Re: Freeradius privilege separation
Michał Dopierała wrote:
> It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)?

Yes.

> How to separate it?

How are the requests different? Use that information to separate the policies for the two routers.

> My current configuration of users:
> mdopierala Auth-Type := PAP, Crypt-Password = passwrd

DON'T set Auth-Type. Honestly. This should be written in huge letters everywhere on all of the documentation.

> Service-Type = Administrative-User, Cisco-AVPair=shell:priv-lvl=15, Brocade-Auth-Role =Administrator

And it doesn't contain any *conditional* checks for different clients. You could do:

mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ...
...

i.e. check for NAS IP, and return different results based on that.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pending release of 2.1.9
On 2010/05/14 07:46 AM, Alan DeKok wrote:
> Johan Meiring wrote:
>> There is a lot of warnings though. Small subset says this.
>> - dpkg-shlibdeps: warning: symbol radlog used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
> It's in the server core. There's no libfreeradius-server.so, though perhaps there could be. In any case, the warnings are minor.

Cool. I compiled the server and can confirm it runs ok on my development machine.

On another note, every time a new release comes out, I manually add rlm_raw and recompile. I updated rlm_raw to work with FR2 a while ago and have been running it successfully in production for about a year. Any chance of getting it into the 2_1_0 branch? Patch attached.

-- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Re: Pending release of 2.1.9
Johan Meiring wrote:
> I compiled the server and can confirm it runs ok on my development machine.

OK.

> On another note, every time a new release comes out, I manually add rlm_raw and recompile. I updated rlm_raw to work with FR2 a while ago and have been running it successfully in production for about a year. Any chance of getting it into the 2_1_0 branch?

I have no idea what the module does. The modules are run *only* after the packet has been received, and decoded. Any dynamic expansion is done *only* when the packet has been received and decoded. So the module does nothing more than what the server already does: decode attributes.

The dynamic clients' code runs modules before the packet is decoded... but that's only because it doesn't *receive* the packet. So any raw access to the packet will return nothing.

What are you doing with the module? I can't for the life of me see why it would be useful in *any* situation.

Alan DeKok.
Re: Pending release of 2.1.9
On 2010/05/14 10:35 AM, Alan DeKok wrote:
> Johan Meiring wrote:
> The dynamic clients' code runs modules before the packet is decoded... but that's only because it doesn't *receive* the packet. So any raw access to the packet will return nothing.
> What are you doing with the module? I can't for the life of me see why it would be useful in *any* situation.

It's dynamic clients. I use it inside dynamic clients to look up the client via the NAS-Identifier. My clients don't have fixed IPs. The only way to give different NASs different shared secrets is by doing this.

You made a modification to dynamic clients a while ago where you could get hold of the whole packet inside dynamic clients. Don't know if you remember this. You sent a mail to me about it on Wed, 27 May 2009 14:05:31 +0200

===SNIP===
I've made some changes in revision control that should help you. The dynamic client virtual server will now receive the *full* RADIUS packet. Before, it was impossible to look at the contents. You will *still* need to use the rlm_raw module to look at the raw packet contents. The contents are *not* decoded into attributes, as happens when receiving normal packets. See http://git.freeradius.org/pre for a tar file that contains the code changes. You will need to add rlm_raw to the build. But after that, something like the following should work:

authorize {
  ...
  if (%{raw:NAS-Identifier} == foo) {
    ...
  }
  ...
}
===SNIP===

It is definitely useful to me!

-- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Diameter roaming
Hi all, Does anyone know why Diameter supports faster roaming than RADIUS? I've read some references but I don't understand. Hung,
Re: Diameter roaming
VU VAN HUNG wrote:
> Does anyone know why Diameter supports faster roaming than RADIUS?

It doesn't.

> I've read some references but I don't understand.

Diameter is useful if you have an ISP / phone company with 10 million users, and $5-10 million to spend on a Diameter infrastructure. And even then, it doesn't do authentication or accounting.

Alan DeKok.
Re: Diameter roaming
Alan DeKok wrote:
> VU VAN HUNG wrote:
>> Does anyone know why Diameter supports faster roaming than RADIUS?
> It doesn't.

I mean roaming between 2 clients with 1 AAA Server in the network (ex: wireless mesh network). Is roaming with Diameter faster than with Radius?

>> I've read some references but I don't understand.
> Diameter is useful if you have an ISP / phone company with 10 million users, and $5-10 million to spend on a Diameter infrastructure. And even then, it doesn't do authentication or accounting.

I'm sure that Diameter does authentication and accounting. Check it out, http://www.ibm.com/developerworks/wireless/library/wi-diameter/

Hung,
Re: Diameter roaming
VU VAN HUNG vanhung2...@gmail.com writes:
> Does anyone know why Diameter supports faster roaming than RADIUS?

Higher marketing budgets

> I've read some references but I don't understand.

In my experience, that often means that the claim just is not true. Anyway, I believe you'd better ask whoever made that claim. They are in a better position to explain. And if they can't, then a) they are either telling you a lie, or b) not very good at explaining their product. I don't know which is best. I prefer not to deal with either group.

Bjørn
Re: Diameter roaming
VU VAN HUNG wrote:
> I mean roaming between 2 clients with 1 AAA Server in the network (ex: wireless mesh network). Is roaming with Diameter faster than with Radius?

What did I say?

> I'm sure that Diameter does authentication and accounting. Check it out, http://www.ibm.com/developerworks/wireless/library/wi-diameter/

Yes... I was a participant in the process when Diameter was being created. I know most of the people who either wrote the specifications, or wrote the Diameter servers. The *protocol* supports authentication and accounting. The *implementations* don't use it. Anyone doing *real world* authentication and accounting is using RADIUS.

You've read a couple of papers about Diameter. That's nice. Don't believe everything you read.

Alan DeKok.
Re: Pending release of 2.1.9
On 2010/05/14 11:08 AM, Johan Meiring wrote:
> It's dynamic clients.

Alan, I just saw you were cc-ed on the mail sent to this list. Not intentional. I know you hate it. I always use reply-to-all as a habit. It then replied to you as well. Apologies

-- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Re: configuration freeradius with mysql
Have you uncommented the $INCLUDE sql.conf line in radiusd.conf? I had the same problem when I compiled freeradius-2.1.8. If I compiled freeradius without the libmysqlclient15-dev package the problem appeared. Try it.

2010/5/14 dorra aa dj_dido2...@hotmail.com
> hi
> i installed mysql, and i modified in /etc/freeradius/sql.conf: readclients=yes
> also, i uncommented in /etc/freeradius/radiusd.conf: accounting { sql } authorize { ... sql }
> i ran freeradius -X again, but it seems to fail because of sql. this is the output:
>
> [...]
> sql: postauth_query = INSERT into radpostauth (user, pass, reply, date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())
> sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to r...@localhost:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql_mysql: Couldn't connect socket to MySQL server ro...@localhost:radius
> rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost' (using password: YES)'
> # but i checked it and it's ok, i have in sql.conf: sql { server = localhost login = root password = rootpass }
> rlm_sql (sql): Failed to connect DB handle #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): starting 2
> rlm_sql (sql): starting 3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Failed to connect to any SQL server.
> # but i began with installing mysql-server and i added a user in the database
> rlm_sql (sql): - generate_sql_clients
> rlm_sql (sql): Query: SELECT * FROM nas
> rlm_sql (sql): Ignoring unconnected handle 4..
> rlm_sql (sql): Ignoring unconnected handle 3..
> rlm_sql (sql): Ignoring unconnected handle 2..
> rlm_sql (sql): Ignoring unconnected handle 1..
> rlm_sql (sql): Ignoring unconnected handle 0..
> rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
> rlm_sql (sql): generate_sql_clients() returned error
> rlm_sql (sql): Closing sqlsocket 4
> rlm_sql (sql): Closing sqlsocket 3
> rlm_sql (sql): Closing sqlsocket 2
> rlm_sql (sql): Closing sqlsocket 1
> rlm_sql (sql): Closing sqlsocket 0
> radiusd.conf[14]: sql: Module instantiation failed.
> radiusd.conf[1860] Unknown module sql.
> radiusd.conf[1789] Failed to parse authorize section.
Re: Pending release of 2.1.9
Johan Meiring wrote:
> You made a modification to dynamic clients a while ago where you could get hold of the whole packet inside dynamic clients.

Ah... yes. The rlm_raw won't go into 2.1.x. It's a new feature, and doesn't belong there. I'm not sure it will go into 2.2.x, either. Its only use is to work around some limitations in the server core. It would be better to fix the server core. I've been hesitant to do that for 2.1.x, because it's a stable series. For 2.2.0, there's more possibility for changes.

Alan DeKok.
A question about disconnections
We're a WISP using freeradius to do our AAA, and are in the process of updating our backend to the latest version of freeradius (probably 2.1.8), and we've been able to resolve a lot of issues with our current setup, except for a few (possibly vital) problems. The one we haven't been able to find anything about is if there's a method, or check we can implement to prevent this sort of situation.

We have a central radius server, and a few point to point connections where we have our point to multipoint connections (base stations). Each base station is a NAS, which for the most part works just fine. Our problem happens if something interrupts the point to point connectivity: the PPP sessions between the CPEs and the base stations remain up, but on the radius side, if the point to point connection remains down for longer than the idle timeout, the user (at least for freeradius) is disconnected. The NAS however, remains unaware of this (as the UDP disconnect message didn't arrive.. link down and all that), and the user remains up and functional, but we no longer have any accounting for that user. This of course, we can reset by hand, but if it happens during the night for example, we could lose several hours of accounting.

What I'd like to know is if freeradius 2.x has some sort of functionality we can configure to make sure that if the radius server is receiving accounting packets for an account which should be disconnected, that it will re-send the PoD to get the NAS to actually disconnect it. Is what I'm requesting something strange (or conversely idiotic, because it's only our Mikrotik base stations that don't do something like this)?

Thanks, Nick Warr
Re: Freeradius privilege separation
Thanks for response! So, users file can look like this:

users=
mdopierala Packet-Src-IP-Address == 192.168.1.1, Crypt-Password = some_hash
    Service-Type = Administrative-User, Cisco-AVPair=shell:priv-lvl=15, Brocade-Auth-Role =Administrator
mdopierala Packet-Src-IP-Address == 192.168.1.2, Crypt-Password = some_hash2
    Service-Type = Administrative-User, Cisco-AVPair=shell:priv-lvl=1, Brocade-Auth-Role =Administrator
=

This way user mdopierala will have priv-lvl=15 to router1 and priv-lvl=1 to router2? I have a lot of users and clients in my environment (a lot of network equipment and administrators). Can I make any groups of these users and clients and then make policies for these groups? This way I could add new users to these groups apart from making separate policies. Unfortunately I work on a production environment and I can't make as many tests as I wish.
Re: Freeradius privilege separation
Michał Dopierała wrote:
> Thanks for response! So, users file can look like this:

Yes.

> users=
> mdopierala Packet-Src-IP-Address == 192.168.1.1, Crypt-Password = some_hash

It's NOT a hash. It's a password.

> This way user mdopierala will have priv-lvl=15 to router1 and priv-lvl=1 to router2?

Yes.

> I have a lot of users and clients in my environment (a lot of network equipment and administrators). Can I make any groups of these users and clients and then make policies for these groups?

Yes. See man rlm_passwd for examples of making groups.

> This way I could add new users to these groups apart from making separate policies. Unfortunately I work on a production environment and I can't make as many tests as I wish.

If you don't test it, it won't work.

Alan DeKok.
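As an added illustration of the per-NAS policy discussed in this thread (this is not FreeRADIUS code and not anything the posters wrote), the following Python model shows how entries in a `users` file are selected: entries are tried in order, an entry matches when its name column and all of its check items match the request, the first match wins, and its control items (`:=`) and reply items are returned. The entries, addresses and placeholder passwords are constructed for the example; `Packet-Src-IP-Address` is the check item Alan suggests, and a final `DEFAULT` entry with `Auth-Type := Reject` makes a request from a router that has no policy fail closed instead of quietly matching nothing.

```python
"""Model of FreeRADIUS `users` file selection (added illustration, not FreeRADIUS code).

Each entry has a name column (a User-Name or DEFAULT), check items compared against
the request, control items set with ':=' (e.g. Cleartext-Password, Auth-Type) and
reply items sent back to the NAS. Entries are tried in order; the first one whose
name and check items all match wins. Fall-Through and groups are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Entry:
    name: str       # first column: a User-Name, or "DEFAULT" for any user
    checks: dict    # check items compared with the request (operator ==)
    control: dict   # control items set with := (Cleartext-Password, Auth-Type, ...)
    reply: dict     # reply items returned on a match


# Constructed sample policy mirroring the thread: one admin, two routers.
# Passwords are placeholders; Packet-Src-IP-Address is the NAS the request came from.
USERS = [
    Entry("mdopierala", {"Packet-Src-IP-Address": "192.168.1.1"},
          {"Cleartext-Password": "placeholder-pw"},
          {"Service-Type": "Administrative-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    Entry("mdopierala", {"Packet-Src-IP-Address": "192.168.1.2"},
          {"Cleartext-Password": "placeholder-pw"},
          {"Service-Type": "Administrative-User", "Cisco-AVPair": "shell:priv-lvl=1"}),
    # Catch-all: a user/NAS pair with no explicit policy is rejected, not granted.
    Entry("DEFAULT", {}, {"Auth-Type": "Reject"}, {"Reply-Message": "no policy for this NAS"}),
]


def entry_matches(entry, request):
    """True when the entry's name column and every check item match the request."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    for attr, wanted in entry.checks.items():
        got = request.get(attr)
        if got is None:
            return False                      # attribute absent: the check fails
        if attr.endswith("IP-Address"):
            if ip_address(got) != ip_address(wanted):
                return False                  # compare as addresses, not strings
        elif got != wanted:
            return False
    return True


def authorize(request, users=USERS):
    """Return (control, reply) from the first matching entry, or (None, None)."""
    for entry in users:
        if entry_matches(entry, request):
            return dict(entry.control), dict(entry.reply)
    return None, None


if __name__ == "__main__":
    for nas in ("192.168.1.1", "192.168.1.2", "10.9.9.9"):
        control, reply = authorize({"User-Name": "mdopierala", "Packet-Src-IP-Address": nas})
        print(nas, control, reply)
```

Order matters in the real file exactly as it does here: the `DEFAULT` reject line must come last, and any group-based entries (rlm_passwd, as Alan points out) would sit above it.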
Re: Configuration trouble (2.1.8 for use with WiMAX)
Hi Alan,

Thanks for pointing out what I am doing wrong. Being a newbie to the whole field of AAA, can you give me a few pointers where/what I can read up to configure EAP for the TLS method (rather than MD5)? I appreciate your help.

Best Regards, Sumedh Sathaye

From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: 05/13/2010 01:05 AM
Subject: Re: Configuration trouble (2.1.8 for use with WiMAX)
Sent by: freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org

Sumedh Sathaye wrote:
> Run-log from radiusd -X is also included at the end of this message. Here is the message that indicates that EAP is not computing MSK and EMSK:
> [wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.

You're using an EAP method that doesn't provide the MSK. Use something mandated by the WiMAX spec instead of EAP-MD5. e.g. EAP-TLS, PEAP, or TTLS.

Alan DeKok.
Re: authentication error
Hi there, Thanks for the fast reply. I did not build freeradius myself, I installed Freeradius on ubuntu 9.10 using sudo apt-get install freeradius*. But maybe this did not install OpenSSL support, so I am going to check if I have dev packages and ssl support properly installed, and come back to you if necessary. Regards
Re: Configuration trouble (2.1.8 for use with WiMAX)
Sumedh Sathaye wrote:
> Thanks for pointing out what I am doing wrong. Being a newbie to the whole field of AAA, can you give me a few pointers where/what I can read up to configure EAP for the TLS method (rather than MD5)? I appreciate your help.

See the Wiki my web page: deployingradius.com My web page gives complete end to end instructions for testing EAP.

Alan DeKok.
Re: A question about disconnections
Nick Warr wrote:
> We have a central radius server, and a few point to point connections where we have our point to multipoint connections (base stations) each base stations is a NAS, which for the most part works just fine. Our problem happens if something interrupts the point to point connectivity, the PPP sessions between the CPEs and the base stations remain up, but on the radius side, if the point to point connection remains down for longer than the idle timeout, the user (at least for freeradius) is disconnected.

I have no idea what that means. The RADIUS server doesn't disconnect users after an idle timeout. Did *you* configure the server to do this? If so, *SAY SO*. This is *not* in the default config. We do *not* have access to your configuration, and we *cannot* read minds.

> The NAS however, remains unaware of this (as the UDP disconnect message didn't arrive.. link down and all that),

What's a UDP disconnect message?

> and the user remains up and functional, but we no longer have any accounting for that user. This of course, we can reset by hand, but if it happens during the night for example, we could lose several hours of accounting.

This really sounds like a routing problem. The network goes down, comes back up, and the NASes don't send packets to the RADIUS server. If the user session is up, the NAS should continue to send accounting packets. If it doesn't, it's broken.

> What I'd like to know is if freeradius 2.x has some sort of functionality we can configure to make sure that if the radius server is receiving accounting packets for an account which should be disconnected, that it will re-send the PoD to get the NAS to actually disconnect it.

So you're sending PoD from the RADIUS server? Perhaps you could describe what you're doing, without making the assumption that we're familiar with your local configuration.

Alan DeKok.
EAP-TLS and MAC Authentication
First a little information on our setup. When I first started working here, the wireless network had been in place for a year already and was rather small, only 3 access points and ~90 laptops. My boss set it up as static WEP (I don't know why WEP instead of WPA) and used the AP's (Cisco 1121 series) authorized MAC list to restrict access to our laptops. When I came on board, we had just received about 250 new laptops from the grant and the AP's couldn't fit all of the MAC addresses in the space allocated in the flash as simulated NVRAM. For a quick fix, I changed how much NVRAM was simulated in order for the AP's to hold the info when rebooted. Of course, maintaining the MAC list on all of these AP's (we got an additional 8 or 9 AP's at that time) was a nightmare, plus the AP's seemed a bit sluggish with authenticating laptops. I convinced my boss to let me configure a FreeRADIUS server to do the authentication, removing all of the MAC addresses from the AP's and resetting the NVRAM to its default size. We now have about 15 AP's and ~400 laptops. Some AP's are overloaded while others have no load at all, though this has little to do with FR other than the fact the AP's lose packets to FR from time to time, through no fault of FR at all.

This summer, due to budget cuts, we won't be getting in much new equipment which frees me up to do some long needed adjustments to the wireless network. I am going to be converting from WEP to WPA finally. I don't want to use WPA-PSK so I am looking at doing EAP-TLS. I have a test server up that I've gotten to work with EAP-TLS using the snake-oil certificates. On the AP's, there is the option of doing EAP and MAC authentication. This leads to my question. Does doing MAC authentication really accomplish anything when using EAP-TLS? The certificates can't be copied from the laptop they are installed onto as far as I know. They're running XP SP3 and when installing the certificates, the option to export them will not be checked. This should mean that if it has a valid certificate, it is one of our laptops and not someone who somehow stole a cert and installed it on their laptop. I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?

The only thing I can see enabling MAC authentication for is if we switch at some point to EAP-TTLS or EAP-PEAP to verify that the user is logging in with one of our laptops and not one they brought in from home/cell phone/etc. Or if I can convince my boss to authenticate all the wired connections so that no one brings in a laptop from home and plugs it into the network. (We've had at least some substitute teachers do this apparently, not sure if any full-time staff has done this.) While I might end up creating temporary users for when we have presenters and use EAP-[TTLS|PEAP] for them, I'd have to not do MAC authentication for them as finding out the MAC address in advance seems rather unlikely to happen.

Sorry for being so long winded, but I wanted to make sure I got everything relevant about our setup and what I'm trying to do across. And as I finish my proof-reading, I realize that regardless of whether I do MAC authentication or not, it seems rather pointless to enable the option on the AP as the MAC address would be sent regardless of whether I set it or not. (Which really makes me wonder why they even included it, unless I'm misunderstanding something.) I think the proper solution would be to do a check in FR to ensure when the user requests access, that the requesting MAC is from one of our machines. Regardless, could someone let me know if there is any need to do MAC authentication when doing EAP-TLS?

-- John McDonnell Penn Cambria School District mcdon...@pcam.org
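The check John describes at the end (verify in FreeRADIUS that the requesting MAC is one of ours) is usually done on the Calling-Station-Id attribute, which the AP includes in the Access-Request whether or not MAC authentication is switched on. The snag a practitioner runs into is that different NAS firmware spells the MAC differently (`00-11-22-33-44-55`, `00:11:22:33:44:55`, `0011.2233.4455`, no separators, mixed case), so an inventory lookup has to normalise the value first. The Python below is an added illustration of that normalise-then-lookup step, not FreeRADIUS code or unlang; the inventory MACs, asset tags and request dicts are constructed for the example. Because the value is simply whatever the NAS reports, this is an inventory cross-check layered on top of EAP-TLS, not a replacement for the certificate check.

```python
"""Calling-Station-Id inventory check (added illustration, not FreeRADIUS code).

Normalises the MAC spelling a NAS reports in Calling-Station-Id and looks it up
in an inventory, so a laptop on the list is not refused just because its AP
formats the address differently from the way the list was typed.
"""
import re

# Only hex digits and the separators NASes actually use; anything else is not a MAC.
_ALLOWED = re.compile(r"[0-9A-Fa-f:.\- ]+")


def normalize_mac(raw):
    """Return the MAC as 'aa:bb:cc:dd:ee:ff', or None when raw is not a MAC."""
    if not raw or not _ALLOWED.fullmatch(raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)   # drop separators
    if len(digits) != 12:
        return None                              # too short/long to be a MAC-48
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory: MAC -> asset tag. Keys pass through the same normaliser,
# so the spelling used when the list was typed does not matter either.
INVENTORY = {
    normalize_mac("00-1A-2B-3C-4D-5E"): "lab-laptop-017",
    normalize_mac("00:1a:2b:3c:4d:5f"): "lab-laptop-018",
}


def mac_check(request, inventory=INVENTORY):
    """Return (ok, detail); ok is True when Calling-Station-Id names an inventoried device.

    `request` is a dict of RADIUS attributes, the way the Access-Request would be
    seen in the authorize section. A missing or malformed value is a failure, not a
    pass: the check must never be skipped just because the NAS sent nothing.
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return False, "missing or malformed Calling-Station-Id"
    asset = inventory.get(mac)
    if asset is None:
        return False, f"{mac} is not in the inventory"
    return True, asset


if __name__ == "__main__":
    for cid in ("001a.2b3c.4d5e", "00:1A:2B:3C:4D:5F", "00-1a-2b-3c-4d-60", None):
        print(repr(cid), mac_check({"Calling-Station-Id": cid}))
```

In a real deployment the inventory would come from the asset database rather than a literal dict, and the result would only add a reject on top of a successful EAP-TLS exchange, never grant access on its own.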
Authentication with existing MySQL database
Hello all,

I've set up and configured freeradius to properly authenticate users using the MySQL database schema specified on the freeradius.org website. However, since we already have a different database set up with users' passwords that is updated by scripts when users change their passwords or their accounts are disabled etc., I would like to be able to pull their password hashes directly from that database. This is what I've tried so far to do so, but it has not worked. I've changed in the sql.conf file the authorize_check_query to the following, but left the authorize_reply_query untouched:

authorize_check_query = SELECT id, name as UserName, 'NT-Password' as Attribute, nthashpass as Value, ':=' as op \
    FROM users \
    WHERE name = '%{SQL-User-Name}' \
    ORDER BY id

However, when I run freeradius -X, it appears that for some reason that setting is erased. The following is the pertinent output:

sql: authorize_check_query =
sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id

Then, when I try to authenticate a user, the following error is output:

lm_sql (sql): sql_set_user escaped user -- ''**'
radius_xlat: ''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns fail for request 0

I'm guessing the SQL query error is related to the fact that authorize_check_query is now an empty string, but I'm not sure why that's the case. Anyone have any insight?

-- Quentin Smith
Re: authentication error
Hi there, Ok, I have tried to add ssl support to freeradius in my ubuntu 9.10. As I mentioned before, I have installed freeradius using apt-get. The thing is that every tutorial I followed did not work, and after hours of trying... I read that freeradius over ubuntu does not have ssl support for some license issues. Is this right? Then I just removed all my freeradius installation, and tried to install from source (because I find so many tutorials explaining this kind of installation), I downloaded the last version from freeradius.org, and followed the installation tutorial that exists there (creating a .deb package etc etc), but all I get is tons of dependency errors. Is there any way of installing freeradius over ubuntu 9.10 with ssl support using apt? Any advice will be appreciated. Cheers
Re: autthentication error
Hi, I have followed this tutorial (because this is exactly what I need to do) but it did not work either. http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/ Cheers