Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi Ken,

Thanks for the response. On this particular server we have not run any
updates to the software stack, as it is our policy to only update at regular
intervals so that we can catch these things.

I only sent the e-mail to the list after spending the day in freeradius -X
and -Xx to see if I can find out why it is failing.

I wanted to start fresh with a server so I could see at what stage it starts
failing. 

But funnily enough the new server lets me auth against AD using a local
query using radtest and a forced auth method of DEFAULT Auth-Type =
ntlm_auth in the users file.

As soon as I try to auth using my Cisco wireless connection it fails, unable to
find the realm.

That is why I was asking how the docs on the site match up to the latest
conf files, so I can find out where to add the REALM settings so that it
works.

We also have 2 AD trees we connect to but once I get the one working the
other will be easy.

Thanks for the help

Lance


On 15/09/2010 20:38, Kenneth Marshall k...@rice.edu wrote:

 Many times this is caused by a software update to the system.
 To figure out where the problem lies, you will need to follow
 the very well documented procedure for debugging freeradius
 if you do not have logs of what was updated on the system so
 you can rollback the update(s).
 
 Cheers,
 Ken


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi C.J.

Thanks for the tip. We do run our config in Git and it has not changed since it
was configured about 2 months ago; this is what is baffling me.

The Windows servers were not changed (well, that is what the Windows admins have
informed us).

Thanks

Lance

On 15/09/2010 21:10, C.J. Adams-Collier KF7BMP c...@colliertech.org wrote:

I've found keeping config file history using RCS or git to be very useful.
It's saved me a bunch of headaches with bind, apache, sendmail and freeradius.
If you'd like some tips, I'm happy to oblige either on-list or off, depending
on whether the regulars consider it OT.

Cheers,

C.J.




Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi Alan,

Thanks for the response.

We do know about the samba update and it was the first thing I checked when
the system broke. We have about 400 Ubuntu VMs running in our environment
and we have not yet updated our corporate repo with this update as we have
not tested it yet.

I checked the winbindd_privileged directory and it has the correct file
permissions.

I want to add to my original post to the list that this server was not
originally configured by myself, and the original person created a monolithic
radiusd.conf file with all the settings in the one file; this is making it
difficult to match the settings to the docs. Hence my question about how the
docs match to the new conf files.

freeradius -X and -Xx have not highlighted anything suspicious that I
believe is different to what was being logged there before.

The reason for the new server build is so that I can understand how
freeradius works and specifically how it will work with AD as a backend.

I have been able to get the server connecting to AD and authing me against
it as per one of my other posts to the list.

I am just not sure I have done this correctly, as the auth request fails when
I try to connect using my laptop. (We mostly have Macs in this office.)

This is against my new server by the way.

This is what led me to contact the list to see how the docs match the new
config, as I have seen:

=

Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187,
length=205
User-Name = Lance.Haig
Calling-Station-Id = 00-26-08-e8-c9-85
Called-Station-Id = 00-1b-8f-8a-d8-90:LNH
NAS-Port = 13
NAS-IP-Address = 10.0.210.4
NAS-Identifier = FWDWLC
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207002b19001703010020520cb27842380dee8600973e5967661e03fab0689f23a28f27cb
78dce34bfcc5
State = 0x47419e384246876f90468b6b37412030
Message-Authenticator = 0x4bb2d4d267947887f5bcb88b9c8dfbb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Lance.Haig, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.

==


Which leads me to believe that the REALMS config is not working properly.

And I can't find instructions on what to check to make sure this is the case.

Apologies for rambling on a bit.

Lance




Re: a lot of memory inuse

2010-09-16 Thread Alan DeKok
Strong, Mark wrote:
 http://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/ChangeLog
 Yeah, gave that a look, didn't see anything definite (as far as memory leaks
 go).

  Look for the word leak

  Alan DeKok.


Re: problems with dynamic vlan assignment

2010-09-16 Thread Phil Mayers



[ldap]  expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = employee


Two issues; first, as above you're adding the User-Category item from
LDAP into the reply list, but the files syntax doesn't (can't) match
items in the reply list. This:


DEFAULT User-Category == employee

means match all requests with the attribute User-Category == employee in
the *request* items.


Secondly, I think you're running LDAP after files, so even if it could 
match, it would not.


Try something like this in sites-available/inner-tunnel:

authorize {
  ...
  ldap
  if (reply:User-Category == "employee") {
    update reply {
      Tunnel-Private-Group-Id := 1234
    }
  }
  elsif (reply:User-Category == ...) {
  }
  ...
}

Or, modify your ldap.attrmap to put the User-Category into the request 
items (assuming your NAS doesn't need it) then move the files module 
after the ldap one.




Re: Certificates

2010-09-16 Thread Alan DeKok
freerad...@corwyn.net wrote:
 
 
 
 I'm tinkering with my VPN setup using FreeRadius and AD, and getting
 "Not possible to verify the identity of the server". Some googling shows
 that message can be related to certificates.

  Uh... the documentation on setting up EAP describes what you need to
do on the client machine in order for EAP to work.  This involves
putting the CA cert on the PC.

 Some digging through the FreeRadius docs came up with:
   If FreeRADIUS was configured to use OpenSSL, then simply starting
 the server in root in debugging mode should also create test
 certificates, i.e.:
 
 Does this mean that, presuming I never did create certificates, that
 freeradius could function differently in debug mode than when running
 not in debug mode?

  No.

  Alan DeKok.


Re: Connecting the dots.

2010-09-16 Thread Alan DeKok
Lance Haig wrote:
 Thanks for the response On this particular server we have not run any
 updates to the software stack as it is our policy to only update at regular
 intervals so that we can catch these things.

  Well... nothing in the server magically changes its behavior on a
certain day.  *Something* changed.

 As soon as I try to auth using my cisco wirless conection it fails unable to
 find the realm.

  And... what does the debug output say?

 That is why I was asking how the doc's on the site match up to the latest
 conf files. So I can find out where to add the REALM settings so that it
 works.

  The documentation is pretty clear on this, as are the comments in the
configuration files.  It's more efficient to read them than to ask a
question on this list, and wait for an answer.

  Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
 Thanks a lot Alan DeKok. Is there any possibility to permit login only to
 persons with username/password and client certificate?
 All authentication methods work fine on my server, but I'll only permit
 login with username/password and client certificate. Which code do I need to set
 in users/eap.conf?
 TLS works fine on my server and the users can log in with the
 client certificate, but I don't want to allow login without username/password,
 and I also don't want to allow logins with username and password but without client
 certificates.

  Put this into the users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

  This will require client certificates for *all* EAP methods.  If you
want it to be more specific, see man unlang for writing general policies.

  Alan DeKok.

Re: Pre release of 2.1.10

2010-09-16 Thread Jakob Hirsch
Hi,

Alan DeKok, 2010-09-06 13:58:
   It's been a few weeks since the last pre release of 2.1.10.  I've
 put another one up on the web at:

I tried it, mainly to get rid of the random segfaults we get every few
days (bug #35). Unfortunately, last night it crashed on one machine
(after running for about 60h):

 Sep 16 04:07:22 radius64-01b kernel: [24863577.558534] ui-freeradius[20331] 
 general protection ip:7f6627405b0e sp:7fff11594180 error:0 in 
 libfreeradius-radius-2.1.10.so[7f66273ee000+1f000]

backtrace:

 #0  fr_packet_cmp (a=0x7f6618064700, b=0xf6f5bc5f78c00c80) at packet.c:139
 #1  0x7f66273f7a54 in fr_hash_table_find (ht=0x278fa30, 
 data=0x7fff115941e0) at hash.c:191
 #2  0x7f66273f7a99 in fr_hash_table_finddata (ht=0x7f6618064700, 
 data=0xf6f5bc5f78c00c80) at hash.c:484
 #3  0x7f662740572b in fr_packet_list_find (pl=value optimized out, 
 request=0x7f6618064700) at packet.c:583
 #4  0x00427bd9 in received_request (listener=0x2794400, 
 packet=0xf6f5bc5f78c00c80, prequest=0x79, client=0x7f6627408600) at 
 event.c:2822
 #5  0x00415ac6 in auth_socket_recv (listener=0x2794400, 
 pfun=0x7fff11594348, prequest=0x7fff11594340) at listen.c:826
 #6  0x00422e5e in event_socket_handler (xel=value optimized out, 
 fd=value optimized out, ctx=value optimized out) at event.c:3410
 #7  0x7f6627406a16 in fr_event_loop (el=0x2789c00) at event.c:411
 #8  0x0041c322 in main (argc=1, argv=0x80) at radiusd.c:406


Is there anything we can do to help sort this out?


Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

Thanks for your reply.

Here is what I did.

In the ldap.attrmap I put
checkItem   User-Category   eduPersonPrimaryAffiliation

In the users file I did
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

DEFAULT User-Category == student
        Reply-Message = "Your a member of the student Group",
        Tunnel-Private-Group-Id = 902

DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

In the inner-tunnel file I have

authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

I got the following logs:


[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap]  expand: %{Stripped-User-Name} -> doutrele
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)

[ldap]  expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
  [ldap] eduPersonPrimaryAffiliation -> User-Category == employee
  [ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
  [ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033

[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] user doutrele authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
..

Line 166 in my users file is this entry:
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

and I don't match the following entry
DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

and I really don't know why.

On 16/09/2010 09:44, Phil Mayers wrote:



[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = employee


Two issues; first, as above you're adding the User-Category item from
LDAP into the reply list, but the files syntax doesn't (can't) match
items in the reply list. This:

DEFAULT User-Category == employee

means match all requests with the attribute User-Category == employee in
the *request* items.

Secondly, I think you're running LDAP after files, so even if it could
match, it would not.

Try something like this in sites-available/inner-tunnel:

authorize {
  ...
  ldap
  if (reply:User-Category == "employee") {
    update reply {
      Tunnel-Private-Group-Id := 1234
    }
  }
  elsif (reply:User-Category == ...) {
  }
  ...
}

Or, modify your ldap.attrmap to put the User-Category into the request
items (assuming your NAS doesn't need it) then move the files module
after the ldap one.


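Phil's point about check items versus the reply list, and Eric's users file above, as an added model that is not FreeRADIUS code and not from either post: the script mimics how the files module selects entries and merges their reply items, using a constructed copy of Eric's users file. It assumes the documented users-file operator semantics (`=` adds only if absent, `:=` replaces, `+=` appends) and also shows the next thing the file would run into once the employee entry does match: its `= 903` cannot replace the `901` already added by the first DEFAULT.

```python
"""Toy model of users-file (rlm_files) entry selection. Added illustration,
not FreeRADIUS code; it models only what the thread discusses."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file entry: a name, its check items and its reply items."""
    name: str                                   # "DEFAULT" or a specific User-Name
    check: dict = field(default_factory=dict)   # attr -> value, compared with ==
    reply: list = field(default_factory=list)   # (attr, op, value) in file order


def parse_users(text: str) -> list:
    """Parse the subset of users-file syntax the thread uses.

    An unindented line starts an entry ("NAME [Attr == value, ...]");
    indented lines hold comma-separated reply items using =, := or +=.
    Quoted values must not contain commas (enough for this example).
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        items = [s.strip() for s in line.split(",") if s.strip()]
        if not raw[0].isspace():                # new entry with its check items
            name, _, rest = line.partition(" ")
            current = Entry(name)
            for item in [s.strip() for s in rest.split(",") if s.strip()]:
                attr, _, value = item.partition("==")
                current.check[attr.strip()] = value.strip()
            entries.append(current)
            continue
        for item in items:                      # reply items of the current entry
            for op in (":=", "+=", "="):        # longest operators first
                if op in item:
                    attr, _, value = item.partition(op)
                    current.reply.append((attr.strip(), op, value.strip().strip('"')))
                    break
    return entries


def apply_users(entries: list, request: dict, reply: dict) -> list:
    """Select entries the way the files module does and merge their reply items.

    Returns the indices of the matched entries. Check items are compared
    against the *request* list only; an attribute that ldap put into the
    reply list is invisible here. Fall-Through = Yes continues matching.
    """
    matched = []
    for idx, entry in enumerate(entries):
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if any(request.get(a) != v for a, v in entry.check.items()):
            continue
        matched.append(idx)
        fall_through = False
        for attr, op, value in entry.reply:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":                    # set, replacing any existing value
                reply[attr] = [value]
            elif op == "+=":                    # always append
                reply.setdefault(attr, []).append(value)
            elif attr not in reply:             # '=' adds only if absent
                reply[attr] = [value]
        if not fall_through:
            break
    return matched


# Constructed copy of the users file from the thread (operators as posted).
USERS = """\
DEFAULT
\tTunnel-Type := VLAN,
\tTunnel-Medium-Type := IEEE-802,
\tTunnel-Private-Group-Id = 901,
\tFall-Through = Yes

DEFAULT User-Category == employee
\tReply-Message = "Your a member of the employee Group",
\tTunnel-Private-Group-Id = 903
"""
# Same file with ':=' on the employee entry so that it overrides the default.
USERS_OVERRIDE = USERS.replace("Tunnel-Private-Group-Id = 903",
                               "Tunnel-Private-Group-Id := 903")


def vlan_for(users_text: str, request: dict, reply: dict) -> str:
    """Run the users file against one request and return the resulting VLAN."""
    apply_users(parse_users(users_text), request, reply)
    return reply["Tunnel-Private-Group-Id"][0]


if __name__ == "__main__":
    # 1. User-Category only in the reply list (a replyItem in ldap.attrmap):
    #    the employee entry cannot match, so the VLAN stays 901.
    print(vlan_for(USERS, {"User-Name": "doutrele"}, {"User-Category": ["employee"]}))
    # 2. User-Category in the request list: the employee entry matches, but its
    #    '=' does not replace the 901 already added by the first DEFAULT.
    print(vlan_for(USERS, {"User-Name": "doutrele", "User-Category": "employee"}, {}))
    # 3. With ':=' the employee entry overrides and the VLAN becomes 903.
    print(vlan_for(USERS_OVERRIDE, {"User-Name": "doutrele", "User-Category": "employee"}, {}))
```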


connection start and stop infos

2010-09-16 Thread matteo

Hello,
any idea why I don't see any connection start and stop records in the mysql
radacct table (other info is ok) while in
/var/log/radius/radacct/nas-ip-address/detail-date everything is ok?

Thanks a lot.
Matteo





external auth modul

2010-09-16 Thread Krisztian Kuti

Hi!

I would like to auth my users from my own script.

radiusd -X debug

[otp_auth] expand: %{User-Name} -> qtgame
[otp_auth] expand: %{User-Password} -> ?O:J?? ?r
[otp_auth] expand: %{reply:Secret} -> 8bd1f2fc2c2f68bb
[otp_auth] expand: %{reply:Pin} -> 1616
[otp_auth] expand: %{reply:Offset} -> 0

My script doesn't understand this User-Password :( How can I use the cleartext
password?


On the other hand, the ENV variable:
USER_PASSWORD=3!\333$\026\276\362\202\002\2522\231\355\302[\374

How can I create this password from cleartext, or can I decrypt it to cleartext?

QTGame
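Krisztian's question of how the cleartext password is turned into the bytes he sees: an added illustration, not FreeRADIUS code or anything from the thread, of the User-Password hiding in RFC 2865 section 5.2 as done by the NAS and reversed by the server. A shared secret in clients.conf that differs from the one the NAS uses is a frequent reason for the decoded value to look like random bytes; whether that was the cause here the thread does not say. The secret, Request Authenticator and password below are constructed values.

```python
"""RFC 2865 section 5.2 User-Password hiding and its reversal.
Added illustration, not FreeRADIUS code; all values are constructed."""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(cleartext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode cleartext as the NAS does.

    The password is NUL-padded to a multiple of 16 bytes; block i is XORed
    with MD5(secret + previous ciphertext block), where the 'previous block'
    for the first block is the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(cleartext) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = cleartext + b"\x00" * (-len(cleartext) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], key)
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password; the server does this on receipt.

    The chaining uses the previous *ciphertext* block, so a wrong secret
    does not raise an error: every block simply decodes to garbage, which
    is what then shows up in %{User-Password}. Trailing NUL padding is
    stripped from the result.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def looks_like_cleartext(value: bytes) -> bool:
    """Cheap plausibility check: a real password is printable ASCII."""
    return all(0x20 <= b < 0x7F for b in value)


if __name__ == "__main__":
    auth = os.urandom(16)                        # constructed Request Authenticator
    nas_secret = b"testing123"                   # constructed shared secret
    hidden = hide_password(b"s3cret-pw", nas_secret, auth)
    print(unhide_password(hidden, nas_secret, auth))        # b's3cret-pw'
    garbage = unhide_password(hidden, b"wrong-secret", auth)
    print(looks_like_cleartext(garbage))                    # almost certainly False
```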


Re: external auth modul

2010-09-16 Thread Alan DeKok
Krisztian Kuti wrote:
 radiusd -X debug
 
 [otp_auth] expand: %{User-Name} -> qtgame
 [otp_auth] expand: %{User-Password} -> ?O:J?? ?r

  Read the REST of the debug output to see what's going wrong.

  Honestly, the answer to your question is *already* in the debug output.
 All you need to do is to read it.

  Alan DeKok.


Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi Alan,

Thanks for the response; mine are inline.


 
   Well... nothing in the server magically changes it's behavior on a
 certain day.  *Something* changed.

I agree and I am having a hard time finding what.


 
   And... what does the debug output say?

I posted my debug output to the list in another mail but I will add it to
the end of this mail so the two are on the same page, as it were.

 
   The documentation is pretty clear on this, as are the comments in the
 configuration files.  It's more efficient to read them than to ask a
 question on this list, and wait for an answer.
 

I beg to differ.

The documentation does not match the current config file structure and so it
is very difficult for anyone to follow. Your insinuation that I am being
lazy by asking a list for answers would be valid if that was the case.

I do realise you have had to answer many questions on this subject, but I
would recommend a review of the docs to make sure it is easier to follow for
people; then your argument would be valid.

Please do not take this as a flame just someone hoping to find out how to
use a great tool.

Lance






Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

Hi alexander

On 16/09/2010 00:31, Alexander Clouter wrote:


Remember that the 'inner-auth' virtual server is a *unique* instance
to your outer layer so 'User-Category' might be defined but only on the
outside whilst it looks like you are calling 'files' *inside*.

Cheers



Well, I understand what you mean but I have some difficulties translating
that into my configuration file.


Yes, I have in my inner-tunnel file the lines
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

But how can I call it outside?
I'm a bit lost.


Two-Step LDAP authentication?

2010-09-16 Thread Juan Rodríguez

Hi everybody!
I'm a new subscriber of this list. I'm trying to set up a radius server with LDAP
authentication; I've managed to authenticate a user (from a Cisco device),
but my fellows from the Security Department think that we should have a two-step
authentication:
1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
2. A compare request, searching a specific objectclass in the LDAP tree.
So, the idea is the following one: depending on the NAS-IP-Address, not only to
check for a correct password, but to search the uid in an objectclass called
owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.

deviceX is the one with the source NAS-IP-Address. I know how to use unlang
switch statements, configuring different ldap modules in the radius
server, so I can write the basedn I want.

But how can I do step 2?

Thank you and sorry for my english.

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Klaus Laus
   Put this into the users file:
 
 DEFAULT   EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client
certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes
testuser    Cleartext-Password := xxx
            Reply-Message = "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == CSLIP
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == SLIP
        Framed-Protocol = SLIP

Here's the eap.conf file

eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = /etc/ssl
        cadir = /etc/ssl
        private_key_password = xx
        private_key_file = ${certdir}/serverkey.pem
        certificate_file = ${certdir}/servercert.pem
        CA_file = ${cadir}/cacert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        check_crl = no
        CA_path = /etc/ssl
        cipher_list = DEFAULT
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-tunnel
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = inner-tunnel
    }
    mschapv2 {
    }
}


Any ideas what is wrong here? Thanks

 Original message
 Date: Thu, 16 Sep 2010 09:54:28 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 Klaus Laus wrote:
  Thanks a lot Alan DeKok. Is there any possibility to permit login only to
 persons with username/password and client certificate?
  All authentication methods work fine on my server, but I'll only
 permit login with username/password and client certificate. Which code do I need
 to set in users/eap.conf?
  TLS works fine on my server and the users can log in with the
 client certificate, but I don't want to allow login without
 username/password, and I also don't want to allow logins with username and password
 but without
 client certificates.
 
   Put this into the users file:
 
 DEFAULT   EAP-TLS-Require-Client-Cert = yes
 
   This will require client certificates for *all* EAP methods.  If you
 want it to be more specific, see man unlang for writing general
 policies.
 
   Alan DeKok.


Re: Connecting the dots.

2010-09-16 Thread Alan Buxey
Hi,

 would recommend a review of the docs to make sure it is easier to follow for
 people; then your argument would be valid.

Personally I found the docs weak when I first started with FreeRADIUS 0.x, but
have since then learnt everything from the actual config files and the man
pages (and the docs in the tarball itself).

I am horrified that your config was minimised into just one single monolithic
config file. That is actually very bad (I would even say, in this case, bad
practice), as it makes it very difficult to see the new changes and config
options when a new version comes out. If you use the separate modules, virtual
servers etc. then you can simply DIFF them and get to see the goodies. It also
allows you to know what you can enable etc. This is why Apache is moving into
separate module files etc. themselves; people lose view of the possibilities
otherwise.

alan


Re: Connecting the dots.

2010-09-16 Thread Alan DeKok
Lance Haig wrote:
 I posted my debug output to the list in another mail but I will add it to
 the end of this mail so the two are on the same page, as it were.

  What you posted earlier was a *tiny* portion of the debug output.  And
the email I'm replying to contains no debug output.

 The documentation does not match the current config file structure and so it
 is very difficult for anyone to follow. Your insinuation that I am being
 lazy by asking a list for answers would be valid if that was the case.

  The config file structure has changed *only* in layout on the disk.
The files are still included into radiusd.conf, i.e. the config from
1.x will very likely work with 2.x.

 I do realise you have had to answer many questions on this subject, but I
 would recommend a review of the docs to make sure it is easier to follow for
 people; then your argument would be valid.

  Sure.  Send a patch to update the documentation.

  Alan DeKok.


Re: connection start and stop infos

2010-09-16 Thread Alan DeKok
mat...@crs4.it wrote:
 Hello,
 any idea why I don't see any connection start and stop records in the mysql radacct
 table (other info is ok) while in
 /var/log/radius/radacct/nas-ip-address/detail-date everything is ok?

  Run the server in debugging mode to see.

  Alan DeKok.


Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

Well, I think I have found the answer.
I'm not sure if it's the right way to do it.

In the peap section of the eap file I had

use_tunneled_reply = yes


On 16/09/2010 13:22, Eric Doutreleau wrote:

Hi alexander

On 16/09/2010 00:31, Alexander Clouter wrote:


Remember that the 'inner-auth' virtual server is a *unique* instance
to your outer layer so 'User-Category' might be defined but only on the
outside whilst it looks like you are calling 'files' *inside*.

Cheers



Well, I understand what you mean but I have some difficulties translating
that into my configuration file.

Yes, I have in my inner-tunnel file the lines
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

But how can I call it outside?
I'm a bit lost.



Re: connection start and stop infos

2010-09-16 Thread Alan Buxey
Hi,

  Hello,
  any idea why I don't see any connection start and stop records in the mysql radacct
  table (other info is ok) while in
  /var/log/radius/radacct/nas-ip-address/detail-date everything is ok?

Wild stab in the dark here: you have 'detail' enabled in the
accounting {} section of your default server, but haven't enabled sql
in that section.


alan


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
 I did this, but the clients can still log in without any client
 certificate, for example with PEAP or EAP-TTLS. Here is my users file:

  *sigh*  Is it that hard to show the debug output?

 Here's the eap.conf file

  Neither the documentation nor messages on this list ask for the EAP
configuration.

 Any ideas what is wrong here? Thanks

  If you're not going to post the debug output, we have no idea what's
wrong.

  Alan DeKok.


Re: Pre release of 2.1.10

2010-09-16 Thread Alan DeKok
Jakob Hirsch wrote:
 I tried it, mainly to get rid of the random segfaults we get every few
 days (bug #35). Unfortunately, last night it crashed on one machine
 (after running for about 60h):
 
 Sep 16 04:07:22 radius64-01b kernel: [24863577.558534] ui-freeradius[20331] 
 general protection ip:7f6627405b0e sp:7fff11594180 error:0 in 
 libfreeradius-radius-2.1.10.so[7f66273ee000+1f000]
 
 backtrace:
 
 #0  fr_packet_cmp (a=0x7f6618064700, b=0xf6f5bc5f78c00c80) at packet.c:139

  Well... that looks like the same problem.  *sigh*

 Is there anything we can do to help sort this out?

  Run it under 'valgrind --tool=memcheck --leak-check=full radiusd -f'
  It will be slow, but it may help track down the problem.

  Alan DeKok.


How to access proxy-reply:Packet-Type in if condition

2010-09-16 Thread Chidanand
Hi,
I am using FreeRADIUS version 2.1.9.
I am trying to update the proxy-reply message with additional attributes; I want to
do it only if the proxy-reply is Access-Accept. I see %{proxy-reply:Packet-Type}
returns Access-Accept but I am not able to form an if condition; I see the
following error:
Thu Sep 16 12:20:24 2010 : Info: +- entering group post-proxy {...}
Thu Sep 16 12:20:24 2010 : Info: expand: %{proxy-reply:Packet-Type} -> Access-Accept
Thu Sep 16 12:20:24 2010 : Info: ++[proxy-reply] returns noop
Thu Sep 16 12:20:24 2010 : Info: ++? if (proxy-reply:Packet-Type == 
Access-Accept)
Thu Sep 16 12:20:24 2010 : Info: (Attribute proxy-reply:Packet-Type was not 
found)
Thu Sep 16 12:20:24 2010 : Info: [eap] No pre-existing handler found
Thu Sep 16 12:20:24 2010 : Info: ++[eap] returns noop
Thu Sep 16 12:20:24 2010 : Info: Found Auth-Type = Accept
Thu Sep 16 12:20:24 2010 : Info: Auth-Type = Accept, accepting the user
Thu Sep 16 12:20:24 2010 : Info: +- entering group post-auth {...}
Thu Sep 16 12:20:24 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 11 to 192.168.6.181 port 32771
Framed-Protocol = PPP
Service-Type = Framed-User
EAP-Message = 0x030c0004
Class = 0x482404d301370001c0a8073f01cb53194e942c94020f
MS-CHAP-Domain = \001TESTAD
MS-CHAP2-Success = 
0x01533d33374341363935353838313541433741463032344131333733453832463730424238413846433033
MS-MPPE-Send-Key = 
0x6690415a2581f6721c2bd5b7248693f972bd3c750929bb4ab85eccba612b34ee
MS-MPPE-Recv-Key = 
0x2a32a3e3f8e828d049c41b18dc8ef342720afe4de007074eb3c880de24a51ba3
Message-Authenticator = 0x
User-Name = Access-Accept
Thu Sep 16 12:20:24 2010 : Info: Finished request 11.
Thu Sep 16 12:20:24 2010 : Debug: Going to the next request
Thu Sep 16 12:20:24 2010 : Debug: Waking up in 4.8 seconds.

Can we really access proxy-reply:Packet-Type using unlang? Please help me
solve this problem.
Thanks, Chidanand




Re: Two-Step LDAP authentication?

2010-09-16 Thread Alexander Clouter
In article bay154-w6ae2b5874b5015e85e875c0...@phx.gbl you wrote:

 I'm a new subscriber of this list. I'm trying to set up a radius server
 with LDAP authentication; I've managed to authenticate a user (from a
 Cisco device), but my fellows from the Security Department think that we
 should have a two-step authentication:

Ask your security folk for, *today*, a list of people who may only
administer one selection of devices and not the other.  If they
actually do not use the facility then it is a waste of time implementing
it (it is easy enough to implement later on); I get the impression this
is not needed but would be nice if it could be done. :)

Far more appropriate is to configure the switches to all log to a central 
syslog server (so you know who and when someone logged in and out) and 
configure something like RANCID to record the configuration changes.

...anyway, onto the problem.

 1. User/password authentication, searching in 
 cn=users,ou=pepe,ou=jose,c=es

 2. A compare request, searching a specific objectclass in the LDAP 
 tree.

 So, the idea is the following one: depending on the NAS-IP-Address, 
 not only to check for a correct password, but search the uid in an 
 objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
 
 deviceX is the one with the source NAS-IP-Address. I know how to use 
 unlang with switch statements, configuring different ldap modules 
 in the radius server, so I can write the basedn I want.
 
 But how can I do step 2?
 
The easiest approach is to create LDAP groups based on the 
NAS-IP-Address and then test to see if the user is a member of the group 
'%{NAS-IP-Address}'.  Once you create the LDAP groups and make the users 
members of them you can use unlang in your 'authorize' section in a 
manner like:

authorize {
    ...
    ldap

    if (Ldap-Group != "%{NAS-IP-Address}") {
        update reply {
            Reply-Message := "no way kiddo"
        }
        reject
    }
    ...
}

This is off the top of my head but should give you what you are looking 
for; you will see in the output of 'freeradius -X' it doing what you 
roughly need.  The only problem I can see with it is that if you have a 
lot of switches to log into, adding a user to all of those groups 
becomes a really tedious process; this problem could be solved by using 
something like the following instead:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Cheers

-- 
Alexander Clouter
.sigmonster says: I hate quotations.
-- Ralph Waldo Emerson

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problems with dynamic vlan assignment

2010-09-16 Thread Phil Mayers

On 16/09/10 10:16, Eric Doutreleau wrote:

thanks for your reply

here is what I did

in the ldap.attrmap I put
checkItem   User-Category eduPersonPrimaryAffiliation


checkItem means put the attribute into the check/config items list.

Looking at the source code, I see that rlm_ldap can't update the request 
item list.




in the users file I did
DEFAULT
  Tunnel-Type := VLAN,
  Tunnel-Medium-Type := IEEE-802,
  Tunnel-Private-Group-Id = 901,
  Fall-Through = Yes

DEFAULT User-Category == "student"
  Reply-Message = "Your a member of the student Group",
  Tunnel-Private-Group-Id = 902


This means match User-Category in the request items list, which is not 
the list you've put it in.


files syntax cannot do comparisons against check/config or reply 
items, and LDAP can only put items into check/config or reply. You will 
therefore have to use an unlang syntax as per my previous email:


authorize {
  ...
  ldap
  if (control:User-Category == ...) {
...
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau



On 16/09/2010 15:34, Phil Mayers wrote:


Thanks Phil, that's what I will do
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Discarding duplicate request...

2010-09-16 Thread Mike Diggins


I am running NTLM_AUTH for mschap authentication with an MS AD at the back 
end. I suppose that could be the culprit. If so, is upgrading FreeRadius 
likely to resolve that (not knowing exactly what the problem is). Anything 
I could configure at the FreeRadius end to make that work a bit better?


-Mike


On Wed, 15 Sep 2010, Alan Buxey wrote:

2.1.3 is very old now, 2.1.9 is current and has many fixes over that - 
check its changelog... this error message suggests that you've got a 
slow backend somewhere - be that ldap, sql or even a bit of perl


- Reply message -
From: Mike Diggins mike.digg...@mcmaster.ca
Date: Wed, Sep 15, 2010 16:22
Subject: Error: Discarding duplicate request...
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Our students have returned this week, and I've noticed a couple of new
messages logged to my FreeRadius 2.1.3 server. When it happens, my
controllers fail over to the secondary Radius server. This has happened
a few times. My Radius servers are only lightly loaded, and only
configured to do authentication. No databases. Any idea what might be
causing this?

Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 218 due to unfinished request 35236
Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 219 due to unfinished request 35237
Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35239, in module  component
Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35240, in module  component
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245

-Mike




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
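The syslog lines quoted in the thread above, run through an added Python example (not FreeRADIUS code): it counts NAS retransmissions per client and matches them against the "Unresponsive child" warnings, so the stalled request that triggered the controller failover can be identified. The sample lines are reconstructed from the post with the wrapped lines joined.

```python
# Added example, not FreeRADIUS code: correlate "Discarding duplicate request"
# lines with "Unresponsive child" warnings from the radiusd syslog output.
import re
from collections import defaultdict

DUP_RE = re.compile(r"Discarding duplicate request from client (\S+) port \d+ "
                    r"- ID: (\d+) due to unfinished request (\d+)")
UNRESP_RE = re.compile(r"WARNING: Unresponsive child for request (\d+)")


def correlate(lines):
    """Return ({client: {unfinished_request: retransmit_count}}, unresponsive)
    where unresponsive is the set of request numbers the server flagged."""
    dups = defaultdict(lambda: defaultdict(int))
    unresponsive = set()
    for line in lines:
        m = DUP_RE.search(line)
        if m:
            client, req = m.group(1), int(m.group(3))
            dups[client][req] += 1     # the NAS resent the same RADIUS ID
            continue
        m = UNRESP_RE.search(line)
        if m:
            unresponsive.add(int(m.group(1)))
    return {c: dict(r) for c, r in dups.items()}, unresponsive


def stalled_requests(lines):
    """(client, request, retransmits) for requests that were both resent by
    the NAS and flagged unresponsive: the backend (here ntlm_auth against
    AD) did not answer before the NAS retry timer fired."""
    dups, unresponsive = correlate(lines)
    return sorted((client, req, n)
                  for client, reqs in dups.items()
                  for req, n in reqs.items()
                  if req in unresponsive)


# Sample lines reconstructed from the post above (wrapped lines joined).
SAMPLE_LINES = [
    "Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 218 due to unfinished request 35236",
    "Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 219 due to unfinished request 35237",
    "Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239",
    "Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35239, in module  component",
    "Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for request 35240, in module  component",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-7 port 32769 - ID: 173 due to unfinished request 35240",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-7 port 32769 - ID: 173 due to unfinished request 35240",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 220 due to unfinished request 35239",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 221 due to unfinished request 35244",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client wlc-8 port 32769 - ID: 221 due to unfinished request 35244",
    "Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245",
]
```

A request that shows up in both lists is the one worth timing in `freeradius -X`; retransmissions without an unresponsive warning usually just mean the NAS retry timer is shorter than the backend's normal response time.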


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Phil Mayers

On 16/09/10 14:35, Klaus Laus wrote:

ok, this is the debug output:

FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Oct 27 2009 at 
17:05:49
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
 prefix = /usr
 localstatedir = /var
 logdir = /var/log/radius
 libdir = /usr/lib/freeradius
 radacctdir = /var/log/radius/radacct
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = /var/run/radiusd/radiusd.pid
 checkrad = /usr/sbin/checkrad
 debug_level = 0
 proxy_requests = yes
  log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
  }
  security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
  }
}
radiusd:  Loading Realms and Home Servers 
  proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
  }
  home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = auth
 secret = testing123
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = no
 zombie_period = 40
 status_check = status-server
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
  }
  home_server_pool my_auth_failover {
 type = fail-over
 

Re: Error: Discarding duplicate request...

2010-09-16 Thread Phil Mayers

On 16/09/10 15:27, Mike Diggins wrote:


I am running NTLM_AUTH for mschap authentication with an MS AD at the back
end. I suppose that could be the culprit. If so, is upgrading FreeRadius
likely to resolve that (not knowing exactly what the problem is). Anything
I could configure at the FreeRadius end to make that work a bit better?


It would be a bit surprising for ntlm_auth to take that long, unless 
your AD controllers are very heavily loaded or are very distant. It 
takes ~30 milliseconds to auth a user/challenge pair in our installation.


You could try restarting winbind - maybe it's gone crazy or eaten a load 
of RAM or something.


If it is ntlm_auth, upgrading FreeRadius probably won't help (unless you 
take advantage of the SSL session resumption available in later versions 
to avoid doing some of the auths on re-auth).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Support of Tag 0x00 for Tunnel-Server-Endpoint

2010-09-16 Thread Naoufel

Hi,

I'm using FreeRADIUS 2.1.9 as a client to connect to a distant server (not 
freeradius). 
We are facing a problem for the Tunnel-Server-Endpoint attribute:

RFC http://www.ietf.org/rfc/rfc2868.txt indicates for Tunnel-Server-Endpoint:

   Tag
  The Tag field is one octet in length and is intended to provide a
  means of grouping attributes in the same packet which refer to the
  same tunnel.  If the value of the Tag field is greater than 0x00
  and less than or equal to 0x1F, it SHOULD be interpreted as
  indicating which tunnel (of several alternatives) this attribute
  pertains.  If the Tag field is greater than 0x1F, it SHOULD be
  interpreted as the first byte of the following String field.

So, there is no explicit prohibition of the use of 0x00 as a Tag value.

What we see in freeradius is that this value makes it ignore the value of the 
attribute.

Are there other RFCs that show explicitly that the 0x00 tag should lead to 
this behavior?
Is it a freeradius bug?
Any help about where it is managed in the code?

Thanks for the help

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Support of Tag 0x00 for Tunnel-Server-Endpoint

2010-09-16 Thread Alan DeKok
Naoufel wrote:
 Hi,
 
 I'm using FreeRADIUS 2.1.9 as a client to connect to a distant server (not 
 freeradius). 
 We are facing a problem for the Tunnel-Server-Endpoint attribute:
 
 RFC http://www.ietf.org/rfc/rfc2868.txt indicates for Tunnel-Server-Endpoint:
...
 So, there is no explicit prohibition of the use of 0x00 as a Tag value.

  Yup.  But who bothers reading the specs?  sigh

 What we see in freeradius is that this value makes it ignore the value of 
 the attribute.

  What does that mean?

 Are there other RFCs that show explicitly that the 0x00 tag should lead 
 to this behavior?
 Is it a freeradius bug?
 Any help about where it is managed in the code?

  The tag 0x00 could be treated as no tag.  The server does this when
sending packets.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
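The RFC 2868 Tag rules quoted in the question above, and the reading in the reply that a tag of 0x00 can be treated as no tag, as an added Python example (not FreeRADIUS code): it decodes and encodes a Tunnel-Server-Endpoint TLV, reporting 0x00 as untagged instead of discarding the attribute. Attribute type 67 is the value RFC 2868 assigns to Tunnel-Server-Endpoint; the attribute bytes are constructed for illustration.

```python
# Added example, not FreeRADIUS code: decode and encode the Tag field of an
# RFC 2868 tagged String attribute (Tunnel-Server-Endpoint, type 67), treating
# a tag of 0x00 as "no tag" as the reply above suggests.

TUNNEL_SERVER_ENDPOINT = 67   # attribute type assigned by RFC 2868


def decode_tagged_string(tlv):
    """Return (type, tag, value) for one RADIUS attribute TLV (bytes).

    RFC 2868: a first octet in 0x01..0x1F is a tag; 0x20 and above is the
    first byte of the String. 0x00 is not excluded by the RFC, so report it
    as tag None (untagged), drop the octet, and keep the attribute."""
    if len(tlv) < 3 or tlv[1] != len(tlv):
        raise ValueError("bad attribute length")
    attr_type, body = tlv[0], tlv[2:]
    first = body[0]
    if 0x01 <= first <= 0x1F:
        return attr_type, first, body[1:]      # explicit tunnel tag
    if first == 0x00:
        return attr_type, None, body[1:]       # tag octet present, no tag
    return attr_type, None, body               # no tag octet at all


def encode_tagged_string(attr_type, value, tag=None):
    """Build the TLV. tag=None emits no tag octet (what the reply says the
    server does when sending); a value whose first byte is below 0x20 would
    then be misread as a tag on receipt, so refuse to encode it that way."""
    if tag is None:
        if value and value[0] < 0x20:
            raise ValueError("untagged value would be parsed as a tag")
        body = value
    elif 0x01 <= tag <= 0x1F:
        body = bytes([tag]) + value
    else:
        raise ValueError("tag must be in 0x01..0x1F")
    return bytes([attr_type, 2 + len(body)]) + body


def iter_attributes(blob):
    """Yield each TLV from a RADIUS attribute list, checking lengths."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob) or blob[off + 1] < 2 or off + blob[off + 1] > len(blob):
            raise ValueError("truncated or malformed attribute at offset %d" % off)
        yield blob[off:off + blob[off + 1]]
        off += blob[off + 1]


def tunnel_endpoints(blob):
    """List (tag, endpoint) pairs for every Tunnel-Server-Endpoint present."""
    out = []
    for tlv in iter_attributes(blob):
        if tlv[0] == TUNNEL_SERVER_ENDPOINT:
            _, tag, value = decode_tagged_string(tlv)
            out.append((tag, value.decode("ascii")))
    return out


# Constructed sample: tagged (0x01), zero-tagged (0x00) and untagged endpoints.
SAMPLE_TAG1 = bytes([67, 11, 0x01]) + b"10.0.0.1"
SAMPLE_TAG0 = bytes([67, 11, 0x00]) + b"10.0.0.2"
SAMPLE_NOTAG = bytes([67, 10]) + b"10.0.0.3"
```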


How to configure proxy server to send a copy of acct to remote/home server

2010-09-16 Thread Difan Zhao
Dear experts,

I configured my FreeRADIUS 2.1.7 server to be a proxy server which will
forward the PEAP authentication packages to a remote server. The
authentication part works great.

I configured my switch to send accounting information to the proxy
server. The proxy server is using MySQL to store the acct info. This
part works fine too.

However I'm requested to also send a copy of the acct info to the remote
server... 

I'm still checking my switch (Cisco) to see if it can send two copies
of acct info to two different servers at the same time. However, is it
possible to make FreeRadius automatically forward a copy to the
remote server?

Thanks!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc. 

Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514

www.guest-tek.com

INTERNET  |  MEDIA  |  VOICE

The contents of this email are confidential and intended for the
recipient only. If you have received this email in error, please notify
us, and destroy all copies.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html