Re: Problem with MSCHAP and Freeradius authentication

2012-01-23 Thread Alan DeKok
NdK wrote:
 On 20/01/2012 21:46, Alan DeKok wrote:
 
   Yeah, I've gone and fixed that.  git is nice for updating web pages.
 Still there's "Then, fine the mschap module." s/fine/find/ :)

  Fixed, thanks.

 BTW, in a real AD setup, with AD servers used as DNS, there should be no
 need to setup /etc/krb5.conf: samba can auto detect the needed settings.

  OK.  Not everyone does that, but it's good to know.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eapol_test giving up and win-like error?

2012-01-23 Thread NdK
On 20/01/2012 11:55, Phil Mayers wrote:

 If that's really all you've changed, there must be something wrong with
 Samba; it's getting the final crypto blob wrong, and the client is
 dropping the packets. You'll need to investigate and fix this.
Just tested with radtest (have had to use single quotes and FOUR
backslashes! -- my password is obviously in $P):
# radtest -t mschap 'PERSONALE\\\\diego.zuccato' $P localhost 0 testing123
Sending Access-Request of id 123 to 127.0.0.1 port 1812
        User-Name = "PERSONALE\\diego.zuccato"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        MS-CHAP-Challenge = 0x7f218889d9de0c84
        MS-CHAP-Response = 0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123, length=84
        MS-CHAP-MPPE-Keys = 0x3b1acd0b65d7af221df50f6ca50447cf
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006

And the Access-Accept is quite fast.

When using eapol_test, I get the timeout.

The difference is that radtest seems to use mschapv1 while eapol_test
uses mschapv2.

What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes
username and client nonce in the authenticator, while v1 doesn't.

BYtE,
 Diego.


Re: eapol_test giving up and win-like error?

2012-01-23 Thread Phil Mayers
Mschap v1 doesn't validate the reply from server to client, which is what is 
failing with eapol_test. Therefore you're not testing the same path.

Try using a local i.e. non samba user to test. I am sure the problem is with 
your samba daemon.
-- 
Sent from my phone. Please excuse brevity and typos.



Re: eapol_test giving up and win-like error?

2012-01-23 Thread Phil Mayers
Phil Mayers p.may...@imperial.ac.uk wrote:

Mschap v1 doesn't validate the reply from server to client, which is
what is failing with eapol_test. Therefore you're not testing the same
path.

Try using a local i.e. non samba user to test. I am sure the problem is
with your samba daemon.
-- 
Sent from my phone. Please excuse brevity and typos.



See also:

 https://bugzilla.samba.org/show_bug.cgi?id=6563

...which I think is the problem you are seeing. Comment 18 gives a way to test 
this.

See also the final comment about "invalid nt key until I restarted winbind"
which might be the issue.
-- 
Sent from my phone. Please excuse brevity and typos.

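The difference Phil is pointing at, as an added worked example (this is my code for the thread, not anything from FreeRADIUS, Samba or a poster): MS-CHAPv2 makes the server prove knowledge of the password hash back to the client, and the client drops the session when that proof is wrong, which is exactly the symptom eapol_test shows while MS-CHAPv1 via radtest looks fine. The script computes the RFC 2759 challenge hash (server challenge, client nonce and user name) and the "S=" authenticator response, checks it the way a supplicant does, and then shows what happens when the backend hands over a wrong NT key. The PasswordHashHash input is MD4(MD4(UTF-16LE password)); with ntlm_auth that is the value rlm_mschap reads from the NT_KEY line. Test values are the RFC 2759 section 9.2 vectors.

```python
# Added example for the MS-CHAPv1/v2 discussion; not code from FreeRADIUS,
# Samba or any list poster. Implements RFC 2759 sections 8.2, 8.7 and 8.8.
import hashlib
import hmac

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 8.2: the 8-byte challenge the client actually encrypts.
    It mixes the client's own 16-byte nonce and the user name into the
    server's 16-byte challenge; MS-CHAPv1 encrypts the server challenge alone."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> str:
    """RFC 2759 8.7: the "S=<40 hex digits>" string the server puts in its
    Success packet. password_hash_hash is MD4(MD4(UTF-16LE password)); with
    ntlm_auth it is the NT_KEY value, so a stale or wrong key from winbind
    yields a proof the client will reject."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def client_verifies(success_message: str, password_hash_hash: bytes, nt_response: bytes,
                    peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bool:
    """RFC 2759 8.8, the supplicant side: recompute the string with its own
    copy of the password hash and compare in constant time. A mismatch means
    the supplicant drops the session instead of completing it."""
    expected = authenticator_response(password_hash_hash, nt_response,
                                      peer_challenge, auth_challenge, username)
    return hmac.compare_digest(success_message.encode(), expected.encode())


# RFC 2759 section 9.2 test vectors (user "User", password "clientPass").
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RFC_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")


def demo():
    """Returns (server proof, client accepts it, client accepts proof made with a wrong NT key)."""
    good = authenticator_response(RFC_PASSWORD_HASH_HASH, RFC_NT_RESPONSE,
                                  RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    # Simulate a backend returning the wrong NT key: flip one bit of the hash-hash.
    bad_key = bytes([RFC_PASSWORD_HASH_HASH[0] ^ 0x01]) + RFC_PASSWORD_HASH_HASH[1:]
    bad = authenticator_response(bad_key, RFC_NT_RESPONSE,
                                 RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    accepted = client_verifies(good, RFC_PASSWORD_HASH_HASH, RFC_NT_RESPONSE,
                               RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    accepted_bad = client_verifies(bad, RFC_PASSWORD_HASH_HASH, RFC_NT_RESPONSE,
                                   RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    return good, accepted, accepted_bad


if __name__ == "__main__":
    print(demo())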


RE: eapol_test giving up and win-like error?

2012-01-23 Thread Sergio NNX

I mentioned exactly that last week but he disregarded it! 

 Subject: Re: eapol_test giving up and win-like error?
 From: p.may...@imperial.ac.uk
 Date: Mon, 23 Jan 2012 10:12:08 +
 To: freeradius-users@lists.freeradius.org
 
 Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Mschap v1 doesn't validate the reply from server to client, which is
 what is failing with eapol_test. Therefore you're not testing the same
 path.
 
 Try using a local i.e. non samba user to test. I am sure the problem is
 with your samba daemon.
 -- 
 Sent from my phone. Please excuse brevity and typos.
 
 
 
 See also:
 
  https://bugzilla.samba.org/show_bug.cgi?id=6563
 
 ...which I think is the problem you are seeing. Comment 18 gives a way to 
 test this.
 
 See also the final comment about invalid nt key until I restarted winbind 
 which might be the issue.
 -- 
 Sent from my phone. Please excuse brevity and typos.
 


Re: eapol_test giving up and win-like error?

2012-01-23 Thread NdK
On 23/01/2012 11:02, Phil Mayers wrote:

 Mschap v1 doesn't validate the reply from server to client, which is what is 
 failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another
step for testing.

 Try using a local i.e. non samba user to test. I am sure the problem is with 
 your samba daemon.
What do you mean by local user? One added in the "users" file? I know it
works (tested while following the guide), but it's not using mschapv2,
IIUC...

From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that
script only generates NTLMv1 responses... And it references a quite old
Samba version. I'm using 3.5.10.
From comment 46: "Yes, 3.5.6 has all necessary fixes for this issue.
Unless the sernet packages do contain other changes, it should just work
with those packages."

I retested, adding winbind:forcesamlogon = True and eapol_test is now
successful.
Might be useful to add to the guide. Seems, after all, it's needed for
recent SAMBA releases, too.

Just for completeness my (now working) smb.conf is:
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 10-1
idmap gid = 10-1
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 5000 - 
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 10 - 4999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once
it's working...]
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so
DNS records are OK for auto-discovery of Kerberos servers).

Now it's Zeroshell's turn...

Tks for the patience.

BYtE,
 Diego.


Segfault in 2.1.10 backports version advice

2012-01-23 Thread Arnaud Loonstra

Any advice on a segfault situation...?

Jan 23 13:29:17 LX800476 kernel: [1366692.780725] freeradius[23459]: 
segfault at 8 ip b7461326 sp b5105988 error 4 in 
libc-2.7.so[b7403000+155000]


Running a backports version of freeradius on Debian Lenny:
2.1.10+dfsg-2~bpo50+1, 2.6.26-2-686 on a VMware ESX cluster.

I cannot reproduce it on a test server and it only happens in 
production. Probably a load thing...?


I could upgrade to current stable version in git, I could upgrade the OS 
(Lenny to Squeeze). Debugging from this backports version seems an 
impossible road? Or I could install the -dbg version and perhaps run the 
server in a screen session? However I have experienced it won't crash if 
run in debug mode (-X). I reckon in -X it is run in single threaded mode?


Rg,

Arnaud




Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Alan DeKok
Arnaud Loonstra wrote:
 Any advice on a segfault situation...?

  Upgrade.

 I cannot reproduce it on a test server and it only happens in
 production. Probably a load thing...?

  Possibly.

 I could upgrade to current stable version in git,

  Upgrade to the v2.1.x branch in git.

 I could upgrade the OS
 (Lenny to Squeeze). Debugging from this backports version seems an
 impossible road? Or I could install the -dbg version and perhaps run the
 server in a screen session? However I have experienced it won't crash if
 run in debug mode (-X). I reckon in -X it is run in single threaded mode?

  Yes.

  Alan DeKok.


Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Johan Meiring

On 2012/01/23 03:20 PM, Alan DeKok wrote:

 I could upgrade the OS
 (Lenny to Squeeze). Debugging from this backports version seems an
 impossible road? Or I could install the -dbg version and perhaps run the
 server in a screen session? However I have experienced it won't crash if
 run in debug mode (-X). I reckon in -X it is run in single threaded mode?

   Yes.

Hi,

I can confirm the same problem.

Version is freeradius-git downloaded about 4 days before 2.1.12 was released.

Running with -X it runs forever.  (About two months now)
Without, it crashes about once a week.

Have not had the time to collect debug info.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Alan DeKok
Johan Meiring wrote:
 I can confirm the same problem.
 
 Version is freeradius-git downloaded about 4 days before 2.1.12 was
 released.
 
 Running with -X it runs forever.  (About two months now)
 Without, it crashes about once a week.

  Well, the only thing I can see which could be it is the changes to the
rlm_passwd module.  If you're using that, set hashsize=0.  Otherwise
it *will* crash.

  If you're not using rlm_passwd, see doc/bugs.  Backtraces will help a lot.

  Alan DeKok.


Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread Arnaud Loonstra

On 01/19/2012 11:25 AM, James wrote:

Hi,

I've successfully set up a radius server to support 802.1x
authentication using peap mschapv2 and samba to authenticate users
against AD.
To do this I followed configuration on the freeradius.org website and
the AD integration howto on deployingradius.com, thank you very much
for writing these!

I now need to assign the vlan due to membership of some group in AD
and I understand that an ldap lookup is needed.

Where in the configuration do I check this group and map it to a vlan?
Can I do it as a default entry in the users file or is it needed
somewhere else?

Thank you very much,

James


Hi James,

I don't know anything about AD and I presume you are using the latest FR.

I'm currently testing an ldap-group check in authorize using unlang:

This is part of a switch statement:

case 'NAS-Prompt-User' {
  my-ldap
  # Check if the user is a member of a certain group
  if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
    update reply {
      Service-Type := Administrative-User
    }
  }
  # else DENY
  else {
    update control {
      Auth-Type := Reject
    }
  }
}

But I reckon you could also do something like that in post-auth section

if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
  update reply {
    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-Id = "1"
  }
}

This works for me :) it might as well for AD.

Rg,

Arnaud

--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063



Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Arnaud Loonstra

On 01/23/2012 02:44 PM, Alan DeKok wrote:

Johan Meiring wrote:

I can confirm the same problem.

Version is freeradius-git downloaded about 4 days before 2.1.12 was
released.

Running with -X it runs forever.  (About two months now)
Without, it crashes about once a week.


   Well, the only thing I can see which could be it is the changes to the
rlm_passwd module.  If you're using that, set hashsize=0.  Otherwise
it *will* crash.

   If you're not using rlm_passwd, see doc/bugs.  Backtraces will help a lot.

   Alan DeKok.



Well, I am using an rlm_passwd module with hashsize=0. So that shouldn't 
be the case in my case? I'll see if I can upgrade and see if it differs.


Rg,

Arnaud



Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Alan Buxey
Hi,

 Version is freeradius-git downloaded about 4 days before 2.1.12 was released.

I'd say go to 2.1.12 - why run a version from GIT that is older than the
released version (there were quite a few fixes in the last couple of days
before 2.1.12 was released)

alan


Re: Segfault in 2.1.10 backports version advice

2012-01-23 Thread Matthew Newton
Hi,

On Mon, Jan 23, 2012 at 02:13:55PM +0100, Arnaud Loonstra wrote:
 Jan 23 13:29:17 LX800476 kernel: [1366692.780725] freeradius[23459]:
 segfault at 8 ip b7461326 sp b5105988 error 4 in
 libc-2.7.so[b7403000+155000]
 
 Running a backports verison of freeradius on Debian Lenny:
 2.1.10+dfsg-2~bpo50+1, 2.6.26-2-686 on Vmware ESX cluster.
 
 I cannot reproduce it on a test server and it only happens in
 production. Probably a load thing...?

Had similar segfaults here on 2.1.10. Was very quick to debug -
enabled core dumps, and waited for it to crash. Then started up
gdb on the corefile and looked at the backtrace.

For me, it was a feof bug in the detail listener
(copy-acct-to-home-server) - so if you're using that, then you may
have hit the same. Fixed in 2.1.11.

The backtrace is what you really need to debug it.

Upgrade first, though. Compiling the latest from git (or 2.1.12)
is trivial as all the Debian stuff is there to build your package
for you :-).

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


openLDAP authorization with PAP authentication‏

2012-01-23 Thread Jay Ludlow

Thank you for the help. In addition to removing the unix option from the 
/sites-available/default authorize section, I also had to remove the 
'encryption schema = ssha' from /modules/pap in order for it to work. I was 
also able to comment out password_attribute = userPassword from modules/ldap 
again and it still works. Just figured I would send this to let others trying 
to do the same thing know that I made some unnecessary changes, but it works now. Now 
let's see if I can keep it working when I add my WPA to do the authentication.


Using sql and userfile together

2012-01-23 Thread Krzysztof Grobelak

Hello all,

I just wanted to ask how could I make FR to use either users file or sql 
to send attributes based on the NAS ip address.


I suspect that I would need to use unlang for that. Something like:

if(NAS-IP-Address == NAS A IP) {
use sql
}
else
{
use users file
}
I'm just wondering what is the proper syntax of making FR use sql or 
user file.


Kind regards,
Krzysztof







Re: Using sql and userfile together

2012-01-23 Thread Alan Buxey
Hi,
Hello all,
 
I just wanted to ask how could I make FR to use either users file or sql
to send attributes based on the NAS ip address.
 
I suspect that I would need to use unlang for that. Something like:
 
if(NAS-IP-Address == NAS A IP) {
     use sql
}
else
{
    use users file
}
I'm just wondering what is the proper syntax of making FR use sql or user
file.

With the default modules:

if (NAS-IP-Address == 192.168.100.1) {
    sql
}
else {
    files
}


alan


RE: Cannot control attribute ordering via rlm_perl

2012-01-23 Thread Claude Brown
Alan,

My original reply was confusingly brief. I've clarified below, and I've also 
put the module we wrote into github in case it helps:

https://github.com/claudebrown/freeradius-server/compare/master...rlm_tagfiles

(about 60 lines of C beyond usual module plumbing; 250 lines in total)


Alan DeKok wrote:
 
  - Allow high rate of user-by-user updates; i.e. avoid config re-write as
 per
  rlm_fastfile
 
   ?  The fastusers module is deprecated, because the files module is
 just as fast.  The files module also can be HUP'd, so it can be
 reloaded on the fly.

We avoided both fastfile and reloading files on the fly because of the 
number of updates we have to our user setup.  The rate of change to our 
customers would require a reload every few seconds during most of the day.

We had concerns in two areas:
- The time to re-write the config and then re-load so frequently. This may 
become a performance problem as our user base grows out to 250K
- The risk of using the reload mechanism in a way that didn't seem consistent 
with its design intent, or the likely usage pattern of reloads every day or 
every few hours.

  - Simple for stability: no shared in-memory state (avoid locking and
 races)
 
   The server core takes care of that when the files module is reloaded.
 

These "Simple for stability" points were goals for our code. It wasn't 
something we were worried about for the existing code-base.

FreeRADIUS core is very stable. But MySQL adds instability we have been unable 
to identify or reproduce in our environment.

A crucial success factor for us was to ensure our module code was so simple it 
was very easy to be confident that stability was maintained. The strategy was 
to minimise the amount of software outside FreeRADIUS core.

 
   Daily config reloads are easy.
 

Agreed. If we only needed daily, the files module would be perfect.

   Say you have a format similar to the users file, with one user per
 file.  Loading 100K users will mean 100K file reads, and that can take a
 long time.

The module doesn't re-implement the users format or have a users file for 
every user.  It does not read 100K (or even 10) files at start-up.

The files module is used directly with a single normal users file just as 
per any normal FreeRADIUS deployment.


  We achieved all these goals and can now bring all our customers
  back onto our service in about five minutes. 
 
   5 minutes for what, exactly?
 

When large parts of our WiMAX network are restarted due to maintenance or 
failure the customer devices re-join the network. Whilst this doesn't happen 
often, when it does happen as many as 50K devices will simultaneously ask to 
rejoin the network.  We need to service this sudden and dramatic backlog as 
quickly as possible.

With the "files" module this is a breeze with a single server.  It just eats it 
up and everything comes back in a few minutes. Importantly, our testing shows 
the design goal of 250K users would also be met with one server.

But with rlm_sql and MySQL we could not do it. The radiusd would start slowly 
grinding to a halt roughly as we reached 200 auths per sec (with EAP, this is 
about 30 devices per sec).  The radiusd log reported "Unresponsive child" in a 
MySQL module and gradually all the database concurrency would disappear as 
those threads were lost for further work.

After a lot of effort testing and experimenting with all sorts of things to 
isolate or avoid this problem, we did get a lot of improvement. But mostly what 
we achieved was a drop in the probability of losing threads. Inevitably the 
next larger network-outage event would re-trigger the issue.

With our new far simpler approach, all of this has gone away because we are now 
using the files module and users file directly. The speed of authentication 
is essentially as per that module.

Our new module adds an extra attribute to the Access-Request prior to it being 
processed by the "files" module.  The extra attribute can be any text attribute (we 
use Reply-Message to be perverse) and can have any value.  Normal "files" 
matching (typically using DEFAULT entries) is used to determine the attributes 
in the Access-Response.

The value of the extra attribute is in essence obtained like this:
1. Format a filename such as /blah/%{Username}
2. Read a line from this file

We only have about 10 different values in these files: things like 
"voip-customer", "payment-overdue", "gold-customer", "exceeded-download-limit", 
etc.  The value is used to select a DEFAULT entry in the users file that 
builds the reply attributes needed to configure the customer's service.

This adds marginal overhead so performance is barely different to a vanilla 
files module.  The cost is one i-node per customer and a few hundred lines of C 
code. We are more than happy with that cost.

Outside calls to FreeRADIUS code, the module pretty much just calls fopen, 
fgets and fclose. So it's dreadfully simple and doesn't have any concerns 
with thread 
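The lookup Claude describes builds a file name from the User-Name in the request and reads one line from it. As an added example (my code, not the rlm_tagfiles module linked above), here is that lookup in Python together with the check I would want before a client-supplied User-Name becomes a path component: the name is whitelisted, the resolved path has to stay inside the tag directory, and only known tag values are accepted. The tag directory, the user names and the tag values are constructed for the example; the attribute the tag is copied into (Reply-Message, as in the post) is then what the files module's DEFAULT entries would match on.

```python
# Added example, not the rlm_tagfiles code from the thread. Shows the
# per-user tag lookup with input validation on the client-supplied User-Name.
import os
import re
import tempfile
from typing import Dict, Optional

# Constructed sample tag directory standing in for the poster's /blah/<User-Name>.
TAG_DIR = tempfile.mkdtemp(prefix="tagfiles-")
for _user, _tag in {"diego": "gold-customer", "bob": "payment-overdue",
                    "carol": "not-a-tag"}.items():
    with open(os.path.join(TAG_DIR, _user), "w") as fh:
        fh.write(_tag + "\n")

# Assumption: what a User-Name may look like before it touches the filesystem.
# Must start alphanumeric (so "." and ".." are out), no separators or
# control characters, bounded length. Tighten to your realm format.
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}")

# The ten-or-so values the users file has DEFAULT entries for (constructed set).
KNOWN_TAGS = {"voip-customer", "payment-overdue", "gold-customer",
              "exceeded-download-limit"}


def lookup_tag(username: str, tag_dir: str = TAG_DIR) -> Optional[str]:
    """Return the first line of <tag_dir>/<username>, or None when the name is
    unsafe, the file is missing or unreadable, or the content is not a known tag."""
    if not SAFE_USER.fullmatch(username):
        return None
    path = os.path.join(tag_dir, username)
    # Defence in depth: whatever passed the regex must still resolve inside tag_dir
    # (this also refuses symlinks that point out of the directory).
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(tag_dir):
        return None
    try:
        with open(path, encoding="ascii") as fh:
            tag = fh.readline().strip()
    except (OSError, UnicodeDecodeError):
        return None
    return tag if tag in KNOWN_TAGS else None


def tag_request(request: Dict[str, str], attribute: str = "Reply-Message") -> Dict[str, str]:
    """Copy of the request with the tag added as <attribute>, the way the
    module adds it before the files module runs. Unknown users get no tag,
    so only a catch-all DEFAULT entry (if any) matches them."""
    tagged = dict(request)
    tag = lookup_tag(request.get("User-Name", ""))
    if tag is not None:
        tagged[attribute] = tag
    return tagged


if __name__ == "__main__":
    for name in ("diego", "bob", "carol", "nobody", "../etc/passwd", "diego\n"):
        print(repr(name), "->", lookup_tag(name))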

RE: Cannot control attribute ordering via rlm_perl

2012-01-23 Thread Claude Brown
Bjorn,

Thanks.

 
 You don't even need to be that careful.  Just run a read-only mysql
 slave instance locally on the radius server and all mysql-related
 performance problems will vanish.


We didn't try this.

Our design goal is:
- 250K users all needing to get on the network at the same time
- each user performing 7 authentications during EAP negotiation
- one hour duration to get everyone sorted

This is about 486 authentications per second. I'm sure that a MySQL 
configuration can be constructed to achieve this, but I'm not confident it 
would be a simple setup.  In contrast, the files module easily does this with 
a trivial configuration.

In any case, assuming MySQL can be configured appropriately, I believe the 
thread-loss stability issue we experienced with high authentication rates would 
remain.  See my longer reply to Alan for more details.

 
 If you do mysql accounting: use buffered-sql aka decoupled-accounting.
 It won't fix the performance issues on your accounting mysql-server, but
 it will decouple the radius server from any such problems.
 

Yes, we did use this feature to move the accounting backlog from the radius 
clients into the on-disk buffer.

However, as you note it doesn't solve the accounting performance issues on the 
database. This was a significant issue for us as we are only able to learn the 
customer's IP address (needed for many business processes) from the accounting 
start request.  If this is delayed due to an avalanche of requests it affects 
customers in certain business states.

We were able to gain a significant performance improvement over and above 
rlm_sql accounting by writing the essential data to a flat-file and then 
batch-loading that into the SQL database.

The improvement came down to SQL transactions - the batch load only created one 
transaction for 1000's of accounting events rather than one transaction per 
event.  

Cheers,

Claude.




Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread NdK
On 23/01/2012 14:48, Arnaud Loonstra wrote:

 But I reckon you could also do something like that in post-auth section
 if (Ldap-Group == cn=mygroup,ou=groups,o=radius) {
   update reply {
 Tunnel-type = VLAN
 Tunnel-medium-type = IEEE-802
 Tunnel-Private-Group-Id = 1
   }
 }
I think it could be possible to do the same using exec, a script and
wbinfo... Just still don't know how.
With
for T in $(wbinfo --user-domgroups `wbinfo -n ADusername`) ; do
 wbinfo -s $T;
done
I can get all AD groups ADusername is into. Checking group membership
would be even easier. But how do I set Tunnel-Private-Group-Id from an
exec-ed script?

BYtE,
 Diego.


Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread Arran Cudbard-Bell

On 24 Jan 2012, at 08:23, NdK wrote:

 On 23/01/2012 14:48, Arnaud Loonstra wrote:
 
 But I reckon you could also do something like that in post-auth section
 if (Ldap-Group == cn=mygroup,ou=groups,o=radius) {
  update reply {
Tunnel-type = VLAN
Tunnel-medium-type = IEEE-802
Tunnel-Private-Group-Id = 1
  }
 }
 I think it could be possible to do the same using exec, a script and
 wbinfo... Just still don't know how.
 With
 for T in $(wbinfo --user-domgroups `wbinfo -n ADusername`) ; do
 wbinfo -s $T;
 done
 I can get all AD groups ADusername is into. Checking group membership
 would be even easier. But how do I set Tunnel-Private-Group-Id from an
 exec-ed script?

Just execute it using a backticks expansion, store the result in Tmp-String-0 
then use regular expression matches over the result to figure out whether it 
contains a certain group or not. You may hit the maximum internal string size 
if the user is a member of lots of groups in which case the result would be 
silently truncated (just something to watch for).

Honestly doing it with LDAP would probably be significantly easier and faster. 
Exec is really quite slow...

IIRC the LDAP Module is actually smart enough to figure out whether you passed 
in a DN as a group or just a groupname, so in theory if you have the filters 
and search depth set correctly you can just use Ldap-Group == mygroup.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


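To answer Diego's question of how an exec-ed script sets Tunnel-Private-Group-Id: with rlm_exec configured with output_pairs = reply, every line the program prints in "Attribute = value" form is added to the reply. The following is an added example (my code, not anything posted in the thread) of such a script. It takes the AD groups of a user as printed by wbinfo -s, picks a VLAN from a site policy, and prints the three Tunnel-* attributes. The group-to-VLAN policy, the sample wbinfo output and the assumed "DOMAIN\name type" line format are constructed for the example; the live wbinfo calls only run when the script is invoked with a user name as argument.

```python
# Added example for the thread, not code from FreeRADIUS or any poster.
# Maps winbind group membership to a VLAN and prints rlm_exec reply pairs.
import re
import subprocess
import sys
from typing import Iterable, List, Optional, Sequence, Tuple

# Assumption: site policy, most specific group first. Names are exactly what
# 'wbinfo -s' prints for the group SID (domain prefix included).
GROUP_VLAN: Sequence[Tuple[str, str]] = (
    ("PERSONALE\\Domain Admins", "99"),
    ("PERSONALE\\wifi-staff", "10"),
    ("STUDENTI\\wifi-students", "20"),
)

# Assumed 'wbinfo -s <SID>' line format: "DOMAIN\name <type-number>",
# e.g. "PERSONALE\Domain Users 2". Adjust if your winbind prints otherwise.
WBINFO_S = re.compile(r"(?P<name>.+?)\s+(?P<type>\d+)")


def parse_group_names(lines: Iterable[str]) -> List[str]:
    """Group names from wbinfo -s output; lines that do not fit are skipped."""
    names = []
    for line in lines:
        m = WBINFO_S.fullmatch(line.rstrip("\n"))
        if m:
            names.append(m.group("name"))
    return names


def vlan_for(groups: Iterable[str], policy: Sequence[Tuple[str, str]] = GROUP_VLAN) -> Optional[str]:
    """First policy entry the user is a member of wins; policy order, not AD
    order, decides precedence, so a user in several groups lands predictably."""
    member = set(groups)
    for group, vlan in policy:
        if group in member:
            return vlan
    return None


def reply_pairs(vlan: Optional[str]) -> List[str]:
    """Lines in the form rlm_exec parses with output_pairs = reply. No VLAN
    means no output, so the NAS keeps its default rather than getting a
    half-built Tunnel-* triple."""
    if vlan is None:
        return []
    return [
        "Tunnel-Type = VLAN",
        "Tunnel-Medium-Type = IEEE-802",
        'Tunnel-Private-Group-Id = "%s"' % vlan,
    ]


def groups_from_winbind(username: str) -> List[str]:
    """Live lookup, same steps as the shell loop in the thread: wbinfo -n gives
    'SID type', --user-domgroups lists group SIDs, -s resolves each.
    Argument lists are used, never a shell string, so User-Name is not shell-parsed."""
    sid = subprocess.check_output(["wbinfo", "-n", username], text=True).split()[0]
    group_sids = subprocess.check_output(["wbinfo", "--user-domgroups", sid], text=True).split()
    lines = [subprocess.check_output(["wbinfo", "-s", g], text=True) for g in group_sids]
    return parse_group_names(lines)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vlan_from_ad.py <User-Name>")
    for pair in reply_pairs(vlan_for(groups_from_winbind(sys.argv[1]))):
        print(pair)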