Re: Proxy state attribute in accounting
On Sat, Apr 16, 2011 at 9:19 PM, Alan DeKok al...@deployingradius.com wrote:
> Waqas Toor wrote:
> > Yes, understood. Can I limit those Proxy-State attributes to, let's say, 100 attributes only? Because the other server is complaining about possible DoS attacks.
>
> sigh. It would have been useful for you to say that at the beginning.
>
> If there are 100 Proxy-State attributes, it's likely because you screwed up proxying somewhere. It makes *no* sense to proxy packets through 100 servers.

Ok, here is my robust-example-accounting that I am using for proxy:

        home_server home1.example.com {
                type = acct
                ipaddr = 10.1.67.37
                port = 1813
                secret = free-rad512
                # Mark this home server alive ONLY when it starts being responsive
                status_check = request
                username = test_user_status_check
                response_window = 6
        }

        home_server home2.example.com {
                type = acct
                ipaddr = 10.1.67.28
                port = 1813
                secret = free-rad512
                # Mark this home server alive ONLY when it starts being responsive
                status_check = request
                username = test_user_status_check
                response_window = 6
        }

        home_server acct_detail.example.com {
                virtual_server = acct_detail.example.com
        }

        home_server_pool acct_pool.example.com {
                type = load-balance     # other types are OK, too.
                home_server = home1.example.com
                home_server = home2.example.com
                fallback = acct_detail.example.com
                virtual_server = home.example.com
        }

        realm test_cpe.com {
                acct_pool = acct_pool.example.com
                nostrip
        }

        server acct_detail.example.com {
                accounting {
                        detail.example.com
                }
        }

        server home.example.com {
                pre-proxy {
                }
                post-proxy {
                        Post-Proxy-Type Fail {
                                detail.example.com
                        }
                }
                listen {
                        type = detail
                        filename = ${radacctdir}/detail.example.com/detail-*:*
                        load_factor = 10
                }
                accounting {
                        update control {
                                Proxy-To-Realm := test_cpe.com
                        }
                }
        }

It works fine, but when one of the servers goes down for a long period, it sends a lot of Proxy-State attributes.

Regards
Waqas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
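An added example (my own code, not part of the thread or of FreeRADIUS): every proxy hop appends one Proxy-State attribute (RFC 2865 type 33), so counting them in a received Accounting-Request tells you how many times the packet has been proxied, and a count far above the real depth of the chain is the symptom of a packet being re-proxied in a loop. The script builds a constructed Accounting-Request with a constructed shared secret, verifies its Request Authenticator, and counts the Proxy-State attributes; the secret, user name and hop values are all made up.

```python
import hashlib
import hmac
import struct

PROXY_STATE = 33      # RFC 2865 attribute type Proxy-State
ACCT_REQUEST = 4      # RADIUS code Accounting-Request


def build_accounting_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Build a constructed RFC 2866 Accounting-Request. The Request Authenticator
    is MD5(Code + ID + Length + 16 zero bytes + attributes + shared secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_authenticator(packet: bytes, secret: bytes) -> bool:
    """Reject packets whose Request Authenticator was not made with our secret."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes):
    """Walk the attribute TLVs after the 20-byte header; reject bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def proxy_state_hops(packet: bytes) -> int:
    """Each proxy hop appends one Proxy-State, so the count is the proxy depth."""
    return sum(1 for atype, _ in parse_attributes(packet) if atype == PROXY_STATE)


if __name__ == "__main__":
    secret = b"constructed-secret"   # constructed, not a real shared secret
    base = [(1, b"user@test_cpe.com"), (40, struct.pack("!I", 1))]  # User-Name, Acct-Status-Type=Start
    looped = base + [(PROXY_STATE, b"hop-%d" % i) for i in range(120)]  # a looping packet
    pkt = build_accounting_request(secret, 7, looped)
    print("authenticator ok:", verify_accounting_authenticator(pkt, secret),
          "proxy hops:", proxy_state_hops(pkt))
```

A monitoring hook that alerts when proxy_state_hops() exceeds the number of proxies you actually operate catches a misconfigured proxy chain long before a peer starts complaining about packet sizes.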
Re: Radrelay and off-server accounting
Hello Alan,

> Etienne Pretorius wrote:
> > When I change the REALM to the following:
> >
> >         realm IPASS {
> >                 nostrip
> >                 #pool = IPASS
> >                 Proxy-To-Realm := LOCAL
> >         }
> >
> > It won't work.
>
> You can't put proxy-To-Realm there.

It was only to demonstrate that when I have the pool active then the radrelayed accounting packet does not return success.

> > It works, but now this server can not authenticate for IPASS. So I am sure that something is wrong with radrelaying to a realm that needs to acct off another server...
>
> Read the debug log.

As per the debug log:

        } # server UPSTREAMPROVIDER
        Going to the next request
        Received proxied response code 0 from internal virtual server.
        WARNING: Empty post-proxy section. Using default return values.
        Finished request 2.

Because it is returning response code of 5 now (without an active pool). Where specifically have I missed something in the debug log?

Kind Regards,
Etienne Pretorius
Re: groups with port permissions
Stephen, thank you for your answer!

I try to do the groups but I don't know how. Where should I assign the pools?

I have FreeRADIUS Version 2.1.10 and in /etc/freeradius/modules/ippool I added:

        ippool lowpool {
                range-start = 192.168.181.129
                range-stop = 192.168.181.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.iplowpool
                ip-index = ${raddbdir}/db.iplowindex
                override = no
                maximum-timeout = 0
        }

        ippool mipool {
                range-start = 192.168.182.129
                range-stop = 192.168.182.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ipmipool
                ip-index = ${raddbdir}/db.ipmiindex
                override = no
                maximum-timeout = 0
        }

In /etc/freeradius/users I added:

        DEFAULT Group == low, Pool-Name := lowpool
        DEFAULT Group == mi, Pool-Name := mipool

and it doesn't work :( Can somebody help me?

Thanks a lot!!!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/groups-with-port-permissions-tp4300533p4310390.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
can attr_filter.accounting_response be used in post-proxy section ?
Dear All,

In the post-proxy section, I wrote lines as follows:

        post-proxy {
                if (cond) {
                        attr_filter.accounting_response
                }
        }

But it seems not to work as expected. Any ideas?

Best Regards
WeiJingPeng
RE: WildCard/Subject Alternative Names Cert Question
Well, I was pounding my head against the wall on this as I couldn't find anything meaningful in the EAP logs. I then spoke to my CA about it and they said they've seen numerous problems with wildcard certs and RADIUS, and that they normally just give a free normal common-name cert for the RADIUS server when customers have this problem, so they gave me one. Seems like Microsoft's client just doesn't like their wildcard certs. When I put the normal cert they gave me into my FreeRADIUS server, it worked fine.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-Original Message-
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Saturday, April 16, 2011 9:58 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: WildCard/Subject Alternative Names Cert Question

Ok, thank you.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-Original Message-
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Saturday, April 16, 2011 5:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: WildCard/Subject Alternative Names Cert Question

On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
> When you say client EAP tracing do you mean on the Microsoft side, or

Yes

> is there something you can do on the freeradius side? When I lookup

No

> eap tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?

You need to read them on a windows system, obviously.

IIRC you need to use the tracerpt utility.
Re: The last piece of the puzzle - XP host authentication
hi,

your User-Name is going from a sane value 'host/LP-0010.myorg.org' to just '/LP-0010.myorg.org' - are you playing around with hints? you don't need to remove the host/ part - in fact, messing with the User-Name will cause EAP to break...especially when a windows machine is involved.

if you are authing against AD then you actually need to keep the entry as host/LP-0010.myorg.org - the ntlm_auth part should deal with it... the required '$' ending will be there :-)

alan
RE: The last piece of the puzzle - XP host authentication
-Original Message-
From: freeradius-users-bounces+eastb=pffcu@lists.freeradius.org [mailto:freeradius-users-bounces+eastb=pffcu@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, April 18, 2011 3:54 PM
To: FreeRadius users mailing list
Subject: Re: The last piece of the puzzle - XP host authentication

> hi,
>
> your User-Name is going from a sane value 'host/LP-0010.myorg.org' to just '/LP-0010.myorg.org' - are you playing around with hints? you don't need to remove the host/ part - in fact, messing with the User-Name will cause EAP to break...especially when a windows machine is involved.
>
> if you are authing against AD then you actually need to keep the entry as host/LP-0010.myorg.org - the ntlm_auth part should deal with it... the required '$' ending will be there :-)

Right you are, I forgot to back that out from my experimentation:

        :/etc/raddb# diff hints ../raddb.clean/hints
        36d35 DEFAULT Prefix == host, Strip-User-Name = Yes

You know, looking at other changes I've made I've just realized I need to take a step back. Specifically, I could not get ntdomain working, so I had turned on nt_domain_hack. I've turned it back off, so now login/enable authentication is working but port auth is not. I'm going to have to work on that some more. Dammit.

--
be XIV: After the year 2015, there will be no airplane crashes. There will be no takeoffs either, because electronics will occupy 100 percent of every airplane's weight.
what does the attribute PW_DIGEST_NONCE represent in the rlm_digest module?
Hi,

I would like to know what the attribute PW_DIGEST_NONCE (1064) represents in the rlm_digest module in the radius server? My radius log information is given here.

--the radius log information for the authentication packet starts here--

        Received radius packet:
                NAS-Identifier = localhost.localdomain
                Digest-Attributes = \003\010INVITE
                Digest-Attributes = \006\005MD5
                Digest-Attributes = \002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6
                Digest-Attributes = \n\014659970
                User-Name = 659970@192.168.104.239
                Digest-Attributes = \004 sip:659508@192.168.104.240
                Digest-Response = 1ee3c49572b6fcd4a9e0438bba8810dc
                Digest-Attributes = \001\021192.168.104.239
        rlm_sql in rlm_sql_authenticate

--the radius log information ends here--

The Digest-Attributes = \002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6 is the PW_DIGEST_NONCE with 60d9d2b7b8ab7b4da4014bcdac1724b7320068d6 as the value.

In my setup, the radius client uses SIP. I want to know whether the PW_DIGEST_NONCE in the digest attributes can be used as a Session ID of the SIP call or the Call-Reference of the authentication packet? Or, only after receiving the RLM_MODULE_OK for the digest request, will the radius client send the further SIP call information in the next packet?

A little background about the problem I face: I have a customized radius source (taken from freeradius a few years back) to work with radius clients to perform authentication and accounting with only the rlm_detail, rlm_preprocess and rlm_sql (with unixodbc) modules. Now, I have a requirement for the radius server to work with a radius client which has SIP. And I have found that the radius client with SIP uses the 'rlm_digest' module as part of authentication. This is when I have the following issues:

a) I can not just integrate the 'rlm_digest' module source into the existing radius server source to work, since the changes are quite a lot.
b) I have very limited or no details about how the radius client with SIP works.

This is why I wanted to get more information about the role of the rlm_digest module and how to handle it in my situation.

Thanks.
./maximus

--
View this message in context: http://freeradius.1045715.n5.nabble.com/what-does-the-attribute-PW-DIGEST-NONCE-represent-in-the-rlm-digest-module-tp4312363p4312363.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
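An added example (my own code, not rlm_digest's source and not from the thread): each Digest-Attributes value in the log above is one sub-TLV (sub-attribute number, a length byte that includes the two header bytes, then the text, so \003\010INVITE is sub-attribute 3 = method, length 8, "INVITE"), and the nonce is sub-attribute 2. The script decodes those sub-TLVs and recomputes the RFC 2617 response the way an HTTP/SIP Digest verifier does, which shows what the nonce is for: it is the challenge value the SIP server put in its 401/407 response and it is hashed into the client's Digest-Response, not a call or session identifier. The password below is constructed, so the result will not equal the Digest-Response in the log; the DIGEST_SUB names are the FreeRADIUS dictionary's sub-attribute numbers.

```python
import hashlib
import hmac

# Sub-attribute numbers carried inside Digest-Attributes (FreeRADIUS dictionary)
DIGEST_SUB = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop", 6: "algorithm",
              7: "body-digest", 8: "cnonce", 9: "nonce-count", 10: "username"}


def encode_digest_attribute(subtype: int, value: str) -> bytes:
    """One Digest-Attributes value: subtype byte, length byte (header included), text."""
    data = value.encode()
    if len(data) + 2 > 255:
        raise ValueError("sub-attribute too long for a one-octet length")
    return bytes([subtype, len(data) + 2]) + data


def decode_digest_attributes(values) -> dict:
    """Decode all Digest-Attributes values of one request into name -> text."""
    fields = {}
    for raw in values:
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("Digest-Attributes sub-TLV length mismatch")
        fields[DIGEST_SUB.get(raw[0], "unknown-%d" % raw[0])] = raw[2:].decode()
    return fields


def expected_digest_response(fields: dict, password: str) -> str:
    """RFC 2617 response for algorithm MD5: HA1 = MD5(username:realm:password),
    HA2 = MD5(method:uri); without qop, response = MD5(HA1:nonce:HA2); with qop,
    nonce-count, cnonce and qop are mixed in between. The nonce is the server's
    challenge, so a response is only valid against that one challenge."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5("%s:%s:%s" % (fields["username"], fields["realm"], password))
    ha2 = md5("%s:%s" % (fields["method"], fields["uri"]))
    if "qop" in fields:
        return md5(":".join([ha1, fields["nonce"], fields["nonce-count"],
                             fields["cnonce"], fields["qop"], ha2]))
    return md5("%s:%s:%s" % (ha1, fields["nonce"], ha2))


def digest_response_matches(values, password: str, digest_response: str) -> bool:
    """The decision a Digest verifier makes: constant-time compare of the client's
    Digest-Response with the value recomputed from the stored password."""
    expected = expected_digest_response(decode_digest_attributes(values), password)
    return hmac.compare_digest(expected, digest_response.lower())


if __name__ == "__main__":
    # Constructed request mirroring the log above; the password is made up.
    request = [encode_digest_attribute(3, "INVITE"), encode_digest_attribute(6, "MD5"),
               encode_digest_attribute(2, "60d9d2b7b8ab7b4da4014bcdac1724b7320068d6"),
               encode_digest_attribute(10, "659970"), encode_digest_attribute(1, "192.168.104.239"),
               encode_digest_attribute(4, "sip:659508@192.168.104.240")]
    print(decode_digest_attributes(request))
    print(expected_digest_response(decode_digest_attributes(request), "constructed-password"))
```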