RE: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?
Hello,

My Wimax device requires MPPE keys to be sent in access accept; if I change that setting in module/wimax from no to yes the wimax doesn't connect anymore. My problem is not getting my Wimax device connected, that's already done. My problem is that I want specific values of the Filter-Id attribute sent in access-accept according to the user-name sent in access-request:

  Filter-ID = Profile1 when user c...@eads.com is trying to connect.
  Filter-ID = Profile2 when user c...@eads.com is trying to connect.

Regards,
Thomas

PS: Uncommenting the wimax lines in the site-enable and inner-tunnel conf files is already done.

-----Original Message-----
From: freeradius-users-bounces+thomas.hahusseau=cassidian@lists.freeradius.org [mailto:freeradius-users-bounces+thomas.hahusseau=cassidian@lists.freeradius.org] On Behalf Of David Peterson
Sent: Tuesday, 31 May 2011 19:31
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?

Make sure you configure FR to delete the MPPE keys. This can be found in the /modules/wimax file. Set the value from No to Yes. As well, you need to configure the server to use the inner-tunnel.

I would start from the default FR settings, uncomment the wimax entries you see in sites-available/default and sites-available/inner-tunnel, make the change in the /modules/wimax file and make sure your profile names match as this is case sensitive.

David

-----Original Message-----
From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of Hahusseau, Thomas
Sent: Tuesday, May 31, 2011 1:18 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?

Hello,

I'm running the latest version from the Master Branch of Freeradius. I managed to connect an Alvarion CPE to an Alvarion 4M BS with the Freeradius server as authenticator. Everything works well except that I directly specified in my /site-enable/default configuration file the value of the Filter-Id attribute required by the base station.

--- /site-enabled/default
post-auth {
        exec
        update request {
                WiMAX-MN-NAI = %{User-Name}
        }
        update reply {
                WiMAX-FA-RK-Key = 0x00
                WiMAX-MSK = %{reply:EAP-MSK}
                Filter-Id = Profile1
        }
        wimax
        Post-Auth-Type REJECT {
                # log failed authentications in SQL, too.
                # sql
                attr_filter.access_reject
        }
}
---

I would like to use a different value of the attribute Filter-Id for different users (specific QoS setting in the Alvarion ASN-GW for each Filter-Id). I would like to use the Filter-ID value specified in my users conf file:

--- users
#standard customer
c...@eads.com   Cleartext-Password := cpe1
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = Profile1

#VIP customer
c...@eads.com   Cleartext-Password := cpe2
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = Profile2
---

I tried to use the same syntax as for the WiMAX-MSK attribute:

        Filter-ID = %{Filter-Id}

but it doesn't work (the Filter-ID value in access-accept is empty). I googled "Filter-Id freeradius" and found nothing relevant. Is it possible to use the Filter-ID value from the users conf file in access-accept?

Here is an example of an access-accept message with filter-id specified directly in the site-enable/default conf file.

--- radiusd -X
(7) Found Auth-Type = ?
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Request found, released from the list
(7) eap : EAP/ttls
(7) eap : processing type ttls
(7) ttls : Authenticate
(7) ttls : processing EAP-TLS
(7) ttls : Received TLS ACK
(7) ttls : Received TLS ACK
(7) ttls : ACK handshake is finished
(7) ttls : eaptls_verify returned 3
(7) ttls : eaptls_process returned 3
(7) ttls : Using saved attributes from the original Access-Accept
(7) eap : Freeing handler
(7) [eap] = ok
(7) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(7) group post-auth {
(7) - entering group post-auth {...}
(7) [exec] = noop
(7) update request {
(7) expand: %{User-Name} - {am=1}791d05915a25400ca9d1a3cb1a2c7...@eads.com
(7) } # update request = noop
(7) update reply {
(7) expand: %{reply:EAP-MSK} - 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528cb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
(7) } # update reply = noop
(7) wimax : MIP-RK = 0x9ec871a65c3033e03c0d77ed55a1517d4b7dbbbeb2d782bcf369635861e64925c5db13c362
Wiki - once upon a time there was documentation
Hi to all,

what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing. Also I couldn't find a lot of stuff that I'm sure there was on the wiki. Also searching stuff is now a pain.

Is the old version still accessible in some way?

Thanks to all,
Denis
Re: Wiki - once upon a time there was documentation
On 01/06/11 10:28, den2k wrote:
> Hi to all, what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing. Also I couldn't find a lot of stuff that I'm sure there was on the wiki.

Example?

> Also searching stuff is now a pain.

Be more specific. How is searching a pain?
wiki login returning 500
I'm getting:

  HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfil the request.

...when I try to log in using the GitHub referral/login thing; the error is from this URL:

  http://wiki.freeradius.org/auth/github/callback?code=
Re: Wiki - once upon a time there was documentation
2011/6/1 Phil Mayers p.may...@imperial.ac.uk
> On 01/06/11 10:28, den2k wrote:
>> Hi to all, what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing. Also I couldn't find a lot of stuff that I'm sure there was on the wiki.
>
> Example?

Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more. It was the lack of any explanation that I was referring to as lack of material (I'm not an English native speaker so I make some mistakes).

>> Also searching stuff is now a pain.
>
> Be more specific. How is searching a pain?

The entire resultset is now organized under a hierarchy of links that does not allow one to see a snippet of the page, nor to know which documents it exactly points to, thus forcing the user to open a huge amount of tabs only to get a handful of tabs pointing to the same document.
Re: Wiki - once upon a time there was documentation
On 01/06/11 10:57, den2k wrote:
>> Example?
>
> Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more. It was the lack of any explanation that I was referring to as lack of material (I'm not an English native speaker so I make some mistakes).

The wiki was recently migrated onto a new platform, and the idea is that it will be easier to update, and easier to include the resulting docs with the server.

This was discussed on the list - see the thread:

  New FreeRADIUS wiki - Help appreciated!

...in which the migration technique was discussed, and help was requested to reformat documents which had not migrated seamlessly.
Re: Wiki - once upon a time there was documentation
den2k wrote:
> what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing.

Click on the edit link. The content is still there, it is just not being rendered correctly.

And the operators are *also* documented in the doc directory, and in the man users page. Honestly, what more do you want? The content served to you on a silver tray?

> Also I couldn't find a lot of stuff that I'm sure there was on the wiki. Also searching stuff is now a pain.

Feel free to contribute *something* which makes the wiki better.

> Is the old version still accessible in some way?

All of the old content is still on the new Wiki.

Alan DeKok.
Re: wiki login returning 500
Phil Mayers wrote:
> I'm getting:
>
>   HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfil the request.
>
> ...when I try to log in using the GitHub referral/login thing; the error is from this URL:
>
>   http://wiki.freeradius.org/auth/github/callback?code=

Hmmm... works for me, with both github and facebook logins.

Alan DeKok.
Re: Wiki - once upon a time there was documentation
den2k wrote:
> Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more. It was the lack of any explanation that I was referring to as lack of material (I'm not an English native speaker so I make some mistakes).

All of that documentation was taken from the doc directory, and man pages for those files.

> The entire resultset is now organized under a hierarchy of links that does not allow one to see a snippet of the page, nor to know which documents it exactly points to, thus forcing the user to open a huge amount of tabs only to get a handful of tabs pointing to the same document.

Feel free to contribute changes which re-organize the wiki.

Alan DeKok.
Re: Wiki - once upon a time there was documentation
On 01/06/11 11:17, Phil Mayers wrote:
> On 01/06/11 10:57, den2k wrote:
>>> Example?
>>
>> Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more.
>
> The wiki was recently migrated onto a new platform, and the idea is that it will be easier to update, and easier to include the resulting docs with the server.
>
> This was discussed on the list - see the thread:
>
>   New FreeRADIUS wiki - Help appreciated!
>
> ...in which the migration technique was discussed, and help was requested to reformat documents which had not migrated seamlessly.

FWIW, it does look like the content is there in the Operators page, but it's one of the ones that didn't migrate and needs fixing.

Unfortunately I can't edit at the moment because I'm getting HTTP 500 errors when I try to log in.
Re: Wiki - once upon a time there was documentation
2011/6/1 Alan DeKok al...@deployingradius.com
> den2k wrote:
>> what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing.
>
> Click on the edit link. The content is still there, it is just not being rendered correctly.

Thank you all.

> And the operators are *also* documented in the doc directory, and in the man users page. Honestly, what more do you want? The content served to you on a silver tray?

With sugar, please :)

>> Also I couldn't find a lot of stuff that I'm sure there was on the wiki. Also searching stuff is now a pain.
>
> Feel free to contribute *something* which makes the wiki better.

I will probably do, after finishing the project and the dissertation which I'm working on.
Re: Wiki - once upon a time there was documentation
On 2011/06/01 12:17 PM, Phil Mayers wrote:
> ...in which the migration technique was discussed, and help was requested to reformat documents which had not migrated seamlessly.

Is the old wiki accessible anywhere so one can help to manually transfer info?

--
Johan Meiring
Cape PC Services CC
Re: Wiki - once upon a time there was documentation
On 01/06/11 11:54, Johan Meiring wrote:
> On 2011/06/01 12:17 PM, Phil Mayers wrote:
>> ...in which the migration technique was discussed, and help was requested to reformat documents which had not migrated seamlessly.
>
> Is the old wiki accessible anywhere so one can help to manually transfer info?

I suggest reading the detailed posts that Arran made.

tl;dr version: As far as I know, all the old content is in the new wiki. However, some of it might not render correctly. If this is the case, login, hit edit, and fix it.
Re: Wiki - once upon a time there was documentation
Johan Meiring wrote:
> Is the old wiki accessible anywhere so one can help to manually transfer info?

  $ git clone git://wiki.freeradius.org/wiki.freeradius.org.git

That gets you *all* of the content. You can't push changes, but you can paste the results into the edit page.

Alan DeKok.
Freeradius not releasing IPs from pool
Hello,

I have a problem with my pools in freeradius. The problem is that it is not releasing IPs from the pools. At least, not all of them, so after a while my users can't connect because the pool is full.

I check that it is not releasing IPs because I get (I have replaced usernames with X):

  root@vulpes21:/usr/share/doc/freeradius# radwho | grep 155.54.194
  X  PPP  999  Wed 10:28  155.54.213.20  155.54.194.128
  X  PPP  999  Wed 10:36  155.54.213.20  155.54.194.51
  X  PPP  999  Wed 10:42  155.54.213.20  155.54.194.8
  X  PPP  999  Wed 12:33  155.54.213.20  155.54.194.115
  X  PPP  999  Wed 12:37  155.54.213.20  155.54.194.101
  X  PPP  999  Wed 12:40  155.54.213.20  155.54.194.62
  X  PPP  999  Wed 13:06  155.54.213.20  155.54.194.92
  X  PPP  999  Wed 13:11  155.54.213.20  155.54.194.48
  X  PPP  999  Wed 13:24  155.54.213.20  155.54.194.78
  X  PPP  999  Wed 13:27  155.54.213.20  155.54.194.112
  X  PPP  999  Wed 13:28  155.54.213.20  155.54.194.59
  X  PPP  999  Wed 13:29  155.54.213.20  155.54.194.134

but rlm_ippool_tool shows a lot of IP addresses in use:

  root@vulpes21:/etc/freeradius# rlm_ippool_tool -a pool_vpn.ippool pool_vpn.ipindex | wc -l
  122

In my configuration I have:

  authorize {
          vpn_log
          vpn_syslog
          suffix
          files_vpn
          pap
  }
  authenticate {
          Auth-Type PAP {
                  pap
          }
          Auth-Type LDAP {
                  ldap-email
          }
  }
  preacct {
          suffix
          files_vpn
  }
  accounting {
          vpn_log
          unix
          pool_vpn
          pool_vpn_alu
          pool_vpn_ryt
          radutmp
          vpn_acc_syslog
          sql_log_um
  }
  session {
  }
  post-auth {
          pool_vpn
          pool_vpn_alu
          pool_vpn_ryt
          vpn_log
          vpn_syslog
  }
  pre-proxy {
  }
  post-proxy {
  }

Any idea?

Ah... I'm running 2.1.8 from ubuntu 10.04.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
RE: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?
I just use Framed-Filter-Id = profilename in the reply. When you added:

        update reply {
                WiMAX-FA-RK-Key = 0x00
                WiMAX-MSK = %{reply:EAP-MSK}
                Filter-Id = Profile1
        }

That replies with only 1 filter ID. Take the Filter-Id out and keep it in the users file:

        c...@eads.com   Cleartext-Password := cpe1
                Session-Timeout = 3600,
                Termination-Action = Radius-Request,
                Filter-Id = Profile1

David

-----Original Message-----
From: Hahusseau, Thomas [mailto:thomas.hahuss...@cassidian.com]
Sent: Wednesday, June 01, 2011 5:12 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?
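As an added example (not code from this thread or from FreeRADIUS itself), a small Python reader for the `users` file format under discussion: for a given User-Name it returns the reply attributes the matching entry contributes (Filter-Id among them) and then merges a static post-auth `update reply` list into them using the `=` (add only if absent) and `:=` (replace) operator semantics documented in `man unlang`. The user names, passwords and request dicts are constructed, the password check is a simplified PAP comparison, and xlat strings such as `%{reply:EAP-MSK}` are not expanded.

```python
"""Minimal reader for the FreeRADIUS ``users`` file format (added example,
not FreeRADIUS code).  Simplifications: exact User-Name match only (no
DEFAULT entries, no Fall-Through, no regex operators); check items are
either ``==`` tests against request attributes or ``:=``/``=`` control
items such as Cleartext-Password; xlat strings are left unexpanded.
"""
import hmac
import re

# One "Attr op value" item; values may be double-quoted.  The comma that
# separates reply items in the users file is simply skipped over.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

# Constructed stand-in for the two entries posted in the thread.
USERS_FILE = """\
#standard customer
cpe1@example.com  Cleartext-Password := cpe1
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = Profile1

#VIP customer
cpe2@example.com  Cleartext-Password := cpe2
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = Profile2
"""

# The static post-auth "update reply" block from the thread, minus the
# WiMAX-MSK xlat, which this example does not expand.
POST_AUTH_REPLY = [("WiMAX-FA-RK-Key", "=", "0x00"),
                   ("Filter-Id", "=", "Profile1")]


def _items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order.

    A line starting in column 0 opens a new entry (name, then check items);
    indented lines carry that entry's reply items.  '#' starts a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            checks = _items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], checks, []))
        elif entries:
            entries[-1][2].extend(_items(line))
    return entries


def apply_update(reply, items):
    """Apply update-style items to a copy of the reply dict and return it."""
    out = dict(reply)
    for attr, op, value in items:
        if op == "=":
            out.setdefault(attr, value)   # add only if no such attribute yet
        elif op == ":=":
            out[attr] = value             # replace (or add)
        else:
            raise ValueError("unsupported reply operator %r" % op)
    return out


def find_entry(entries, request):
    """First entry whose name matches and whose '==' checks hold, as
    (control_items, reply_items); None when nothing matches."""
    for name, check, reply in entries:
        if name != request.get("User-Name"):
            continue
        control, matched = {}, True
        for attr, op, value in check:
            if op in (":=", "="):
                control[attr] = value     # e.g. Cleartext-Password
            elif request.get(attr) != value:
                matched = False
                break
        if matched:
            return control, reply
    return None


def reply_for(users_text, request, post_auth=()):
    """Authorize, check the password (PAP-style) and build the final reply.

    Returns the reply dict, or None when no entry matches or the password
    is wrong (an Access-Reject carries no reply items).
    """
    found = find_entry(parse_users(users_text), request)
    if found is None:
        return None
    control, reply_items = found
    known = control.get("Cleartext-Password")
    if known is not None:
        given = request.get("User-Password", "")
        if not hmac.compare_digest(known.encode(), given.encode()):
            return None
    reply = apply_update({}, reply_items)
    return apply_update(reply, post_auth)


if __name__ == "__main__":
    for user, pw in (("cpe1@example.com", "cpe1"), ("cpe2@example.com", "cpe2")):
        req = {"User-Name": user, "User-Password": pw}
        print(user, "->", reply_for(USERS_FILE, req, POST_AUTH_REPLY))
```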
Re: Wiki - once upon a time there was documentation
Hi,

I've been updating some of the wiki pages to fix the formatting, etc. Arran put together a list of pages that were a priority at http://wiki.freeradius.org/New-Wiki. Are there other pages that people wish to have done next? (I'll try to fix the Operators page tonight. I fixed the http://wiki.freeradius.org/Policy.conf yesterday.)

Thanks.

-John

On 06/01/2011 06:50 AM, den2k wrote:
> Feel free to contribute *something* which makes the wiki better.
>
> I will probably do, after finishing the project and the dissertation which I'm working on.

--
John Center
Villanova University
Segmentation fault: [eap] Passing reply from proxy back into the tunnel
Hi,

my freeradius works as a proxy, terminates eap and proxies the request with mschap to another freeradius. When "Passing reply from proxy back into the tunnel" the proxy quits with a segmentation fault. This happens, with little difference, when sending the accept or reject back to the NAS. EAP/PEAP-MS-CHAPv2 is working when using a local user from the users file so that the request is not proxied.

My system is Ubuntu 10.4.2 LTS Server and freeradius 2.1.10 from source.

I hope anyone got this before and can give a solution. Please have a look in my debug log attached.

Thank you very much!
Simon

  FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jun 1 2011 at 14:11:11
  Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
ok now i found this:

  https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html

This means, i should download the latest freeradius from git master branch?

Simon

Simon L. wrote:
> my freeradius works as a proxy, terminates eap and proxies the request with mschap to another freeradius. When "Passing reply from proxy back into the tunnel" the proxy quits with a segmentation fault.
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
Simon L. wrote:
> ok now i found this:
>
>   https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html
>
> This means, i should download the latest freeradius from git master branch?

Use the v2.1.x branch. It will become 2.1.11 soon.

Alan DeKok.
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
Alan DeKok wrote:
> Simon L. wrote:
>> ok now i found this:
>>
>>   https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html
>>
>> This means, i should download the latest freeradius from git master branch?
>
> Use the v2.1.x branch. It will become 2.1.11 soon.
>
> Alan DeKok.

ok, thank you!

Simon
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
On 01/06/11 15:45, Simon L. wrote:
> ok now i found this:
>
>   https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html
>
> This means, i should download the latest freeradius from git master branch?

No, v2.1.x

Beware: I have since been informed that there is still a potential segfault if the remote proxy returns an Access-Reject. I haven't had time to test this yet.
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
Simon L. fantasn...@ki.tng.de wrote:
> I hope anyone got this before and can give a solution. Please have a look in my debug log attached.

Going to need some GDB lovin' too.

  http://freeradius.org/radiusd/doc/bugs

If you are compiling from source, I recommend you go with the git version which might already have a fix:

  http://git.freeradius.org/

Cheers

--
Alexander Clouter
One client, multiple NAS-Port-Types
Hello,

I am looking for some guidance on configuring clients that will send requests with different NAS-Port-Types.

Devices: HP Procurve, Cisco, Aruba wireless controllers
Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async

For example, for an HP Procurve switch, the possibilities will be:

  1. CLI access (admin) - NAS-Port-Type = Virtual
  2. 802.1X (users) - NAS-Port-Type = Ethernet

In this case, I would like to send CLI and 802.1X requests to different virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets more complicated with ads and eduroam in the mix.

I have read through clients.conf and do not believe it can be done there. Where is the most appropriate place to separate the requests?

Thank you,
Dave
Re: Wiki - once upon a time there was documentation
John,

It's ok, I fixed it this morning. Thanks for your help with the other pages and your continued conversion efforts :)

Cheers,
Arran

On Jun 1, 2011, at 5:51 AM, John Center wrote:
> Hi,
> I've been updating some of the wiki pages to fix the formatting, etc. Arran put together a list of pages that were a priority at http://wiki.freeradius.org/New-Wiki. Are there other pages that people wish to have done next? (I'll try to fix the Operators page tonight. I fixed the http://wiki.freeradius.org/Policy.conf yesterday.)
> Thanks.
> -John
>
> On 06/01/2011 06:50 AM, den2k wrote:
>> 2011/6/1 Alan DeKok al...@deployingradius.com
>>> den2k wrote:
>>>> what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing.
>>> Click on the edit link. The content is still there, it is just not being rendered correctly.
>> Thank you all.
>>> And the operators are *also* documented in the doc directory, and in the man users page. Honestly, what more do you want? The content served to you on a silver tray?
>> With sugar, please :)
>>>> Also I couldn't find a lot of stuff that I'm sure there was on the wiki. Also searching stuff is now a pain.
>>> Feel free to contribute *something* which makes the wiki better.
>> I will probably do, after finishing the project and the dissertation which I'm working on.
>> --
>> Registered Linux User # 372295
>> -BEGIN GEEK CODE BLOCK- Version: 3.1 GCS/CM d--- s:+: a-- C+++ UL+++S E--- W+(-) N o+ w--- O? M-- PS+ PE Y+ PGP t+(++) 5? X- R* tv-- b+ DI+ D G+ e h! r++ y* --END GEEK CODE BLOCK--
>
> --
> John Center
> Villanova University

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352
Cell: +44 7854041841
Re: One client, multiple NAS-Port-Types
DaveA wrote:
> In this case, I would like to send CLI and 802.1x requests to different virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets more complicated with ads and eduroam in the mix. I have read through clients.conf and do not believe it can be done there. Where is the most appropriate place to separate the requests?

Proxying. Set up a minimal virtual server that proxies to others. You can set a home server which is really a virtual server.

Alan DeKok.
Re: One client, multiple NAS-Port-Types
DaveA daldw...@uwaterloo.ca wrote:
> I am looking for some guidance on configuring clients that will send requests with different NAS-Port-Types.
>
> Devices: HP Procurve, Cisco, Aruba wireless controllers
> Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async
>
> Ex., for an HP procurve switch, the possibilities will be:
> 1. CLI access (admin) – NAS-Port-Type = Virtual
> 2. 802.1X (users) – Nas-Port-Type = Ethernet
>
> In this case, I would like to send CLI and 802.1x requests to different virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets more complicated with ads and eduroam in the mix.

The switch (NAS) will support sending those different requests to different RADIUS servers. Assign two different IP's to your RADIUS servers and send the relevant request to the relevant FreeRADIUS virtual server.

The solution is in the NAS, not FreeRADIUS :)

Cheers
-- Alexander Clouter
.sigmonster says: Them as has, gets.
Re: One client, multiple NAS-Port-Types
On Jun 1, 2011, at 10:53 AM, Alexander Clouter wrote:
> DaveA daldw...@uwaterloo.ca wrote:
>> I am looking for some guidance on configuring clients that will send requests with different NAS-Port-Types.
>>
>> Devices: HP Procurve, Cisco, Aruba wireless controllers
>> Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async
>>
>> Ex., for an HP procurve switch, the possibilities will be:
>> 1. CLI access (admin) – NAS-Port-Type = Virtual
>> 2. 802.1X (users) – Nas-Port-Type = Ethernet
>>
>> In this case, I would like to send CLI and 802.1x requests to different virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets more complicated with ads and eduroam in the mix.
>
> The switch (NAS) will support sending those different requests to different RADIUS servers.

Not necessarily. I know with ProCurve gear RADIUS groups were only added in K14, with some of the older platforms like the 2610's and 2600 all requests go to the same server.

You can do an internal proxy, but last time I checked multiple chained internal proxies were broken (I tried something very similar a few years ago).

So

  external-server (with listen block)
    assignment-logic
    proxy-to eap-radius
  eap-radius
    proxy-to eap-radius-inner (breaks here)

Alan DeKok may have fixed it in the interim period.

It's a particularly nice setup as it lets you drop in additional servers to support new devices really easily, and then if one type of NAS is smart enough to direct different types of requests (cli, 802.1X) to different servers, you can always use listen blocks in the different virtual servers, so that they can deal with requests sent to a particular IP alias or port, as well as internal requests. Policies can be defined in policy.conf to share code between servers etc...

IMHO this is the best way to organise a server that serves many different types of NAS... if only it worked :)

-Arran

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352
Cell: +44 7854041841
Re: One client, multiple NAS-Port-Types
Arran Cudbard-Bell wrote:
> You can do an internal proxy, but last time I checked multiple chained internal proxies were broken (I tried something very similar a few years ago).

You can proxy to one virtual server. But that request can't be proxied again. It's too awkward to deal with that.

> So
>
>   external-server (with listen block)
>     assignment-logic
>     proxy-to eap-radius
>   eap-radius
>     proxy-to eap-radius-inner (breaks here)

Hmm, yes.

> Alan DeKok may have fixed it in the interim period.

Nope. :(

Most of the code is there (especially in 3.0). But it's disabled because I'm unsure as to what the side effects are, and haven't had any time to look at it.

> It's a particularly nice setup as it lets you drop in additional servers to support new devices really easily, and then if one type of NAS is smart enough to direct different types of requests (cli, 802.1X) to different servers, you can always use listen blocks in the different virtual servers, so that they can deal with requests sent to a particular IP alias or port, as well as internal requests. Policies can be defined in policy.conf to share code between servers etc...
>
> IMHO this is the best way to organise a server that serves many different types of NAS... if only it worked :)

There might be a better way. I'll see if I have time in the next few months.

Alan DeKok.
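The layout Alan DeKok suggests (a front virtual server that proxies to a "home server" which is really another virtual server), with the listen-block variant Alexander and Arran mention, written out as an added example in FreeRADIUS 2.x configuration. This is not configuration from the thread or from the FreeRADIUS project; the server, realm and pool names, the address and the LDAP/EAP module choices are all made up for illustration. It deliberately proxies only once, because, as Alan says above, a request that has been proxied into a virtual server cannot be proxied again.

```unlang
# Added example (not from the thread): sort one client's requests by
# NAS-Port-Type into separate virtual servers. Names and addresses are
# constructed for illustration.

# --- raddb/proxy.conf -----------------------------------------------------
# A home server that is really a local virtual server: no network hop,
# no shared secret, just a second pass through the named server.
home_server cli_admin {
    virtual_server = cli_admin
}
home_server dot1x_users {
    virtual_server = dot1x_users
}
home_server_pool cli_admin_pool {
    type = fail-over
    home_server = cli_admin
}
home_server_pool dot1x_users_pool {
    type = fail-over
    home_server = dot1x_users
}
# The realm names are only labels for Proxy-To-Realm; nothing is
# stripped from User-Name.
realm cli_admin {
    auth_pool = cli_admin_pool
}
realm dot1x_users {
    auth_pool = dot1x_users_pool
}

# --- raddb/sites-enabled/default ------------------------------------------
# The front door: it classifies and proxies, it does not authenticate.
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    authorize {
        if (NAS-Port-Type == "Virtual") {
            # management-plane logins (switch CLI)
            update control {
                Proxy-To-Realm := "cli_admin"
            }
        }
        elsif ((NAS-Port-Type == "Ethernet") || (NAS-Port-Type == "Wireless-802.11")) {
            # network-access logins (802.1X)
            update control {
                Proxy-To-Realm := "dot1x_users"
            }
        }
        else {
            # an unclassified port type is refused rather than guessed at
            reject
        }
    }
    authenticate {
    }
}

# --- raddb/sites-enabled/cli_admin ----------------------------------------
# Receives only Virtual-port requests. Do not set Proxy-To-Realm again
# in here: the request has already been proxied once.
server cli_admin {
    authorize {
        ldap
        if (ok || updated) {
            update control {
                Auth-Type := LDAP
            }
        }
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
}

# --- raddb/sites-enabled/dot1x_users --------------------------------------
# Receives only 802.1X requests (inner-tunnel setup for PEAP not shown).
server dot1x_users {
    authorize {
        suffix
        eap
    }
    authenticate {
        eap
    }
}

# Variant for a NAS that can itself send CLI and 802.1X requests to
# different RADIUS addresses: give each virtual server its own listen
# block and leave out the front door entirely.
#   server cli_admin {
#       listen {
#           type = auth
#           ipaddr = 192.0.2.10    # constructed address
#           port = 1812
#       }
#       ...
#   }
```

Keeping the classification in one place means a new kind of NAS only needs a new branch in the front server and a new virtual server; the per-type policy (LDAP for administrators, EAP for users) never has to know which device sent the request.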
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
Phil Mayers wrote:
> No, v2.1.x
>
> Beware: I have since been informed that there is still a potential segfault if the remote proxy returns an Access-Reject. I haven't had time to test this yet.

I'd like to release 2.1.11 soon. Maybe next week?

Alan DeKok.
Server Certificate
We use EAP-TLS method, but in the Server Hello message don't want to send the certificate. How can it be disabled
Re: Server Certificate
On 06/01/2011 08:28 PM, Lubenski, Zeev [GCS] wrote:
> We use EAP-TLS method, but in the Server Hello message don’t want to send the certificate. How can it be disabled

It can't. EAP-TLS requires a server certificate and a client certificate. Neither are optional, and neither can be disabled.
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
On 06/01/2011 07:32 PM, Alan DeKok wrote:
> Phil Mayers wrote:
>> No, v2.1.x
>>
>> Beware: I have since been informed that there is still a potential segfault if the remote proxy returns an Access-Reject. I haven't had time to test this yet.
>
> I'd like to release 2.1.11 soon. Maybe next week?

Well in fairness this feature (proxying PEAP-inner as non-EAP) doesn't work at all in 2.1.10 so the patch in 2.1.11 is at least an improvement!

I'll try to test the Access-Reject thing tomorrow; I'm betting it'll be a trivial fix.

A 2.1.11 release would be good; we've been running a recent v2.1.x snapshot in production for a while and it's stable (once I patched the detail file reader segfault, which I believe is now upstream)
RE: Server Certificate
Paul

In the RFC 5216 I see:

    The EAP server will then respond with an EAP-Request packet with EAP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate

This leads to believe that certificate is not mandatory ?

Regards
Zeev

-----Original Message-----
From: freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, June 01, 2011 2:58 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Server Certificate

> On 06/01/2011 08:28 PM, Lubenski, Zeev [GCS] wrote:
>> We use EAP-TLS method, but in the Server Hello message don't want to send the certificate. How can it be disabled
>
> It can't. EAP-TLS requires a server certificate and a client certificate. Neither are optional, and neither can be disabled.
Re: Server Certificate
On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote:
> Paul
>
> In the RFC 5216 I see:
>
>     The EAP server will then respond with an EAP-Request packet with EAP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate
>
> This leads to believe that certificate is not mandatory ?

If you read just a few lines further on:

    If the EAP server is not resuming a previously established session, then it MUST include a TLS server_certificate handshake message, and a server_hello_done handshake message MUST be the last handshake message encapsulated in this EAP-Request packet.

That is, a certificate is only optional if you're resuming an earlier session (which must itself have contained a certificate)
RE: Server Certificate
Paul

Thanks a lot

Regards
Zeev

-----Original Message-----
From: freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, June 01, 2011 3:15 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Server Certificate

> On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote:
>> Paul
>>
>> In the RFC 5216 I see:
>>
>>     The EAP server will then respond with an EAP-Request packet with EAP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate
>>
>> This leads to believe that certificate is not mandatory ?
>
> If you read just a few lines further on:
>
>     If the EAP server is not resuming a previously established session, then it MUST include a TLS server_certificate handshake message, and a server_hello_done handshake message MUST be the last handshake message encapsulated in this EAP-Request packet.
>
> That is, a certificate is only optional if you're resuming an earlier session (which must itself have contained a certificate)
Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel
On 06/01/2011 09:00 PM, Phil Mayers wrote:
> I'll try to test the Access-Reject thing tomorrow; I'm betting it'll be a trivial fix.

Huh. It works just fine for me on v2.1.x HEAD.

I'll try to dig out the email where someone said it was faulty (IIRC they said they'd emailed you also Alan). I wonder if their config was broken in some other fashion and/or it got fixed in a later commit.

I'll roll out the v2.1.x head to our test server tomorrow, but 2.1.11 sounds good.
Re: Server Certificate
Lubenski, Zeev [GCS] zlube...@lgsinnovations.com wrote:
> This leads to believe that certificate is not mandatory ?

...which leads us to wonder why you want to use EAP-TLS? Probably best to answer:

* what is it you are trying to do
* how are you trying to accomplish it
* what are you expecting to happen
* what is actually happening

Cheers
-- Alexander Clouter
.sigmonster says: You enjoy the company of other people.
Can't get checkrad to be called
I was wondering if someone could help me determine why checkrad isn't being called. I've followed the directions in the doc/Simultaneous-Use but still cannot get checkrad to fire off when I login. It will check radutmp, but never reaches out to my NAS with checkrad, as evidenced here from radiusd -X:

    +- entering group session {...}
    [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp] expand: %{User-Name} -> testuser
    ++[radutmp] returns ok
    Using Post-Auth-Type Reject

In this case, testuser was already logged in as verified by radwho, but why didn't it go out and check my NAS? I'm using a Nomadix HSG for a NAS, which doesn't have a definition in clients.conf, but I've been able to get /usr/sbin/checkrad to return the following by modifying the pr3000 definition:

    [root@hologram radius]# more checkrad.log
    Wed Jun 1 22:11:34 2011 checkrad pr3000 10.1.10.20 1 testuser 1
    snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 10.1.10.20 .1.3.6.1.4.1.3309.1.2.2.18.1.1.5
    Returning 1 (double detected)

So it would seem if I could get FR to perform checkrad, I'd be in good shape. Can I provide any other data? I'm using SQL for authorization and accounting. I'm on version 2.1.7-7.el5 of FreeRadius.

TIA,
-dan
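The configuration pieces that a Simultaneous-Use check through checkrad depends on, written out as an added example in FreeRADIUS 2.x layout. This is not the poster's configuration and not taken from the FreeRADIUS project files verbatim: the address, shared-secret placeholder and user entry are constructed; the nastype name "pr3000" is the one that appears in the poster's checkrad.log; and the statement that a NAS with no client entry, or with the generic type "other", is never queried is an assumption drawn from the clients.conf comments on nastype, not something the thread confirms.

```unlang
# Added example (not the poster's config): the places a Simultaneous-Use
# check has to line up before FreeRADIUS will exec checkrad at all.
# Address, secret and user are constructed; "pr3000" comes from the
# poster's checkrad.log.

# --- raddb/radiusd.conf ---------------------------------------------------
# The script the server execs to ask a NAS whether a session that is
# still recorded in radutmp is really alive.
checkrad = ${sbindir}/checkrad

# --- raddb/clients.conf ---------------------------------------------------
# Assumption: checkrad is only consulted for a NAS that has a client
# entry, because the nastype in that entry selects the query method.
# A NAS that is missing here, or typed "other", gets no query.
client nomadix_hsg {
    ipaddr    = 10.1.10.20
    secret    = PLACEHOLDER-shared-secret   # constructed, replace
    shortname = hsg
    nastype   = pr3000      # must match a type the local checkrad implements
}
# If clients are loaded from SQL instead, the same value belongs in the
# "type" column of the nas table.

# --- raddb/modules/radutmp ------------------------------------------------
radutmp {
    filename = ${logdir}/radutmp
    username = %{User-Name}
    case_sensitive = yes
    check_with_nas = yes    # "no" lets radutmp decide alone; checkrad never runs
    perm = 0600
    callerid = "yes"
}

# --- raddb/users ----------------------------------------------------------
# Simultaneous-Use is a check item; without it the session section has
# nothing to enforce, however the NAS is defined.
testuser    Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := 1

# --- raddb/sites-enabled/default ------------------------------------------
# The session section is what runs the check, after authentication.
session {
    radutmp
}
```

When one of these is missing the symptom is exactly the debug output above: radutmp runs, returns ok, and no checkrad line ever appears, because the module decided it had no NAS type to query with. Reading the client entry (including the SQL nas table when that is where clients live) is therefore the first thing to verify before touching the checkrad script itself.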