Re: MLPPP Acct-Session-Id
Jay Kuhne (jkuhne) wrote:
> Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session

I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session.

Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.

> RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149
> COA: x.x.x.20 request queued
> ...
> COA: Message Authenticator missing or failed decode

That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I need help
Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time I try to launch the radiusd daemon, it does not complete successfully and gives an error message:

Failed binding to /var/run/radiusd/radiusd.sock: No such file or directory

Please, I need help on how to take care of this issue. Below is the radiusd daemon launch debug output:

ossytony@ubuntu:/$ cd /etc//raddb/
ossytony@ubuntu:/etc/raddb$ sudo radiusd -X
[sudo] password for ossytony:
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 27 2011 at 23:34:45
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/local/lib
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
	response_window = 20
	max_outstanding =
Re: I need help
Ossy Tony wrote:
> Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time I try to launch the radiusd daemon, it does not complete successfully and gives an error message
> Failed binding to /var/run/radiusd/radiusd.sock: No such file or directory

Does the directory exist? If not, create it.

Alan DeKok.
Re: I need help
On 29/03/11 11:55, Ossy Tony wrote:
> Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time I try to launch the radiusd daemon, it does not complete successfully and gives an error message
> Failed binding to /var/run/radiusd/radiusd.sock: No such file or directory

Two choices:

1. Find out why it can't bind this socket; probably because /var/run/radiusd does not exist, in which case:
   mkdir /var/run/radiusd

2. Disable the control-socket virtual server:
   rm /etc/raddb/sites-enabled/control-socket
RE: MLPPP Acct-Session-Id
Hi Alan,

Thanks for your reply. I think the bottom line is I need to do some more investigation. I tried a PPP vs. MLPPP session and my COAs work as expected. I'll see if I can gather data from the Accounting-Request like you mention. I'll see if I can find the Message-Authenticator attribute. I'm not sure why the NAS is making this mandatory; I'll have to investigate. This is very helpful since, as I can clearly see, I'm not an expert in this area.

Thanks,
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 29, 2011 1:50 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id

Jay Kuhne (jkuhne) wrote:
> Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session

I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session.

Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.

> RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149
> COA: x.x.x.20 request queued
> ...
> COA: Message Authenticator missing or failed decode

That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet.

Alan DeKok.
RE: MLPPP Acct-Session-Id
Hi Alan,

Do you know of a syntax on Radclient for defining the Message-Authenticator attribute? I'll see if I can find it in the accounting record, get it working and then follow up as to why it's not as per RFC.

Thanks,
Jay

-----Original Message-----
From: Jay Kuhne (jkuhne)
Sent: Tuesday, March 29, 2011 9:08 AM
To: FreeRadius users mailing list
Subject: RE: MLPPP Acct-Session-Id

Hi Alan,

Thanks for your reply. I think the bottom line is I need to do some more investigation. I tried a PPP vs. MLPPP session and my COAs work as expected. I'll see if I can gather data from the Accounting-Request like you mention. I'll see if I can find the Message-Authenticator attribute. I'm not sure why the NAS is making this mandatory; I'll have to investigate. This is very helpful since, as I can clearly see, I'm not an expert in this area.

Thanks,
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 29, 2011 1:50 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id

Jay Kuhne (jkuhne) wrote:
> Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session

I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session.

Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.

> RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149
> COA: x.x.x.20 request queued
> ...
> COA: Message Authenticator missing or failed decode

That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet.

Alan DeKok.
Re: Mac Auth and post-auth logging to SQL
Ok. I was just assuming that the FreeRadius Wiki was an authoritative source, and if it's written there, there must be something I just wasn't understanding that required it to be that way. When I get something working correctly, shall I register for an account and update your wiki page accordingly (once MySQL is working again)?

-Jason

Alan DeKok wrote:
> Jason Antman wrote:
> > And in post-auth{}:
> > ### snip ###
> > if(control:Auth-Type == 'CSID'){
> >     # Authorization happens here
> >     authorized_macs.authorize
> >     if(!ok){
> >         reject
>
> Uh... why? If the user is authenticated, you shouldn't be rejecting him.
>
> > If I put a sql line before this, it always logs with Access-Accept, since that's what authenticate{} ALWAYS returns, and the sql module is being called before . If I put a sql line after this, it never gets executed for reject statements...
>
> Because you're doing it wrong. The whole point of accepting the user is that you *don't* reject them.
>
> Change your rules to reject the user *before* they're accepted. The logging will then behave as you expect. It doesn't behave as you expect now, because you're rejecting them after you've accepted them. That makes no sense.
>
> > Why is the authorize statement in the post-auth { } section? That seems to be the cause of these problems...
>
> So move it.
>
> Alan DeKok.
OT: JRadius client - Freeradius 2.1.10 PAP authentication
Hi All,

If anyone is using JRadius client (especially via JASIG CAS) to authenticate to a freeradius server using PAP, could you contact me offlist?

Cheers,
Harry
Re: Certificate Compatibility
Those instructions worked fine for a PC. But this time I am trying to test a Canopy AP and an SM. It seems to be stopping after the server hello. It is possible that the AP does not like the server certificate (or its encryption method), but I don't think MS MIBs will help ;-)

Looks like the wiki is still down...

--- On Mon, 3/28/11, Alan DeKok al...@deployingradius.com wrote:

> From: Alan DeKok al...@deployingradius.com
> Subject: Re: Certificate Compatibility
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Monday, March 28, 2011, 10:46 PM
>
> Jim Rice wrote:
> > Getting this: (FR 2.1.10)...
> > WARNING: !!
> > WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish!
> > WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> > WARNING: !!
>
> It means that the PC didn't like the server certificate. Follow the instructions on http://deployingradius.com/ for configuring EAP. It's a bit long, but it's *guaranteed* to work.
>
> > Unfortunately the wiki is down...
>
> Hmm... I hadn't seen that. I'll take a look.
>
> Alan DeKok.
Re: MLPPP Acct-Session-Id
Jay Kuhne (jkuhne) wrote:
> Do you know of a syntax on Radclient for defining the Message-Authenticator attribute?

It's just like any other attribute...

Message-Authenticator =

> I'll see if I can find it in the accounting record, get it working and then follow up as to why it's not as per RFC.

The NAS vendors don't bother following (or even reading) the RFCs.

Alan DeKok.
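As an added example (not code from this thread, from radclient or from FreeRADIUS), here is what "add the Message-Authenticator attribute" means on the wire for a CoA-Request, and how the receiving side should check it before acting on the request: the attribute is an HMAC-MD5 keyed with the shared secret over the packet, and the Request Authenticator is then the MD5 of the packet plus the secret as RFC 5176 describes. The secret, identifier and session ID are constructed sample values, and reporting a missing or bad Message-Authenticator before checking the Request Authenticator is a design choice here, not something the RFC mandates.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # packet code, RFC 5176
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579
HEADER_LEN = 20                  # Code(1) Id(1) Length(2) Authenticator(16)

def encode_attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def decode_attrs(attrs):
    """Walk the attribute area: [(type, value), ...], or None if malformed."""
    out, off = [], 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            return None
        t, length = attrs[off], attrs[off + 1]
        if length < 3 or off + length > len(attrs):
            return None
        out.append((t, attrs[off + 2:off + length]))
        off += length
    return out

def build_coa_request(secret, identifier, attrs, include_ma=True):
    """Message-Authenticator = HMAC-MD5(secret, packet with the authenticator
    field and the M-A value zeroed); then Request Authenticator =
    MD5(header with 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    ma_off = len(body) + 2                   # offset of the M-A value in body
    if include_ma:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    zero_hdr = struct.pack("!BBH", COA_REQUEST, identifier,
                           HEADER_LEN + len(body)) + bytes(16)
    if include_ma:
        mac = hmac.new(secret, zero_hdr + body, hashlib.md5).digest()
        body = body[:ma_off] + mac + body[ma_off + 16:]
    req_auth = hashlib.md5(zero_hdr + body + secret).digest()
    return zero_hdr[:4] + req_auth + body

def verify_coa_request(secret, packet):
    """Return "ok", or the reason a receiver should drop the request."""
    if len(packet) < HEADER_LEN:
        return "bad-length"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return "bad-length"
    attrs = packet[HEADER_LEN:]
    decoded = decode_attrs(attrs)
    if decoded is None:
        return "malformed-attributes"
    ma_off, off = None, 0
    for t, v in decoded:                     # require exactly one 16-octet M-A
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16 or ma_off is not None:
                return "bad-message-authenticator"
            ma_off = off + 2
        off += 2 + len(v)
    if ma_off is None:
        return "missing-message-authenticator"
    zero_hdr = packet[:4] + bytes(16)
    zeroed = attrs[:ma_off] + bytes(16) + attrs[ma_off + 16:]
    mac = hmac.new(secret, zero_hdr + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[ma_off:ma_off + 16]):
        return "bad-message-authenticator"
    expected = hashlib.md5(zero_hdr + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "bad-request-authenticator"
    return "ok"

SECRET = b"testing123"                                # constructed sample
SAMPLE_ATTRS = [(ATTR_USER_NAME, b"jay@example.net"),  # constructed sample
                (ATTR_ACCT_SESSION_ID, b"0000ABCD")]

def demo():
    """Run the verifier over a good packet and four bad ones."""
    good = build_coa_request(SECRET, 48, SAMPLE_ATTRS)
    no_ma = build_coa_request(SECRET, 48, SAMPLE_ATTRS, include_ma=False)
    tampered = bytearray(good)
    tampered[HEADER_LEN + 17 + 2] ^= 0x01    # first octet of Acct-Session-Id
    bad_ra = bytearray(good)
    bad_ra[4] ^= 0xFF                         # corrupt the Request Authenticator
    return {
        "good": verify_coa_request(SECRET, good),
        "no_ma": verify_coa_request(SECRET, no_ma),
        "tampered": verify_coa_request(SECRET, bytes(tampered)),
        "bad_ra": verify_coa_request(SECRET, bytes(bad_ra)),
        "wrong_secret": verify_coa_request(b"not-the-secret", good),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The "no_ma" case is the packet radclient sends when the attribute is left out; a NAS that insists on it, as the one in this thread does, has nothing to check and drops the request.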
Re: Certificate Compatibility
You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.

You might also be running into an issue with the issue date on the certificate if the AP doesn't have the proper time. (I don't recall what error gets spit out in that case.) If the AP doesn't have NTP or the proper time set, it reverts to starting from 1/1/2001, so your certificate may not have a valid issue date if it was recently created.

Ben

On Tue, Mar 29, 2011 at 9:17 AM, Jim Rice jmrice6...@yahoo.com wrote:
> Those instructions worked fine for a PC. But this time I am trying to test a Canopy AP and an SM. It seems to be stopping after the server hello. It is possible that the AP does not like the server certificate (or its encryption method), but I don't think MS MIBs will help ;-)
>
> Looks like the wiki is still down...
>
> --- On Mon, 3/28/11, Alan DeKok al...@deployingradius.com wrote:
>
> > From: Alan DeKok al...@deployingradius.com
> > Subject: Re: Certificate Compatibility
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > Date: Monday, March 28, 2011, 10:46 PM
> >
> > Jim Rice wrote:
> > > Getting this: (FR 2.1.10)...
> > > WARNING: !!
> > > WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish!
> > > WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> > > WARNING: !!
> >
> > It means that the PC didn't like the server certificate. Follow the instructions on http://deployingradius.com/ for configuring EAP. It's a bit long, but it's *guaranteed* to work.
> >
> > > Unfortunately the wiki is down...
> >
> > Hmm... I hadn't seen that. I'll take a look.
> >
> > Alan DeKok.
RE: MLPPP Acct-Session-Id
Okay thanks. I'll do some investigating and let you know. It may be a little bit but I will reply with my findings.

Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 29, 2011 10:20 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id

Jay Kuhne (jkuhne) wrote:
> Do you know of a syntax on Radclient for defining the Message-Authenticator attribute?

It's just like any other attribute...

Message-Authenticator =

> I'll see if I can find it in the accounting record, get it working and then follow up as to why it's not as per RFC.

The NAS vendors don't bother following (or even reading) the RFCs.

Alan DeKok.
testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
I'd like to test and see which particular client was responsible for a request. I found two attributes, Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values? Any suggestions...

Thanks,
Robert
Re: Sending accounting packets to more than one server?
On Sat, Mar 12, 2011 at 11:06:51AM +, Brian Candler wrote:
> Tim McNabb wrote:
> > I was wondering if it is possible to forward accounting packets to another server while also keeping the packets on the local machine. I'm working on integrating a Netsweeper appliance and the company is saying that I need to forward accounting packets to the appliance in order for it to set policies correctly. Has anyone ever done this or would be willing to forward some good documentation on how this can be done?
>
> I have a local module here which blindly sends out an extra copy of an accounting packet to target host(s) you specify, without waiting for any acknowledgement. We use it for teeing off accounting to various packet shapers.
>
> Because the module doesn't maintain any state, i.e. wait for acknowledgement or resend if no ack received, it's very lightweight and there are no queues or buffers to overflow.
>
> I can probably get permission to release the code if you're interested.

I have now secured this permission. The module is available as an attachment to this ticket:
https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=151

and also on github:
https://github.com/candlerb/freeradius-server/tree/candlerb/packetblast

Regards,
Brian.
Re: Certificate Compatibility
I believe that installing a certificate on the SM removes both of the defaults. Does this mean then that one slot is for the CA cert, and the other is for a client cert? Do we need to generate and install client certificates for every SM? I thought the AP was the Radius Client in this case, and was handling the TLS handshake? Or does the SM provide its certificates to the AP along with the user identity and MAC address when it connects?

(Just when I thought I was beginning to understand all of this...)

--- On Tue, 3/29/11, Ben Wiechman wiechman.li...@gmail.com wrote:

> You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.
Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
Robert Roll wrote:
> I'd like to test and see which particular client was responsible for a request. I found two attributes, Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values? Any suggestions...

Use Packet-Src-IP-Address

Or, %{client: shortname}, if it's configured in clients.conf.

Alan DeKok.
Re: Certificate Compatibility
The SM is bucky. To deploy a new certificate you need to delete at least one of the existing certificates and reboot the SM. That slot should now be empty and should say "Certificate X not present in the system". At this point you can import your new certificate. Some SMs however are cranky about actually deleting the certificates. After a reboot the deleted certificate is still present. CNUT seems to work much better when deploying the certificates for some reason. I haven't had it fail yet. Don't ask me. See the Tools menu.

Alternatively you could use the aaasvr* certificates included with the firmware. Every SM should have that cacert_aaasvr.pem certificate pre-loaded. I'd recommend generating your own certificates however.

You need to generate a CA certificate and use that to sign your server certificate. Configure both of these appropriately in your eap.conf file. If the AP doesn't have a time source it starts its clock at 1/1/2001, so you may want to generate both certificates with a valid start date before 1/1/2001. If your AP believes the time is prior to the issuing date in your certificates, authentication will fail and the SM will be locked out for 15 minutes...

You need to install a copy of that CA certificate on every SM. You do not need to generate a different certificate for each device. See the limitations on self signed certificates and third party certificates in the release notes.

In general you can just use the procedures outlined for EAP in the wiki/deployingradius.org to generate your CA certificate, with the caveat that those certificates will be valid from the time you generate them forward.

Logging is basic and essentially worthless in the AP and SM. The underlying RADIUS implementation doesn't provide visibility or better logging, which Moto says they are hoping to rectify at some point, but that doesn't help today.

Oh, and if you're using vlans you'll want to wait to deploy the forthcoming patch in production. There is a memory leak in 11.0 that will cause the SM to crash when it has to filter downstream broadcast traffic.

Ben

On Tue, Mar 29, 2011 at 12:38 PM, Jim Rice jmrice6...@yahoo.com wrote:
> I believe that installing a certificate on the SM removes both of the defaults. Does this mean then that one slot is for the CA cert, and the other is for a client cert? Do we need to generate and install client certificates for every SM? I thought the AP was the Radius Client in this case, and was handling the TLS handshake? Or does the SM provide its certificates to the AP along with the user identity and MAC address when it connects?
>
> (Just when I thought I was beginning to understand all of this...)
>
> --- On Tue, 3/29/11, Ben Wiechman wiechman.li...@gmail.com wrote:
>
> > You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.
Re: Mac Auth and post-auth logging to SQL
Alan DeKok wrote:
> Because you're doing it wrong. The whole point of accepting the user is that you *don't* reject them.
>
> Change your rules to reject the user *before* they're accepted. The logging will then behave as you expect. It doesn't behave as you expect now, because you're rejecting them after you've accepted them. That makes no sense.

Alan, thanks for the pointer, it works fine now.

I just found out that the FreeRadius wiki is *not* publicly editable. Could whoever maintains it please update the Mac-Auth article at http://wiki.freeradius.org/Mac-Auth to remove the parts that Alan said make no sense? It's very liable to confuse people (like me) when the Official wiki has examples that are wrong.

Thanks,
Jason Antman
RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
Still does not seem to be working.. Still looks like it's expanding to nothing?

++? if (%{client: shortname} == WCSmgmt )
	expand: %{client: shortname} ->
? Evaluating (%{client: shortname} == WCSmgmt ) -> FALSE
++? if (%{client: shortname} == WCSmgmt ) -> FALSE
}

Yet in clients.conf:

client 155.97.142.192 {
	secret = doesntmatter
	shortname = WCSmgmt
}

The request does seem to be coming from the correct client?

rad_recv: Access-Request packet from host 155.97.142.192 port 55567, id=0, length=124

Thanks,
Robert

________________________________________
From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Alan DeKok [al...@deployingradius.com]
Sent: Tuesday, March 29, 2011 12:00 PM
To: FreeRadius users mailing list
Subject: Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname

Robert Roll wrote:
> I'd like to test and see which particular client was responsible for a request. I found two attributes, Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values? Any suggestions...

Use Packet-Src-IP-Address

Or, %{client: shortname}, if it's configured in clients.conf.

Alan DeKok.
Re: Certificate Compatibility
Thanks Ben, I'll try installing the CA cert on the SM. I had already been through the EAP notes when testing auth with a PC. Baby steps ...

The AP is running NTP, so time is not an issue.

We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-)

Jim
Re: Certificate Compatibility
> We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-)

If only... lol

Ben
Re: Certificate Compatibility
Note that time might be an issue if the AP pushes the auth request through after a reboot before it has received a response from the NTP server and correctly configured the time. I'm not sure how much danger there is that this will happen. I haven't seen it in production that I am aware of; however, we ran the beta on a site that is connected via fiber, so it has minimal latency to the ntp servers.

Ben

On Tue, Mar 29, 2011 at 1:30 PM, Jim Rice jmrice6...@yahoo.com wrote:
> Thanks Ben, I'll try installing the CA cert on the SM. I had already been through the EAP notes when testing auth with a PC. Baby steps ...
>
> The AP is running NTP, so time is not an issue.
>
> We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-)
>
> Jim
Error: Exec-Program: Permission Denied when running via service start
Greetings all,

I've been racking my brains out trying to solve/debug the following issue; hopefully someone can provide a new perspective.

I've implemented mOTP as an external authentication program by defining it in radiusd.conf with a

Program = /etc/raddb/otpverify.sh

statement. As I said, it does indeed work properly, except when I start the radiusd server up as a daemon via init.d:

radiusd -X                                          - Works properly
service radiusd start or /etc/init.d/radiusd start  - FAILS
sh /etc/init.d/radiusd start                        - Works

When it works properly, I get proper Accept Replies. When it 'fails', it's due to not being able to execute the script, and this is logged in radius.log:

Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied

In all the above scenarios, I was root when executing the statements. I am *not* in a chroot jail; all the necessary directories are read/write by user 'radiusd', which is what the process is running as. I'm also using the init.d script that came with the CentOS package.

My linux platform and freeradius information is as follows:

CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.

Thanks for any assistance with this.
Re: Error: Exec-Program: Permission Denied when running via service start
On 03/29/2011 03:09 PM, Christopher Athans wrote:
> Greetings all,
>
> I've been racking my brains out trying to solve/debug the following issue; hopefully someone can provide a new perspective.
>
> I've implemented mOTP as an external authentication program by defining it in radiusd.conf with a
>
> Program = /etc/raddb/otpverify.sh
>
> statement. As I said, it does indeed work properly, except when I start the radiusd server up as a daemon via init.d:
>
> radiusd -X                                          - Works properly
> service radiusd start or /etc/init.d/radiusd start  - FAILS
> sh /etc/init.d/radiusd start                        - Works
>
> When it works properly, I get proper Accept Replies. When it 'fails', it's due to not being able to execute the script, and this is logged in radius.log:
>
> Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied
>
> In all the above scenarios, I was root when executing the statements. I am *not* in a chroot jail; all the necessary directories are read/write by user 'radiusd', which is what the process is running as. I'm also using the init.d script that came with the CentOS package.
>
> My linux platform and freeradius information is as follows:
>
> CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.
>
> Thanks for any assistance with this.

Is SELinux enabled?

% getenforce

If it's enforcing then set it to permissive mode

% setenforce 0

Now does it work? If so, what were your recent AVC's in /var/log/audit/audit.log?

Not the problem? Then verify the script can run as the radiusd user.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Error: Exec-Program: Permission Denied when running via service start
*sigh* it was indeed SELinux. I thought I had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue. Thanks John.

On Tue, Mar 29, 2011 at 2:16 PM, John Dennis jden...@redhat.com wrote:
> On 03/29/2011 03:09 PM, Christopher Athans wrote:
> > Greetings all,
> >
> > I've been racking my brains out trying to solve/debug the following issue; hopefully someone can provide a new perspective.
> >
> > I've implemented mOTP as an external authentication program by defining it in radiusd.conf with a
> >
> > Program = /etc/raddb/otpverify.sh
> >
> > statement. As I said, it does indeed work properly, except when I start the radiusd server up as a daemon via init.d:
> >
> > radiusd -X                                          - Works properly
> > service radiusd start or /etc/init.d/radiusd start  - FAILS
> > sh /etc/init.d/radiusd start                        - Works
> >
> > When it works properly, I get proper Accept Replies. When it 'fails', it's due to not being able to execute the script, and this is logged in radius.log:
> >
> > Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied
> >
> > In all the above scenarios, I was root when executing the statements. I am *not* in a chroot jail; all the necessary directories are read/write by user 'radiusd', which is what the process is running as. I'm also using the init.d script that came with the CentOS package.
> >
> > My linux platform and freeradius information is as follows:
> >
> > CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.
> >
> > Thanks for any assistance with this.
>
> Is SELinux enabled?
>
> % getenforce
>
> If it's enforcing then set it to permissive mode
>
> % setenforce 0
>
> Now does it work? If so, what were your recent AVC's in /var/log/audit/audit.log?
>
> Not the problem? Then verify the script can run as the radiusd user.
>
> --
> John Dennis jden...@redhat.com
Re: Error: Exec-Program: Permission Denied when running via service start
On 03/29/2011 03:20 PM, Christopher Athans wrote:
> *sigh* it was indeed SELinux. I thought I had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue. Thanks John.

The behavior is different because /sbin/service has special SELinux transition rules.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
The Use Packet-Src-IP-Address does appear to work. However, I would really like to have a set of clients behave the same way. I would really like to do something like:

  client 1.2.3.4 {
      secret = XX
      shortname = mgmtStation
      Identical-client = 1.2.3.5, 1.2.3.6, 1.2.3.7
  }

Then later on simply test on shortname mgmtStation? If there is nothing like Identical-client... I did notice while debugging that doing something like:

  client 1.2.3.4 {
      secret = XX
      shortname = stMgt
  }
  client 1.2.3.5 {
      secret = XX
      shortname = stMgt
  }

Assigning two different IP number clients the same shortname? I noticed that when I looked at some logs, the shortname was used in the log text for BOTH clients. This could be exploited for what I want, if only testing the client based on shortname worked?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Robert Roll [robert.r...@utah.edu]
Sent: Tuesday, March 29, 2011 12:16 PM
To: FreeRadius users mailing list
Subject: RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname

Still does not seem to be working. Still looks like it's expanding to nothing?

  ++? if (%{client: shortname} == WCSmgmt )
  expand: %{client: shortname} ->
  ? Evaluating (%{client: shortname} == WCSmgmt ) -> FALSE
  ++? if (%{client: shortname} == WCSmgmt ) -> FALSE
  }

Yet in clients.conf:

  client 155.97.142.192 {
      secret = doesntmatter
      shortname = WCSmgmt
  }

The request does seem to be coming from the correct client?

  rad_recv: Access-Request packet from host 155.97.142.192 port 55567, id=0, length=124

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Alan DeKok [al...@deployingradius.com]
Sent: Tuesday, March 29, 2011 12:00 PM
To: FreeRadius users mailing list
Subject: Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname

Robert Roll wrote:
> I'd like to test and see which particular client was responsible for a request. I found two attributes Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values? Any suggestions...

  Use Packet-Src-IP-Address

  Or, %{client: shortname}, if it's configured in clients.conf.

  Alan DeKok.
Re: Mac Auth and post-auth logging to SQL
On 03/29/2011 07:13 PM, Jason Antman wrote:
> I just found out that the FreeRadius wiki is *not* publicly editable.

Too much spam :o(

> Could whoever maintains it please update the Mac-Auth article at http://wiki.freeradius.org/Mac-Auth to remove the parts that Alan said make no sense?

The example on the wiki is quite complex, and not easy to follow at first. I've updated it with a couple of simpler examples to start with - a just-macauth one, and a macauth plus 802.1x one.

Could you have a look and see if they make more sense?
Re: Mac Auth and post-auth logging to SQL
This makes MUCH more sense, thanks! Now the next (relatively new-to-radius) person won't end up as confused as I was.

I have MAC auth working with a SQL data source and custom XLAT to check for some special field values in SQL, based on a somewhat custom schema (more from the one-row-per-MAC standpoint than using radcheck and radreply), as well as xlat to include a Username in the reply message. When I'm finished with it and have it working, I'll be more than willing to pass along my code.

Thanks to you and Alan for clearing things up.

-Jason

Phil Mayers wrote:
> On 03/29/2011 07:13 PM, Jason Antman wrote:
>> I just found out that the FreeRadius wiki is *not* publicly editable.
>
> Too much spam :o(
>
>> Could whoever maintains it please update the Mac-Auth article at http://wiki.freeradius.org/Mac-Auth to remove the parts that Alan said make no sense?
>
> The example on the wiki is quite complex, and not easy to follow at first. I've updated it with a couple of simpler examples to start with - a just-macauth one, and a macauth plus 802.1x one.
>
> Could you have a look and see if they make more sense?
Re: Certificate Compatibility
Looks like it got a bit further this time. If I am looking at this right, it got through the TTLS part. But now what? The SM is just Registering. I am hoping that this is something simple and obvious to you guys... (Just the tail end for now):

...
rad_recv: Access-Request packet from host 10.111.4.254 port 1273, id=0, length=439
Cleaning up request 4 ID 0 with timestamp +41
WARNING: !!
WARNING: !! EAP session for state 0xf2937007f695654f did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
        User-Name = 0a-00-3e-f0-11-34
        State = 0xf2937007f695654f37c0362b1499c219
        NAS-IP-Address = 10.111.4.254
        NAS-Port = 5
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1020
        EAP-Message = 0x0206015015800146160301010611020100b208c439d0d90984cce915a82a4455cfcd9088e55760daeb8ff2e4b2bd5115bf3fe2b8e1270daf4dca4cf81a7392bbf684e2de7147ef4b7bc5dd54a9dd5d682f77959c1b0d7b5af3e64835e4e0e8bc2c76da431b0ff2d36fb94cb4a964da32027c46c54ea060de1a75e0a9e9ad8fac1e810af9a6b82c9e37353afc4aab0126e19f18d7e6d3998534e364fbeab676acb4eb98b71b3afdf5f850fda7b7d1952e67de3abff875519824c3bd7f91ea33a6e9db3b5132c4947a9128c156f20b809211586ba7961c20edcb9e1bbc81818b25c499288cd11014ea181eb05c2e0fd566a41121df762993fd0a
        EAP-Message = 0x10d47398e6dfe27ced7bf9082d0cbb8261315423405c9b2d14030100010116030100303b8f5f207e14a34c814835a671de3025cf69c55a20976e348d692f622b1f8182e619567c8b8866c571c1ac6df11adb0d
        Message-Authenticator = 0x0940909b598c4170a6f820374c4adf48
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 0a-00-3e-f0-11-34, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.111.4.254 port 1273
        EAP-Message = 0x010700451580003b1403010001011603010030e9d5415f2dab4d08d3188d183d0c4dc68f65eae604b877e87fc28021e38c48e39ad145595d4cbbbcc00bcd4a5eb617f2
        Message-Authenticator = 0x
        State = 0xf2937007f794654f37c0362b1499c219
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 0 with timestamp +42
WARNING: !!
WARNING: !! EAP session for state 0xf2937007f794654f did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Ready to process requests.
Re: Error: Exec-Program: Permission Denied when running via service start
Hi,

> I've implemented mOTP as an external authentication program by defining it in radiusd.conf with a Program = /etc/raddb/otpverify.sh statement. As I said, it does indeed work properly, except when I start the radiusd server up as a daemon via init.d:
>
>   radiusd -X                                          - Works properly
>   service radiusd start or /etc/init.d/radiusd start  - FAILS
>   sh /etc/init.d/radiusd start                        - Works
>
> When it works properly, I get proper Accept Replies. When it 'fails', it's due to not being able to execute the script, and this is logged in radius.log:
>
>   Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied

it sounds like basics...but this error message is pretty straightforward... what are the permissions on that file? are you running eg SELinux ?

alan
Re: Mac Auth and post-auth logging to SQL
On 03/29/2011 08:52 PM, Jason Antman wrote:
> This makes MUCH more sense, thanks! Now the next (relatively new-to-radius) person won't end up as confused as I was.
>
> I have MAC auth working with a SQL data source and custom XLAT to check for some special field values in SQL, based on a somewhat custom schema (more from the one-row-per-MAC standpoint than using radcheck and

Yeah, we do a similar thing with a database stored procedure to allocate an appropriate vlan by mac location combo; it's basically along the lines of:

  update control {
      Tmp-String-0 := "%{sql:select .. from proc('%{Calling-Station-Id}')}"
  }
  if (control:Tmp-String-0 =~ /...regexp for SQL result.../) {
      update reply {
          # vlan
          Tunnel-Private-Group-Id := "%{1}"
          Other-Stuff := "%{2}"
      }
  }

FreeRadius is damn clever when you grasp it ;o)

> radreply), as well as xlat to include a Username in the reply message. When I'm finished with it and have it working, I'll be more than willing to pass along my code.

Alan can probably give you a wiki account if you want to document it there.
Re: Error: Exec-Program: Permission Denied when running via service start
Hi,

> *sigh* it was indeed SELinux. I thought I had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue. Thanks John.

you are going to fix the issue as shown by audit2allow etc rather than just leave SELinux disabled or permissive? (so many people do that, then wonder how the bad guys got onto their server)

alan
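A triage helper for the denial discussed in this thread, added here as an example (it is not code from the thread or from the FreeRADIUS project): it filters audit.log AVC records down to those raised against the radiusd process and pulls out the denied permission and target context, which is what you need before deciding between a relabel and an audit2allow module. The audit records are constructed samples; only the script path /etc/raddb/otpverify.sh comes from the thread, and the module name radiusd_otp is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): triage SELinux AVC denials
# behind "Exec-Program: FAILED to execute ...: Permission denied" instead of
# leaving SELinux permissive. Real input is /var/log/audit/audit.log; the
# records below are constructed samples shaped like type=AVC lines.
SAMPLE_AUDIT='type=AVC msg=audit(1301422800.123:456): avc:  denied  { execute } for  pid=1234 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=98765 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1301422800.123:456): arch=c000003e syscall=59 success=no exit=-13 comm="radiusd"
type=AVC msg=audit(1301422801.456:457): avc:  denied  { execute_no_trans } for  pid=1234 comm="radiusd" path="/etc/raddb/otpverify.sh" dev=dm-0 ino=98765 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1301422802.789:458): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Keep only AVC records whose source process is radiusd (stdin to stdout).
radiusd_avc_denials() {
    grep 'type=AVC' | grep 'comm="radiusd"'
}

# Extract the denied permission (e.g. execute) from one AVC record.
avc_permission() {
    sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# Extract "tcontext tclass": the target type shows whether a relabel
# (restorecon/chcon) or a local policy module is the right fix.
avc_target() {
    sed -n 's/.*tcontext=\([^ ]*\) *tclass=\([a-z_]*\).*/\1 \2/p'
}

# Current enforcement mode, or "unknown" where getenforce is not installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unknown; fi
}

# Stand-alone run over the constructed sample: the httpd denial is dropped,
# both radiusd denials are reported with permission and target.
echo "SELinux mode: $(selinux_mode)"
printf '%s\n' "$SAMPLE_AUDIT" | radiusd_avc_denials | while IFS= read -r rec; do
    perm=$(printf '%s\n' "$rec" | avc_permission)
    target=$(printf '%s\n' "$rec" | avc_target)
    echo "radiusd denied $perm on $target"
done

# On the real host: the same filter from the live log, John Dennis's "can the
# radiusd user run it" check, then a local module (radiusd_otp is a placeholder):
#   ausearch -m avc -c radiusd
#   sudo -u radiusd /etc/raddb/otpverify.sh
#   ausearch -m avc -c radiusd | audit2allow -M radiusd_otp && semodule -i radiusd_otp.pp
```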
Freeradius + Active Directory
Hi List,

I'm really sorry if this has been asked before. I was able to set up RADIUS authentication via AD; now my problem is, is there a way I can apply Max-All-Session to each account on AD, just like with any other modules like rlm_sql? Or, I should say, is there a pre-authenticate section in the configs just like the pre-accounting section? Please bear with my English :D.

Thanks in advance,
Best regards,
Ronaldo Chan
Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
On 2011/03/29 09:28 PM, Robert Roll wrote:
> The Use Packet-Src-IP-Address does appear to work. However, I would really like to have a set of clients behave the same way. I would really like to do something like:
>
>   client 1.2.3.4 {
>       secret = XX
>       shortname = mgmtStation
>       Identical-client = 1.2.3.5, 1.2.3.6, 1.2.3.7
>   }
>
> Then later on simply test on shortname mgmtStation? If there is nothing like Identical-client... I did notice while debugging that doing something like:
>
>   client 1.2.3.4 {
>       secret = XX
>       shortname = stMgt
>   }
>   client 1.2.3.5 {
>       secret = XX
>       shortname = stMgt
>   }
>
> Assigning two different IP number clients the same shortname? I noticed that when I looked at some logs, the shortname was used in the log text for BOTH clients. This could be exploited for what I want, if only testing the client based on shortname worked?

You could try dynamic clients and different virtual servers.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782