Re: Connecting the dots.
Hi Ken,

Thanks for the response. On this particular server we have not run any updates to the software stack, as it is our policy to only update at regular intervals so that we can catch these things. I only sent the e-mail to the list after spending the day in freeradius -X and -Xx to see if I can find out why it is failing.

I wanted to start fresh with a server so I could see at what stage it starts failing. But funnily enough the new server lets me auth against AD using a local query using radtest and a forced auth method of DEFAULT Auth-Type = ntlm_auth in the users file. As soon as I try to auth using my Cisco wireless connection it fails, unable to find the realm. That is why I was asking how the docs on the site match up to the latest conf files, so I can find out where to add the REALM settings so that it works.

We also have 2 AD trees we connect to, but once I get the one working the other will be easy.

Thanks for the help

Lance

On 15/09/2010 20:38, Kenneth Marshall k...@rice.edu wrote:
> Many times this is caused by a software update to the system. To figure out where the problem lies, you will need to follow the very well documented procedure for debugging freeradius if you do not have logs of what was updated on the system so you can rollback the update(s).
>
> Cheers,
> Ken

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Connecting the dots.
Hi C.J.

Thanks for the tip. We do run our config in Git and it has not changed since it was configured about 2 months ago; this is what is baffling me. The Windows servers were not changed (well, that is what the Windows admins have informed us).

Thanks

Lance

On 15/09/2010 21:10, C.J. Adams-Collier KF7BMP c...@colliertech.org wrote:
> I've found that keeping config file history using RCS or git to be very useful. It's saved me a bunch of headache with bind, apache, sendmail and freeradius. If you'd like some tips, I'm happy to oblige either on-list or off, depending on whether the regulars consider it OT.
>
> Cheers,
> C.J.
Re: Connecting the dots.
Hi Alan,

Thanks for the response. We do know about the samba update and it was the first thing I checked when the system broke. We have about 400 Ubuntu VMs running in our environment and we have not yet updated our corporate repo with this update, as we have not tested it yet. I checked the winbindd_privileged directory and it has the correct file permissions.

I want to add to my original post to the list that this server was not originally configured by myself, and the original person created a monolithic radiusd.conf file with all the settings in the one file; this is making it difficult to match the settings to the docs. Hence my question about how the docs match to the new conf files. freeradius -X and -Xx have not highlighted anything suspicious that I believe is different to what was being logged there before.

The reason for the new server build is so that I can understand how freeradius works and specifically how it will work with AD as a backend. I have been able to get the server connecting to AD and authing me against it, as per one of my other posts to the list. I am just not sure I have done this correctly, as the auth request fails when I try to connect using my laptop (we mostly have Macs in this office). This is against my new server, by the way. This is what led me to contact the list to see how the docs match the new config, as I have seen

==
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187, length=205
	User-Name = Lance.Haig
	Calling-Station-Id = 00-26-08-e8-c9-85
	Called-Station-Id = 00-1b-8f-8a-d8-90:LNH
	NAS-Port = 13
	NAS-IP-Address = 10.0.210.4
	NAS-Identifier = FWDWLC
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0207002b19001703010020520cb27842380dee8600973e5967661e03fab0689f23a28f27cb78dce34bfcc5
	State = 0x47419e384246876f90468b6b37412030
	Message-Authenticator = 0x4bb2d4d267947887f5bcb88b9c8dfbb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Lance.Haig, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
==

Which leads me to believe that the REALMS config is not working properly. And I can't find instructions on what to check to make sure this is the case.

Apologies for rambling on a bit.

Lance
Re: a lot of memory inuse
Strong, Mark wrote:
> http://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/ChangeLog
>
> Yeah, gave that a look, didn't see anything definite (as far as memory leaks go).

Look for the word "leak".

Alan DeKok.
Re: problems with dynamic vlan assignment
> [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
> [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
> [ldap] looking for check items in directory...
> [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
> [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
> [ldap] looking for reply items in directory...
> [ldap] eduPersonPrimaryAffiliation -> User-Category = employee

Two issues; first, as above, you're adding the User-Category item from LDAP into the reply list, but the files syntax doesn't (can't) match items in the reply list. This:

DEFAULT	User-Category == employee

means "match all requests with the attribute User-Category == employee in the *request* items".

Secondly, I think you're running LDAP after files, so even if it could match, it would not.

Try something like this in sites-available/inner-tunnel:

authorize {
	...
	ldap
	if (reply:User-Category == employee) {
		update reply {
			Tunnel-Private-Group-Id := 1234
		}
	}
	elsif (reply:User-Category == ...) {
	}
}

Or, modify your ldap.attrmap to put the User-Category into the request items (assuming your NAS doesn't need it), then move the files module after the ldap one.
Re: Certificates
freerad...@corwyn.net wrote:
> I'm tinkering with my VPN setup using FreeRadius and AD, and getting "Not possible to verify the identity of the server". Some googling shows that message can be related to certificates.

Uh... the documentation on setting up EAP describes what you need to do on the client machine in order for EAP to work. This involves putting the CA cert on the PC.

> Some digging through the FreeRadius docs came up with: "If FreeRADIUS was configured to use OpenSSL, then simply starting the server in root in debugging mode should also create test certificates, i.e.:"
>
> Does this mean that, presuming I never did create certificates, that freeradius could function differently in debug mode than when running not in debug mode?

No.

Alan DeKok.
Re: Connecting the dots.
Lance Haig wrote:
> Thanks for the response. On this particular server we have not run any updates to the software stack, as it is our policy to only update at regular intervals so that we can catch these things.

Well... nothing in the server magically changes its behavior on a certain day. *Something* changed.

> As soon as I try to auth using my Cisco wireless connection it fails, unable to find the realm.

And... what does the debug output say?

> That is why I was asking how the docs on the site match up to the latest conf files, so I can find out where to add the REALM settings so that it works.

The documentation is pretty clear on this, as are the comments in the configuration files. It's more efficient to read them than to ask a question on this list, and wait for an answer.

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> Thanks a lot Alan DeKok, do I have any possibility to permit login only to persons with username/password and client certificate? All authentication methods work fine on my server, but I'll only permit login with username/password and client certificate. Which code do I need to set in users/eap.conf?
>
> TLS works fine on my server and the users can log in with the client certificate, but I don't want to allow login without username/password, and I also don't want to allow logins with username and password but without client certificates.

Put this into the users file:

DEFAULT	EAP-TLS-Require-Client-Cert = yes

This will require client certificates for *all* EAP methods. If you want it to be more specific, see "man unlang" for writing general policies.

Alan DeKok.
Re: Pre release of 2.1.10
Hi,

Alan DeKok, 2010-09-06 13:58:
> It's been a few weeks since the last pre release of 2.1.10. I've put another one up on the web at:

I tried it, mainly to get rid of the random segfaults we get every few days (bug #35). Unfortunately, last night it crashed on one machine (after running for about 60h):

Sep 16 04:07:22 radius64-01b kernel: [24863577.558534] ui-freeradius[20331] general protection ip:7f6627405b0e sp:7fff11594180 error:0 in libfreeradius-radius-2.1.10.so[7f66273ee000+1f000]

backtrace:
#0  fr_packet_cmp (a=0x7f6618064700, b=0xf6f5bc5f78c00c80) at packet.c:139
#1  0x7f66273f7a54 in fr_hash_table_find (ht=0x278fa30, data=0x7fff115941e0) at hash.c:191
#2  0x7f66273f7a99 in fr_hash_table_finddata (ht=0x7f6618064700, data=0xf6f5bc5f78c00c80) at hash.c:484
#3  0x7f662740572b in fr_packet_list_find (pl=<value optimized out>, request=0x7f6618064700) at packet.c:583
#4  0x00427bd9 in received_request (listener=0x2794400, packet=0xf6f5bc5f78c00c80, prequest=0x79, client=0x7f6627408600) at event.c:2822
#5  0x00415ac6 in auth_socket_recv (listener=0x2794400, pfun=0x7fff11594348, prequest=0x7fff11594340) at listen.c:826
#6  0x00422e5e in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>, ctx=<value optimized out>) at event.c:3410
#7  0x7f6627406a16 in fr_event_loop (el=0x2789c00) at event.c:411
#8  0x0041c322 in main (argc=1, argv=0x80) at radiusd.c:406

Is there anything we can do to help sorting this out?
Re: problems with dynamic vlan assignment
Thanks for your reply. Here is what I did.

In ldap.attrmap I put:

checkItem	User-Category	eduPersonPrimaryAffiliation

In the users file I did:

DEFAULT
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id = 901,
	Fall-Through = Yes

DEFAULT	User-Category == student
	Reply-Message = "Your a member of the student Group",
	Tunnel-Private-Group-Id = 902

DEFAULT	User-Category == employee
	Reply-Message = "Your a member of the employee Group",
	Tunnel-Private-Group-Id = 903

In the inner-tunnel file I have:

authorize {
	chap
	mschap
	unix
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	ldap
	files
	expiration
	logintime
	pap
}

I got the following logs:

[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category == employee
[ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
..

Line 166 in my users file is this one:

DEFAULT
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id = 901,
	Fall-Through = Yes

and I don't match the following entry:

DEFAULT	User-Category == employee
	Reply-Message = "Your a member of the employee Group",
	Tunnel-Private-Group-Id = 903

and I really don't know why.

On 16/09/2010 09:44, Phil Mayers wrote:
> > [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
> > [ldap] ldap_get_conn: Checking Id: 0
> > [ldap] ldap_get_conn: Got Id: 0
> > [ldap] attempting LDAP reconnection
> > [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
> > [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389
> > [ldap] waiting for bind result ...
> > [ldap] Bind was successful
> > [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
> > [ldap] looking for check items in directory...
> > [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
> > [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
> > [ldap] looking for reply items in directory...
> > [ldap] eduPersonPrimaryAffiliation -> User-Category = employee
>
> Two issues; first, as above, you're adding the User-Category item from LDAP into the reply list, but the files syntax doesn't (can't) match items in the reply list. This:
>
> DEFAULT	User-Category == employee
>
> means "match all requests with the attribute User-Category == employee in the *request* items".
>
> Secondly, I think you're running LDAP after files, so even if it could match, it would not.
>
> Try something like this in sites-available/inner-tunnel:
>
> authorize {
> 	...
> 	ldap
> 	if (reply:User-Category == employee) {
> 		update reply {
> 			Tunnel-Private-Group-Id := 1234
> 		}
> 	}
> 	elsif (reply:User-Category == ...) {
> 	}
> }
>
> Or, modify your ldap.attrmap to put the User-Category into the request items (assuming your NAS doesn't need it), then move the files module after the ldap one.
connection start and stop infos
Hello,

any idea why I don't see any connection start and stop in the mysql radacct table (other infos are ok), while in /var/log/radius/radacct/nas-ip-address/detail-date it is ok?

Thanks a lot.

Matteo
external auth modul
Hi!

I would like to auth my users from my own script.

radiusd -X debug:

[otp_auth] expand: %{User-Name} -> qtgame
[otp_auth] expand: %{User-Password} -> ?O:J?? ?r
[otp_auth] expand: %{reply:Secret} -> 8bd1f2fc2c2f68bb
[otp_auth] expand: %{reply:Pin} -> 1616
[otp_auth] expand: %{reply:Offset} -> 0

My script doesn't understand this User-Password :( How can I use the cleartext password? And on the other hand the ENV variable:

USER_PASSWORD=3!\333$\026\276\362\202\002\2522\231\355\302[\374

How can I create this password from cleartext, or can I decrypt it to cleartext?

QTGame
Re: external auth modul
Krisztian Kuti wrote:
> radiusd -X debug:
>
> [otp_auth] expand: %{User-Name} -> qtgame
> [otp_auth] expand: %{User-Password} -> ?O:J?? ?r

Read the REST of the debug output to see what's going wrong.

Honestly. The answer to your question is *already* in the debug output. All you need to do is to read it.

Alan DeKok.
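Background for the exchange above, as an added worked example that is not code from the thread or from FreeRADIUS: a PAP User-Password never travels in cleartext, the NAS hides it with the RFC 2865 section 5.2 scheme (XOR against MD5(shared secret || Request Authenticator), chained per 16-byte block) and the server reverses the same operation with its own copy of the secret before any module sees %{User-Password}. The step has no integrity check, so a server holding the wrong shared secret still "recovers" a value, just an unprintable one, which is one classic way to end up with junk like the debug line quoted above. The thread itself does not say what the cause was in this case; Alan's reply only points at the rest of the debug output. The password, secrets and authenticator in the block are constructed sample values.

```python
"""RFC 2865 User-Password hiding (PAP), NAS side and server side.

Added illustration, not code from the mailing-list thread or from the
FreeRADIUS project. Sample secret, authenticator and password are
constructed for the example.
"""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes (1..128 bytes
    allowed), then each 16-byte block is XORed with
    MD5(secret || previous ciphertext block); for the first block the
    "previous block" is the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], block)
        out += c
        prev = c          # chaining uses the ciphertext block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream from the ciphertext and
    strip the NUL padding (a password with genuine trailing NULs is
    therefore ambiguous, as in the RFC). Nothing here detects a wrong
    secret; any secret "works" and a mismatched one yields junk bytes.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """Crude sanity check a script could apply before trusting the value:
    the quoted debug output ('?O:J?? ?r') would fail it."""
    return all(0x20 <= ch < 0x7F for ch in data)


def demo() -> dict:
    # Constructed sample values; a real NAS draws the authenticator at random.
    password = b"correct horse battery staple"      # 28 bytes, padded to 32
    nas_secret = b"testing123"
    wrong_server_secret = b"testing124"             # one character off
    authenticator = bytes(range(16))

    wire = hide_password(password, nas_secret, authenticator)
    good = unhide_password(wire, nas_secret, authenticator)
    bad = unhide_password(wire, wrong_server_secret, authenticator)
    return {
        "wire_len": len(wire),
        "good": good,
        "good_printable": is_printable(good),
        "bad_printable": is_printable(bad),
    }


if __name__ == "__main__":
    r = demo()
    print("hidden User-Password length:", r["wire_len"])
    print("recovered with the NAS's secret:", r["good"])
    print("printable with matching secret:", r["good_printable"])
    print("printable with mismatched secret:", r["bad_printable"])
```

Two consequences worth keeping in mind when writing an external auth script: the cleartext is only ever available for PAP, since CHAP, MS-CHAP and EAP methods never carry it; and the hiding scheme protects nothing against an attacker who knows the shared secret, so the secret is the whole security of the exchange.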
Re: Connecting the dots.
Hi Alan,

Thanks for the response; mine are inline.

> Well... nothing in the server magically changes its behavior on a certain day. *Something* changed.

I agree, and I am having a hard time finding what.

> And... what does the debug output say?

I posted my debug output to the list in another mail, but I will add it to the end of this mail so the two are on the same page, as it were.

> The documentation is pretty clear on this, as are the comments in the configuration files. It's more efficient to read them than to ask a question on this list, and wait for an answer.

I beg to differ. The documentation does not match the current config file structure and so it is very difficult for anyone to follow. Your insinuation that I am being lazy by asking a list for answers would be valid if that was the case. I do realise you have had to answer many questions on this subject, but I would recommend a review of the docs to make sure it is easier to follow for people; then your argument would be valid.

Please do not take this as a flame, just someone hoping to find out how to use a great tool.

Lance
Re: problems with dynamic vlan assignment
Hi Alexander,

On 16/09/2010 00:31, Alexander Clouter wrote:
> Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer, so 'User-Category' might be defined but only on the outside, whilst it looks like you are calling 'files' *inside*.
>
> Cheers

Well, I understand what you mean, but I have some difficulty translating that into my configuration file. Yes, I have in my inner-tunnel file the lines

authorize {
	chap
	mschap
	unix
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	ldap
	files
	expiration
	logintime
	pap
}

but how can I call it outside? I'm a bit lost.
Two-Step LDAP authentication?
Hi everybody!

I'm a new subscriber of this list. I'm trying to set up a radius server with LDAP authentication; I've managed to authenticate a user (from a Cisco device), but my fellows from the Security Department think that we should have a two-step authentication:

1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
2. A compare request, searching a specific objectclass in the LDAP tree.

So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but to search for the uid in an objectclass called "owner" in the entry cn=deviceX,ou=pepe,ou=jose,c=es. deviceX is the one with the source NAS-IP-Address.

I know how to use unlang with switch statements, configuring different ldap modules in the radius server, so I can write the basedn I want. But how can I do step 2?

Thank you, and sorry for my English.
Re: need help - force EAP-TTLS to validate the server certificate
> Put this into the users file:
>
> DEFAULT	EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client certificate, for example with PEAP or EAP-TTLS.

Here is my users file:

DEFAULT	EAP-TLS-Require-Client-Cert = yes

testuser	Cleartext-Password := "xxx"
	Reply-Message = "Hello, %{User-Name}"

DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

Here's the eap.conf file:

eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		certdir = /etc/ssl
		cadir = /etc/ssl
		private_key_password = xx
		private_key_file = ${certdir}/serverkey.pem
		certificate_file = ${certdir}/servercert.pem
		CA_file = ${cadir}/cacert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		check_crl = no
		CA_path = /etc/ssl
		cipher_list = "DEFAULT"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		proxy_tunneled_request_as_eap = yes
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

Any ideas what is wrong here?

Thanks

-------- Original message --------
Date: Thu, 16 Sep 2010 09:54:28 +0200
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only to persons with username/password and client certificate? All authentication methods work fine on my server, but I'll only permit login with username/password and client certificate. Which code do I need to set in users/eap.conf?
> >
> > TLS works fine on my server and the users can log in with the client certificate, but I don't want to allow login without username/password, and I also don't want to allow logins with username and password but without client certificates.
>
> Put this into the users file:
>
> DEFAULT	EAP-TLS-Require-Client-Cert = yes
>
> This will require client certificates for *all* EAP methods. If you want it to be more specific, see "man unlang" for writing general policies.
>
> Alan DeKok.
Re: Connecting the dots.
Hi,

> would recommend a review of the docs to make sure it is easier to follow for people; then your argument would be valid.

personally I found the docs weak when I first started with FreeRADIUS 0.x - but have since then learnt everything from the actual config files and the man pages (and docs in the tarball itself) - I am horrified that your config was minimised into just one single monolithic config file - that is actually very bad (I would even say, in this case, bad practice) as it makes it very difficult to see the new changes and config options when a new version comes out... if you use the separate modules, virtual servers etc then you can simply DIFF them and get to see the goodies. it also allows you to know what you can enable etc - this is why Apache is moving into separate module files etc themselves. people lose view of the possibilities otherwise.

alan
Re: Connecting the dots.
Lance Haig wrote:
> I posted my debug output to the list in another mail, but I will add it to the end of this mail so the two are on the same page, as it were.

What you posted earlier was a *tiny* portion of the debug output. And the email I'm replying to contains no debug output.

> The documentation does not match the current config file structure and so it is very difficult for anyone to follow. Your insinuation that I am being lazy by asking a list for answers would be valid if that was the case.

The config file structure has changed *only* in layout on the disk. The files are still included into radiusd.conf, i.e. the config from 1.x will very likely work with 2.x.

> I do realise you have had to answer many questions on this subject, but I would recommend a review of the docs to make sure it is easier to follow for people; then your argument would be valid.

Sure. Send a patch to update the documentation.

Alan DeKok.
Re: connection start and stop infos
mat...@crs4.it wrote:
> Hello, any idea why I don't see any connection start and stop in the mysql radacct table (other infos are ok), while in /var/log/radius/radacct/nas-ip-address/detail-date it is ok?

Run the server in debugging mode to see.

Alan DeKok.
Re: problems with dynamic vlan assignment
Well, I think I have found the answer. I'm not sure if it's the right way to do it: in the peap section of the eap file I added

use_tunneled_reply = yes

On 16/09/2010 13:22, Eric Doutreleau wrote:
> Hi Alexander,
>
> On 16/09/2010 00:31, Alexander Clouter wrote:
> > Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer, so 'User-Category' might be defined but only on the outside, whilst it looks like you are calling 'files' *inside*.
> >
> > Cheers
>
> Well, I understand what you mean, but I have some difficulty translating that into my configuration file. Yes, I have in my inner-tunnel file the lines
>
> authorize {
> 	chap
> 	mschap
> 	unix
> 	suffix
> 	update control {
> 		Proxy-To-Realm := LOCAL
> 	}
> 	eap {
> 		ok = return
> 	}
> 	ldap
> 	files
> 	expiration
> 	logintime
> 	pap
> }
>
> but how can I call it outside? I'm a bit lost.
Re: connection start and stop infos
Hi,

> Hello, any idea why I don't see any connection start and stop in the mysql radacct table (other infos are ok), while in /var/log/radius/radacct/nas-ip-address/detail-date it is ok?

wild stab in the dark here: you have 'detail' enabled in the accounting {} section of your default server, but haven't enabled sql in that section.

alan
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I did this, but the clients can still log in without any client certificate, for example with PEAP or EAP-TTLS.
>
> Here is my users file:

<sigh> Is it that hard to show the debug output?

> Here's the eap.conf file:

Neither the documentation nor messages on this list ask for the EAP configuration.

> Any ideas what is wrong here?
>
> Thanks

If you're not going to post the debug output, we have no idea what's wrong.

Alan DeKok.
Re: Pre release of 2.1.10
Jakob Hirsch wrote:
> I tried it, mainly to get rid of the random segfaults we get every few days (bug #35). Unfortunately, last night it crashed on one machine (after running for about 60h):
>
> Sep 16 04:07:22 radius64-01b kernel: [24863577.558534] ui-freeradius[20331] general protection ip:7f6627405b0e sp:7fff11594180 error:0 in libfreeradius-radius-2.1.10.so[7f66273ee000+1f000]
>
> backtrace:
> #0  fr_packet_cmp (a=0x7f6618064700, b=0xf6f5bc5f78c00c80) at packet.c:139

Well... that looks like the same problem. <sigh>

> Is there anything we can do to help sorting this out?

Run it under 'valgrind --tool=memcheck --leak-check=full radiusd -f'

It will be slow, but it may help track down the problem.

Alan DeKok.
How to access proxy-reply:Packet-Type in if condition
Hi,

I am using freeRadius version 2.1.9. I am trying to update the proxy-reply message with additional attributes; I want to do it only if the proxy-reply is an Access-Accept. I see %{proxy-reply:Packet-Type} returns Access-Accept, but I am not able to form an if condition; I see the following error:

Thu Sep 16 12:20:24 2010 : Info: +- entering group post-proxy {...}
Thu Sep 16 12:20:24 2010 : Info: 	expand: %{proxy-reply:Packet-Type} -> Access-Accept
Thu Sep 16 12:20:24 2010 : Info: ++[proxy-reply] returns noop
Thu Sep 16 12:20:24 2010 : Info: ++? if (proxy-reply:Packet-Type == Access-Accept)
Thu Sep 16 12:20:24 2010 : Info: 	(Attribute proxy-reply:Packet-Type was not found)
Thu Sep 16 12:20:24 2010 : Info: [eap] No pre-existing handler found
Thu Sep 16 12:20:24 2010 : Info: ++[eap] returns noop
Thu Sep 16 12:20:24 2010 : Info: Found Auth-Type = Accept
Thu Sep 16 12:20:24 2010 : Info: Auth-Type = Accept, accepting the user
Thu Sep 16 12:20:24 2010 : Info: +- entering group post-auth {...}
Thu Sep 16 12:20:24 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 11 to 192.168.6.181 port 32771
	Framed-Protocol = PPP
	Service-Type = Framed-User
	EAP-Message = 0x030c0004
	Class = 0x482404d301370001c0a8073f01cb53194e942c94020f
	MS-CHAP-Domain = \001TESTAD
	MS-CHAP2-Success = 0x01533d33374341363935353838313541433741463032344131333733453832463730424238413846433033
	MS-MPPE-Send-Key = 0x6690415a2581f6721c2bd5b7248693f972bd3c750929bb4ab85eccba612b34ee
	MS-MPPE-Recv-Key = 0x2a32a3e3f8e828d049c41b18dc8ef342720afe4de007074eb3c880de24a51ba3
	Message-Authenticator = 0x
	User-Name = Access-Accept
Thu Sep 16 12:20:24 2010 : Info: Finished request 11.
Thu Sep 16 12:20:24 2010 : Debug: Going to the next request
Thu Sep 16 12:20:24 2010 : Debug: Waking up in 4.8 seconds.

Can we really access proxy-reply:Packet-Type using unlang? Please help me solve this problem.

Thanks,
Chidanand
Re: Two-Step LDAP authentication?
In article <bay154-w6ae2b5874b5015e85e875c0...@phx.gbl> you wrote:
> I'm a new subscriber of this list. I'm trying to set up a radius server with LDAP authentication; I've managed to authenticate a user (from a Cisco device), but my fellows from the Security Department think that we should have a two-step authentication:

Ask your security folk for *today* a list of people who may only administer one selection of devices and not the other. If they actually do not use the facility then it is a waste of time implementing it (it is easy enough to implement later on); I get the impression this is a "not needed but would be nice if this could be done". :)

Far more appropriate is to configure the switches to all log to a central syslog server (so you know who and when someone logged in and out) and configure something like RANCID to record the configuration changes.

...anyway, onto the problem.

> 1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
> 2. A compare request, searching a specific objectclass in the LDAP tree.
>
> So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but to search for the uid in an objectclass called "owner" in the entry cn=deviceX,ou=pepe,ou=jose,c=es. deviceX is the one with the source NAS-IP-Address.
>
> I know how to use unlang with switch statements, configuring different ldap modules in the radius server, so I can write the basedn I want. But how can I do step 2?

The easiest approach is to create LDAP groups based on the NAS-IP-Address and then test to see if the user is a member of the group '%{NAS-IP-Address}'.

Once you create the LDAP groups and make the users members of them, you can use unlang in your 'authorize' section in a manner like:

authorize {
	ldap

	if (Ldap-Group != "%{NAS-IP-Address}") {
		update reply {
			Reply-Message := "no way kiddo"
		}
		reject
	}
}

This is off the top of my head but should give you what you are looking for; you will see in the output of 'freeradius -X' it doing roughly what you need.

The only problem I can see with it is that if you have a lot of switches to log into, the number of groups you have to add a user to becomes a really tedious process; this problem could be solved by using something like the following instead:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Cheers

-- 
Alexander Clouter
.sigmonster says: I hate quotations. -- Ralph Waldo Emerson
Re: problems with dynamic vlan assignment
On 16/09/10 10:16, Eric Doutreleau wrote:
> thanks for your reply
>
> here is what i did
>
> in the ldap.attrmap i put
>
> checkItem User-Category eduPersonPrimaryAffiliation

checkItem means put the attribute into the check/config items list. Looking at the source code, I see that rlm_ldap can't update the request item list.

> in the users file i did
>
> DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802,
>         Tunnel-Private-Group-Id = 901,
>         Fall-Through = Yes
>
> DEFAULT User-Category == student
>         Reply-Message = "Your a member of the student Group",
>         Tunnel-Private-Group-Id = 902

This means match User-Category in the request items list, which is not the list you've put it in. The files syntax cannot do comparisons against check/config or reply items, and LDAP can only put items into check/config or reply.

You will therefore have to use unlang syntax as per my previous email:

authorize {
        ...
        ldap
        if (control:User-Category == ...) {
                ...
        }
}
Re: problems with dynamic vlan assignment
On 16/09/2010 15:34, Phil Mayers wrote:
> You will therefore have to use unlang syntax as per my previous email:

Thanks Phil, that's what I will do.
Re: Error: Discarding duplicate request...
I am running NTLM_AUTH for mschap authentication with an MS AD at the back end. I suppose that could be the culprit. If so, is upgrading FreeRadius likely to resolve that (not knowing exactly what the problem is)? Anything I could configure at the FreeRadius end to make that work a bit better?

-Mike

On Wed, 15 Sep 2010, Alan Buxey wrote:
> 2.1.3 is very old now, 2.1.9 is current and has many fixes over that - check its changelog.
>
> This error message suggests that you've got a slow backend somewhere - be that ldap, sql or even a bit of perl.
>
> - Reply message -
> From: Mike Diggins mike.digg...@mcmaster.ca
> Date: Wed, Sep 15, 2010 16:22
> Subject: Error: Discarding duplicate request...
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>
> Our students have returned this week, and I've noticed a couple of new messages logged to my FreeRadius 2.1.3 server. When it happens, my controllers fail over to the secondary Radius server. This has happened a few times. My Radius servers are only lightly loaded, and only configured to do authentication. No databases. Any idea what might be causing this?
> Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 218 due to unfinished request 35236
> Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 219 due to unfinished request 35237
> Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
> Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35239, in module component
> Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35240, in module component
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
> Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245
>
> -Mike
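As an added example (not part of the thread and not FreeRADIUS code), a small Python script that runs over a subset of the log lines Mike posted and correlates the "Discarding duplicate request" retransmissions with the "Unresponsive child" warnings; a request id that appears in both is the slow-backend pattern Alan describes, so this is a quick way to tell a stalled module from a chatty NAS before reaching for freeradius -X.

```python
import re
from collections import Counter

# Log lines copied from the post above (FreeRADIUS 2.1.3 on host prad02).
SAMPLE_LOG = """\
Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35239, in module component
Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35240, in module component
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245
"""

DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port \d+"
    r" - ID: (?P<pkt_id>\d+) due to unfinished request (?P<req>\d+)")
UNRESP_RE = re.compile(
    r"Unresponsive child for request (?P<req>\d+), in module (?P<module>\S+)")


def analyse(log_text):
    """Correlate NAS retransmissions with requests the server flagged as stuck.

    'Discarding duplicate request' = the NAS resent a packet the server was
    still working on; 'Unresponsive child' = a worker has sat in a module
    longer than the server tolerates. A request in both lists points at a
    slow backend (here ntlm_auth/AD), not at a misbehaving client."""
    dups_per_client = Counter()
    retries_per_request = Counter()
    stuck = {}                      # request id -> module that stalled
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            dups_per_client[m["client"]] += 1
            retries_per_request[int(m["req"])] += 1
            continue
        m = UNRESP_RE.search(line)
        if m:
            stuck[int(m["req"])] = m["module"]
    return {
        "dups_per_client": dict(dups_per_client),
        "retries_per_request": dict(retries_per_request),
        "stuck": stuck,
        "stuck_and_retried": sorted(set(stuck) & set(retries_per_request)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```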
Re: need help - force EAP-TTLS to validate the server certificate
On 16/09/10 14:35, Klaus Laus wrote:
> ok, this is the debug output:
Re: Error: Discarding duplicate request...
On 16/09/10 15:27, Mike Diggins wrote:
> I am running NTLM_AUTH for mschap authentication with an MS AD at the back end. I suppose that could be the culprit. If so, is upgrading FreeRadius likely to resolve that (not knowing exactly what the problem is)? Anything I could configure at the FreeRadius end to make that work a bit better?

It would be a bit surprising for ntlm_auth to take that long, unless your AD controllers are very heavily loaded or are very distant. It takes ~30 milliseconds to auth a user/challenge pair in our installation.

You could try restarting winbind - maybe it's gone crazy or eaten a load of RAM or something.

If it is ntlm_auth, upgrading FreeRadius probably won't help (unless you take advantage of the SSL session resumption available in later versions to avoid doing some of the auths on re-auth).
Support of Tag 0x00 for Tunnel-Server-Endpoint
Hi,

I'm using FreeRADIUS 2.1.9 as a client to connect to a distant server (not FreeRADIUS). We are facing a problem with the Tunnel-Server-Endpoint attribute: RFC http://www.ietf.org/rfc/rfc2868.txt says for Tunnel-Server-Endpoint:

   Tag
      The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. If the value of the Tag field is greater than 0x00 and less than or equal to 0x1F, it SHOULD be interpreted as indicating which tunnel (of several alternatives) this attribute pertains. If the Tag field is greater than 0x1F, it SHOULD be interpreted as the first byte of the following String field.

So, there is no explicit prohibition of the use of 0x00 as a Tag value. What we see in FreeRADIUS is that this value makes it ignore the value of the attribute.

Is there some other RFC that shows explicitly that the 0x00 tag should lead to this behavior? Is it a FreeRADIUS bug? Any help about where it is managed in the code?

Thanks for help
Re: Support of Tag 0x00 for Tunnel-Server-Endpoint
Naoufel wrote:
> Hi,
>
> I'm using FreeRADIUS 2.1.9 as a client to connect to a distant server (not FreeRADIUS). We are facing a problem with the Tunnel-Server-Endpoint attribute: RFC http://www.ietf.org/rfc/rfc2868.txt says for Tunnel-Server-Endpoint:
> ...
> So, there is no explicit prohibition of the use of 0x00 as a Tag value.

Yup. But who bothers reading the specs? sigh

> What we see in FreeRADIUS is that this value makes it ignore the value of the attribute.

What does that mean?

> Is there some other RFC that shows explicitly that the 0x00 tag should lead to this behavior? Is it a FreeRADIUS bug? Any help about where it is managed in the code?

The tag 0x00 could be treated as no tag. The server does this when sending packets.

Alan DeKok.
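As an added illustration of the RFC 2868 wire rule under discussion (this is not FreeRADIUS code and not Alan's; the endpoint value is constructed), a small Python encoder/decoder for a tagged String attribute such as Tunnel-Server-Endpoint that handles the three Tag cases: 0x01..0x1F selects a tunnel, 0x00 is treated as "no tag" as Alan describes for the sending side, and a byte above 0x1F is kept as the first byte of the String.

```python
TUNNEL_SERVER_ENDPOINT = 67  # RFC 2868 attribute type number


def decode_tagged_string(avp):
    """Decode one RFC 2868 tagged String attribute: Type, Length, Tag, String.

    Returns (attr_type, tag, value). A Tag of 0x01..0x1F selects a tunnel;
    0x00 decodes as 'no tag' (tag None) and the value is still returned
    rather than dropped; a byte above 0x1F is not a tag at all but the first
    byte of the String, so it stays in the value."""
    if len(avp) < 3:
        raise ValueError("attribute too short for a tagged string")
    attr_type, length = avp[0], avp[1]
    if length != len(avp):
        raise ValueError("length field %d does not match %d bytes" % (length, len(avp)))
    tag_byte = avp[2]
    if 0x00 < tag_byte <= 0x1F:
        return attr_type, tag_byte, bytes(avp[3:])
    if tag_byte == 0x00:
        return attr_type, None, bytes(avp[3:])
    return attr_type, None, bytes(avp[2:])   # tag > 0x1F: part of the string


def encode_tagged_string(attr_type, value, tag=None):
    """Build the attribute; tag=None emits 0x00, which decodes as 'no tag'."""
    tag_byte = 0x00 if tag is None else tag
    if not 0x00 <= tag_byte <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    body = bytes([tag_byte]) + value
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a single AVP")
    return bytes([attr_type, len(body) + 2]) + body


if __name__ == "__main__":
    # Constructed sample: endpoint 192.0.2.1, first with tag 1, then tag 0x00.
    for tag in (1, None):
        avp = encode_tagged_string(TUNNEL_SERVER_ENDPOINT, b"192.0.2.1", tag)
        print(avp.hex(), decode_tagged_string(avp))
```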
How to configure proxy server to send a copy of acct to remote/home server
Dear experts,

I configured my FreeRADIUS 2.1.7 server to be a proxy server which will forward the PEAP authentication packets to a remote server. The authentication part works great.

I configured my switch to send accounting information to the proxy server. The proxy server is using MySQL to store the acct info. This part works fine too.

However, I'm requested to also send a copy of the acct info to the remote server... I'm still checking my switch (Cisco) to see if it can send two copies of acct info to two different servers at the same time. However, is it possible to make FreeRADIUS automatically forward a copy to the remote server?

Thanks!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.
Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514
www.guest-tek.com
INTERNET | MEDIA | VOICE

The contents of this email are confidential and intended for the recipient only. If you have received this email in error, please notify us, and destroy all copies.