Re: FR virtual server question and EAP configuration

2010-07-16 Thread Johan Meiring

On 2010/07/16 12:34 AM, Michal Bruncko wrote:

Hello list

SSID 1 \
SSID 2 --- AP -- Trunk -- Router - FreeRadius
SSID 3 /

My goal is to configure different security for different SSID through
one freeradius with virtual server feature.



This is possible, but with ONE virtual server.


My first question is, if it's possible to have different FR server
configuration per SSID on single Access Point?


Yes.  But using ONE virtual server.


Called-Station-Id in Access-Request with form: radio-mac:ssid.


Why don't you use unlang, e.g.

(This is pseudo code!!!)

# Called-Station-Id arrives as "radio-mac:ssid", so match on the SSID suffix
if (Called-Station-Id =~ /:SSID1$/) {
  pap
  chap
}
if (Called-Station-Id =~ /:SSID2$/) {
  pap
  mschap
}


Is it enough? I have been looking for any example for this scenario but
without any success.



Don't do this.
Do the above.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Home servers constantly zombied, and I can't figure out how to fix it

2010-07-16 Thread Alan DeKok
Adam Bultman wrote:
 How do I change that functionality?  I'd *love* it if it didn't zombie
 their servers for no reason.

  No.. it marks the servers zombie for a reason: they're not responding.
 But it may be too aggressive.

 When I do a radiusd -CXXX, I see options I don't see documented for the
 latest releases of freeradius:
  - ping_check
  - ping_interval
  - num_pings_to_alive

  Those are for backwards compatibility with pre-releases of 2.0.  They
should be removed.  They are just different names for the status-server
checks.

  - max_outstanding  (I can't even find what this is for)

  You can put a limit on the total number of outstanding packets sent
to a home server.  i.e. put it at 256, and if there are 256 packets sent
without a response, the proxy will *not* use that home server again,
until it gets at least one response.

  This is a way to do load-limiting on home servers.

 As it is, my *.work files are stuck (And I've googled for that, and
 found other list posts regarding that) which seems to indicate that the
 home servers aren't responding... except that even when my detail.work
 file is 'stuck' at 24k, and the detail file keeps growing, I'm still
 sending data to the other side.  So something's working, but only sort of..

  It's re-transmitting the same packet over and over.  If you install
2.1.9, you can use radmin to see its progress in reading the detail file.

 I'm about to shoot an email to them to see if they can explain their 4
 year old radius software, and perhaps maybe that's part of the problem.

  Yup.  They can upgrade to a (cough) real radius server. :)

  Alan DeKok.


Re: FR virtual server question and EAP configuration

2010-07-16 Thread Alexander Clouter
Michal Bruncko michal.brun...@gmail.com wrote:
 
 I am using FR with WPA2-Enterprise authentication in a Wifi environment
 with this scheme:
 
 SSID 1 \
 SSID 2 --- AP -- Trunk -- Router - FreeRadius
 SSID 3 /
 
 My goal is to configure different security for different SSIDs through
 one freeradius with the virtual server feature.
 
 My first question is, is it possible to have different FR server
 configurations per SSID on a single Access Point? The AP has its IP address
 from a specific management VLAN (different from any SSID X VLAN). I know
 that on the freeradius side the configuration can be separated by client IP
 address, but in my scenario the IP of the radius client is the same for every
 VLAN/SSID, and the only distinguishing part of the communication is
 Called-Station-Id in Access-Request with the form: radio-mac:ssid.

That's down to your NAS configuration: if your AP (or wireless 
controller) will let you use a different set of RADIUS servers for each 
SSID then you are in luck.

The solutions I prefer, if I was doing this, are either:
 * one SSID, and depending on the type of authentication used, use that 
to pick the VLAN the user is dropped into
 * with our infernal Cisco WLC, it does include attributes in all the 
Access-Request packets telling you which SSID the user is 
connecting to; you could use this with FreeRADIUS's unlang to 
call a different EAP instance depending on what you want

I personally would opt for the first method (as then your FreeRADIUS and 
802.1X logic is identical for *wired* connectivity), however you might 
have Layer-8 reasons for wanting to go with the multiple SSID approach 
instead.

 Ok, next question which is related a bit to the previous one. I have 
 presumed that freeradius cannot distinguish between requests from 
 different SSIDs, so I have configured a different IP address of the Radius 
 server per SSID configuration on the AP, and all IP addresses point to a 
 single radius server, and I want to use one virtual server per listen IP 
 address. But how should I tell the FR server which EAP configuration 
 must apply to which virtual server?

If you have convinced yourself you need to go with the multiple SSID 
approach, add the following (*untested*) to 'policy.conf':

extract_ssid {
    # Written without a (?:...) group so it also compiles with POSIX extended
    # regex; the MAC octets are capture 1 and the SSID is capture 2.
    if (%{request:Called-Station-Id} =~ /^([0-9a-f]{2}-){5}[0-9a-f]{2}:(.+)$/i) {
        if (%{2}) {
            update request {
                My-Local-Custom-SSID := %{2}
            }
        }
        else {
            noop
        }
    }
    else {
        noop
    }
}


Now edit /etc/freeradius/dictionary for a custom string attribute for 
My-Local-Custom-SSID (or something you prefer).  Now when you call 
'extract_ssid' from your authorize section, you get a plain attribute 
called My-Local-Custom-SSID created that has the SSID being used.

 Example:
 SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
 SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers 
   with installed certificates
 
As a suggestion from experience, unless you actually plan on having real 
world different firewalling ACL's for each SSID (or backed VLAN) then 
doing this is not going to give your organisation any benefits.

 How can I configure this situation with the FR Virtual server feature? Can I 
 simply copy, rename and modify the eap part from eap.conf to eap_2 and 
 apply it in the authorize/authenticate sections in the second virtual server? 
 Is it enough? I have been looking for any example for this scenario but 
 without any success.
 
Create multiple 'eap {}' instances (one for TLS and one for PEAP; get 
these working in isolation *first*) and call them depending on when you 
need them.

Cheers

-- 
Alexander Clouter
.sigmonster says: Conscience is what hurts when everything else feels so good.

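As an added example (not code from either poster), the following Python models the two options discussed in this thread: extracting the SSID from Called-Station-Id with a pattern in the spirit of extract_ssid, then either picking an eap instance per SSID (Johan's unlang sketch, Alexander's second bullet) or, with a single SSID, choosing a VLAN from the EAP method that authenticated the user (Alexander's first bullet). The SSIDs, eap instance names, VLAN ids and sample requests are constructed; accepting colon-separated MACs is an assumption beyond the thread's regex.

```python
import re
from typing import Dict, Optional

# Pattern in the spirit of extract_ssid above: dash-separated radio MAC, ':', SSID.
# Extended here (an assumption, not from the thread) to also accept colon-separated
# MACs, which some NAS vendors send in Called-Station-Id.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}):(?P<ssid>.+)$", re.IGNORECASE
)

# Constructed policy tables; the SSIDs, instance names and VLAN ids are placeholders.
# Option 2 (Johan's sketch / Alexander's second bullet): which eap instance per SSID.
SSID_TO_EAP_INSTANCE: Dict[str, str] = {"SSID1": "eap_peap", "SSID2": "eap_tls"}
# Option 1 (Alexander's first bullet): one SSID, the EAP method used picks the VLAN.
EAP_TYPE_TO_VLAN: Dict[str, str] = {"PEAP": "20", "TLS": "10"}


def extract_ssid(called_station_id: Optional[str]) -> Optional[str]:
    """Return the SSID part of Called-Station-Id, or None if missing or malformed."""
    if not called_station_id:
        return None
    match = CALLED_STATION_RE.match(called_station_id)
    return match.group("ssid") if match else None


def choose_eap_instance(request: Dict[str, str]) -> str:
    """Per-SSID dispatch on a request's attributes (a dict standing in for the
    Access-Request).  NAS-IP-Address is deliberately ignored: as the original
    poster notes, the AP uses one management IP for every SSID.  An unknown or
    missing SSID fails closed with 'reject' rather than falling through to a
    default method."""
    ssid = extract_ssid(request.get("Called-Station-Id"))
    if ssid is None:
        return "reject"
    return SSID_TO_EAP_INSTANCE.get(ssid, "reject")


def vlan_reply_for(eap_type: str) -> Dict[str, str]:
    """Single-SSID variant: build the RFC 2868 tunnel attributes that put the
    user into the VLAN chosen by the EAP method that authenticated them."""
    vlan = EAP_TYPE_TO_VLAN.get(eap_type)
    if vlan is None:
        raise ValueError(f"no VLAN policy for EAP type {eap_type!r}")
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    # Constructed sample requests: same AP IP, different (or missing) SSIDs.
    for req in (
        {"NAS-IP-Address": "10.0.0.2", "Called-Station-Id": "00-11-22-33-44-55:SSID1"},
        {"NAS-IP-Address": "10.0.0.2", "Called-Station-Id": "00-11-22-33-44-55:SSID2"},
        {"NAS-IP-Address": "10.0.0.2", "Called-Station-Id": "00-11-22-33-44-55"},
    ):
        print(req["Called-Station-Id"], "->", choose_eap_instance(req))
    print(vlan_reply_for("TLS"))
```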


Retry delay and retry count when proxying requests

2010-07-16 Thread Murray Long
Hi all,

Does anyone know how to set the retry_count and retry_delay values for home
servers?

Thanks,
-Murray

Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Alan DeKok
Murray Long wrote:
 Does anyone know how to set the retry_count and retry_delay values for
 home servers?

  Read raddb/proxy.conf:

#  i.e. retry_delay and retry_count have been replaced
#  with per-home-server configuration.  See the home_server
#  example below for details.
#

  Alan DeKok.


Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Murray Long
I saw that, but the home_server example below does not mention anything
about retry_count or retry_delay.

And simply putting retry_count = value in the home_server section doesn't
seem to have any effect.

So how are these values set for home servers?

- Murray


On Fri, Jul 16, 2010 at 1:54 PM, Alan DeKok al...@deployingradius.com wrote:

 Murray Long wrote:
  Does anyone know how to set the retry_count and retry_delay values for
  home servers?

   Read raddb/proxy.conf:

#  i.e. retry_delay and retry_count have been replaced
#  with per-home-server configuration.  See the home_server
#  example below for details.
#

  Alan DeKok.


Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Alan DeKok
Murray Long wrote:
 I saw that, but the home_server example below, does not mention
 anything about retry_count or retry_delay.

  Because this is documented in proxy.conf:

#
#  Note that as of 2.0, the synchronous, retry_delay,
#  retry_count, and dead_time have all been deprecated.
#  For backwards compatibility, they are are still accepted
#  by the server, but they ONLY apply to the old-style realm
#  configuration.  i.e. realms with authhost and/or accthost
#  entries.


 And simply putting retry_count = value in the home_server section
 doesn't seem to have any effect.
 
 So how are these values set for home servers?

  You don't.  The configuration entries that work are documented in
proxy.conf.

  Why do you want to set retry_delay and retry_count for a home
server?  If you think you need them, see the above documentation.  You
can still set them for realms.  But for the new home_server
configuration, the new method is better and more stable.

  Alan DeKok.


Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Murray Long
Oh sorry, it does!
But only for server type coa.
Are they not supported for the other types?


On Fri, Jul 16, 2010 at 2:02 PM, Murray Long mur...@skyrove.com wrote:

 I saw that, but the home_server example below does not mention anything
 about retry_count or retry_delay.

 And simply putting retry_count = value in the home_server section doesn't
 seem to have any effect.

 So how are these values set for home servers?

 - Murray



 On Fri, Jul 16, 2010 at 1:54 PM, Alan DeKok al...@deployingradius.com wrote:

 Murray Long wrote:
  Does anyone know how to set the retry_count and retry_delay values for
  home servers?

   Read raddb/proxy.conf:

#  i.e. retry_delay and retry_count have been replaced
#  with per-home-server configuration.  See the home_server
#  example below for details.
#

  Alan DeKok.




Backslash issue during AD authentication

2010-07-16 Thread Jevos, Peter
Hi

I'd like to authenticate cisco vpn clients against freeradius and AD

 

Prompt for the vpn client should be domainame\username.

In my smb.conf is as the delimiter:

winbind separator = \\ (because backslash is a special character, I had
to use it twice)

 

This command works:

/usr/bin/ntlm_auth --request-nt-key --username=domainame\\username
--password=password 

NT_STATUS_OK: Success (0x0)

 

When I test through radtest it doesn't work: neither

radtest domainame\\username password  localhost 0 testing123 ,

or radtest domainame\\\username password  localhost 0 testing123,

or radtest domainame\username password  localhost 0 testing123

 

However, when I tried to authenticate through the vpn cisco client, the
string domainame\\username will pass.

How can I force freeradius to authenticate through domainame\username

 

Thanks

 

Pet


RE: how to configure Cisco vpn clients against freeradius

2010-07-16 Thread Jevos, Peter
 
 ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00} --require-membership-of=
 S-1-5-21-853024553-185696384-3473746203-512

  Err... no.  That won't work.

 But the vpn cisco clients are authenticated through
domainname\username
 and password

  Then you don't need to edit the mschap configuration.

 
 Is this ntlm_auth2 in the mschap ok ? or should I remove
 --domain=%{%{mschap:NT-Domain}:} ?

  Delete the ntlm_auth2 line from the mschap config.  It does nothing.

 I also changed users to :
 
 DEFAULT  Auth-Type := ntlm_auth2,Huntgroup-Name == vpn

  That should work.

  Alan DeKok.

Hello Alan,
One more question. Why should I delete the ntlm_auth2 line from the
mschap file?
I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2
file (with different commands), but only one command ntlm_auth in
the mschap file.
What is the connection between the command in the modules/ntlm_authx file
and the command ntlm_auth in mschap?
Thanks

pet



Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Alan DeKok
Murray Long wrote:
 Oh sorry it does!
 But only for server type coa,

  No.  The irt/mrt/etc. configurations for CoA are *completely* different.

 Are they not supported for the other types?

  Have you been reading my messages?

  Alan DeKok.


Re: how to configure Cisco vpn clients against freeradius

2010-07-16 Thread Alan DeKok
Jevos, Peter wrote:
 One more question. Why should I delete the ntlm_auth2 line from the
 mschap file?

  Does the mschap module documentation/comments say it will understand
an ntlm_auth2 line?

 I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2
 file (with different commands), but only one command ntlm_auth in
 the mschap file.

  Did you read my previous message explaining why you didn't need an
ntlm_auth2 configuration for mschap?

 What is the connection between command in the modules/ntlm_authx file,
 and the command ntlm_auth in the mschap.

  Nothing.

  Alan DeKok.


Re: Backslash issue during AD authentication

2010-07-16 Thread Alan DeKok
Jevos, Peter wrote:
 When i test through radtest it doesn’t work : neither
 
 radtest domainame\\username password  localhost 0 testing123 ,
 
 or radtest domainame\\\username password  localhost 0 testing123,
 
 or radtest domainame\username password  localhost 0 testing123

  And... what does debug mode say?

 However, when I tried to authenticate through the vpn cisco client, the
 string domainame\\username will pass.

  Because it's not being parsed by the Unix shell.

 How can I force freeradius to authenticate through domainame\username

  Get radtest to send the same data as sent by the Cisco client.  See
the server debug output in order to compare the two user names.

  Alan DeKok.

Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Murray Long
I'm trying to integrate with Ipass and they have asked for a 12 second
or more delay between retry attempts.   The default behavior for
freeradius seems to be sending 3 retries every 5 secs, which is why
I've been trying to change it.

As I only have a single home-server for the realm I don't mind
applying the change to either the realm or the home-server, but I
haven't been able to figure out how to do either.

Am I going about this the wrong way?

Thanks,
Murray



On Fri, Jul 16, 2010 at 2:06 PM, Alan DeKok al...@deployingradius.com wrote:

 Murray Long wrote:
  I saw that, but the home_server example below, does not mention
  anything about retry_count or retry_delay.

  Because this is documented in proxy.conf:

        #
        #  Note that as of 2.0, the synchronous, retry_delay,
        #  retry_count, and dead_time have all been deprecated.
        #  For backwards compatibility, they are are still accepted
        #  by the server, but they ONLY apply to the old-style realm
        #  configuration.  i.e. realms with authhost and/or accthost
        #  entries.


  And simply putting retry_count = value in the home_server section
  doesn't seem to have any effect.
 
  So how are these values set for home servers?

  You don't.  The configuration entries that work are documented in
 proxy.conf.

  Why do you want to set retry_delay and retry_count for a home
 server?  If you think you need them, see the above documentation.  You
 can still set them for realms.  But for the new home_server
 configuration, the new method is better and more stable.

  Alan DeKok.



RE: Backslash issue during AD authentication

2010-07-16 Thread Jevos, Peter
 How can I force freeradius to authenticate through domainame\username

  Get radtest to send the same data as sent by the Cisco client.  See
the server debug output in order to compare the two user names.

  Alan DeKok.


Hi Alan, I forced radtest to pass, with this syntax:

1. radtest domainame\\\username password  localhost 0 testing123
Debug is:
++[mschap] returns noop
[suffix] No '@' in User-Name = domainname\\username, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
 [pap] WARNING! No known good password found for the user.  Authentication 
may fail because of this.
Found Auth-Type = ntlm_auth2
+- entering group authenticate {...}
[ntlm_auth2]expand: --username=%{mschap:User-Name} - --username=\username
[ntlm_auth2]expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth2] returns ok
Login OK: [domainameusername] (from client localhost port 0)


2. The debug, when I use the vpn cisco client with domainname\\username, is the same

3. Radtest doesn't pass with fewer backslashes than 7 :) ( \\\ )
radtest domainame\\username password  localhost 0 testing123

[suffix] No '@' in User-Name = domainame\username, looking up realm NULL

 [ntlm_auth2]expand: --username=%{mschap:User-Name} - --username=username
[ntlm_auth2]expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth2] returns reject
Failed to authenticate the user.
Login incorrect: [domainname\\username/password] (from client localhost port 0)

4. When I use only 2 backslashes:
radtest domainame\\username password  localhost 0 testing123

[suffix] No '@' in User-Name = domainnameusername, looking up realm NULL
..
 [ntlm_auth2]expand: --username=%{mschap:User-Name} - 
--username=domainnameusername
[ntlm_auth2]expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth2] returns reject
Failed to authenticate the user.
Login incorrect: [domainnameusername/password] (from client localhost port 0)

I don't have a problem with radtest if the vpn client would authenticate with 
domainname\username 

Thank you





Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Alan DeKok
Murray Long wrote:
 I'm trying to integrate with Ipass and they have asked for a 12 second
 or more delay between retry attempts.   The default behavior for
 freeradius seems to be sending 3 retries every 5 secs, which is why
 I've been trying to change it.

  No.  The default behavior for the *NAS* is to send 3 retries every 5
seconds.  FreeRADIUS just passes those packets along to the home server.

 As I only have a single home-server for the realm I don't mind
 applying the change to either the realm or the home-server, but I
 haven't been able to figure out how to do either.
 
 Am I going about this the wrong way?

  I don't see what is unclear about the documentation.

1) you can still set retry_delay and retry_count

2) just as with 1.x

3) in the same place in the config files as with 1.x

4) those 2 configuration items will only apply to old-style realms

5) old-style realms have authhost and accthost

6) so... configure retry_delay and retry_count as you did with 1.x

7) configure a realm as you did with 1.x

8) it *will* work

  Alan DeKok.


Re: Retry delay and retry count when proxying requests

2010-07-16 Thread Murray Long
Oh, that makes more sense now.  My confusion was in assuming that the
retry packets I was seeing were generated by freeradius when they
were actually just being forwarded from the NAS.

Thanks very much for the help,

-Murray

On Fri, Jul 16, 2010 at 2:55 PM, Alan DeKok al...@deployingradius.com wrote:
 Murray Long wrote:
 I'm trying to integrate with Ipass and they have asked for a 12 second
 or more delay between retry attempts.   The default behavior for
 freeradius seems to be sending 3 retries every 5 secs, which is why
 I've been trying to change it.

  No.  The default behavior for the *NAS* is to send 3 retries every 5
 seconds.  FreeRADIUS just passes those packets along to the home server.

 As I only have a single home-server for the realm I don't mind
 applying the change to either the realm or the home-server, but I
 haven't been able to figure out how to do either.

 Am I going about this the wrong way?

  I don't see what is unclear about the documentation.

 1) you can still set retry_delay and retry_count

 2) just as with 1.x

 3) in the same place in the config files as with 1.x

 4) those 2 configuration items will only apply to old-style realms

 5) old-style realms have authhost and accthost

 6) so... configure retry_delay and retry_count as you did with 1.x

 7) configure a realm as you did with 1.x

 8) it *will* work

  Alan DeKok.




Passwd module problem

2010-07-16 Thread Peter Bates


Hello all...

I'm running FR 2.1.9 compiled from source on Debian Linux
and using the passwd module for a couple of things.

I have one instance called 'mac-auth', configured in modules/mac-auth as:
passwd mac-auth {
   filename = ${confdir}/mac-auth
   format = *User-Name:=Tunnel-Private-Group-Id
   delimiter = ,
}

That works fine - the username is mapped to a VLAN-id (as per similar
examples in mac2ip and mac2vlan included in the distribution).

I also have modules/switch-auth, which contains:
passwd switch-auth {
   filename = ${confdir}/switch-auth
   format = *NAS-IP-Address:=Tunnel-Private-Group-Id
   delimiter = ,
}

However, this never matches and the module always returns 'notfound':

+- entering group post-auth {...}
++[switch-auth] returns notfound

I am calling the module in post-auth but as the 'mac-auth' instance
works fine I'm at a loss as to why the other one is failing.

--
Peter Bates, Network Support & Development Officer
Goldsmiths, University of London
New Cross, London SE14 6NW. Telephone: 020 7919 7082  


dyndns ff 1.1.7

2010-07-16 Thread Tokie
Hi all,
is it possible to use dyndns in clients.conf with fr 1.1.7-0?

I have an error every time that the ip address changes.

I read many questions on the internet but I don't find fixes.
Could setting hostname_lookups = yes help me?

Otherwise, is it possible to check by nas-id?
My nas is mikrotik.

Thanks
Tokie


Re: dyndns ff 1.1.7

2010-07-16 Thread Alan DeKok
Tokie wrote:
 is it possible to use dyndns in clients.conf with fr 1.1.7-0?

  No.

 I read many questions on the internet but I don't find fixes.

  Install version 2.1.9.

 Could setting hostname_lookups = yes help me?

  No.

 Otherwise, is it possible to check by nas-id?

  No.

  Alan DeKok.


Re: Passwd module problem

2010-07-16 Thread Alan DeKok
Peter Bates wrote:
 I also have modules/switch-auth, which contains:
 passwd switch-auth {
filename = ${confdir}/switch-auth
format = *NAS-IP-Address:=Tunnel-Private-Group-Id
delimiter = ,
 }
 
 However, this never matches and the module always returns 'notfound':

  The passwd module didn't handle keys of type ipaddr.  That should be
fixed in 2.1.10.

  See git commit c0747eecf9acfa7f583a676aa1f07c650b9821d9.

  Alan DeKok.


Re: dyndns ff 1.1.7

2010-07-16 Thread Johan Meiring

On 2010/07/16 05:35 PM, Alan DeKok wrote:

Otherwise, it's possible check by nas-id??


   No.



You could try using rlm_raw and dynamic_clients.

Configure your dynamic client virtual server like this.

client dynamic {
  ipaddr = 0.0.0.0
  netmask = 0
  dynamic_clients = dynamic_nas
  lifetime = 86400
}

server dynamic_nas {
  authorize {
    update control {
      FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
      FreeRADIUS-Client-Require-MA = no
      FreeRADIUS-Client-Secret = %{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}'}
      FreeRADIUS-Client-Shortname = %{Packet-Src-IP-Address}
      FreeRADIUS-Client-NAS-Type = other
      FreeRADIUS-Client-Virtual-Server = amobia_hotspot
    }
  }
}


Tables above are my own, so modify the queries.

Cheers,


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Fail to restart radiusd

2010-07-16 Thread Yang Xue
Hi,

We're running freeradius server v2.0.3 and restart of the daemon failed with:

#/etc/init.d/radiusd restart
Stopping RADIUS server: [FAILED]
Starting RADIUS server: Fri Jul 16 07:50:16 2010 : Info: Starting -
reading configuration files ... [FAILED]

In the radius.log, it shows:

Error: There appears to be another RADIUS server running on the
authentication port 1812 ---

The odd thing is that there is no radiusd process running on the Linux
server at all:

# ps aux  | grep rad
root  4869  0.0  0.0  4544  636 pts/1S+   12:11   0:00 grep rad

#Debug messages:
/usr/sbin/radiusd -X restart
Starting - reading configuration files ...

reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /
 main: localstatedir = //var
 main: logdir = /var/log
 main: libdir = //lib
 main: radacctdir = /etc/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = //var/run/radiusd/radiusd.pid
 main: bind_address = 10.25.210.21 IP address [10.25.210.21]
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = //sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
There appears to be another RADIUS server running on the
authentication port 1812 ---


Does anybody know why it complains about another RADIUS server
running on the authentication port 1812 although there is no existing
radiusd process at all?

Thanks.


Re: Fail to restart radiusd

2010-07-16 Thread Alan DeKok
Yang Xue wrote:
 Hi,
 
 We're running freeradius server v2.0.3 and restart of the daemon failed with:
 
 #/etc/init.d/radiusd restart
 Stopping RADIUS server: [FAILED]
 Starting RADIUS server: Fri Jul 16 07:50:16 2010 : Info: Starting -
 reading configuration files ... [FAILED]

  If it didn't stop the server, it won't be able to start a new one.

 In the radius.log, it shows:
 
 Error: There appears to be another RADIUS server running on the
 authentication port 1812 ---
 
 The odd thing is that there is no radiusd process running on the Linux
 server at all:
 
 # ps aux  | grep rad
 root  4869  0.0  0.0  4544  636 pts/1S+   12:11   0:00 grep rad

  *shrug* It might have a different name.  See also:

$ netstat -an | grep 1812

 Does anybody know why it complains about another RADIUS server
 running on the authentication port 1812 although there is no existing
 radiusd process at all?

  The server tries to use port 1812, and the OS says it can't, because
there's another process using it.

  Find that process, and stop it.

  Alan DeKok.



Re: Fail to restart radiusd

2010-07-16 Thread Yang Xue
Hi, Alan

 netstat -an | grep 1812

returns nothing, which means the port is not used by any process.

 netstat -an | grep 1812
[r...@server1 etc]#


On Fri, Jul 16, 2010 at 2:03 PM, Alan DeKok al...@deployingradius.com wrote:
 Yang Xue wrote:
 Hi,

 We're running freeradius server v2.0.3 and restart of the daemon failed with:

 #/etc/init.d/radiusd restart
 Stopping RADIUS server: [FAILED]
 Starting RADIUS server: Fri Jul 16 07:50:16 2010 : Info: Starting -
 reading configuration files ... [FAILED]

  If it didn't stop the server, it won't be able to start a new one.

 In the radius.log, it shows:

 Error: There appears to be another RADIUS server running on the
 authentication port 1812 ---

 The odd thing is that there is no radiusd process running on the Linux
 server at all:

 # ps aux  | grep rad
 root      4869  0.0  0.0  4544  636 pts/1    S+   12:11   0:00 grep rad

  *shrug* It might have a different name.  See also:

 $ netstat -an | grep 1812

 Does anybody know why it complains about another RADIUS server
 running on the authentication port 1812 although there is no existing
 radiusd process at all?

  The server tries to use port 1812, and the OS says it can't, because
 there's another process using it.

  Find that process, and stop it.

  Alan DeKok.





Re: Fail to restart radiusd

2010-07-16 Thread Alan DeKok
Yang Xue wrote:
 Hi, Alan
 
  netstat -an | grep 1812
 
 returns nothing, which means the port is not used by any process.
 
  netstat -an | grep 1812
 [r...@server1 etc]#

  Find out why the OS is returning port in use.

  Try installing 2.1.9, too.

  Alan DeKok.


Re: Home servers constantly zombied, and I can't figure out how to fix it

2010-07-16 Thread Adam Bultman


Alan DeKok wrote:
 Adam Bultman wrote:
 How do I change that functionality?  I'd *love* it if it didn't zombie
 their servers for no reason.
 
   No.. it marks the servers zombie for a reason: they're not responding.
  But it may be too aggressive.
 
 When I do a radiusd -CXXX, I see options I don't see documented for the
 latest releases of freeradius:
  - ping_check
  - ping_interval
  - num_pings_to_alive
 
   Those are for backwards compatibility with pre-releases of 2.0.  They
 should be removed.  They are just different names for the status-server
 checks.
 
Excellent; I was wondering if I was somehow not seeing something as I
went through the documentation.
  - max_outstanding  (I can't even find what this is for)
 
   You can put a limit on the total number of outstanding  packets sent
 to a home server.  i.e. put it at 256, and if there are 256 packets sent
 without a response, the proxy will *not* use that home server again,
 until it gets at least one response.
 
   This is a way to do load-limiting on home servers.
 
 As it is, my *.work files are stuck (And I've googled for that, and
 found other list posts regarding that) which seems to indicate that the
 home servers aren't responding... except that even when my detail.work
 file is 'stuck' at 24k, and the detail file keeps growing, I'm still
 sending data to the other side.  So something's working, but only sort of..
 
   It's re-transmitting the same packet over and over.  If you install
 2.1.9, you can use radmin to see its progress in reading the detail file.
 
After some work getting 2.1.9, and v2.1.x from the git repository up and
running, I had to go back to 2.1.7-7, which is patched (hopefully,
anyway!) for the zombie problem via the patch you sent me.  The 2.1.9
and 2.1.10 versions would die unexpectedly, right around the time the
Info: ... ... adding new socket command file
/var/run/radiusd/radiusd.sock  would scroll through the debug.  I
couldn't figure it out for the life of me, and strace didn't give me too
much - it'd just segfault right around that time.  It also did it on
vanilla installs of 2.1.10, too - so I just gave it up.

At any rate, radmin *does* exist for 2.1.7-7 (from the redhat source,
which I patched with the patch you gave me), but it's complaining about
permissions on the sock file (which appear to be fine, but perhaps
selinux is killing it, I have to take a gander) - once I get that ironed
out, I'll take great pleasure in using radmin and seeing what it sees.

 I'm about to shoot an email to them to see if they can explain their 4
 year old radius software, and perhaps maybe that's part of the problem.
 
   Yup.  They can upgrade to a (cough) real radius server. :)
 

Turns out, they were a bit stand-offish. They didn't like their radius
servers being implicated in the mix.  It's working for 30+ clients, so
we have no plans to upgrade.

One thing I also noticed was that it doesn't look like freeradius is
giving it very many tries on a packet before marking the system down.
At least, that's the way it appears.  I don't know how to use wireshark
filters enough to find unacked packets, so I have to do that before I'll
be able to piece that together.

It is also noteworthy that upon pingscanning their network, I found two
IP addresses that are up - and I'm getting packet loss to them.  Between
4 and 7 percent, which while not a ton, might be enough to cause a
problem if I'm relaying thousands of packets an hour.

Thanks for the help, Alan. I appreciate it.

-- 
Adam
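The max_outstanding behaviour Alan describes in the quoted reply above (forward until 256 requests are waiting for a reply, then skip that home server until at least one reply arrives) is easy to misread as a retry setting. The following is an added example, not FreeRADIUS code and not Alan's: a toy Python model of that counter, with the limit, the request counts and the home-server name all chosen here for illustration. What the real proxy does with a request it cannot hand to the server (try another pool member, discard it) is outside the model.

```python
"""Toy model of a proxy's per-home-server outstanding-packet limit.

Added example, not FreeRADIUS code: it models only the behaviour Alan
describes for max_outstanding, not the server's real proxy bookkeeping.
Each request the proxy forwards to a home server raises that server's
"outstanding" count; each reply lowers it.  Once the count reaches the
limit, the proxy refuses to pick that server again until at least one
reply has come back, which is how the setting limits load on a slow or
silent home server.
"""
from dataclasses import dataclass


@dataclass
class HomeServer:
    name: str
    max_outstanding: int = 256   # the value used in Alan's example
    outstanding: int = 0         # requests sent, no reply seen yet
    forwarded: int = 0           # requests this server accepted from the proxy
    refused: int = 0             # requests the proxy could not hand to it

    @property
    def usable(self) -> bool:
        """A server at its limit is skipped until a reply lowers the count."""
        return self.outstanding < self.max_outstanding

    def forward(self) -> bool:
        """Proxy tries to send one request; False means the server was skipped."""
        if not self.usable:
            self.refused += 1
            return False
        self.outstanding += 1
        self.forwarded += 1
        return True

    def reply(self) -> None:
        """One response arrived, so one fewer request is outstanding."""
        if self.outstanding > 0:
            self.outstanding -= 1


def simulate(limit: int, silent_requests: int, replies: int, later_requests: int) -> dict:
    """Drive one home server through a silence-then-recovery scenario.

    Phase 1: `silent_requests` arrive while the home server sends nothing back.
    Phase 2: `replies` responses finally arrive.
    Phase 3: `later_requests` more requests arrive.
    Returns the counters after each phase so the effect of the limit is visible.
    """
    hs = HomeServer("hs1", max_outstanding=limit)   # hypothetical server name
    for _ in range(silent_requests):
        hs.forward()
    after_silence = (hs.forwarded, hs.refused, hs.usable)
    for _ in range(replies):
        hs.reply()
    after_replies = (hs.outstanding, hs.usable)
    for _ in range(later_requests):
        hs.forward()
    return {
        "after_silence": after_silence,
        "after_replies": after_replies,
        "final": (hs.forwarded, hs.refused, hs.outstanding),
    }


if __name__ == "__main__":
    # Limit 4: six silent requests -> four forwarded, two refused, server at its limit.
    # One reply frees a slot, so of two later requests exactly one gets through.
    print(simulate(limit=4, silent_requests=6, replies=1, later_requests=2))
```

The point the model makes visible is that the limit is not a timer: a home server that never answers stays skipped indefinitely, and a single late reply is enough to reopen one slot.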


Re: Home servers constantly zombied, and I can't figure out how to fix it

2010-07-16 Thread Adam Bultman
Oh, I must apologize - I didn't know the 'detail' portion of radmin
didn't exist until 2.1.9.  Perhaps I'll work on compiling and testing
that over the weekend.



Adam Bultman wrote:
 
 Alan DeKok wrote:
 Adam Bultman wrote:
 How do I change that functionality?  I'd *love* it if it didn't zombie
 their servers for no reason.
   No.. it marks the servers zombie for a reason: they're not responding.
  But it may be too aggressive.

 When I do a radiusd -CXXX, I see options I don't see documented for the
 latest releases of freeradius:
  - ping_check
  - ping_interval
  - num_pings_to_alive
   Those are for backwards compatibility with pre-releases of 2.0.  They
 should be removed.  They are just different names for the status-server
 checks.

 Excellent; I was wondering if I was somehow not seeing something as I
 went through the documentation.
  - max_outstanding  (I can't even find what this is for)
   You can put a limit on the total number of outstanding  packets sent
 to a home server.  i.e. put it at 256, and if there are 256 packets sent
 without a response, the proxy will *not* use that home server again,
 until it gets at least one response.

   This is a way to do load-limiting on home servers.

 As it is, my *.work files are stuck (And I've googled for that, and
 found other list posts regarding that) which seems to indicate that the
 home servers aren't responding... except that even when my detail.work
 file is 'stuck' at 24k, and the detail file keeps growing, I'm still
 sending data to the other side.  So something's working, but only sort of..
   It's re-transmitting the same packet over and over.  If you install
 2.1.9, you can use radmin to see its progress in reading the detail file.

 After some work getting 2.1.9, and v2.1.x from the git repository up and
 running, I had to go back to 2.1.7-7, which is patched (hopefully,
 anyway!) for the zombie problem via the patch you sent me.  The 2.1.9
 and 2.1.10 versions would die unexpectedly, right around the time the
 Info: ... ... adding new socket command file
 /var/run/radiusd/radiusd.sock  would scroll through the debug.  I
 couldn't figure it out for the life of me, and strace didn't give me too
 much - it'd just segfault right around that time.  It also did it on
 vanilla installs of 2.1.10, too - so I just gave it up.
 
 At any rate, radmin *does* exist for 2.1.7-7 (from the redhat source,
 which I patched with the patch you gave me), but it's complaining about
 permissions on the sock file (which appear to be fine, but perhaps
 selinux is killing it, I have to take a gander) - once I get that ironed
 out, I'll take great pleasure in using radmin and seeing what it sees.
 
 I'm about to shoot an email to them to see if they can explain their 4
 year old radius software, and perhaps maybe that's part of the problem.
   Yup.  They can upgrade to a (cough) real radius server. :)

 
 Turns out, they were a bit stand-offish. They didn't like their radius
 servers being implicated in the mix.  It's working for 30+ clients, so
 we have no plans to upgrade.
 
 One thing I also noticed was that it doesn't look like freeradius is
 giving it very many tries on a packet before marking the system down.
 At least, that's the way it appears.  I don't know how to use wireshark
 filters enough to find unacked packets, so I have to do that before I'll
 be able to piece that together.
 
 It is also noteworthy that upon pingscanning their network, I found two
 IP addresses that are up - and I'm getting packet loss to them.  Between
 4 and 7 percent, which while not a ton, might be enough to cause a
 problem if I'm relaying thousands of packets an hour.
 
 Thanks for the help, Alan. I appreciate it.
 

-- 
Adam


Freeradius Only authenticating one access point in client.conf

2010-07-16 Thread Matthew Stavert
I am not sure why my FreeRADIUS setup is not allowing other access points I add
to clients.conf.

Here is what is in my clients.conf file:

client 192.168.89.217 {
    secret = visit+$c
    shortname = ClhsMeshRm2612
    nastype = other
}

client 192.168.89.215 {
    secret = visit+$c
    shortname = ClhsMeshRm2610
    nastype = other
}


The first one can be authenticated through, the second one cannot.

Matthew Stavert
ITSM, ACMT
Information Systems Analyst
NLSD. 69

PH: 780-826-3145
Cell: 780-207-1146


Re: Freeradius Only authenticating one access point in client.conf

2010-07-16 Thread Alan DeKok
Matthew Stavert wrote:
 I am not sure why my FreeRADIUS setup is not allowing other
 access points I add to clients.conf.
 
 Here is what is in my clients.conf file:
 
 client 192.168.89.217 {
 secret = visit+$c

  That is not the correct format for the clients.conf file in 2.x.

  If you want to put a '$' into the secret, you will need to ensure that
the secret is defined properly:

secret = 'visit+$c'

  Alan DeKok.
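Alan's fix is to single-quote a secret that contains '$'. A check that catches this before the config is loaded is the kind of thing worth running whenever clients.conf is edited, so here is an added example (not part of the FreeRADIUS project, and not Alan's or Matthew's code): a minimal Python checker. Its parser is assumed to be enough for the flat client blocks shown in this thread and nothing more; it reads every client block, so a block that silently went missing shows up as a count mismatch, and it flags any secret containing '$' that is not quoted. It makes no claim about how the server itself interprets an unquoted '$'. The sample config is Matthew's, with the second client already quoted so that both cases appear.

```python
"""Flag FreeRADIUS 2.x clients.conf secrets that need quoting.

Added example, not part of the FreeRADIUS project.  The parser below is
assumed adequate only for flat `client <name> { key = value }` blocks like
the ones in the thread.
"""
import re

# Matthew's two clients; the second one is shown already fixed (constructed variant).
SAMPLE_CLIENTS_CONF = """\
client 192.168.89.217 {
    secret = visit+$c
    shortname = ClhsMeshRm2612
    nastype = other
}

client 192.168.89.215 {
    secret = 'visit+$c'
    shortname = ClhsMeshRm2610
    nastype = other
}
"""

# One regex for a client block, one for the key = value lines inside it.
_BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)


def parse_clients(text: str) -> dict:
    """Return {client_name: {key: raw_value}} for every client block found."""
    return {m.group(1): dict(_KV_RE.findall(m.group(2)))
            for m in _BLOCK_RE.finditer(text)}


def is_quoted(value: str) -> bool:
    """True when the value is wrapped in matching single or double quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""


def unquoted_dollar_secrets(clients: dict) -> list:
    """Clients whose secret contains '$' and is not quoted, in file order."""
    return [name for name, kv in clients.items()
            if "$" in kv.get("secret", "") and not is_quoted(kv["secret"])]


def quote_secret(value: str) -> str:
    """Rewrite an unquoted secret in the single-quoted form Alan suggests."""
    if is_quoted(value):
        return value
    if "'" in value:
        # The thread shows no escape rule for a quote inside a quoted value,
        # so refuse rather than guess.
        raise ValueError("secret contains a single quote; quote it by hand")
    return "'" + value + "'"


def report(text: str) -> dict:
    """Summarise a clients.conf: how many clients parsed and which secrets to fix."""
    clients = parse_clients(text)
    to_fix = unquoted_dollar_secrets(clients)
    return {
        "clients_read": len(clients),
        "needs_quoting": to_fix,
        "fixed": {n: quote_secret(clients[n]["secret"]) for n in to_fix},
    }


if __name__ == "__main__":
    print(report(SAMPLE_CLIENTS_CONF))
```

Run it against the real file and compare "clients_read" with the number of NAS devices you expect; a client the checker cannot see is one the server is unlikely to accept either.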


Re: Home servers constantly zombied, and I can't figure out how to fix it

2010-07-16 Thread Alan DeKok
Adam Bultman wrote:
 After some work getting 2.1.9, and v2.1.x from the git repository up and
 running, I had to go back to 2.1.7-7, which is patched (hopefully,
 anyway!) for the zombie problem via the patch you sent me.  The 2.1.9
 and 2.1.10 versions would die unexpectedly, right around the time the
 Info: ... ... adding new socket command file
 /var/run/radiusd/radiusd.sock  would scroll through the debug.  I
 couldn't figure it out for the life of me, and strace didn't give me too
 much - it'd just segfault right around that time.

  Don't use strace to track down SEGVs.  It won't help.

  See doc/bugs for instructions on tracking down SEGVs.  Those
instructions work.

   Yup.  They can upgrade to a (cough) real radius server. :)
 
 Turns out, they were a bit stand-offish. They didn't like their radius
 servers being implicated in the mix.  It's working for 30+ clients, so
 we have no plans to upgrade.

  Exactly... no one else has noticed a problem, so we're not going to
fix it.

  I guess they don't fix leaks in the roof of their house.  When it
doesn't rain, it doesn't leak.  When it rains, it's too wet to fix the leak.

 One thing I also noticed was that it doesn't look like freeradius is
 giving it very many tries on a packet before marking the system down.

  FreeRADIUS doesn't retry packets when proxying.  The *NAS* retries
packets.  FreeRADIUS retransmits only when it receives a packet from the
NAS.

 At least, that's the way it appears.  I don't know how to use wireshark
 filters enough to find unacked packets, so I have to do that before I'll
 be able to piece that together.

  Why use wireshark?  The server has a debug mode...

 It is also noteworthy that upon pingscanning their network, I found two
 IP addresses that are up - and I'm getting packet loss to them.  Between
 4 and 7 percent, which while not a ton, might be enough to cause a
 problem if I'm relaying thousands of packets an hour.

  Yup.

 Thanks for the help, Alan. I appreciate it.

  It's what I do.

  Alan DeKok.


how to record certificates error in radius.log?

2010-07-16 Thread WWF
hi, all!

Now I want to record the user access history in the radius.log file. I use fr 
2.19 and ttls-mschapv2.

 I notice that it now only records the user/password log in the radius.log 
file. 

for example,

when I use a correct password for user test, 
Tue Jul 13 12:03:49 2010 : Auth: Login OK: [test/via Auth-Type = EAP] (from client localhost port 0 via TLS tunnel)
Tue Jul 13 12:03:49 2010 : Auth: Login OK: [anonymous_identity/via Auth-Type = EAP] (from client localhost port 0 cli 02-00-00-00-00-01)


when I use a wrong password for user test, 
Tue Jul 13 12:04:09 2010 : Auth: Login incorrect: [test/via Auth-Type = EAP] (from client localhost port 0 via TLS tunnel)
Tue Jul 13 12:04:09 2010 : Auth: Login incorrect: [anonymous_identity/via Auth-Type = EAP] (from client localhost port 0 cli 02-00-00-00-00-01)

But no log is recorded if the certificate is wrong (which is possible in real 
scenarios). 

I have noticed that if the certificate is wrong, radiusd -X will 
output something like this:

Fri Jul 16 17:23:30 2010 : Info: [eap] EAP NAK
Fri Jul 16 17:23:30 2010 : Info: [eap] EAP-NAK asked for EAP-Type/ttls
Fri Jul 16 17:23:30 2010 : Info: [eap] processing type  askedtls

Does this indicate a wrong certificate? If so, maybe I can put a radlog in the 
following part of eap.c:

case PW_EAP_NAK:
        /*
         *      The NAK data is the preferred EAP type(s) of
         *      the client.
         *
         *      RFC 3748 says to list one or more proposed
         *      alternative types, one per octet, or to use
         *      0 for no alternative.
         */
        RDEBUG2("EAP NAK");



thanks a lot!
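The "Auth:" lines WWF quotes are the only per-user audit trail radius.log gives here, and each login appears twice: once for the inner identity ("via TLS tunnel") and once for the outer anonymous identity, which is the entry carrying the Calling-Station-Id MAC. The following is an added example, not part of FreeRADIUS and not WWF's code: a Python parser for those lines that tallies outcomes per real user and failures per station. Its sample input is the thread's four log lines, unwrapped. As WWF notes, a rejected certificate produces no Auth: line at all, so the "[eap] EAP NAK" Info lines are not something this parser can see; it ignores them.

```python
"""Parse the 'Auth:' lines FreeRADIUS writes to radius.log.

Added example, not part of FreeRADIUS.  It turns the log lines WWF shows
into records (timestamp, outcome, identity, client, whether the entry
came from inside the TLS tunnel, and the station MAC on the outer entry)
so the pass/fail history per user and per station can be tallied.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# The thread's four log lines, unwrapped (constructed sample input).
SAMPLE_LOG = """\
Tue Jul 13 12:03:49 2010 : Auth: Login OK: [test/via Auth-Type = EAP] (from client localhost port 0 via TLS tunnel)
Tue Jul 13 12:03:49 2010 : Auth: Login OK: [anonymous_identity/via Auth-Type = EAP] (from client localhost port 0 cli 02-00-00-00-00-01)
Tue Jul 13 12:04:09 2010 : Auth: Login incorrect: [test/via Auth-Type = EAP] (from client localhost port 0 via TLS tunnel)
Tue Jul 13 12:04:09 2010 : Auth: Login incorrect: [anonymous_identity/via Auth-Type = EAP] (from client localhost port 0 cli 02-00-00-00-00-01)
"""

_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)/(?P<cred>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?P<rest>[^)]*)\)$"
)


@dataclass
class AuthRecord:
    when: datetime
    ok: bool
    user: str
    client: str
    port: int
    in_tunnel: bool            # inner identity, logged "via TLS tunnel"
    station: Optional[str]     # station MAC from the outer entry's "cli ..." part


def parse_auth_line(line: str) -> Optional[AuthRecord]:
    """Return a record for an Auth: line, or None for any other log line."""
    m = _AUTH_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    cli = re.search(r"\bcli (\S+)", rest)
    return AuthRecord(
        when=datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        ok=m.group("result") == "OK",
        user=m.group("user"),
        client=m.group("client"),
        port=int(m.group("port")),
        in_tunnel="via TLS tunnel" in rest,
        station=cli.group(1) if cli else None,
    )


def parse_log(text: str) -> List[AuthRecord]:
    """All Auth: records in a log, in file order; other lines are skipped."""
    return [r for r in (parse_auth_line(l) for l in text.splitlines()) if r]


def outcomes_by_user(records: List[AuthRecord]) -> dict:
    """OK/incorrect counts per inner (real) identity; outer anonymous entries are skipped."""
    counts = defaultdict(lambda: {"OK": 0, "incorrect": 0})
    for r in records:
        if r.in_tunnel:
            counts[r.user]["OK" if r.ok else "incorrect"] += 1
    return dict(counts)


def failures_by_station(records: List[AuthRecord]) -> dict:
    """Failed outer entries per station MAC, useful for spotting a noisy client."""
    counts = defaultdict(int)
    for r in records:
        if r.station and not r.ok:
            counts[r.station] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(outcomes_by_user(recs))
    print(failures_by_station(recs))
```

Counting on the inner entry avoids double-counting each login, while the outer entry is where the station MAC lives; joining the two by timestamp is left to the reader, since nothing in the sample guarantees they are adjacent.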