Application to change password
Hi, I'm testing openvpn with freeradius and mysql to store users. I'm using dialupadmin to manage users. All is more or less ok, but I haven't found (I have searched in google in several ways) an application to allow users to change their passwords (or any other data related to them). Do you know such an application? Or do I have to do it myself?

Thanks a lot for your time,
MIGUEL.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Application to change password
Miguel Pérez wrote:
> Hi, I'm testing openvpn with freeradius and mysql to store users. I'm using dialupadmin to manage users. All is more or less ok, but I haven't found (I have searched in google in several ways) an application to allow users to change their passwords (or any other data related to them). Do you know such an application? Or do I have to do it myself?

You will have to do it yourself. It is really part of a user management system, and is outside of the scope of FreeRADIUS.

Alan DeKok.
What is the Class attribute for?
Hello, all!

I noticed that RFC 2865 defined an attribute called Class, but I don't know its meaning and usage. Can I use it as the QoS classification for the user?

Thanks!
configuring proxy base on eap-type
Hello freeradius-users,

Is there any way to proxy a freeradius-unsupported eap-type to an external radius? I have a working setup using inner-tunnel. If I understand correctly, in this case, inner-eap is tunneled to localhost on port 1814 by default. My goal is to have eap-juac (Juniper/Funk Software) tunneled to a Juniper UAC device. I try to avoid my actual proxy setup where a specific realm is tunneled to UAC. The problem is that end-users can bypass UAC proxying by simply changing their domain identity ...

Best regards
Fred MAISON
Re: What is the Class attribute for?
weiwei fang wrote:
> Hello, all! I noticed that RFC 2865 defined an attribute called Class, but I don't know its meaning and usage. Can I use it as the QoS classification for the user?

No. See your NAS documentation for how to configure QoS.

The Class attribute is for something else. If you don't know how to use it, don't worry. You're not supposed to use it. It's intended for use in certain unusual situations.

Alan DeKok.
Re: configuring proxy base on eap-type
Fred MAISON wrote:
> Is there any way to proxy a freeradius-unsupported eap-type to an external radius?

EAP does not allow this. By the time EAP has decided on an EAP type, the EAP conversation is well underway. Changing it mid-stream to another server won't work.

> I have a working setup using inner-tunnel. If I understand correctly, in this case, inner-eap is tunneled to localhost on port 1814 by default.

Sort of. It's not really proxied, but the basic idea is the same.

> My goal is to have eap-juac (Juniper/Funk Software) tunneled to a Juniper UAC device.

Does that appear inside of a TLS tunnel? If so, the *inner* session can be proxied. Otherwise... no, it can't be proxied.

> I try to avoid my actual proxy setup where a specific realm is tunneled to UAC. The problem is that end-users can bypass UAC proxying by simply changing their domain identity ...

Then how will they be authenticated locally? *Why* would you authenticate them locally?

Alan DeKok.
Version 2.1.9 has been released
This is a stable release, which is intended to fix outstanding bugs. We suggest reading the changelog below, to see if any issues you have encountered are fixed in this release.

Feature improvements
 * Add radmin command "stats detail file" to see what is going on inside of a detail file reader.
 * Added documentation for CoA. See raddb/sites-available/coa
 * Add sub-option support for Option 82. See dictionary.dhcp
 * Add server field to default SQL NAS table, and documented it.

Bug fixes
 * Reset received ping counter for Status-Server checks. In some corner cases it was not getting reset.
 * Handle large VMPS attributes.
 * Count accounting responses from a home server in SNMP / statistics code.
 * Set EAP-Session-Resumed = Yes, not No when session is resumed.
 * radmin packet counter statistics are now unsigned, for numbers 2^31..2^32. After that they roll over to zero.
 * Be more careful about expanding data in PAP and MS-CHAP modules. This prevents login failures when passwords contain '{'.
 * Clean up zombie children if there were many exec modules being run for one packet, all with wait = no.
 * re-open log file after HUP. Closes bug #63.
 * Fix "no response to proxied packet" complaint for CoA / Disconnect packets. It shouldn't ignore replies to packets it sent.
 * Calculate IPv6 netmasks correctly. Closes bug #69.
 * Fix SQL module to re-open sockets if they unexpectedly close.
 * Track scope for IPv6 addresses. This lets us use link-local addresses properly. Closes bug #70.
 * Updated Makefiles to no longer use the shell for recursing into subdirs. "make -j 2" should now work.
 * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes bug #75.
 * Updated Makefiles so that "make reconfig" no longer uses the shell for recursing into subdirs, and re-builds all configure files.
 * Used above method to regenerate all configure scripts. Closes bug #34.
 * Updated SQL module to allow server field of nas table to be blank: . This means the same as it being NULL.
 * Fixed regex realm example. Create Realm attribute with value of realm from User-Name, not from regex. Closes bug #40.
 * If processing a DHCP Discover returns fail / reject, ignore the packet rather than sending a NAK.
 * Allow '%' to be escaped in sqlcounter module.
 * Fix typo in internal hash table.
 * For PEAP and TTLS, the tunneled reply is added to the reply, rather than integrated via the operators. This allows multiple VSAs to be added, where they would previously be discarded.
 * Make request number unsigned. This changes nothing other than the debug output when the server receives more than 2^31 packets.
 * Don't block when reading child output in 'exec wait'. This means that blocked children get killed, instead of blocking the server.
 * Enabled building without any proxy functionality.
 * radclient now prefers IPv4, to match the default server config.
 * Print useful error when a realm regex is invalid.
 * Relaxed rules for preprocess module with_cisco_vsa_hack. The attributes can now be integer, ipaddr, etc. (i.e. non-string).
 * Allow rlm_ldap to build if ldap_set_rebind_proc() has only 2 arguments.
 * Update configure script for rlm_python to avoid dynamic linking problems on some platforms.
 * Work-around for bug #35.
 * Do suid to user when running in debug mode as root.
 * Make allow_core_dumps work in more situations.
 * In detail file reader, treat bad records as EOF. This allows it to continue working when the disk is full.
 * Fix Oracle default accounting queries to work when there are no gigawords attributes. Other databases already had the fix.
 * Fix rlm_sql to show when it opens and closes sockets. It already says when it cannot connect, so it should say when it can connect.
 * chmod -x for a few C source files.
 * Pull update spec files, etc. from RedHat into the redhat/ directory.
 * Allow spaces when parsing integer values. This helps people who put too much into an SQL value field.
Re: configuring proxy base on eap-type
On Monday 24 May 2010 at 11:49 +0200, Alan DeKok wrote:
> Fred MAISON wrote:
>> Is there any way to proxy a freeradius-unsupported eap-type to an external radius?
>
> EAP does not allow this. By the time EAP has decided on an EAP type, the EAP conversation is well underway. Changing it mid-stream to another server won't work.
>
>> I have a working setup using inner-tunnel. If I understand correctly, in this case, inner-eap is tunneled to localhost on port 1814 by default.
>
> Sort of. It's not really proxied, but the basic idea is the same.
>
>> My goal is to have eap-juac (Juniper/Funk Software) tunneled to a Juniper UAC device.
>
> Does that appear inside of a TLS tunnel? If so, the *inner* session can be proxied.

Yes, JUAC is an inner EAP protocol, inside ttls or peap. In our setup, it must be preferred because I have powerful client-side host-checking features allowing to deeply control a lot of things, mainly on Microsoft and Apple workstations (update level, antivirus, and so on ...)

Customer tried to make it work with the help of Juniper's engineers using SteelBelted in front doing proxy to UAC for inner JUAC, but they failed because there are some other EAP protocols present in the production network they have not been able to support after many weeks of efforts.

I have proposed to replace SteelBelted by freeradius, and I succeeded in passing initial testings, but my current setup was without inner-tunnel modules correctly configured, which means there is a lot of unneeded ldap access (anonymous identities which do not exist in the ldap backend and so on ...) and impossibility to configure separately outer and inner (when present) author/authent ...

> Otherwise... no, it can't be proxied.
>
>> I try to avoid my actual proxy setup where a specific realm is tunneled to UAC. The problem is that end-users can bypass UAC proxying by simply changing their domain identity ...
>
> Then how will they be authenticated locally? *Why* would you authenticate them locally?

As long as I am not sure I correctly manage all existing protocols present in the network, I can't harden by simply rejecting this case; I must be sure ... Anyway, in case of outer+inner, it seems identities are not consistently configured, so using realms is very weak.

I think I did not give you enough information:
 * All NAS point to freeradius
 * All EAP protos without inner tunnel must be authenticated by freeradius using an ldap backend (I found existing devices only able to do EAP-LEAP for example, but maybe there are some other insecure eap types)
 * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or EAP-PEAP/EAP-JUAC (outer/inner)
 * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate inner identity against ldap for authorize (ldap radiusgroupname membership) and authenticate (most common seems to be mschapv2 using ntpassword recovered in ldap during authorize). outer identity will not be checked because of encountered client-side configuration inconsistencies.

Best regards
Fred MAISON

> Alan DeKok.
2.1.9 release announce and Redhat specs
> Pull update spec files, etc. from RedHat into the redhat/ directory.

Does this mean freeradius 2.1.9 can now be rebuilt again from your standard 2.1.9 source tree, thus making the Freeradius RedHat FAQ a bit obsolete?

Best regards,
Fred MAISON
FreeRadius pre 2.1.9 logging behavior
Dear Users,

We are in the process of migrating our production server running version 2.1.3 and testing the pre 2.1.9. All is running well so far except the logging output generated by radiusd. We set logging to stderr or stdout; when started with debug_level = 0, no log is generated except the first "starting virtual server..." line, but when first started with debug_level 0 and set back to 0 with radmin, the log shows normal output as seen on the production server. This behavior is not seen when logging to files or syslog, only when set to stdout/stderr. So, my best guess after looking at the source is that logging to stdout/err does not go through the same processing flow as the others. I have been searching for this issue but still no luck; do I miss something?

Thanks n best regards,
--- Ridho
Re: Version 2.1.9 has been released
On 2010/05/24 12:28 PM, Alan DeKok wrote:
> This is a stable release, which is intended to fix outstanding bugs. We suggest reading the changelog below, to see if any issues you have encountered are fixed in this release.

debian/changelog still contains +git.. Don't know if it is supposed to be fixed.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
RE: where to insert my code to return custom reply to the client
It's actually easier than all that. I assume you need to send back to the NAS a particular string in order to provision the CPE to a particular service flow or set of service flows. Simply use a reply or group reply attribute. Most WiMax base stations can read Framed-Filter-ID or Filter-ID=service_flow_attribute_here if you send it in your authentication reply.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of weiwei fang
Sent: Sunday, May 23, 2010 9:55 PM
To: freeradius-users@lists.freeradius.org
Subject: where to insert my code to return custom reply to the client

Hi, all!

I am now using a WiMAX network and I want to use freeradius+mysql (and EAP, TLS) for it. Now I need to add some new attribute (such as the service level for a single client) in the mysql database. And then the freeradius server can return the attribute to tell the AGW. I have looked up some methods on the Internet and I found these pages:
http://ubuntuforums.org/showthread.php?t=151781
http://www.frontios.com/freeradius.html

From the above two links, I have a basic idea. I think I can create a new table in the database to store the new attribute like this:
    user1 attribute-value-user1
    user1 attribute-value-user2

Then as stated in http://www.frontios.com/freeradius.html, the rlm_sql is responsible for returning some pre-defined attributes to the AGW and SS. Then I write some code in rlm_wimax.c to query the database for the newly defined attribute and return it to the AGW to let it know. I don't know if it is right? Or otherwise should I write my db operation code in rlm_sql?

Thanks a lot for your kind help!
Re: VMPS logging
Jens Link li...@quux.de writes:
> I have a working VMPS installation, radiusd -X shows me the relevant information (MAC - VLAN assignments) but how do I log this information to a file or syslog?

Here is an example of a working config using linelog:

/usr/local/etc/raddb/modules/linelog:

    linelog {
        filename = syslog
        reference = "reply:VMPS-Join-Response"
        format = "%{VMPS-MAC} %{VMPS-VLAN-Name}"
        reply:VMPS-Join-Response = "%{VMPS-MAC} - VLAN: %{VMPS-VLAN-Name}"
    }

Linelog has to be called from the vmps server.

cheers
Jens
--
Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264
http://blog.quux.de | jabber: jensl...@guug.de
Re: 2.1.9 release announce and Redhat specs
On 05/24/2010 06:56 AM, Fred MAISON wrote:
>> Pull update spec files, etc. from RedHat into the redhat/ directory.
>
> Does this mean freeradius 2.1.9 can now be rebuilt again from your standard 2.1.9 source tree, thus making the Freeradius RedHat FAQ a bit obsolete?

Not really. At best it just replaces one step in the process with another. Instead of pulling the SRPM from a Fedora repository, the contents of the SRPM will be in the tarball. Otherwise everything else stays the same, including how to run rpmbuild, how to manage the installation, packages, etc.

Also, what's in the tarball is a snapshot; if there are packaging bug fixes or other bug fixes those will be in the current SRPM, not the previous tarball.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Using Custom table in FreeRadius
Hi,

I've successfully been using table sip_buddies instead of the radcheck table (which is used by default by FreeRadius). The problem I'm facing is that I can not call more than 5 attributes in table sip_buddies in dialup.conf, i.e. id, name, attribute, secret and op. But when I call more than 5 attributes, i.e. id, name, zero_name, attribute, secret, op, I'm getting the error listed below:

    [sql]   expand: SELECT id, name, attribute, zero_name, secret, op FROM sip_buddies WHERE name = '%{SQL-User-Name}' ORDER BY id -> SELECT id, name, attribute, zero_name, secret, op FROM sip_buddies WHERE name = '322025' ORDER BY id
    rlm_sql: Invalid operator 322025 for attribute Cleartext-Password
    rlm_sql (sql): Error getting data from database
    [sql] SQL query error; rejecting user
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns fail
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}

But when I use this query as mentioned below:

    SELECT id, name, attribute, secret, op FROM sip_buddies WHERE name = '%{SQL-User-Name}' ORDER BY id

it's working fine. Kindly advise me how I can resolve this (calling more than 5 attributes in the sip_buddies table) issue. Please reply to this at your earliest.

--
Regards,
Ahmed Munir
Odd authentication behavior
Greetings,

Short version: Could someone look through the debug logs below and verify that freeradius (2.1.8 lenny backport) is NOT authenticating the user? We believe the issues we are facing (random successful authentication with invalid passwords) are with our Cisco devices, but I want to gather as much info as possible so that we don't get caught in a finger-pointing battle with support.

Long version: We are trying to set up freeradius to authenticate our users to our CISCO 4404 Wireless LAN controllers using PEAP/MSCHAPv2+LDAP. When we configured it a few weeks ago everything was working fine. We could authenticate successfully and invalid passwords were rejected. After trying to get a custom perl module to work for Authorization I noticed that occasionally the Controller would grant access with a bad password. Sometimes it would take 6-7 attempts with the same bad password before we gained access, other times it was on the first attempt. I have since taken out all of my custom code (rlm_perl) and reverted back to the original working configuration for freeradius and I still have random successful authentication with a bad password.

Below is a -X log of freeradius while doing the following. On my Mac OS X 10.5.8 client I turned on the Wireless adapter, and selected the SSID that uses freeradius to authenticate, which prompted me for a password. I entered a bad password which gave me another password prompt. Before I could try the second time, the wireless adapter acquired an IP address and was allowed to pass traffic on the network. I gained full network connectivity while the Authentication dialog was still on screen.

Thanks in advance.
Damion

FreeRadius: 2.1.8 (debian lenny backport)

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 3 2010 at 15:51:52 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/perlmod.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = freerad group = freerad allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = /usr localstatedir = /var logdir = /var/log/freeradius libdir = /usr/lib/freeradius radacctdir = /var/log/freeradius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 256000 pidfile = /var/run/freeradius/freeradius.pid checkrad = /usr/sbin/checkrad debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = testing123 response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = status-server ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Loading Clients client 
localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 nastype = other } client 172.29.96.12 { require_message_authenticator = no secret = testing123 shortname = vassarwireless } radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to
Re: configuring proxy base on eap-type
Hi,

> Yes, JUAC is an inner EAP protocol, inside ttls or peap. In our setup, it must be preferred because I have powerful client-side host-checking features allowing to deeply control a lot of things, mainly on Microsoft and Apple workstations (update level, antivirus, and so on ...)
>
> Customer tried to make it work with the help of Juniper's engineers using SteelBelted in front doing proxy to UAC for inner JUAC, but they failed because there are some other EAP protocols present in the production network they have not been able to support after many weeks of efforts.
>
> I have proposed to replace SteelBelted by freeradius, and I succeeded in passing initial testings, but my current setup was without inner-tunnel modules correctly configured, which means there is a lot of unneeded ldap access (anonymous identities which do not exist in the ldap backend and so on ...) and impossibility to configure separately outer and inner (when present) author/authent ...

hmmm... apart from the Apple OSX support I'd be tempted to point you to the SVN of FreeRADIUS that contains microsoft NAC support - which lets you check windows stuff (anti virus present/up to date, windows updates, firewall etc) just using the built in supplicant in XP SP3, Vista and 7. It should be present in FreeRADIUS 2.2.x - but no OSX support yet... because I think that'll need additional program/supplicant code on the client.

regarding your query though... hmmm, you should be able to see the EAP-Type and do something in unlang to update the control socket, but as it's the inner type that might be too late in the process. or maybe not. in inner-tunnel itself you can allow extra proxying to occur. it's nasty and you'd be treading down a path that fewer people have worn... so take care.

alan
Replicated account stop messages
Hi All,

we have a problem with some Radius Clients that, because of a malfunction, sometimes re-send a specific Stop RADIUS message several times; it just changes the stop time but all the other attributes and data are the same (so it is easy to find it). We use freeradius v.2 as proxy so all these messages pass through it, and we'd like that freeradius forwards to the Main RADIUS server just the first one. Is it possible and how?

Following you can find an abstract of the log referring to this issue:

    Thu May 20 16:59:12 2010
        User-Name =
        NAS-IP-Address = 172.24.196.190
        NAS-Port = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = 1F000C38
        Acct-Output-Octets = 115924
        Acct-Input-Octets = 597749
        Acct-Output-Packets = 1126
        Acct-Input-Packets = 1060
        Session-Timeout = 2705
        Idle-Timeout = 600
        Event-Timestamp = May 20 2010 07:15:32 CEST
        Called-Station-Id = 00-50-E8-01-F1-26
        Calling-Station-Id = 00-1C-C4-1A-30-72
        Acct-Session-Time = 365
        Acct-Terminate-Cause = 23
        NAS-Identifier = CC03010010
        NAS-Port-Type = Async
        Framed-IP-Address = 10.0.0.22
        Nomadix-Subnet =
        Nomadix-Attr-17 = 0x
        WISPr-Location-ID = isocc=IT,cc=39,ac=0522,network=Guglielmo
        Acct-Delay-Time = 11
        Client-IP-Address = 65.199.220.1
        Acct-Unique-Session-Id = 4b1d2e908270a790
        Stripped-User-Name = XXX
        Realm = zf
        Freeradius-Proxied-To = 192.168.27.108
        Timestamp = 1274367552

    Thu May 20 16:59:17 2010
        User-Name = XXX
        NAS-IP-Address = 172.24.196.190
        NAS-Port = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = 1F000C38
        Acct-Output-Octets = 115924
        Acct-Input-Octets = 597749
        Acct-Output-Packets = 1126
        Acct-Input-Packets = 1060
        Session-Timeout = 2705
        Idle-Timeout = 600
        Event-Timestamp = May 20 2010 07:15:37 CEST
        Called-Station-Id = 00-50-E8-01-F1-26
        Calling-Station-Id = 00-1C-C4-1A-30-72
        Acct-Session-Time = 365
        Acct-Terminate-Cause = 23
        NAS-Identifier = CC03010010
        NAS-Port-Type = Async
        Framed-IP-Address = 10.0.0.22
        Nomadix-Subnet =
        Nomadix-Attr-17 = 0x
        WISPr-Location-ID = isocc=IT,cc=39,ac=0522,network=Guglielmo
        Acct-Delay-Time = 16
        Client-IP-Address = 65.199.220.1
        Acct-Unique-Session-Id = 4b1d2e908270a790
        Stripped-User-Name = XXX
        Realm = zf
        Freeradius-Proxied-To = 192.168.27.108
        Timestamp = 1274367557

Best Regards
Nicola
Re: Version 2.1.9 has been released
Johan Meiring wrote:
> debian/changelog still contains +git.. Don't know if it is supposed to be fixed.

It's minor enough that it doesn't matter. Upstream Debian packages change things anyways.

Alan DeKok.
Re: configuring proxy base on eap-type
Fred MAISON wrote:
> Yes, JUAC is an inner EAP protocol, inside ttls or peap.

Then you should be able to proxy it by just proxying the inner tunnel data.

> I have proposed to replace SteelBelted by freeradius, and I succeeded in passing initial testings, but my current setup was without inner-tunnel modules correctly configured, which means there is a lot of unneeded ldap access (anonymous identities which do not exist in the ldap backend and so on ...) and impossibility to configure separately outer and inner (when present) author/authent ...

I don't know what you mean by that. It shouldn't be much of a problem to configure it.

> I think I did not give you enough information:
> * All NAS point to freeradius
> * All EAP protos without inner tunnel must be authenticated by freeradius using an ldap backend (I found existing devices only able to do EAP-LEAP for example, but maybe there are some other insecure eap types)

Uh... don't use LEAP. Use TTLS or PEAP.

> * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or EAP-PEAP/EAP-JUAC (outer/inner)
> * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate inner identity against ldap for authorize (ldap radiusgroupname membership) and authenticate (most common seems to be mschapv2 using ntpassword recovered in ldap during authorize). outer identity will not be checked because of encountered client-side configuration inconsistencies.

So... figure out who's supposed to do EAP-JUAC, and proxy them. Authenticate everyone else inside of the tunnel.

Alan DeKok.
Re: Using Custom table in FreeRadius
Ahmed Munir wrote:
> I've successfully been using table sip_buddies instead of the radcheck table (which is used by default by FreeRadius). The problem I'm facing is that I can not call more than 5 attributes in table sip_buddies in dialup.conf, i.e. id, name, attribute, secret and op. But when I call more than 5 attributes, i.e. id, name, zero_name, attribute, secret, op, I'm getting the error listed below:

The SQL module expects certain fields in the response to the SELECT query. If you give it *different* data, it will get confused. See doc/rlm_sql.

> Kindly advise me how I can resolve this (calling more than 5 attributes in the sip_buddies table) issue. Please reply to this at your earliest.

Kindly read the existing documentation, and *understand* what you're doing before making random changes to the tables and queries.

Alan DeKok.
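The following is an added Python model of the behaviour Alan points at; it is example code written for this digest, not FreeRADIUS source. It assumes what rlm_sql in 2.x does with each row of the authorize check query: the columns are consumed by position (id, username, attribute, value, op), never by name, so a column inserted in the middle of the SELECT shifts the value and operator fields, and whatever lands in column 4 is parsed as an operator. The rows are constructed; the secret is set equal to the user name so that the model reproduces the exact "Invalid operator 322025" text quoted in the thread.

```python
from dataclasses import dataclass

# Operators rlm_sql accepts in the "op" column (the check-item operators
# of the users file). Anything else is reported as an invalid operator.
VALID_OPS = {"=", ":=", "==", "+=", "-=", "!=", ">", ">=", "<", "<=",
             "=~", "!~", "=*", "!*"}


@dataclass
class CheckItem:
    attribute: str
    op: str
    value: str


class InvalidOperator(Exception):
    """Raised the way rlm_sql fails the query when column 4 is not an operator."""


def parse_row(row):
    """Map one result row to a check item the way rlm_sql does.

    Column positions are fixed: row[0] id, row[1] username, row[2] attribute,
    row[3] value, row[4] op. Columns after the fifth are ignored, which is
    why extra fields only break things when they are inserted in the middle.
    """
    if len(row) < 5:
        raise ValueError("rlm_sql needs at least 5 columns: id, username, attribute, value, op")
    attribute, value, op = row[2], row[3], row[4]
    if str(op) not in VALID_OPS:
        raise InvalidOperator(f"Invalid operator {op} for attribute {attribute}")
    return CheckItem(str(attribute), str(op), str(value))


# Constructed rows for user 322025 (secret equal to the name is an assumption).
# Original working query: SELECT id, name, attribute, secret, op ...
GOOD_ROW = (1, "322025", "Cleartext-Password", "322025", ":=")
# Broken query from the thread: SELECT id, name, attribute, zero_name, secret, op ...
# zero_name now sits in the value slot and the secret in the operator slot.
BAD_ROW = (1, "322025", "Cleartext-Password", "0322025", "322025", ":=")
# Same extra column appended after the fifth position: rlm_sql ignores it.
FIXED_ROW = (1, "322025", "Cleartext-Password", "322025", ":=", "0322025")


def describe(row):
    """Return what rlm_sql would log for this row (ok line or the error)."""
    try:
        item = parse_row(row)
        return f"ok: {item.attribute} {item.op} {item.value}"
    except InvalidOperator as err:
        return f"rlm_sql: {err}"


if __name__ == "__main__":
    for row in (GOOD_ROW, BAD_ROW, FIXED_ROW):
        print(describe(row))
```

The practical consequence is the one the module documentation implies: the first five columns of the check query must be, in that order, id, username, attribute, value and op, and anything extra belongs after them (or in a separate query), not in between.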
Re: Odd authentication behavior
Damion Alexander wrote:
> Greetings,
>
> Short version: Could someone look through the debug logs below and verify that freeradius (2.1.8 lenny backport) is NOT authenticating the user? We believe the issues we are facing (random successful authentication with invalid passwords) are with our Cisco devices, but I want to gather as much info as possible so that we don't get caught in a finger-pointing battle with support.

Does the log contain Access-Accept? No. Therefore, FreeRADIUS isn't authenticating the user.

> Below is a -X log of freeradius while doing the following. On my Mac OS X 10.5.8 client I turned on the Wireless adapter, and selected the SSID that uses freeradius to authenticate, which prompted me for a password. I entered a bad password which gave me another password prompt. Before I could try the second time, the wireless adapter acquired an IP address and was allowed to pass traffic on the network. I gained full network connectivity while the Authentication dialog was still on screen.

Your NAS is broken.

Alan DeKok.
Re: Replicated account stop messages
Nicola Iotti wrote:
> Hi All,
>
> we have a problem with some Radius Clients that, because of a malfunction, sometimes re-send a specific Stop RADIUS message several times; it just changes the stop time but all the other attributes and data are the same (so it is easy to find it). We use freeradius v.2 as proxy so all these messages pass through it, and we'd like that freeradius forwards to the Main RADIUS server just the first one. Is it possible and how?

Sure. Store all stops in a database, and look them up before proxying.

Alan DeKok.
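Here is an added Python sketch of the "store all stops, look them up before proxying" idea; it is example code written for this digest and not part of FreeRADIUS. It parses records in the same "attribute = value" layout as the log excerpt above (the three records below are constructed, and shortened to the attributes that matter), keys each Stop on the fields that identify the session (NAS-IP-Address, Acct-Session-Id, User-Name) rather than on the ones the replaying NAS changes (Event-Timestamp, Acct-Delay-Time), and keeps the first Stop seen per key in an SQLite table. Only the first occurrence is marked as forwardable; the replay is not, while a Stop for a different session still is.

```python
import sqlite3

# Constructed sample: two copies of the same Stop for session 1F000C38
# (only the timestamps and Acct-Delay-Time differ) and one genuine Stop
# for another session.
SAMPLE_RECORDS = """\
Thu May 20 16:59:12 2010
\tUser-Name = "XXX"
\tNAS-IP-Address = 172.24.196.190
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "1F000C38"
\tAcct-Session-Time = 365
\tEvent-Timestamp = "May 20 2010 07:15:32 CEST"
\tAcct-Delay-Time = 11

Thu May 20 16:59:17 2010
\tUser-Name = "XXX"
\tNAS-IP-Address = 172.24.196.190
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "1F000C38"
\tAcct-Session-Time = 365
\tEvent-Timestamp = "May 20 2010 07:15:37 CEST"
\tAcct-Delay-Time = 16

Thu May 20 17:02:03 2010
\tUser-Name = "YYY"
\tNAS-IP-Address = 172.24.196.190
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "1F000C39"
\tAcct-Session-Time = 42
\tEvent-Timestamp = "May 20 2010 07:18:20 CEST"
\tAcct-Delay-Time = 2
"""


def parse_records(text):
    """Split detail-style text into dicts; the first line of a block is its timestamp."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        attrs = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            attrs[name] = value.strip('"')
        records.append(attrs)
    return records


def make_store():
    """Table of Stops already forwarded; the primary key is the session identity."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE acct_stop ("
        " nas_ip TEXT, session_id TEXT, user_name TEXT, first_seen TEXT,"
        " PRIMARY KEY (nas_ip, session_id, user_name))"
    )
    return db


def should_forward(db, rec):
    """True for the first Stop of a session, False for every replay of it.

    Non-Stop packets are always forwarded: a Start with the same session id
    is not a duplicate of a Stop.
    """
    if rec.get("Acct-Status-Type") != "Stop":
        return True
    key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"), rec.get("User-Name"))
    # INSERT OR IGNORE changes no row when the key is already present,
    # so rowcount tells us whether this Stop is new.
    cur = db.execute(
        "INSERT OR IGNORE INTO acct_stop VALUES (?, ?, ?, ?)", key + (rec["_timestamp"],)
    )
    db.commit()
    return cur.rowcount == 1


def filter_records(text):
    """Return (timestamp, session id, forwarded?) for each record in order."""
    db = make_store()
    return [
        (r["_timestamp"], r.get("Acct-Session-Id"), should_forward(db, r))
        for r in parse_records(text)
    ]


if __name__ == "__main__":
    for ts, sid, forwarded in filter_records(SAMPLE_RECORDS):
        print(f"{ts}  session={sid}  {'forward' if forwarded else 'drop (replay)'}")
```

In a real deployment the table would live in the same SQL server rlm_sql already talks to, the lookup would be an unlang check in the accounting section before the proxy decision, and old rows would be purged after the longest interval the NAS is known to keep replaying.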
Re: Version 2.1.9 has been released
FreeRADIUS version 2.1.9 has been built for the following versions of Fedora:
 * devel (aka rawhide)
 * Fedora 13
 * Fedora 12

The packages for Fedora 12 and Fedora 13 have been submitted to the *testing* distribution channel (you will need to have the testing repo enabled in your yum configuration to pick these up). It may take a day for the packages to hit the yum mirrors. If there are no reported problems within a week I will move the packages from testing to stable, at which point a normal yum update will pick them up.

If you do not want to wait for the packages to hit the mirrors or appear in your designated channel then you may immediately download the packages from koji:
https://koji.fedoraproject.org/koji/packageinfo?packageID=298

Enjoy!

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
incorrect static ip sometimes
I'm using CentOS 5.4 and freeradius 1.3 with a mysql backend with a redback se800 access device. Nearly everything has been working great, but I have a problem periodically where DSL modems will receive the wrong static IP. It appears that if a customer power cycles their DSL modem, the modem comes back up before the redback has realized the previous session has ended, but instead of just failing, freeradius is giving another static IP (like the next free one it finds in the same static range). Do I need to configure simultaneous use and if so how do I get it to check the redback (I couldn't find any mibs for that model), or is this maybe a problem with freeradius 1.3 that could be fixed by upgrading to freeradius 2???

Any advice would be appreciated!

Thanks,
Jeff

Msg sent via MCC Webmail - http://www.molalla.net/
RE: incorrect static ip sometimes
Let me see if I can beat Alan to the punch... Upgrade to v2.1.9 (preferably), as 1.3 is old and decrepit.

David
Re: incorrect static ip sometimes
Jeff Stockett wrote:
> I'm using CentOS 5.4 and freeradius1.3 with a mysql backend with a redback se800 access device. Nearly everything has been working great, but I have a problem periodically, where DSL modems will receive the wrong static IP. It appears that if a customer power cycles their DSL modem, the modem comes back up before the redback has realized the previous session has ended, but instead of just failing, freeradius is giving another static IP (like the next free one it finds in the same static range).

So... why does it do that? You have the information in front of you, if you look.

> Do I need to configure simultaneous use, and if so how do I get it to check the redback (I couldn't find any mibs for that model)? Or is this maybe a problem with freeradius1.3 that could be fixed by upgrading to freeradius2??? Any advice would be appreciated!

Find out what it's doing now, and figure out why it's not doing what you want.

Alan DeKok.
Does freeradius support EAP-TLS as defined in RFC 5216?
Hi All,

Does freeradius support EAP-TLS as defined in RFC 5216?

Thanks,
Gina Zhang
Re : What is the Class attribute for?
I personally use it for QoS definition. It works as expected, but I can't guarantee this is the regular use for this attribute. What's special with the Class attribute is that if you send it in Access-Accept, it should be added in later accounting packets. This can be very useful, and if you don't need this feature I suggest you use another attribute.

(Reply to weiwei fang, Sun, May 23, 2010 23:15, "What is the Class attribute for?")
Re: Re : What is the Class attribute for?
On May 24, 2010, at 1:36 PM, Alexandre Chapellon wrote:
> I personally use it for QoS definition. It works as expected, but I can't guarantee this is the regular use for this attribute. What's special with the Class attribute is that if you send it in Access-Accept, it should be added in later accounting packets. This can be very useful, and if you don't need this feature I suggest you use another attribute.

The use of the 'Class' attribute is site specific; you can use it to carry any value you want. If you're setting client QoS settings dynamically then the attribute is User-Priority-Table as described in RFC 4674.

Personally I think the best way to use the Class attribute is to link Authentication and Accounting sessions. All other session attributes can be stored in a database.

-Arran
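The linking use of Class that the two replies above describe, as an added example (not code from the thread or from FreeRADIUS): RFC 2865 requires the NAS to echo an unmodified Class value from the Access-Accept in the Accounting-Request packets for that session, and the NAS does not interpret it, so the server can mint it as an integrity-protected link token rather than a bare database id. Here the token is an authentication record id, an issue time, and a truncated HMAC over those plus the user and NAS they were issued for; on the accounting side the server recomputes the HMAC against the User-Name and NAS-IP-Address in the same packet, so a token transcribed onto the wrong session, or one that this server never issued, fails to link. The function names, the signing key and the sample packets are assumptions made for the example.

```python
"""Bind RADIUS accounting to the authentication that authorised the session,
using the Class attribute as an HMAC-protected link token.

Added example, not code from the thread or from FreeRADIUS. The key,
function names and sample packets are assumptions.
"""
import base64
import hashlib
import hmac
import struct

# Assumption: a server-side secret used only to mint and check Class tokens.
# Load it from configuration in real use; it is not the RADIUS shared secret.
CLASS_KEY = b"example-class-signing-key-change-me"
HEADER = struct.Struct("!QI")   # auth record id (8 bytes), issued time (4 bytes)
MAC_LEN = 16                    # 128-bit truncated HMAC-SHA256


def _mac(key, auth_id, issued, user_name, nas_ip):
    msg = HEADER.pack(auth_id, issued) + user_name.encode() + b"\0" + nas_ip.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def issue_class(auth_id, user_name, nas_ip, issued, key=CLASS_KEY):
    """Value for the Class attribute in the Access-Accept.

    28 raw bytes become 40 base64 characters, well under the 253-byte
    limit on a RADIUS attribute value. Class is sent in the clear, so the
    token carries no secret, only an id, a time and a MAC."""
    raw = HEADER.pack(auth_id, issued) + _mac(key, auth_id, issued, user_name, nas_ip)
    return base64.b64encode(raw).decode("ascii")


def verify_class(value, user_name, nas_ip, key=CLASS_KEY):
    """Return (auth_id, issued) if the token is genuine for this user and NAS, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    if len(raw) != HEADER.size + MAC_LEN:
        return None
    auth_id, issued = HEADER.unpack(raw[:HEADER.size])
    expected = _mac(key, auth_id, issued, user_name, nas_ip)
    if not hmac.compare_digest(raw[HEADER.size:], expected):
        return None
    return auth_id, issued


def link_accounting(packet, key=CLASS_KEY):
    """Map an Accounting-Request (dict of attributes) to the auth record it belongs to."""
    value = packet.get("Class")
    if value is None:
        return None             # NAS did not echo Class: nothing to link against
    result = verify_class(value, packet.get("User-Name", ""),
                          packet.get("NAS-IP-Address", ""), key)
    return None if result is None else result[0]


# Constructed exchange: Access-Accept for alice on NAS 192.0.2.10, then the
# Accounting-Request the NAS sends with Class echoed back unchanged.
ACCEPT_CLASS = issue_class(4711, "alice", "192.0.2.10", 1274700000)
ACCT_STOP = {"Acct-Status-Type": "Stop", "User-Name": "alice",
             "NAS-IP-Address": "192.0.2.10", "Acct-Session-Id": "3A1F",
             "Class": ACCEPT_CLASS}
# Same Class attached to a different User-Name: the link must fail.
ACCT_MISMATCH = {**ACCT_STOP, "User-Name": "bob"}

if __name__ == "__main__":
    print("Class =", ACCEPT_CLASS)
    print("stop links to auth record", link_accounting(ACCT_STOP))
    print("mismatched packet links to", link_accounting(ACCT_MISMATCH))
```

The MAC only proves that this server issued the token for that user on that NAS; it does not authenticate the packet itself, which is still the job of the shared secret. It also assumes the NAS actually echoes Class, which is worth testing against each NAS model before relying on it.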
Re: Does freeradius support EAP-TLS as defined in RFC 5216?
Hi,

> Does freeradius support EAP-TLS as defined in RFC 5216?

Some part of me wants to say that if it did it'd be in large lit letters in the feature documentation. There again, that'd be too obvious.

Nope... unless it sneaked in at some point since July, I think the answer is the same as back then: no. Not yet - where are the implementations and who's submitting a patch?

alan
RE: Does freeradius support EAP-TLS as defined in RFC 5216?
Thanks, Alan!

Gina Zhang
RE: Version 2.1.9 has been released
The HTTPS link below did not work, however this HTTP link does: http://koji.fedoraproject.org/koji/packageinfo?packageID=298

John Dennis wrote:
> If you do not want to wait for the packages to hit the mirrors or appear in your designated channel then you may immediately download the packages from koji: https://koji.fedoraproject.org/koji/packageinfo?packageID=298
execute programme when receiving account packet
Hi All,

I'd like to execute an external program when receiving an Accounting-Request. I've tried:

exec ipoque {
        wait = yes
        program = "/bin/sh /opt/mytest %{User-Name}"
        input_pairs = request
        output_pairs = reply
        shell_escape = yes
        output = none
        packet_type = Accounting-Request
}

But the program is not executed, even if I comment out the packet_type = Accounting-Request line (#packet_type = Accounting-Request). Can someone help me please?

Regards.
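For the setup above, two things are worth knowing, and the script below is an added example that illustrates the second (it is not code from the thread or from FreeRADIUS). First, defining an exec instance in modules/ does nothing by itself: the instance has to be called by name from the accounting { } section of the virtual server (sites-enabled/default) or it is never run. Second, with wait = yes and input_pairs = request, rlm_exec writes the request attributes to the child's standard input, one Attribute = value pair per line with string values quoted, and exports them as environment variables too, so the program can read the whole packet without anything being interpolated into a shell command line, which is safer than passing %{User-Name} as an argument even with shell_escape = yes. The script name, the sample input and the action taken on a Stop are assumptions.

```python
"""External program for an rlm_exec instance that runs on Accounting-Request.

Added example, not code from the thread or from FreeRADIUS. It parses the
pairs rlm_exec writes on stdin (with wait = yes, input_pairs = request),
summarises Stop records, and exits 0 so rlm_exec returns ok. The sample
stdin below is constructed.
"""
import re
import sys

PAIR_RE = re.compile(r"^\s*([A-Za-z0-9.:_-]+)\s*=\s*(.*?)\s*$")


def parse_pairs(text):
    """Parse rlm_exec's stdin format into a dict; a repeated attribute keeps the last value."""
    pairs = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs[name] = value
    return pairs


def _int(pairs, name, default=0):
    try:
        return int(pairs.get(name, default))
    except ValueError:
        return default


def summarize_stop(pairs):
    """Return a session summary for a Stop record, or None for any other packet."""
    if pairs.get("Acct-Status-Type") != "Stop":
        return None
    # The Gigawords attributes carry the high 32 bits of the octet counters.
    octets_in = _int(pairs, "Acct-Input-Octets") + (_int(pairs, "Acct-Input-Gigawords") << 32)
    octets_out = _int(pairs, "Acct-Output-Octets") + (_int(pairs, "Acct-Output-Gigawords") << 32)
    return {
        "user": pairs.get("User-Name", ""),
        "session": pairs.get("Acct-Session-Id", ""),
        "nas": pairs.get("NAS-IP-Address", ""),
        "seconds": _int(pairs, "Acct-Session-Time"),
        "octets": octets_in + octets_out,
        "cause": pairs.get("Acct-Terminate-Cause", ""),
    }


# Constructed stdin, in the shape rlm_exec writes for one Stop record.
SAMPLE_STDIN = '''\
User-Name = "alice"
NAS-IP-Address = 192.0.2.10
Acct-Status-Type = Stop
Acct-Session-Id = "3A1F"
Acct-Session-Time = 3600
Acct-Input-Octets = 12345
Acct-Output-Octets = 67890
Acct-Input-Gigawords = 1
Acct-Terminate-Cause = User-Request
'''

if __name__ == "__main__":
    summary = summarize_stop(parse_pairs(sys.stdin.read()))
    if summary is not None:
        # Assumption: the real action (notify a shaper, log to a ticket system)
        # goes here. Keep stdout empty: with output_pairs = reply, anything
        # printed there is parsed as attributes to add to the reply.
        sys.stderr.write("stop %(user)s session %(session)s %(octets)d octets\n" % summary)
    sys.exit(0)
```

Invoke it with program = "/usr/bin/python3 /opt/acct-stop.py" (path assumed) and no packet attributes on the command line; everything the script needs arrives on stdin.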
Re: Re : What is the Class attribute for?
Thanks for your kind reply.

Now our company has bought the WiMAX products. We want to use freeradius as the AAA server. However, the vendor told us that we need to return the user's QoS service level to the AGW after authenticating this user. I looked up the documents and found this attribute. And as the WiMAX network will be used only for our company, we don't want to use the accounting part in freeradius (btw: how can I get rid of this part and not let it start)? So maybe we need to define a vendor-specific attribute for our purpose?

Thanks again for your help!

2010/5/25 Arran Cudbard-Bell a.cudba...@gmail.com:
> Personally I think the best way to use the Class attribute is to link Authentication and Accounting sessions. All other session attributes can be stored in a database.
Re: Re : What is the Class attribute for?
weiwei fang wrote:
> Now our company has bought the WiMAX products. We want to use freeradius as the AAA server.

It should work without a problem.

> However, the vendor told us that we need to return the user's QoS service level to the AGW after authenticating this user. I looked up the documents and found this attribute.

Uh.. how about reading the documentation for the AGW, or asking the vendor which attribute their product needs for QoS service level?

> And as the WiMAX network will be used only for our company, we don't want to use the accounting part in freeradius (btw: how can I get rid of this part and not let it start)?

Don't configure accounting on the AGW?

> So maybe we need to define a vendor-specific attribute for our purpose?

Go ask the vendor how their product works. Then, configure FreeRADIUS to send the data needed by that product.

Alan DeKok.
no access-accept with users file
I feel defeated. I was able to get an access-accept result. During my attempt to use MySQL it appears that I broke my configuration. I am using freeradius 2.1.8 on ubuntu 10.4 server. Here is my freeradius -X debug output:

freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
main {
        user = freerad
        group = freerad
        allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/freeradius/freeradius.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = no
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
radiusd: Loading Clients
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = request
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = Password Has Expired
  }
 Module: Linked to
Re: no access-accept with users file
On 25/05/2010 06:30, Robert Wilkinson wrote:
> I feel defeated. I was able to get an access-accept result. During my attempt to use MySQL it appears that I broke my configuration. I am using freeradius 2.1.8 on ubuntu 10.4 server. Here is my freeradius -X debug output:
> WARNING: Empty section. Using default return values.
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Hi Robert,

What do you actually want it to do: auth against MySQL, auth against the users file, both, or something else?

At the moment it seems to be configured to do nothing:

WARNING: Empty section. Using default return values.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

... so, it's doing nothing.

I'd go back to the default config and change one thing at a time, then test that it does what you expect; repeat until it works totally as you wish, or you break it. If the latter, revert the most recent config change.

... and the documentation: http://wiki.freeradius.org/SQL_HOWTO etc.

Regards,
James