DVLANs company wide, and want to assign the ID based on an AD/LDAP attribute. I prefer not to extend the schema and ideally would be able to assign the VLAN ID based on a "Group" attribute [...]
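What the group-restricted users-file approach from the reply looks like in practice, as an added example (not from the thread, not FreeRADIUS's own configuration). It assumes the 2.x `ldap` module is configured against AD with group lookups (groupmembership_attribute = memberOf, so Ldap-Group compares against a group DN); the group DNs and VLAN numbers are placeholders.

```text
# /etc/raddb/users (FreeRADIUS 2.x) -- added example, not from the thread.
# Group DNs and VLAN numbers are placeholders.
#
# Ldap-Group is a check item registered by the ldap module.  Whether it is
# matched against a cn or a full group DN is decided by groupname_attribute /
# groupmembership_attribute in modules/ldap; with AD and memberOf it is the DN.

DEFAULT  Ldap-Group == "CN=vlan-engineering,OU=Groups,DC=example,DC=com"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "101"

DEFAULT  Ldap-Group == "CN=vlan-sales,OU=Groups,DC=example,DC=com"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "102"

# Optional: a switch-port user who matched none of the groups above is
# refused instead of silently landing on the port's default VLAN.  Keyed on
# NAS-Port-Type so the VPN and device-shell users from the question, which
# carry no VLAN, are not caught by it.
#DEFAULT  NAS-Port-Type == Ethernet, Auth-Type := Reject
#         Reply-Message = "No VLAN group membership"
```

Two things to check: `ldap` should run before `files` in the authorize section so the user's DN (control:Ldap-UserDn) is already known when the Ldap-Group comparisons fire, and for 802.1X with PEAP or TTLS these entries have to match in the inner-tunnel virtual server with `use_tunneled_reply = yes` in eap.conf, otherwise the Tunnel-* attributes never reach the outer Access-Accept that the switch sees. Entries are tried in order and Fall-Through defaults to No, so a user in both groups gets the first VLAN listed.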
Re: Remote MySQL backend encryption
On Tue, Apr 27, 2010 at 1:17 AM, John Dennis jden...@redhat.com wrote:
> On 04/26/2010 05:33 PM, eric.hernan...@allegiantair.com wrote:
>> I see, that's what I thought, I also confirmed it's all clear text with tcpdump. If I were to switch my backend to an ldap system would I have encrypted traffic for user authentication with freeradius remote ldap/backend setup?

Or you could probably tunnel the traffic via SSH or some other encrypted medium. Given this will add overhead though, I couldn't say how much compared to other solutions; it depends on your deployment I guess.

Regards,
Liran Tal.

> Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x
>
>> Also is there a nas/radacct table equivalent in the ldap solution or is it strictly for user authentication?
>
> Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x
>
> FWIW, I don't have extra cycles at the moment.
>
> BTW, patching rlm_sql_mysql to use SSL wouldn't be hard.
>
> --
> John Dennis jden...@redhat.com
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
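The SSH tunnel Liran suggests, spelled out as an added example (not from the thread and not FreeRADIUS documentation). Host names, the local forwarding port, the SSH account name and the database credentials are placeholders.

```text
# On the RADIUS server: a local port-forward to the DB host over SSH.
# -N runs no remote command, -f backgrounds after authentication.  The
# listener is bound to loopback only, so other hosts on the LAN cannot use
# the tunnel.  Run it under a supervisor (or autossh) so it comes back if
# the session drops; otherwise rlm_sql fails on its next reconnect.
ssh -N -f -L 127.0.0.1:3307:127.0.0.1:3306 radius-tunnel@db.example.internal

# On the DB host, ~radius-tunnel/.ssh/authorized_keys: pin that key to the
# one forward and nothing else (no shell, no pty, no agent/X11 forwarding).
permitopen="127.0.0.1:3306",no-pty,no-X11-forwarding,no-agent-forwarding,command="/bin/false" ssh-rsa AAAA... radius-tunnel

# /etc/raddb/sql.conf (FreeRADIUS 2.x): point rlm_sql at the tunnel end.
# 127.0.0.1 rather than "localhost" matters: the MySQL client library treats
# "localhost" as "use the Unix socket", which would bypass the tunnel.
sql {
        database = "mysql"
        driver = "rlm_sql_mysql"
        server = "127.0.0.1"
        port = 3307
        login = "radius"
        password = "change-me"
        radius_db = "radius"
        # remaining sql.conf settings unchanged
}
```

With this in place the MySQL server only needs to accept the radius account from its own loopback (GRANT ... TO 'radius'@'127.0.0.1'), so the tcpdump check from the thread, repeated on the DB host's external interface, should show nothing but SSH.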