Re: ldap server connection timeout

2011-05-03 Thread Alan DeKok
Daniel Davidson wrote:
 My new wireless network tested great, but now that I have rolled it out
 to the entire building, I get error messages like:
 
 Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed
 out while waiting for server to respond. Please increase the timeout.

  Make sure your LDAP server is up and reachable.

 The only existing firewalls are on the machines themselves and the ip
 range of the servers are open with each other.  Any ideas?

  It's a networking issue and has nothing to do with FreeRADIUS.  The
server is just a victim of the underlying problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius authentication ldap and windows 7 (PEAP mschapv2)

2011-05-03 Thread rene.go...@laposte.net



Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Alan DeKok
Gary T. Giesen wrote:
 I've compiled freeradius with the --with-udpfromto directive.
...
 However, if I specify multiple IPs to bind to (rather than just one or
 all), it reverts to the behaviour of responding to all requests
 with a source IP of the first bind directive listed. For example:

  That's weird.  Please try the v2.1.x branch from
http://git.freeradius.org.  It has some fixes to the udpfromto code
which should help.

  Alan DeKok.


Re: Multiple MACs per Network

2011-05-03 Thread John Corps
Sure no problem... I have made it so it is very easy to see whose mac
belongs to whom.

--
-- Table structure for table `MACAUTH`
--

CREATE TABLE IF NOT EXISTS `MACAUTH` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `macaddress` varchar(64) NOT NULL,
  `SSID` varchar(255) NOT NULL,
  `CLIENTSNAME` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

On Mon, May 2, 2011 at 3:43 PM, Arran Cudbard-Bell a.cudba...@gmail.com wrote:
 Yeah I missed out a bunch of things, well done for figuring it out .

 Would you mind dumping out the schema of your table, and I can add it and the 
 below snippet to the wiki for future users?

 Thanks,
 Arran
 On May 2, 2011, at 6:51 AM, John Corps wrote:

 Wow, I totally overlooked that, many thanks Arran! I have it set up and
 working perfectly! Many many thanks again. The sql was wrong in your
 post, missing some quotes or something, so the working code was, my
 complete authorize section:

 authorize {
       preprocess
       # Normalize the NAS-supplied MAC formats before they are used in the lookup below.
       rewrite_calling_station_id
       rewrite_called_station_id
       if ("%{sql:SELECT COUNT(*) FROM `SSIDMACAUTH` WHERE macaddress = '%{Calling-Station-ID}' AND SSID = '%{Called-Station-SSID}'}" == 1) {
               ok
               update control {
                       Auth-Type := Accept
               }
       }
       else {
               reject
       }
 }

 Obviously the sql line can be optimized so that the update control
 section doesn't need to be referenced; it can be pulled from the
 table, but the original sql I have is just counting the number of
 rows returned, and if it's more than or equal to 1, it accepts the user.

 Thanks again.


 On Fri, Apr 29, 2011 at 2:48 PM, Arran Cudbard-Bell
 a.cudba...@gmail.com wrote:
 John,

 To be honest it's probably easier to use the SQL xlat than calling the SQL
 module if you're just trying to determine whether a mac address is allowed
 to access an SSID. The SQL module is meant for more complex configurations.

 Create a new table with two fields 'ssid' and 'macaddress'

 authorize {
        preprocess
        # Normalize the MAC and split off the SSID first, so the lookup sees canonical values.
        rewrite_calling_station_id
        rewrite_called_station_id
        if ("%{sql:SELECT COUNT(*) FROM `my_mac_table` WHERE macaddress = '%{Calling-Station-ID}' AND ssid = '%{Called-Station-SSID}'}" == 1) {
                ok
        }
        else {
                reject
        }
 }

 FYI in your example you listed sql and sql.authorize; in the authorize
 section they do the same thing. Modules generally perform different actions
 depending on the section from which they're called; adding a suffix of
 .section_name overrides this and explicitly sets a section name.

 -Arran

 On Apr 29, 2011, at 11:24 AM, John Corps wrote:

 Do you have an example of how to accomplish this? I have tried a lot
 of things but can't seem to get it to work. I have this in my
 authorize section:
 authorize {
        preprocess
        rewrite_calling_station_id
        rewrite_called_station_id
        sql
        sql.authorize
        if(notfound){
                reject
        }
        else{
                ok
        }
 }
 Do I have to add anything else here, or where do I do the check
 attribute? I have created a new table in my db called just macauth
 that has the same structure as the radacct table except for the
 addition of an SSID field. I have tried to modify the original
 sql for checking the radacct table to reflect the ssid table, so check
 ssid table where macaddress is the macaddress and ssid is the ssid. I
 am stuck here as when connecting it just shows up in debug as the user
 was not found...

 [sql]         expand: SELECT id, macaddress, attribute, value, op
 FROM SSIDMACAUTH           WHERE SSID = '%{Called-Station-SSID}'
    AND macaddress ='%{Calling-Station-ID}'           ORDER BY id -
 SELECT id, macaddress, attribute, value, op           FROM SSIDMACAUTH
          WHERE SSID = 'SSID'           AND macaddress
 ='00-11-22-33-44-55'           ORDER BY id
 rlm_sql_mysql: query:  SELECT id, macaddress, attribute, value, op
      FROM SSIDMACAUTH           WHERE SSID = 'RADIUSTEST'
 AND macaddress ='00-11-22-33-44-55'           ORDER BY id
 [sql]         expand: SELECT groupname           FROM radusergroup
 WHERE username = '%{SQL-User-Name}'           ORDER BY priority -
 SELECT groupname           FROM radusergroup           WHERE username
 = '00-11-22-33-44-55'           ORDER BY priority
 rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = '00-11-22-33-44-55'           ORDER BY
 priority
 rlm_sql (sql): Released sql socket id: 3
 [sql] User 00-11-22-33-44-55 not found

 I think I am missing something here as the user is found in the db,
 but I think it is trying to read the results from something like username and
 not macaddress. Any insight would be great, thanks.


 On Thu, Apr 28, 2011 at 4:29 PM, Arran Cudbard-Bell
 a.cudba...@gmail.com wrote:

 On Apr 28, 2011, at 1:13 PM, John Corps wrote:

 Thank 
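The MAC-per-SSID check discussed in this thread, modelled in Python as an added example (it is not code from the thread or from FreeRADIUS). It assumes the rewrite_* policies canonicalize MACs to lowercase hyphen-separated form and split 'MAC:SSID' into Called-Station-SSID, uses an in-memory sqlite stand-in for the SSIDMACAUTH table loaded with constructed rows, and runs the COUNT query with bound parameters.

```python
import re
import sqlite3

# Constructed rows standing in for the MACAUTH/SSIDMACAUTH table in the thread.
SAMPLE_ROWS = [
    ("00-11-22-33-44-55", "RADIUSTEST", "lab laptop"),
    ("aa-bb-cc-dd-ee-ff", "Guest", "visitor tablet"),
]

# Six hex pairs with at most one non-hex separator between pairs: the shape the
# stock rewrite_* policies match (assumed here, see lead-in).
MAC_ADDR = (r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
            r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})")
CALLING_RE = re.compile("^" + MAC_ADDR + "$", re.I)
CALLED_RE = re.compile("^" + MAC_ADDR + r"(:(.+))?$", re.I)  # optional ':SSID'

def _canonical(m):
    # Assumed canonical form: lowercase, hyphen separated, e.g. 00-11-22-33-44-55.
    return "-".join(m.group(i).lower() for i in range(1, 7))

def rewrite_calling_station_id(value):
    """Normalize the client MAC; None when the NAS sent something that is not a MAC."""
    m = CALLING_RE.match(value)
    return _canonical(m) if m else None

def rewrite_called_station_id(value):
    """Split 'MAC:SSID' into (normalized MAC, SSID); SSID is None when absent."""
    m = CALLED_RE.match(value)
    if not m:
        return None, None
    return _canonical(m), m.group(8)

def open_macauth_db():
    """In-memory sqlite stand-in for the MySQL table, loaded with SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SSIDMACAUTH (id INTEGER PRIMARY KEY, macaddress TEXT NOT NULL,"
               " SSID TEXT NOT NULL, CLIENTSNAME TEXT NOT NULL)")
    db.executemany("INSERT INTO SSIDMACAUTH (macaddress, SSID, CLIENTSNAME) VALUES (?, ?, ?)",
                   SAMPLE_ROWS)
    return db

def authorize(db, calling_station_id, called_station_id):
    """Mirror the authorize { } block: accept only when the (MAC, SSID) pair is listed."""
    mac = rewrite_calling_station_id(calling_station_id)
    _, ssid = rewrite_called_station_id(called_station_id)
    if mac is None or ssid is None:
        return "reject"  # unparsable MAC or no SSID component: nothing to look up
    # Bound parameters, so NAS-supplied strings can never change the query's shape.
    (count,) = db.execute(
        "SELECT COUNT(*) FROM SSIDMACAUTH WHERE macaddress = ? AND SSID = ?",
        (mac, ssid)).fetchone()
    # The posted unlang tests for exactly 1; >= 1 also tolerates a duplicated row.
    return "accept" if count >= 1 else "reject"
```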

Re: ldap server connection timeout

2011-05-03 Thread Daniel Davidson
Upon seeing Alan's response, I took the step of installing openldap on 
the radius machine and then trying it with the ldap module pointing to 
localhost.  I am still seeing the same results from this.  The server is 
up and taking requests.


Any other ideas as to what could be causing this?

Dan


On 05/03/2011 05:00 AM, freeradius-users-requ...@lists.freeradius.org 
wrote:

Daniel Davidson wrote:

  My new wireless network tested great, but now that I have rolled it out
  to the entire building, I get error messages like:
  
  Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed

  out while waiting for server to respond. Please increase the timeout.

   Make sure your LDAP server is up and reachable.


  The only existing firewalls are on the machines themselves and the ip
  range of the servers are open with each other.  Any ideas?

   It's a networking issue and has nothing to do with FreeRADIUS.  The
server is just a victim of the underlying problem.

   Alan DeKok.





Multiple ldaps (SSL) backends and only the first queried works. Possible bug?

2011-05-03 Thread Daniele Albrizio
I've two ldaps backends instantiated like:

authorize {
        ...
        Autz-Type OPENLDAP {
                openldap
        }
        Autz-Type ADLDAP {
                adldap
        }
        ...
}

authenticate {
        ...
        Auth-Type OPENLDAP {
                openldap
        }
        Auth-Type ADLDAP {
                adldap
        }
        ...
}


The two modules are configured as follows using DIFFERENT issuing CAs...

ldap adldap {
        server = ldaps://myAD.ds.units.it
        identity = ...
        password = ...
        basedn = ...
        filter = (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = no
                cacertfile = /usr/local/etc/raddb/.../certs/ad_root_ca.pem
                require_cert = demand
        }
        ...
}


ldap openldap {
        server = ldaps://myopenldap.units.it
        identity = ...
        password = ...
        basedn = ...
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 5
        timelimit = 5
        net_timeout = 10
        tls {
                start_tls = no
                cacertfile = /etc/ssl/certs/AddTrust_External_Root.pem
                require_cert = demand
        }
        ...
}


Now, the problem is that once I started freeradius, the first connection
to an ldap server goes straight, while the second (to the other one) says:

ldap_create
ldap_url_parse_ext(ldaps://myAD.ds.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myAD.ds.units.it:636
ldap_new_socket: 32
ldap_prepare_socket: 32
ldap_connect_to_host: Trying yyy.yyy.yyy.yyy:636
ldap_pvt_connect: fd: 32 tm: 1 async: 0
ldap_ndelay_on: 32
ldap_int_poll: fd: 32 tm: 1
ldap_is_sock_ready: 32
ldap_ndelay_off: 32
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string

...and letting the first request be to the myAD server (soon after a
restart):

ldap_create
ldap_url_parse_ext(ldaps://myopenldap.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myopenldap.units.it:636
ldap_new_socket: 33
ldap_prepare_socket: 33
ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636
ldap_pvt_connect: fd: 33 tm: 10 async: 0
ldap_ndelay_on: 33
ldap_int_poll: fd: 33 tm: 10
ldap_is_sock_ready: 33
ldap_ndelay_off: 33
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string


I suspect the cacertfile attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new ldaps connection.

Any suggestions?


-- 
   Daniele ALBRIZIO - albri...@univ.trieste.it



Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?

2011-05-03 Thread Daniele Albrizio
On 03/05/11 19:00, Daniele Albrizio wrote:
 I've two ldaps backends instantiated like:

Forgot...
Using compiled freeradius-server-2.1.10 on Debian GNU/Linux 6.0


-- 
   Daniele ALBRIZIO - albri...@univ.trieste.it
   Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Divisione V - Infrastrutture e Servizi Informativi
  via Alfonso Valerio, 12 I-34127 Trieste, Italy
Sezione Infrastrutture Informatiche e Telematiche


Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Gary T. Giesen
Built latest git and still the exact same results.

GG

On Tue, May 3, 2011 at 8:23 AM, Alan DeKok al...@deployingradius.com wrote:
 Gary T. Giesen wrote:
 I've compiled freeradius with the --with-udpfromto directive.
 ...
 However, if I specify multiple IPs to bind to (rather than just one or
 all), it reverts to the behaviour of responding to all requests
 with a source IP of the first bind directive listed. For example:

  That's weird.  Please try the v2.1.x branch from
 http://git.freeradius.org.  It has some fixes to the udpfromto code
 which should help.

  Alan DeKok.





Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Gary T. Giesen
My apologies, it does seem to be working correctly now... I found part
of the problem was that I hadn't specified a source IP address for
proxying, but direct clients were broken as well, so I'm going to
drop back to the old version and see if I still have the same problem.

GG

On Tue, May 3, 2011 at 3:01 PM, Gary T. Giesen gie...@snickers.org wrote:
 Built latest git and still the exact same results.

 GG

 On Tue, May 3, 2011 at 8:23 AM, Alan DeKok al...@deployingradius.com wrote:
 Gary T. Giesen wrote:
 I've compiled freeradius with the --with-udpfromto directive.
 ...
 However, if I specify multiple IPs to bind to (rather than just one or
 all), it reverts to the behaviour of responding to all requests
 with a source IP of the first bind directive listed. For example:

  That's weird.  Please try the v2.1.x branch from
 http://git.freeradius.org.  It has some fixes to the udpfromto code
 which should help.

  Alan DeKok.






Re: Multiple groups per user

2011-05-03 Thread googerdi
  b. Fall-Through was set in the last group's reply items 

Thanks 
It was exactly the problem!



Re: ldap server connection timeout

2011-05-03 Thread Alexander Clouter
Daniel Davidson dani...@igb.uiuc.edu wrote:

 My new wireless network tested great, but now that I have rolled it out 
 to the entire building, I get error messages like:
 
 Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed 
 out while waiting for server to respond. Please increase the timeout.
 
 And when these trigger, nearly everyone gets disconnected for about 5 
 seconds.  Possible relevant code from ldap module:
 
 ldap {
   #private stuff -- BUT CRUCIAL!
 ldap_connections_number = 15
 timeout = 10
 timelimit = 10
 net_timeout = 5
 }
 
 The only existing firewalls are on the machines themselves and the ip 
 range of the servers are open with each other.  Any ideas?
 
I am guessing your LDAP server is *way* too slow when processing the 
queries you are making it munch through.  Typical 'first-timer' mistakes are 
that you are not indexing the important attributes.  For example our 
filter looks like:

filter = 
(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))

This takes ~0.02s to respond for us.  How long does it take to process 
the query at your end?  (Test with the following, and remember to test 
the server when it is under load, which is probably why it worked 
before you widely deployed it):

time ldapsearch -h ldap-server.example.com -x -LLL 'query'


Where query is what you see FreeRADIUS make in the output of 'radiusd 
-X'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Out of register space (ugh)
-- vi



Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Alexander Clouter
Gary T. Giesen gie...@snickers.org wrote:
 
 In this configuration, freeradius will always respond from 
 192.168.1.250, even if the initial request was sent to 1.2.3.4. This 
 is obviously breaking things for me, as I'd rather not have freeradius 
 listen on every interface on the server (and there are a number of 
 them).

 Am I doing something wrong? Am I expecting the wrong behaviour? Or is 
 this a bug?
 
What's the:
 * OS
 * output of 'ip route' and 'ip route get src-ip-of-request'

If you are multihomed (can get to the same IP via more than one 
interface/gateway) then it should work.  If you have misconfigured the 
server so that it does not know how to route to src-ip-of-request via the 
interface it saw the packet come in on, then you will have a problem 
(although I would have expected no reply at all).

Cheers

-- 
Alexander Clouter
.sigmonster says: Vax Vobiscum



Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?

2011-05-03 Thread Alexander Clouter
Daniele Albrizio albri...@univ.trieste.it wrote:

 I suspect the cacertfile attribute is not correctly re-instantiated
 and only the value of the first request is used to check against when
 instantiating a new ldaps connection.
 
Without a doubt the chaining is not working on your LDAP servers.  What 
is the full output of:

openssl s_client -connect myAD.ds.units.it:636 -showcerts
openssl s_client -connect myopenldap.units.it:636 -showcerts

You can pipe the server cert (cut'n'paste on stdin) through the 
following to see the useful parts of the certs:

openssl x509 -noout -text

You probably will find if you change those tls 'demands' to 'never' 
things work, but then it kinda is self defeating :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You can't break eggs without making an omelet.



Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Alexander Clouter
Tanjil Ahmed tan...@tanjil.net wrote:
 
 why does radius not auto-bind the MAC from the user on first use? Like mikrotik
 user manager has this option...
 
...dear user, why do people keep hijacking mailing list threads and use 
the *Reply-To* button rather than *Compose* in their email clients?

 is there any way?
 
Indeed.

Regards

-- 
Alexander Clouter
.sigmonster says: Talk is cheap because supply always exceeds demand.
