Re: Voip database
Thank you @Johan Meiring for that. It is not my intention to spam the group by asking the same question again and again. Believe me that I have done everything that you said (I changed the secret on the NAS and on the radius and I restarted both, ...). So please help me out with this problem.

I can see that the secret is wrong. But why? The first request goes through:

  +- entering group PAP {...}
  [pap] login attempt with password 1122
  [pap] Using clear text password 1122
  [pap] User authenticated successfully

But the second one is rejected due to a wrong secret:

  User-Name = 081609000
  User-Password = \257+\360\350
  [pap] login attempt with password ¯+ðè
  [pap] Using clear text password 1122
  [pap] Passwords don't match

So this is what I am asking: how can the secret be right for the first request and wrong for the second? Could the different encryption (that the NAS is sending) be causing the problem?

I have also looked at the AVP pairs that freeradius is sending to the NAS. If I look at the AVP pairs which are sent from our radius (Ibill solution) to the NAS, I see that freeradius is not sending all AVP pairs. Could this be the cause of the problem?

I am really grateful for your help!

miha

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
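The two debug traces above are what a shared-secret mismatch looks like on the wire: the hidden User-Password decodes to garbage, so the server can only report "Passwords don't match". The following Python is an added example (not FreeRADIUS code and not from this thread) that implements the RFC 2865 User-Password hiding and the RFC 3579 Message-Authenticator, showing both the garbage a wrong secret produces and how the HMAC lets a server flag the mismatch explicitly; the secret 1122 and user 081609000 come from the thread, the wrong secret and the Request Authenticator are constructed.

```python
"""Why a shared-secret mismatch shows up as a garbled User-Password.

Example code, not FreeRADIUS's.  RFC 2865 5.2 hides User-Password by XORing
it with MD5(secret + Request Authenticator), so a server holding the wrong
secret cannot tell "wrong secret" from "wrong password": it decodes garbage.
A Message-Authenticator (RFC 3579 3.2, HMAC-MD5 over the packet) makes the
mismatch detectable.  Secrets and the authenticator below are constructed.
"""
import hashlib
import hmac
import struct

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def _rfc2865_xor(secret, authenticator, data, decrypt):
    """Apply the RFC 2865 5.2 keystream block by block (16 octets each)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = block if decrypt else result   # chain on the *cipher* block
    return out


def encode_user_password(password, secret, authenticator):
    """Hide a PAP password the way a NAS does before sending Access-Request."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16          # RFC 2865: at least one block
    return _rfc2865_xor(secret, authenticator, padded, decrypt=False)


def decode_user_password(hidden, secret, authenticator):
    """Server side: recover the password; garbage if `secret` is not the NAS's."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    return _rfc2865_xor(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, authenticator, attrs, sign_secret=None):
    """Encode a code-1 packet; with `sign_secret`, append a Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign_secret is not None:
        # 16 zero octets as placeholder; the HMAC is computed with it in place
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    if sign_secret is not None:
        packet = packet[:-16] + hmac.new(sign_secret, packet, hashlib.md5).digest()
    return packet


def iter_attributes(packet):
    """Yield (type, value_offset, value) for each AVP, rejecting bad lengths."""
    total = struct.unpack("!H", packet[2:4])[0]
    if total < 20 or total > len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos < total:
        if pos + 2 > total or packet[pos + 1] < 2 or pos + packet[pos + 1] > total:
            raise ValueError("bad attribute length")
        length = packet[pos + 1]
        yield packet[pos], pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """True/False when the attribute is present, None when absent (nothing to check)."""
    for t, off, value in iter_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return None


def server_view(packet, secret):
    """What a server configured with `secret` decodes from the request."""
    view = {"message_authenticator_ok": verify_message_authenticator(packet, secret)}
    for t, _off, value in iter_attributes(packet):
        if t == ATTR_USER_NAME:
            view["user_name"] = value
        elif t == ATTR_USER_PASSWORD:
            view["password"] = decode_user_password(value, secret, packet[4:20])
    return view


# Constructed values: the thread's NAS uses secret 1122 and PAP password 1122.
NAS_SECRET = b"1122"
WRONG_SECRET = b"1123"                 # a mistyped server-side secret (constructed)
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # would be random


def sample_request(signed):
    """Access-Request for user 081609000 as the NAS would send it."""
    attrs = [(ATTR_USER_NAME, b"081609000"),
             (ATTR_USER_PASSWORD, encode_user_password(b"1122", NAS_SECRET, REQUEST_AUTH))]
    return build_access_request(7, REQUEST_AUTH, attrs, NAS_SECRET if signed else None)


if __name__ == "__main__":
    for signed in (False, True):
        pkt = sample_request(signed)
        print("signed" if signed else "unsigned", "right secret:", server_view(pkt, NAS_SECRET))
        print("signed" if signed else "unsigned", "wrong secret:", server_view(pkt, WRONG_SECRET))
```

Without a Message-Authenticator the wrong-secret case yields only an unreadable password, which is the symptom in the debug output above; with it, the HMAC check fails and the mismatch is named directly.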
Re: Voip database
On 2010/12/21 10:01 AM, miha- wrote:
> Thank you @Johan Meiring for that. It is not my intention to spam the group by asking the same question again and again. Believe me that I have done everything that you said (I changed the secret on the NAS and on the radius and I restarted both, ...). So please help me out with this problem.
>
> I can see that the secret is wrong. But why? The first request goes through:
>
>   +- entering group PAP {...}
>   [pap] login attempt with password 1122
>   [pap] Using clear text password 1122
>   [pap] User authenticated successfully
>
> But the second one is rejected due to a wrong secret:
>
>   User-Name = 081609000
>   User-Password = \257+\360\350
>   [pap] login attempt with password ¯+ðè
>   [pap] Using clear text password 1122
>   [pap] Passwords don't match
>
> So this is what I am asking: how can the secret be right for the first request and wrong for the second? Could the different encryption (that the NAS is sending) be causing the problem?

Answer the following:

1) What is the NAS's IP?
2) Post the section in clients.conf defining the NAS
3) Post the NAS config.

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Voip database
1. My IP is 1.2.3.4 (I will not post the right one for security reasons)

2. Configuration on the NAS:

  ##- Activate RADIUS connection
  setProperty com.centile.connectors.aaa.watchdog.enable false
  setProperty com.centile.connectors.aaa radius
  setProperty com.centile.connectors.aaa.localserv intraswitch
  setProperty com.centile.connectors.aaa.localpass 1122
  setProperty com.centile.connectors.aaa.remotserv 1.2.3.5     (ip of freeradius)
  setProperty com.centile.connectors.aaa.remotport 1812
  setProperty com.centile.connectors.aaa.calltype any

3. clients.conf:

  client 1.2.3.4 {        # ip nas
      secret = 1122
      shortname = intraswitch
      nastype = cisco
      # require_message_authenticator = no
  }

Thanks
Re: Voip database
miha- wrote:
>   ##- Activate RADIUS connection
>   setProperty com.centile.connectors.aaa.watchdog.enable false
>   setProperty com.centile.connectors.aaa radius
>   setProperty com.centile.connectors.aaa.localserv intraswitch
>   setProperty com.centile.connectors.aaa.localpass 1122
>   setProperty com.centile.connectors.aaa.remotserv 1.2.3.5     (ip of freeradius)
>   setProperty com.centile.connectors.aaa.remotport 1812
>   setProperty com.centile.connectors.aaa.calltype any

Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem. FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc.

Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions.

Alan DeKok.
Re: FreeRADIUS exiting with Signal 11 on FreeBSD
Danial wrote:
> Here's the full output from gdb:
> ...
>   #4 0x0806c852 in rad_assert_fail (file=Could not find the frame base for rad_assert_fail.) at util.c:365
>   #5 0x0806af44 in request_dequeue (request=0x28542b7c, fun=0xbf9fef8c) at threads.c:412

Ugh. Something is free'ing the request when it's still queued. This *only* can happen when the request is in the queue for more than 30s.

So... why is your server so slow? Fix that, and the problem won't be fixed, but it *will* go away.

I can take a look at the code, but this is a very odd edge case, and hard to track down/fix.

Alan DeKok.
RE: Voip database
Believe me that I am asking the centile people too. And to let you know, I had begun asking centile.com before I made my first post on this forum.

thanks!

> Date: Tue, 21 Dec 2010 09:44:47 +0100
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Voip database
>
> miha- wrote:
>>   ##- Activate RADIUS connection
>>   setProperty com.centile.connectors.aaa.watchdog.enable false
>>   setProperty com.centile.connectors.aaa radius
>>   setProperty com.centile.connectors.aaa.localserv intraswitch
>>   setProperty com.centile.connectors.aaa.localpass 1122
>>   setProperty com.centile.connectors.aaa.remotserv 1.2.3.5     (ip of freeradius)
>>   setProperty com.centile.connectors.aaa.remotport 1812
>>   setProperty com.centile.connectors.aaa.calltype any
>
> Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem. FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc.
>
> Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions.
>
> Alan DeKok.
Re: Voip database
Miha Zoubek wrote:
> Believe me that I am asking the centile people too. And to let you know, I had begun asking centile.com before I made my first post on this forum.

OK, that's better.

But FreeRADIUS works. It really does. Try it with ntradping on another machine. The *only* issues are with the centile.com NAS.

Alan DeKok.
Re: Voip database
On 2010/12/21 10:26 AM, miha- wrote:
>   ##- Activate RADIUS connection
>   setProperty com.centile.connectors.aaa.watchdog.enable false
>   setProperty com.centile.connectors.aaa radius
>   setProperty com.centile.connectors.aaa.localserv intraswitch
>   setProperty com.centile.connectors.aaa.localpass 1122
>   setProperty com.centile.connectors.aaa.remotserv 1.2.3.5     (ip of freeradius)
>   setProperty com.centile.connectors.aaa.remotport 1812
>   setProperty com.centile.connectors.aaa.calltype any

I know nothing of centile. Alan is right that you need to ask them.

But my logic says that you need a line similar to the following on your centile NAS:

  setProperty com.centile.connectors.aaa.remotepass 1122
                                         ^^

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Use Event-Timestamp for Accounting Start/Stop with MySQL
Juri Glaß wrote:
> I would like to write the Event-Timestamp from Accounting Start/Stop messages to my MySQL database instead of the server side time. I tried to configure dialup.conf, but it doesn't work properly. I replaced %S with %{Event-Timestamp}; the result is 0000-00-00 00:00:00 in the database, and the log file says:
>
>   expand: UPDATE radacct SET acctstoptime = '%{Event-Timestamp}', ** snip **
>      -> UPDATE radacct SET acctstoptime = 'Dec 21 2010 10:02:30 CET' ** snip **

i.e. the Event-Timestamp is not in an SQL format. That's why the %S variable exists.

> When I use something like DATE_FORMAT(date,format) from MySQL, the format string is somehow expanded. FROM_UNIXTIME isn't working either. I understand that unix timestamps are printed as strings like 'Dec 21 2010 10:02:30 CET', but only for logging or for the sql statements too?

For everything, unfortunately. They cannot currently be printed as 32-bit integers. Maybe in 2.1.11.

Alan DeKok.
Re: Verify certificate - mac mapping in openldap..
Christ Schlacta wrote:
> so I've done some research, looking at how freeradius works now. it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when lain authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as disabled.

That can be done.

> I need advice on just what information needs to be stored in openldap, MAC addresses? and just which changes need to be made to freeradius.

You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups?

The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.

> I've done a little independent research, and I think I can use a definition for a host as a device with a cn, and an ieee802Device with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius?

See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names. If you want a *different* kind of grouping, you'll have to create it yourself.

> will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address?

Databases. SQL, LDAP, whatever. This isn't a RADIUS issue:

Q: given X, how do I look up Y?
A: put X and Y into a DB, and write a DB query to use X to look up Y.

> and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?

Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't.

Alan DeKok.
FW: Huntgroups question.
Ok, I'll try to clarify the question. Does anybody know why in huntgroups this match works:

  XXX    NAS-IP-Address == X.Y.Z.W

or

  XXX    NAS-IP-Address == X.Y.Z.W, NAS-Port-Id == 1:33

But not this one:

  XXX    NAS-IP-Address==X.Y.Z.W, NAS-Port=1033, NAS-Port=1038

Thanks.

P.S.: Merry Christmas
Re: PEAP/EAP-GTC proxy?
mgmitch wrote:
> OK, upgraded to 2.1.10 as suggested. Thanks. However, I have a different issue now -- seems that the passcode is not being proxied over to the home server. I only see a username, nas IP address and proxy state being proxied in the access-request packet but no user-password.

IIRC, the EAP module doesn't support re-writing EAP-GTC to User-Password when proxying.

> Also get a segmentation fault after the authentication is rejected.

Ugh. See doc/bugs for details.

Alan DeKok.
Re: Use Event-Timestamp for Accounting Start/Stop with MySQL
On Tue, Dec 21, 2010 at 11:26 AM, Alan DeKok al...@deployingradius.com wrote:
> Juri Glaß wrote:
>> I would like to write the Event-Timestamp from Accounting Start/Stop messages to my MySQL database instead of the server side time. I tried to configure dialup.conf, but it doesn't work properly. I replaced %S with %{Event-Timestamp}; the result is 0000-00-00 00:00:00 in the database, and the log file says:
>>
>>   expand: UPDATE radacct SET acctstoptime = '%{Event-Timestamp}', ** snip **
>>      -> UPDATE radacct SET acctstoptime = 'Dec 21 2010 10:02:30 CET' ** snip **
>
> i.e. the Event-Timestamp is not in an SQL format. That's why the %S variable exists.
>
>> When I use something like DATE_FORMAT(date,format) from MySQL, the format string is somehow expanded. FROM_UNIXTIME isn't working either. I understand that unix timestamps are printed as strings like 'Dec 21 2010 10:02:30 CET', but only for logging or for the sql statements too?
>
> For everything, unfortunately. They cannot currently be printed as 32-bit integers. Maybe in 2.1.11.

2.1.10 allows you to use {%Event-Timestamp#} to get date type attributes printed in numeric format. It doesn't seem to be documented, but it's in the code.

Eddie
Re: Voip database
On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> Believe me that I am asking the centile people too. And to let you know, I had begun asking centile.com before I made my first post on this forum.

I noticed from your earlier debug output that the NAS is sending different attributes.

The working one (I selected some attributes only):

  NAS-Identifier = intraswitch
  NAS-IP-Address = 1.2.3.4
  3GPP2-Prepaid-acct-Capability = 0x01060002
  3GPP2-Session-Termination-Capability = 1
  h323-conf-id = h323-conf-id=1292574457509
  Vendor-Specific = 0x0009

the non-working one:

  Called-Station-Id = 38651357952
  Cisco-AVPair = h323-called-enterprise-id=External
  h323-remote-address = h323-remote-address=unknown
  Acct-Session-Id = 129257445750920
  h323-conf-id = h323-conf-id=1292574457509
  h323-incoming-conf-id = h323-incoming-conf-id=1292574457509
  3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002
  Acct-Status-Type = One-Time
  Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96

why is that? It almost seems like the request was made from two different NAS. In your question to the centile people, it might help to also ask whether the device has more than one radius config section.

-- 
Fajar
RE: Voip database
Thank you very much for your help!!! I will ask them that, and I will report back!

Thanks guys!

miha

> Date: Tue, 21 Dec 2010 18:11:21 +0700
> Subject: Re: Voip database
> From: w...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
>> Believe me that I am asking the centile people too. And to let you know, I had begun asking centile.com before I made my first post on this forum.
>
> I noticed from your earlier debug output that the NAS is sending different attributes.
>
> The working one (I selected some attributes only):
>
>   NAS-Identifier = intraswitch
>   NAS-IP-Address = 1.2.3.4
>   3GPP2-Prepaid-acct-Capability = 0x01060002
>   3GPP2-Session-Termination-Capability = 1
>   h323-conf-id = h323-conf-id=1292574457509
>   Vendor-Specific = 0x0009
>
> the non-working one:
>
>   Called-Station-Id = 38651357952
>   Cisco-AVPair = h323-called-enterprise-id=External
>   h323-remote-address = h323-remote-address=unknown
>   Acct-Session-Id = 129257445750920
>   h323-conf-id = h323-conf-id=1292574457509
>   h323-incoming-conf-id = h323-incoming-conf-id=1292574457509
>   3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002
>   Acct-Status-Type = One-Time
>   Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96
>
> why is that? It almost seems like the request was made from two different NAS. In your question to the centile people, it might help to also ask whether the device has more than one radius config section.
>
> -- 
> Fajar
Re: Use Event-Timestamp for Accounting Start/Stop with MySQL
Eddie Stassen wrote:
> 2.1.10 allows you to use {%Event-Timestamp#} to get date type attributes printed in numeric format. It doesn't seem to be documented, but it's in the code.

$ man unlang

It's there. There's enough stuff in the server that I'm starting to forget what it can do.

Alan DeKok.
Re: Use Event-Timestamp for Accounting Start/Stop with MySQL
On Tue, Dec 21, 2010 at 3:28 PM, Alan DeKok al...@deployingradius.com wrote:
> Eddie Stassen wrote:
>> 2.1.10 allows you to use {%Event-Timestamp#} to get date type attributes printed in numeric format. It doesn't seem to be documented, but it's in the code.
>
> $ man unlang
>
> It's there.

Thanks, I was looking at the web man page at http://freeradius.org/radiusd/man/unlang.html, which I now notice is not quite up to date.

> There's enough stuff in the server that I'm starting to forget what it can do.

That's one of the best parts of programming: looking over your old code and finding all the awesome stuff you did and already forgot about ;-)

> Alan DeKok.
tolower seems to result in unneeded reject of mac address, or I am using it wrong
Hi all,

I am not very used to working with freeradius unfortunately, and I am using the Mac Auth solution (http://wiki.freeradius.org/Mac-Auth) as described on your website; other than the case sensitivity it was working correctly. I was looking for a way to change the Calling-Station-Id to lowercase, or to make the comparison case insensitive, as some of our switches return mac addresses in uppercase, others in lowercase. Then I discovered a brand new function tolower had been added to the 2.1.10 version of freeradius and we were still at 2.1.8. So after an update I could run freeradius with the added function without errors. Unfortunately it seems not to work correctly. Now, if a known mac address is authorized, it is rejected:

  [authorized_macs] expand: %{Calling-Station-ID} -> 00-17-42-1C-44-68
  [authorized_macs] expand: %{tolower:%{Calling-Station-ID}} -> 00-17-42-1c-44-68
  ++[authorized_macs.authorize] returns noop

00-17-42-1c-44-68 does actually exist in the authorized_macs file. This used to return a match and ok when the calling station id was matched, case sensitive.

Unfortunately I do not have permission from my superiors to utilize a MySQL database yet (which would solve all of this), so I am stuck with the files for now.

Can any of you see what I am doing wrong?

modules/files:

  files authorized_macs {
      # The default key attribute to use for matches. The content
      # of this attribute is used to match the name of the
      # entry.
      key = %{tolower:%{Calling-Station-ID}}

      usersfile = ${confdir}/authorized_macs

      # If you want to use the old Cistron 'users' file
      # with FreeRADIUS, you should change the next line
      # to 'compat = cistron'. You can then copy your 'users'
      # file from Cistron.
      compat = no
  }

sites-available/default:

  post-auth {
      # output suppressed
      if (control:Auth-Type == 'CSID') {
          # Authorization happens here
          # %{Calling-Station-ID} = %{tolower:%{Calling-Station-ID}}
          # here the function does not work (like this)
          authorized_phones.authorize
          if (!ok) {
              authorized_printers.authorize
              if (!ok) {
                  authorized_macs.authorize
                  if (notfound) {
                      # notfound construction used to overcome false rejects
                      reject
                  }
                  else {
                      update reply {
                          Cisco-AVPair = "tunnel-type=vlan"
                          Cisco-AVPair = "tunnel-medium-type=802"
                          Cisco-AVPair = "tunnel-private-group-id=4"
                      }
                  }
              }
              else {
                  update reply {
                      Cisco-AVPair = "tunnel-type=vlan"
                      Cisco-AVPair = "tunnel-medium-type=802"
                      Cisco-AVPair = "tunnel-private-group-id=1"
                  }
              }
          }
          else {
              update reply {
                  Cisco-AVPair = "device-traffic-class=voice"
              }
          }
      }
  }

Chris Schaatsbergen

-- 
aleo solar Deutschland GmbH
Chris Schaatsbergen
IT Projekte / IT Projects
chris.schaatsber...@aleo-solar.de
http://www.aleo-solar.de
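The underlying problem in the post above is that the files module compares its key literally, so 00-17-42-1C-44-68 from one switch never matches the 00-17-42-1c-44-68 entry in authorized_macs. As an added example (not the wiki's or the poster's code), the Python below canonicalises the common NAS spellings of a MAC before the lookup, going one step beyond %{tolower:...}, which fixes case only; the sample authorized_macs file is constructed.

```python
"""Case- and format-insensitive Calling-Station-Id lookup for MAC auth.

Example code added here; it is not FreeRADIUS's or the Mac-Auth wiki's.
It canonicalises the spellings different switches use for a MAC address
(00-17-42-1C-44-68, 00:17:42:1c:44:68, 0017.421c.4468, 0017421c4468)
to the xx-xx-xx-xx-xx-xx form used as the authorized_macs key.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_SEPARATORS = re.compile(r"[-:.\s]")


def normalize_mac(calling_station_id):
    """Return the MAC in the authorized_macs key form, or raise ValueError.

    Everything that is not 12 hex digits after stripping separators is
    rejected rather than silently passed through to the lookup.
    """
    digits = _SEPARATORS.sub("", calling_station_id.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % (calling_station_id,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_authorized_macs(text):
    """Collect the key column of a users-style file into a set of canonical MACs.

    In the users-file format the key starts a line in column 0; indented
    lines are reply items and '#' lines are comments, so both are skipped.
    """
    keys = set()
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        keys.add(normalize_mac(line.split()[0]))
    return keys


def authorize(calling_station_id, authorized):
    """Mirror the module's return codes: 'ok' if listed, 'notfound' if not,
    and 'invalid' when the attribute is not a MAC address at all."""
    try:
        key = normalize_mac(calling_station_id)
    except ValueError:
        return "invalid"
    return "ok" if key in authorized else "notfound"


# Constructed sample authorized_macs, mixing the spellings different switches use.
SAMPLE_AUTHORIZED_MACS = """\
# constructed sample; layout follows the users file
00-17-42-1c-44-68
        Reply-Message = "known laptop"
00:1A:2B:3C:4D:5E
        Reply-Message = "printer"
"""
AUTHORIZED = load_authorized_macs(SAMPLE_AUTHORIZED_MACS)

if __name__ == "__main__":
    for csid in ("00-17-42-1C-44-68", "0017.421c.4468", "00-1a-2b-3c-4d-5e",
                 "00-17-42-1C-44-69", "not-a-mac"):
        print(csid, "->", authorize(csid, AUTHORIZED))
```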
Re: tolower seems to result in unneeded reject of mac address, or I am using it wrong
Hi again all,

Sorry, stupid me.

Not

  key = %{tolower:%{Calling-Station-ID}}

But

  key = %{tolower:%{Calling-Station-ID}}

Now it works again properly.

Apologies,

Chris Schaatsbergen

> From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On behalf of Schaatsbergen, Chris
> Sent: Tuesday, 21 December 2010 15:01
> To: freeradius-users@lists.freeradius.org
> Subject: tolower seems to result in unneeded reject of mac address, or I am using it wrong
>
> Hi all,
>
> I am not very used to working with freeradius unfortunately, and I am using the Mac Auth solution (http://wiki.freeradius.org/Mac-Auth) as described on your website; other than the case sensitivity it was working correctly. I was looking for a way to change the Calling-Station-Id to lowercase, or to make the comparison case insensitive, as some of our switches return mac addresses in uppercase, others in lowercase. Then I discovered a brand new function tolower had been added to the 2.1.10 version of freeradius and we were still at 2.1.8. So after an update I could run freeradius with the added function without errors. Unfortunately it seems not to work correctly. Now, if a known mac address is authorized, it is rejected:
>
>   [authorized_macs] expand: %{Calling-Station-ID} -> 00-17-42-1C-44-68
>   [authorized_macs] expand: %{tolower:%{Calling-Station-ID}} -> 00-17-42-1c-44-68
>   ++[authorized_macs.authorize] returns noop
>
> 00-17-42-1c-44-68 does actually exist in the authorized_macs file. This used to return a match and ok when the calling station id was matched, case sensitive.
>
> Unfortunately I do not have permission from my superiors to utilize a MySQL database yet (which would solve all of this), so I am stuck with the files for now.
>
> Can any of you see what I am doing wrong?
>
> modules/files:
>
>   files authorized_macs {
>       # The default key attribute to use for matches. The content
>       # of this attribute is used to match the name of the
>       # entry.
>       key = %{tolower:%{Calling-Station-ID}}
>
>       usersfile = ${confdir}/authorized_macs
>
>       # If you want to use the old Cistron 'users' file
>       # with FreeRADIUS, you should change the next line
>       # to 'compat = cistron'. You can then copy your 'users'
>       # file from Cistron.
>       compat = no
>   }
>
> sites-available/default:
>
>   post-auth {
>       # output suppressed
>       if (control:Auth-Type == 'CSID') {
>           # Authorization happens here
>           # %{Calling-Station-ID} = %{tolower:%{Calling-Station-ID}}
>           # here the function does not work (like this)
>           authorized_phones.authorize
>           if (!ok) {
>               authorized_printers.authorize
>               if (!ok) {
>                   authorized_macs.authorize
>                   if (notfound) {
>                       # notfound construction used to overcome false rejects
>                       reject
>                   }
>                   else {
>                       update reply {
>                           Cisco-AVPair = "tunnel-type=vlan"
>                           Cisco-AVPair = "tunnel-medium-type=802"
>                           Cisco-AVPair = "tunnel-private-group-id=4"
>                       }
>                   }
>               }
>               else {
>                   update reply {
>                       Cisco-AVPair = "tunnel-type=vlan"
>                       Cisco-AVPair = "tunnel-medium-type=802"
>                       Cisco-AVPair = "tunnel-private-group-id=1"
>                   }
>               }
>           }
>           else {
>               update reply {
>                   Cisco-AVPair = "device-traffic-class=voice"
>               }
>           }
>       }
>   }
>
> Chris Schaatsbergen
dont distribute certificate
Hi,

I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate. I searched around on the web but could not find a solution for this. Is there a way to implement this feature in my setup?

I am using FreeRADIUS 2.1.10 on Debian squeeze.

Julian
Re: dont distribute certificate
On 12/21/2010 09:43 AM, Julian Labus wrote:
> Hi,
>
> I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate. I searched around on the web but could not find a solution for this. Is there a way to implement this feature in my setup?

Perhaps you should explain which public certificate you're talking about and why you want to disable this.

FWIW public certificates are sent as part of the SSL/TLS protocol; you can't disable this if you're using SSL/TLS. The whole point of a public cert is that not only is it safe to distribute, but it is intended to be distributed, which makes your question perplexing.

-- 
John Dennis jden...@redhat.com
Re: dont distribute certificate
> Hi,
>
> I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate. I searched around on the web but could not find a solution for this. Is there a way to implement this feature in my setup?

I'm seeking clarification of what you mean here. The clients will need the public key of your server or they won't be able to validate your server when they authenticate against it - you know, the very important bit in the client config where you verify the server, its CA and its name (CN from cert).

alan
Re: dont distribute certificate
Yes, I was talking about the TLS public certificate, sorry for leaving this out. The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.

On 12/21/2010 04:10 PM, John Dennis wrote:
> On 12/21/2010 09:43 AM, Julian Labus wrote:
>> Hi,
>>
>> I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate. I searched around on the web but could not find a solution for this. Is there a way to implement this feature in my setup?
>
> Perhaps you should explain which public certificate you're talking about and why you want to disable this.
>
> FWIW public certificates are sent as part of the SSL/TLS protocol; you can't disable this if you're using SSL/TLS. The whole point of a public cert is that not only is it safe to distribute, but it is intended to be distributed, which makes your question perplexing.

-- 
Julian Labus
Sol-3 GmbH & Co. KG
Re: dont distribute certificate
On 12/21/2010 10:22 AM, Julian Labus wrote:
> Yes, I was talking about the TLS public certificate, sorry for leaving this out. The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.

No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain). Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert.

-- 
John Dennis jden...@redhat.com
Re: dont distribute certificate
Hi,

>> Yes, I was talking about the TLS public certificate, sorry for leaving this out. The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.
>
> No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain). Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert.

aye. you don't HAVE to install the server public cert as that will be transferred to the client during the creation of the SSL/TLS tunnel. what the client does need, AND trust, is the public cert of the CA that signed the server. in this way, the web of trust is created.

so... if you have a public system I'd advise you use a well known CA to sign your server... a CA whose public keys are already in the OS. for a private, closed-loop system - eg 802.1X authentication - I'd still go for a private CA - yes, you have the issue of CA distribution onto the clients but you avoid the issue that anyone can pay and get a cert signed by a well known CA that your clients would trust (closed-loop method).

alan
freeradius and /etc/passwd
hi,

how could i use /etc/passwd to authenticate users? here is my config in users, and radiusd doesn't like it:

  doug    Service-Type := System
          Juniper-Local-User-Name = ops

the manpage for radiusd states:

  users
      Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However it is also possible to define all users, and their passwords, in this file.

thanks.
Re: Verify certificate - mac mapping in openldap..
I read most of what you said, and spent a few hours with the wifi down for maintenance while no one was on, and got it working. It now authenticates macAddress == Calling-Station-Id when the mac is available, and doesn't fail when it's not available, and works when it is available. There's only one thing I didn't think of that needs changing: I want to be able to also say: if there's no rdn for this hostname (i.e. the user isn't found at all in the directory), then the auth should fail. There's no one entry that's guaranteed to exist though. host, description, macAddress, and owner are all common, but every device is missing one or more of them :( I can't think of any other way to ensure that a user is found.

On 12/21/2010 01:37, Alan DeKok wrote:
> Christ Schlacta wrote:
>> so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when lain authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as disabled.
>
> That can be done.
>
>> I need advice on just what information needs to be stored in openldap, MAC addresses? and just which changes need to be made to freeradius.
>
> You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups?
>
> The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.
>
>> I've done a little independent research, and I think I can use a definition for a host as a device with a cn, and an ieee802Device with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius?
>
> See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names. If you want a *different* kind of grouping, you'll have to create it yourself.
>
>> will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address?
>
> Databases. SQL, LDAP, whatever. This isn't a RADIUS issue:
>
> Q: given X, how do I look up Y?
> A: put X and Y into a DB, and write a DB query to use X to look up Y.
>
>> and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?
>
> Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't.
>
> Alan DeKok.
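One way to write the policy Alan describes ("if Calling-Station-Id exists, do MAC lookups, otherwise don't") together with the fail-closed check Christ still wants (host not in the directory at all means reject), as an added example that is not part of either poster's configuration. It assumes FreeRADIUS 2.x unlang, an rlm_ldap instance named ldap, host entries under the constructed base ou=hosts,dc=example,dc=com as device (cn) plus ieee802Device (macAddress) objects, an EAP-TLS setup that makes the certificate CN available as TLS-Client-Cert-Common-Name in post-auth, and the tolower xlat from rlm_expr.

```unlang
# Added example, not from the thread. Belongs in the post-auth section of
# sites-available/default, i.e. after EAP-TLS has already verified the
# client certificate. All DNs below are constructed placeholders.
post-auth {
	# 1. Fail closed: the host named in the certificate must exist in the
	#    directory, regardless of which optional attributes it is missing.
	#    The ldap xlat returns an empty string when nothing matches.
	update request {
		Tmp-String-0 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?cn?sub?(cn=%{TLS-Client-Cert-Common-Name})}"
	}
	if ("%{Tmp-String-0}" == "") {
		# No entry for this hostname at all: turn the Access-Accept into a reject.
		reject
	}

	# 2. Only do the MAC check when the NAS actually sent a Calling-Station-Id.
	if (Calling-Station-Id) {
		# NASes send MACs as 00-11-22-33-44-55, 00:11:22:33:44:55 or
		# 0011.2233.4455; normalise to lower-case colon form before comparing.
		# If the regex does not match, Tmp-String-1 stays unset and the
		# comparison below is skipped (treated like "no MAC available").
		if (Calling-Station-Id =~ /^([0-9a-fA-F]{2})[-:.]?([0-9a-fA-F]{2})[-:.]?([0-9a-fA-F]{2})[-:.]?([0-9a-fA-F]{2})[-:.]?([0-9a-fA-F]{2})[-:.]?([0-9a-fA-F]{2})$/) {
			update request {
				Tmp-String-1 := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
			}
		}

		# 3. Fetch the MAC the directory knows for this host (empty if the
		#    entry has no macAddress attribute).
		update request {
			Tmp-String-2 := "%{tolower:%{ldap:ldap:///ou=hosts,dc=example,dc=com?macAddress?sub?(cn=%{TLS-Client-Cert-Common-Name})}}"
		}

		# 4. A known MAC that does not match is a failure; an unknown MAC
		#    (no macAddress in the entry) is not.
		if ("%{Tmp-String-2}" != "" && "%{Tmp-String-1}" != "") {
			if ("%{Tmp-String-1}" != "%{Tmp-String-2}") {
				reject
			}
		}
	}

	# Calling-Station-Id absent, or macAddress not set on the entry: accept.
	# The MAC (when present) is still written by whatever post-auth logging
	# modules (detail, sql_log, ...) follow this block.
}
```

The check is deliberately placed in post-auth rather than authorize, because the certificate CN is only known once the TLS handshake has completed.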
Re: SQL modul
I have the same problem as Miha Zoubek.

Alan DeKok wrote:
> Miha Zoubek wrote:
>> at the end of this file I am getting message Failed to load module sql.
>
> Does your system have the rlm_sql library? Did you configure the SQL module?

In freeradius-server 2.1.9-1.7 in OpenSuse 11.3, directory /usr/lib/freeradius contains all of the same files as were present in freeradius-server 2.0.5-8.3 in OpenSuse 11.0, but obviously filenames reflect the newer version number. It is interesting that modules other than rlm_sql load with no problems. In sites-available files default and inner-tunnel, if I change contents from sql to files, then all other modules load OK. Only the sql module fails to load.

Mysql works by itself, and dialup_admin accesses mysql. I did change admin.sql to change 3 lines into 1: GRANT ALL ON radius.* TO 'radius'@'localhost'; because I figured dialup_admin would need it. But I think radiusd -XC doesn't get that far, because radiusd -XC can't load the module for SQL.

I wondered if libgda might be relevant because it was installed in OpenSuse 11.0 (I don't know what I did to install it but it was there). Therefore I added libgda to the OpenSuse 11.3 machine but it didn't change the problem. Maybe rlm_sql and rlm_sql_mysql depend on something else, but I can't guess what.

Modules file inner-eap was added in between 2.0.5-8.3 and 2.1.9-1.7 but the only thing I did there was edit the password.

What else changed? Why did it break? And most importantly, how can I fix it?
Re: SQL modul
On Wed, Dec 22, 2010 at 9:07 AM, Norman Diamond n0diam...@yahoo.co.jp wrote:
> radiusd -XC can't load the module for SQL.
>
> What else changed? Why did it break? And most importantly, how can I fix it?

What does the debug log show? Does it complain about missing library or incorrect configuration? Do you have the relevant freeradius-mysql (or whatever the name is on your distro) installed?

-- Fajar
Re: SQL modul
Fajar A. Nugraha wrote:
> On Wed, Dec 22, 2010 at 9:07 AM, Norman Diamond wrote:
>> radiusd -XC can't load the module for SQL.
>>
>> What else changed? Why did it break? And most importantly, how can I fix it?
>
> What does the debug log show?

OK, I ran radiusd -XXXC and it's the same. Output lines now have the word Debug in them but the contents are the same. It successfully links to rlm_realm and configures that, as used by inner-tunnel. (If I unconfigure sql in inner-tunnel then the last successful operation comes somewhat later in default.) Immediately after that success, it says: Failed to load module sql. It does not give any additional information about what part of the load operation failed.

> Does it complain about missing library or incorrect configuration?

Not that I can see.

> Do you have the relevant freeradius-mysql (or whatever the name is on your distro) installed?

As mentioned, a bunch of files are the same except for updated versions in the filenames:

/usr/lib/freeradius/rlm_sql-2.1.9.so
/usr/lib/freeradius/rlm_sql.so (symbolic link)
/usr/lib/freeradius/rlm_sql_mysql-2.1.9.so
/usr/lib/freeradius/rlm_sql_mysql.so (symbolic link)
etc.

These are in Suse's RPM freeradius-server. (Other RPMs also have names freeradius-server-* and I installed all of them.)
Re: SQL modul
2010/12/22 Norman Diamond n0diam...@yahoo.co.jp:
> Fajar A. Nugraha wrote:
>> What does the debug log show?
>
> OK, I ran radiusd -XXXC and it's the same. Output lines now have the word Debug in them but the contents are the same. It successfully links to rlm_realm and configures that, as used by inner-tunnel. (If I unconfigure sql in inner-tunnel then the last successful operation comes somewhat later in default.) Immediately after that success, it says: Failed to load module sql. It does not give any additional information about what part of the load operation failed.

From http://wiki.freeradius.org/Radiusd

Ask questions on the mailing list. When asking questions, include the output from debugging mode ( radiusd -X ). This information will allow people to help you. Without it, your message will get ignored.

-- Fajar
Re: SQL modul
Fajar A. Nugraha wrote:
> Norman Diamond wrote:
>> Fajar A. Nugraha wrote:
>>> What does the debug log show?
>>
>> OK, I ran radiusd -XXXC and it's the same. Output lines now have the word Debug in them but the contents are the same. It successfully links to rlm_realm and configures that, as used by inner-tunnel. (If I unconfigure sql in inner-tunnel then the last successful operation comes somewhat later in default.) Immediately after that success, it says: Failed to load module sql. It does not give any additional information about what part of the load operation failed.
>
> From http://wiki.freeradius.org/Radiusd
>
> Ask questions on the mailing list. When asking questions, include the output from debugging mode ( radiusd -X ). This information will allow people to help you. Without it, your message will get ignored.

Yahoo's web mail interface wraps lines, sorry. Anyway I think you'll detect that my wording described the output:

Wed Dec 22 12:57:04 2010 : Info: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Jul 5 2010 at 21:41:31
Wed Dec 22 12:57:04 2010 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Wed Dec 22 12:57:04 2010 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Dec 22 12:57:04 2010 : Info: PARTICULAR PURPOSE.
Wed Dec 22 12:57:04 2010 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Dec 22 12:57:04 2010 : Info: GNU General Public License v2.
Wed Dec 22 12:57:04 2010 : Info: Starting - reading configuration files ...
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/radiusd.conf
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/proxy.conf
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/clients.conf
Wed Dec 22 12:57:04 2010 : Debug: including files in directory /etc/raddb/modules/
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/realm
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/ntlm_auth
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/expr
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/radutmp
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/echo
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/digest
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/pap.org
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/checkval
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/counter
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/logintime
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/preprocess
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/etc_group
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/perl
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/pam
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/unix
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/linelog
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/pap
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/mschap
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/smsotp
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/expiration
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/chap
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/detail.example.com
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/smbpasswd
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/detail.log
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/acct_unique
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/sradutmp
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/detail
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/mac2ip
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/otp
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/sql_log
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/ldap
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/inner-eap.org
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/attr_filter
Wed Dec 22 12:57:04 2010 : Debug: including configuration file /etc/raddb/modules/files
Re: FreeRADIUS exiting with Signal 11 on FreeBSD
Hi Alan, Daniel and all,

On 21/12/2010 19:46, Alan DeKok wrote:
> Danial wrote:
>> Here's the full output from gdb:
>> ...
>> #4 0x0806c852 in rad_assert_fail (file=Could not find the frame base for rad_assert_fail. ) at util.c:365
>> #5 0x0806af44 in request_dequeue (request=0x28542b7c, fun=0xbf9fef8c) at threads.c:412
>
> Ugh. Something is free'ing the request when it's still queued. This *only* can happen when the request is in the queue for more than 30s.
>
> So... why is your server so slow? Fix that, and the problem won't be fixed, but it *will* go away.

I have been running a network monitoring program on my server, that tracks cpu load, free memory. None of these have moved out of spec. Load average on the machine hit a high of 0.012.

Since this problem affects a number of different FreeBSD boxes, is there something that could be related to the kernel, scheduling, locking etc.? I'm guessing here so could be totally wrong. Are the debugs collected by Daniel meaningful to a FreeBSD developer or are they totally FreeRADIUS specific (yes I'm out of my league here)?

Daniel, one of your emails suggests that you have two servers. One that seems OK and the other that gives the Signal 11 problem. Do they both run the same version of FreeBSD? Are there differences in the scheduling or SMP options in the kernel? What other differences are there between these two machines?

Hugh

> I can take a look at the code, but this is a very odd edge case, and hard to track down/fix.
>
> Alan DeKok.

--
Hugh Blandford
Island Internet
ph 1300 130 428
mb 0412 016 875
Re: SQL modul
2010/12/22 Norman Diamond n0diam...@yahoo.co.jp:
> Fajar A. Nugraha wrote:
>> Norman Diamond wrote:
>>> Fajar A. Nugraha wrote:
>>>> What does the debug log show?
>>>
>>> OK, I ran radiusd -XXXC and it's the same. Output lines now have the word Debug in them but the contents are the same. It successfully links to rlm_realm and configures that, as used by inner-tunnel. (If I unconfigure sql in inner-tunnel then the last successful operation comes somewhat later in default.) Immediately after that success, it says: Failed to load module sql. It does not give any additional information about what part of the load operation failed.
>>
>> From http://wiki.freeradius.org/Radiusd
>>
>> Ask questions on the mailing list. When asking questions, include the output from debugging mode ( radiusd -X ). This information will allow people to help you. Without it, your message will get ignored.
>
> Yahoo's web mail interface wraps lines, sorry.

If you just use radiusd -X (like the wiki says) the output would be much easier to read.

> Anyway I think you'll detect that my wording described the output:

/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to load module sql.

... and if you've included the debug output from start you'd see that sql.conf was never loaded. Probably because you haven't bothered looking at radiusd.conf and uncomment the line

# $INCLUDE sql.conf

without that, the sql module is not initialized, and would give an error when you call sql in the config file.

-- Fajar
Re: SQL modul
Fajar A. Nugraha wrote:
> Norman Diamond wrote:
>> Fajar A. Nugraha wrote:
>>> Norman Diamond wrote:
>>>> Fajar A. Nugraha wrote:
>>>>> What does the debug log show?
>>>>
>>>> OK, I ran radiusd -XXXC and it's the same. Output lines now have the word Debug in them but the contents are the same. It successfully links to rlm_realm and configures that, as used by inner-tunnel. (If I unconfigure sql in inner-tunnel then the last successful operation comes somewhat later in default.) Immediately after that success, it says: Failed to load module sql. It does not give any additional information about what part of the load operation failed.
>>>
>>> From http://wiki.freeradius.org/Radiusd
>>>
>>> Ask questions on the mailing list. When asking questions, include the output from debugging mode ( radiusd -X ). This information will allow people to help you. Without it, your message will get ignored.
>>
>> Yahoo's web mail interface wraps lines, sorry.
>
> If you just use radiusd -X (like the wiki says) the output would be much easier to read.

I think readability would be the same. I had expected radiusd -XXXC to produce more lines of output than radiusd -XC but it didn't (or at least not any that I noticed). Insertion of the word Debug slightly lengthened the lines but even without that the lines still would get wrapped by Yahoo's web mail.

>> Anyway I think you'll detect that my wording described the output:
> [...]
> /etc/raddb/sites-enabled/inner-tunnel[118]: Failed to load module sql.
>
> ... and if you've included the debug output from start you'd see that sql.conf was never loaded.

YOU saw that and I thank you. I would not have known to look for that. The reason follows below.

> Probably because you haven't bothered looking at radiusd.conf and uncomment the line
>
> # $INCLUDE sql.conf

Because I didn't guess that radiusd.conf had such a change between version 2.0.5-8.3 in OpenSuse 11.0, and version 2.1.9-1.7 in OpenSuse 11.3. Thank you for pointing that out. YOU knew about the change and I thank you. I did not know about the change.

> without that, the sql module is not initialized, and would give an error when you call sql in the config file.

I understand. I thank you again.

Please note that my initial posting to this discussion asked what changed between those two versions to break the use of SQL, and here you have answered. I thank you for answering. I think you could have answered directly that radiusd.conf changed and users need to look at it.

Yours sincerely,
Norman Diamond
Re: freeradius and /etc/apsswd
gahn wrote:
> how could i use /etc/passwd to authenticate users?

List unix in the authorize section of raddb/sites-available/default.

> here is my config in users and radiusd doesn't like it:
>
> doug    Service-Type := System

That makes no sense.

>         Juniper-Local-User-Name = ops
>
> manpage for radiusd states:
>
> users
> Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However it is also possible to define all users, and their passwords, in this file.

Well... that documentation is probably 6 years old. Feel free to submit updates.

Alan DeKok.
Re: SQL modul
2010/12/22 Norman Diamond n0diam...@yahoo.co.jp:
>> /etc/raddb/sites-enabled/inner-tunnel[118]: Failed to load module sql.
>>
>> ... and if you've included the debug output from start you'd see that sql.conf was never loaded.
>
> YOU saw that and I thank you. I would not have known to look for that. The reason follows below.

So it's working now? Good to hear.

> Please note that my initial posting to this discussion asked what changed between those two versions to break the use of SQL, and here you have answered. I thank you for answering. I think you could have answered directly that radiusd.conf changed and users need to look at it.

I couldn't have answered that, because I didn't know what the exact changes are. First of all, I don't use freeradius 2.0.x. Second, distro packagers can change the default bundled config files, making it both version and distro-specific.

Regardless, debug output can usually show what's wrong in a setup, which is why it's very important to include them.

-- Fajar