Re: Problem with MSCHAP and Freeradius authentication
NdK wrote:
On 20/01/2012 21:46, Alan DeKok wrote:
Yeah, I've gone and fixed that. git is nice for updating web pages.
Still there's "Then, fine the mschap module." s/fine/find/ :)
Fixed, thanks.
BTW, in a real AD setup, with AD servers used as DNS, there should be no need to setup /etc/krb5.conf: samba can auto detect the needed settings.
OK. Not everyone does that, but it's good to know.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
On 20/01/2012 11:55, Phil Mayers wrote:
If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this.
Just tested with radtest (have had to use single quotes and FOUR backslashes! -- my password is obviously in $P):
# radtest -t mschap 'PERSONALE\\\\diego.zuccato' $P localhost 0 testing123
Sending Access-Request of id 123 to 127.0.0.1 port 1812
    User-Name = PERSONALE\\diego.zuccato
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    MS-CHAP-Challenge = 0x7f218889d9de0c84
    MS-CHAP-Response = 0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123, length=84
    MS-CHAP-MPPE-Keys = 0x3b1acd0b65d7af221df50f6ca50447cf
    MS-MPPE-Encryption-Policy = 0x0001
    MS-MPPE-Encryption-Types = 0x0006
And the Access-Accept is quite fast. When using eapol_test, I get the timeout.
The difference is that radtest seems to use mschapv1 while eapol_test uses mschapv2. What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes username and client nonce in the authenticator, while v1 doesn't.
BYtE, Diego.
Re: eapol_test giving up and win-like error?
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
Re: eapol_test giving up and win-like error?
Phil Mayers p.may...@imperial.ac.uk wrote: Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
See also: https://bugzilla.samba.org/show_bug.cgi?id=6563 ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about "invalid nt key until I restarted winbind" which might be the issue. -- Sent from my phone. Please excuse brevity and typos.
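The point made in the reply above, that MS-CHAPv1 has no server-to-client proof and a passing radtest -t mschap therefore says nothing about the step eapol_test fails on, is easiest to see in the arithmetic. The following is an added example written for this page; it is not code from FreeRADIUS, Samba, wpa_supplicant or any of the posts. It implements GenerateAuthenticatorResponse and CheckAuthenticatorResponse from RFC 2759 in Python and checks them against the RFC's own section 9.2 test vectors; the NT-Response is taken from those vectors because DES is not in the standard library. The "stale NT_KEY" case and all function names are constructed. When ntlm_auth is the backend, rlm_mschap uses the NT_KEY line that ntlm_auth prints as the hash-of-hash input to exactly this computation, so a wrong NT_KEY yields a server response the supplicant rejects even though the NT-Response was accepted by the DC.

```python
"""MS-CHAPv2 server proof (RFC 2759 8.7/8.8) run against the RFC 9.2 vectors.
Added example, not project code. The NT-Response comes from the RFC because
DES is not in the standard library; MD4 falls back to a pure implementation
when hashlib lacks it (OpenSSL 3 without the legacy provider)."""
import hashlib
import hmac
import struct


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4 (reference implementation, used only as a fallback)."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for j in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + X[j]) & M, (3, 7, 11, 19)[j % 4])
            a, b, c, d = d, a, b, c
        for j in range(16):                                   # round 2
            k = (j % 4) * 4 + j // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[j % 4])
            a, b, c, d = d, a, b, c
        for j in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[j % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & M, (B + b) & M, (C + c) & M, (D + d) & M
    return struct.pack("<4I", A, B, C, D)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                      # "unsupported hash type md4"
        return _md4_pure(data)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (8.2). UserName is the bare name; a DOMAIN\\ prefix must
    already be stripped or peer and server compute different challenges."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def generate_authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes, auth_challenge: bytes,
                                    username: str) -> str:
    """GenerateAuthenticatorResponse (8.7), starting from MD4(MD4(password)),
    i.e. the 16 bytes rlm_mschap receives as NT_KEY from ntlm_auth."""
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    digest = hashlib.sha1(password_hash_hash + nt_response + magic1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + magic2).digest()
    return "S=" + digest.hex().upper()


def peer_accepts(password: str, nt_response: bytes, peer_challenge: bytes,
                 auth_challenge: bytes, username: str, received: str) -> bool:
    """CheckAuthenticatorResponse (8.8): what the supplicant does with the
    Success message. Compared in constant time."""
    expected = generate_authenticator_response(md4(nt_password_hash(password)), nt_response,
                                               peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected.encode(), received.encode())


# RFC 2759 section 9.2 test vectors (published values, not constructed here)
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RFC_AUTH_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def demo() -> dict:
    good_key = md4(nt_password_hash(RFC_PASSWORD))   # what a healthy ntlm_auth returns
    stale_key = bytes(16)                             # constructed: a bogus NT_KEY
    args = (RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    good = generate_authenticator_response(good_key, *args)
    stale = generate_authenticator_response(stale_key, *args)
    return {"server_good": good, "server_stale": stale,
            "peer_accepts_good": peer_accepts(RFC_PASSWORD, *args, good),
            "peer_accepts_stale": peer_accepts(RFC_PASSWORD, *args, stale)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The NT-Response that the DC validates is the same in both branches of demo(); only the S= value differs, and the peer drops the session on the second one. That is the asymmetry between radtest -t mschap (v1, no S= at all) and eapol_test (v2). Note also the username caveat in challenge_hash: with DOMAIN\user names as in the radtest run above, rlm_mschap strips the domain before this step (the with_ntdomain_hack option controls that), and both ends must agree.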
RE: eapol_test giving up and win-like error?
I mentioned exactly that last week but he disregarded it!
Subject: Re: eapol_test giving up and win-like error? From: p.may...@imperial.ac.uk Date: Mon, 23 Jan 2012 10:12:08 + To: freeradius-users@lists.freeradius.org
Phil Mayers p.may...@imperial.ac.uk wrote: Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
See also: https://bugzilla.samba.org/show_bug.cgi?id=6563 ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about "invalid nt key until I restarted winbind" which might be the issue. -- Sent from my phone. Please excuse brevity and typos.
Re: eapol_test giving up and win-like error?
On 23/01/2012 11:02, Phil Mayers wrote:
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another step for testing.
Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon.
What do you mean by local user? One added in users file? I know it works (tested while following the guide), but it's not using mschapv2, IIUC...
From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that script only generates NTLMv1 responses... And it references a quite old Samba version. I'm using 3.5.10. From comment 46: "Yes, 3.5.6 has all necessary fixes for this issue. Unless the sernet packages do contain other changes, it should just work with those packages."
I retested, adding winbind:forcesamlogon = True and eapol_test is now successful. Might be useful to add to the guide. Seems, after all, it's needed for recent SAMBA releases, too.
Just for completeness my (now working) smb.conf is:
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 10-1
idmap gid = 10-1
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 5000 -
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 10 - 4999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once it's working...]
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so DNS records are OK for auto-discovery of Kerberos servers).
Now it's Zeroshell's turn...
Tks for the patience.
BYtE, Diego.
Segfault in 2.1.10 backports version advice
Any advice on a segfault situation...?
Jan 23 13:29:17 LX800476 kernel: [1366692.780725] freeradius[23459]: segfault at 8 ip b7461326 sp b5105988 error 4 in libc-2.7.so[b7403000+155000]
Running a backports version of freeradius on Debian Lenny: 2.1.10+dfsg-2~bpo50+1, 2.6.26-2-686 on Vmware ESX cluster. I cannot reproduce it on a test server and it only happens in production. Probably a load thing...? I could upgrade to current stable version in git, I could upgrade the OS (Lenny to Squeeze). Debugging from this backports version seems an impossible road? Or I could install the -dbg version and perhaps run the server in a screen session? However I have experienced it won't crash if run in debug mode (-X). I reckon in -X it is run in single threaded mode?
Rg, Arnaud
Re: Segfault in 2.1.10 backports version advice
Arnaud Loonstra wrote: Any advice on a segfault situation...? Upgrade. I cannot reproduce it on a test server and it only happens in production. Probably a load thing...? Possibly. I could upgrade to current stable version in git, Upgrade to the v2.1.x branch in git. I could upgrade the OS (Lenny to Squeeze). Debugging from this backports version seems an impossible road? Or I could install the -dbg version and perhaps run the server in a screen session? However I have experienced it won't crash if run in debug mode (-X). I reckon in -X it is run in single threaded mode? Yes. Alan DeKok.
Re: Segfault in 2.1.10 backports version advice
On 2012/01/23 03:20 PM, Alan DeKok wrote: I could upgrade the OS (Lenny to Squeeze). Debugging from this backports version seems an impossible road? Or I could install the -dbg version and perhaps run the server in a screen session? However I have experienced it won't crash if run in debug mode (-X). I reckon in -X it is run in single threaded mode? Yes. Hi, I can confirm the same problem. Version is freeradius-git downloaded about 4 days before 2.1.12 was released. Running with -X it runs forever. (About two months now) Without, it crashes about once a week. Have not had the time to collect debug info. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
Re: Segfault in 2.1.10 backports version advice
Johan Meiring wrote: I can confirm the same problem. Version is freeradius-git downloaded about 4 days before 2.1.12 was released. Running with -X it runs forever. (About two months now) Without, it crashes about once a week. Well, the only thing I can see which could be it is the changes to the rlm_passwd module. If you're using that, set hashsize=0. Otherwise it *will* crash. If you're not using rlm_passwd, see doc/bugs. Backtraces will help a lot. Alan DeKok.
Re: LDAP Group assign to vlan after AD user authentication
On 01/19/2012 11:25 AM, James wrote:
Hi, I've successfully set up a radius server to support 802.1x authentication using peap mschapv2 and samba to authenticate users against AD. To do this I followed configuration on the freeradius.org website and the AD integration howto on deployingradius.com, thank you very much for writing these! I now need to assign the vlan due to membership of some group in AD and I understand that an ldap lookup is needed. Where in the configuration do I check this group and map it to a vlan? Can I do it as a default entry in the users file or is it needed somewhere else? Thank you very much, James
Hi James, I don't know anything about AD and I presume you are using the latest FR. I'm currently testing an ldap-group check in authorize using unlang. This is part of a switch statement:
case 'NAS-Prompt-User' {
    my-ldap
    #Check if user is member of a certain group
    if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
        update reply {
            Service-Type := Administrative-User
        }
    }
    #else DENY
    else {
        update control {
            Auth-Type := reject
        }
    }
}
But I reckon you could also do something like that in post-auth section:
if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
    update reply {
        Tunnel-type = VLAN
        Tunnel-medium-type = IEEE-802
        Tunnel-Private-Group-Id = 1
    }
}
This works for me :) it might as well for AD.
Rg, Arnaud
-- Stichting z25.org Concordiastraat 67A 3551 EM Utrecht The Netherlands +31-(0)6-41861063
Re: Segfault in 2.1.10 backports version advice
On 01/23/2012 02:44 PM, Alan DeKok wrote: Johan Meiring wrote: I can confirm the same problem. Version is freeradius-git downloaded about 4 days before 2.1.12 was released. Running with -X it runs forever. (About two months now) Without, it crashes about once a week. Well, the only thing I can see which could be it is the changes to the rlm_passwd module. If you're using that, set hashsize=0. Otherwise it *will* crash. If you're not using rlm_passwd, see doc/bugs. Backtraces will help a lot. Alan DeKok.
Well, I am using an rlm_passwd module with hashsize=0. So that shouldn't be the case in my case? I'll see if I can upgrade and see if it differs. Rg, Arnaud
Re: Segfault in 2.1.10 backports version advice
Hi, Version is freeradius-git downloaded about 4 days before 2.1.12 was released. I'd say go to 2.1.12 - why run a version from GIT that is older than the released version (there were quite a few fixes in the last couple of days before 2.1.12 was released) alan
Re: Segfault in 2.1.10 backports version advice
Hi, On Mon, Jan 23, 2012 at 02:13:55PM +0100, Arnaud Loonstra wrote: Jan 23 13:29:17 LX800476 kernel: [1366692.780725] freeradius[23459]: segfault at 8 ip b7461326 sp b5105988 error 4 in libc-2.7.so[b7403000+155000] Running a backports verison of freeradius on Debian Lenny: 2.1.10+dfsg-2~bpo50+1, 2.6.26-2-686 on Vmware ESX cluster. I cannot reproduce it on a test server and it only happens in production. Probably a load thing...? Had similar segfaults here on 2.1.10. Was very quick to debug - enabled core dumps, and waited for it to crash. Then started up gdb on the corefile and looked at the backtrace. For me, it was a feof bug in the detail listener (copy-acct-to-home-server) - so if you're using that, then you may have hit the same. Fixed in 2.1.11. The backtrace is what you really need to debug it. Upgrade first, though. Compiling the latest from git (or 2.1.12) is trivial as all the Debian stuff is there to build your package for you :-). Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
openLDAP authorization with PAP authentication
Thank you for the help. In addition to removing the unix option from the /sites-available/default authorize section, I also had to remove the 'encryption schema = ssha' from /modules/pap in order for it to work. I was also able to comment out password_attribute = userPassword from modules/ldap again and it still works. Just figured I would send this to let others trying to do the same thing know that I made some unnecessary changes, but it works now. Now let's see if I can keep it working when I add my WPA to do the authentication.
Using sql and userfile together
Hello all, I just wanted to ask how could I make FR to use either users file or sql to send attributes based on the NAS ip address. I suspect that I would need to use unlang for that. Something like:
if (NAS-IP-Address == NAS A IP) {
    use sql
} else {
    use users file
}
I'm just wondering what is the proper syntax of making FR use sql or user file. Kind regards, Krzysztof
Re: Using sql and userfile together
Hi,
Hello all, I just wanted to ask how could I make FR to use either users file or sql to send attributes based on the NAS ip address. I suspect that I would need to use unlang for that. Something like: if (NAS-IP-Address == NAS A IP) { use sql } else { use users file } I'm just wondering what is the proper syntax of making FR use sql or user file.
with default modules
if (%{NAS-IP-Address} == 192.168.100.1) {
    sql
}
else {
    files
}
alan
RE: Cannot control attribute ordering via rlm_perl
Alan, My original reply was confusingly brief. I've clarified below, and I've also put the module we wrote into github in case it helps: https://github.com/claudebrown/freeradius-server/compare/master...rlm_tagfiles (about 60 lines of C beyond usual module plumbing; 250 lines in total) Alan DeKok wrote: - Allow high rate of user-by-user updates; i.e. avoid config re-write as per rlm_fastfile ? The fastusers module is deprecated, because the files module is just as fast. The files module also can be HUP'd, so it can be reloaded on the fly. We avoided both fastfile and reloading files on the fly because of the number of updates we have to our user setup. The rate of change to our customers would require a reload every few seconds during most of the day. We had concerns in two areas: - The time to re-write the config and then re-load so frequently. This may become a performance problem as our user base grows out to 250K - The risk of using the reload mechanism in a way that didn't seem consistent with its design intent, or the likely usage pattern of reloads every day or every few hours. - Simple for stability: no shared in-memory state (avoid locking and races) The server core takes care of that when the files module is reloaded. These Simple for stability points were goals for our code. It wasn't something we were worried about for the existing code-base. FreeRADIUS core is very stable. But MySQL adds instability we have been unable to identify or reproduce in our environment. A crucial success factor for us was to ensure our module code was so simple it was very easy to be confident that stability was maintained. The strategy was to minimise the amount of software outside FreeRADIUS core. Daily config reloads are easy. Agreed. If we only needed daily, the files module would be perfect. Say you have a format similar to the users file, with one user per file. Loading 100K users will mean 100K file reads, and that can take a long time. 
The module doesn't re-implement the users format or have a users file for every user. It does not read 100K (or even 10) files at start-up. The files module is used directly with a single normal users file just as per any normal FreeRADIUS deployment. We achieved all these goals and can now bring all our customers back onto our service in about five minutes. 5 minutes for what, exactly? When large parts of our WiMAX network are restarted due to maintenance or failure the customer devices re-join the network. Whilst this doesn't happen often, when it does happen as many as 50K devices will simultaneously ask to rejoin the network. We need to service this sudden and dramatic backlog as quickly as possible. With the files module this is a breeze with a single server. It just eats it up and everything comes back in a few minutes. Importantly, our testing shows the design goal of 250K users would also be met with one server. But with rlm_sql and MySQL we could not do it. The radiusd would start slowly grinding to a halt roughly as we reached 200 auths per sec (with EAP, this is about 30 devices per sec). The radiusd log reported "Unresponsive child" in a MySQL module and gradually all the database concurrency would disappear as those threads were lost for further work. After a lot of effort testing and experimenting with all sorts of things to isolate or avoid this problem, we did get a lot of improvement. But mostly what we achieved was a drop in the probability of losing threads. Inevitably the next larger network-outage event would re-trigger the issue. With our new far simpler approach, all of this has gone away because we are now using the files module and users file directly. The speed of authentication is essentially as per that module. Our new module adds an extra attribute to the Access-Request prior to it being processed by module files.
The extra attribute can be any text attribute (we use Reply-Message to be perverse) and can have any value. Normal files matching (typically used DEFAULT entries) is used to determine the attributes in the Access-Response. The value of the extra attribute is in essence obtained like this: 1. Format a filename such as /blah/%{Username} 2. Read a line from this file We only have about 10 different values in these files: things like voip-customer, payment-overdue, gold-customer, exceeded-download-limit, etc. The value is used to select a DEFAULT entry in the users file that builds the reply attributes needed to configure the customers service. This adds marginal overhead so performance is barely different to a vanilla files module. The cost is one i-node per customer and a few 100 lines of C code. We are more than happy with that cost. Outside calls to FreeRADIUS code, the module pretty much just calls fopen, fgets and fclose. So it's dreadfully simple and doesn't have any concerns with thread
RE: Cannot control attribute ordering via rlm_perl
Bjorn, Thanks. You don't even need to be that careful. Just run a read-only mysql slave instance locally on the radius server and all mysql-related performance problems will vanish. We didn't try this. Our design goal is: - 250K users all needing to get on the network at the same time - each user performing 7 authentications during EAP negotiation - one hour duration to get everyone sorted This is about 486 authentications per second. I'm sure that a MySQL configuration can be constructed to achieve this, but I'm not confident it would be a simple setup. In contrast, the files module easily does this with a trivial configuration. In any case, assuming MySQL can be configured appropriately, I believe the thread-loss stability issue we experienced with high authentication rates would remain. See my longer reply to Alan for more details. If you do mysql accounting: use buffered-sql aka decoupled-accounting. It won't fix the performance issues on your accounting mysql-server, but it will decouple the radius server from any such problems. Yes, we did use this feature to move the accounting backlog from the radius clients into the on-disk buffer. However, as you note it doesn't solve the accounting performance issues on the database. This was a significant issue for us as we are only able to learn the customers IP address (needed for many business processes) from the accounting start request. If this is delayed due to an avalanche of requests it affects customers in certain business states. We were able to gain a significant performance improvement over and above rlm_sql accounting by writing the essential data to a flat-file and then batch-loading that into the SQL database. The improvement came down to SQL transactions - the batch load only created one transaction for 1000's of accounting events rather than one transaction per event. Cheers, Claude.
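The per-user lookup described in the two posts above (format a filename from the User-Name, read one short line, hand the value to the files module as a selector attribute) is simple, but it has one property a reviewer should flag: the User-Name in an Access-Request is chosen by the peer, so the lookup must not let "../../etc/passwd" or a symlink planted in the directory pick the file, and the tag read back should be one of the known values before it selects a DEFAULT entry. The following is an added example written for this page in Python; it is not the C module linked above and its names, the naming rule for users and the sample directory are assumptions. The tag values are the ones the post lists.

```python
"""Per-user tag file lookup with path hardening (added example, not project code).
One tag per customer lives in <base>/<username>; the caller turns the returned tag
into a request attribute that DEFAULT entries in the users file match on."""
import os
import re
import tempfile

# Tag values named in the post; anything else is treated as "no tag".
KNOWN_TAGS = {"voip-customer", "payment-overdue", "gold-customer", "exceeded-download-limit"}

# Assumed naming rule: one path component, no leading dot, no separators.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}")


class TagLookupError(ValueError):
    pass


def tag_path(base: str, username: str) -> str:
    """Resolve <base>/<username> and refuse anything that leaves <base>."""
    if not NAME_RE.fullmatch(username):
        raise TagLookupError(f"username not acceptable as a file name: {username!r}")
    base_real = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base_real, username))
    # realpath follows symlinks, so a planted link to a file elsewhere fails here
    if os.path.dirname(path) != base_real:
        raise TagLookupError(f"path escapes base directory: {path}")
    return path


def read_tag(base: str, username: str):
    """Return the customer's tag, or None for an unknown user, bad name or bad tag."""
    try:
        path = tag_path(base, username)
    except TagLookupError:
        return None
    try:
        with open(path, "rb") as fh:
            line = fh.readline(128)          # one short line; never slurp a large file
    except OSError:                          # missing file: no tag for this user
        return None
    tag = line.decode("ascii", "replace").strip()
    return tag if tag in KNOWN_TAGS else None


def build_demo_dir() -> str:
    """Constructed sample tree: two valid users, one bogus tag, one symlink that
    points outside the base directory (a file whose content is a valid tag)."""
    root = tempfile.mkdtemp(prefix="tagfiles-")
    base = os.path.join(root, "base")
    os.mkdir(base)
    with open(os.path.join(root, "outside"), "w") as fh:
        fh.write("gold-customer\n")
    for user, tag in (("alice", "gold-customer"), ("bob", "payment-overdue"), ("mallory", "not-a-tag")):
        with open(os.path.join(base, user), "w") as fh:
            fh.write(tag + "\n")
    try:
        os.symlink(os.path.join(root, "outside"), os.path.join(base, "eve"))
    except OSError:
        pass                                 # no symlink support: that case simply has no file
    return base


def demo() -> dict:
    base = build_demo_dir()
    users = ["alice", "bob", "mallory", "eve", "../outside", "nobody"]
    return {u: read_tag(base, u) for u in users}


if __name__ == "__main__":
    for user, tag in demo().items():
        print(f"{user:12} -> {tag}")
```

Only alice and bob come back with a tag: the traversal attempt never reaches the filesystem, the symlink is rejected after realpath(), and mallory's unknown value is dropped so that an operator typo in a tag file cannot silently select the wrong DEFAULT entry. The same two checks apply to any module that builds a path from a request attribute, whatever language it is written in.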
Re: LDAP Group assign to vlan after AD user authentication
On 23/01/2012 14:48, Arnaud Loonstra wrote:
But I reckon you could also do something like that in post-auth section if (Ldap-Group == cn=mygroup,ou=groups,o=radius) { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 1 } }
I think it could be possible to do the same using exec, a script and wbinfo... Just still don't know how. With
for T in $(wbinfo --user-domgroups `wbinfo -n ADusername`) ; do wbinfo -s $T; done
I can get all AD groups ADusername is into. Checking group membership would be even easier. But how do I set Tunnel-Private-Group-Id from an exec-ed script?
BYtE, Diego.
Re: LDAP Group assign to vlan after AD user authentication
On 24 Jan 2012, at 08:23, NdK wrote: Il 23/01/2012 14:48, Arnaud Loonstra ha scritto: But I reckon you could also do something like that in post-auth section if (Ldap-Group == cn=mygroup,ou=groups,o=radius) { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 1 } } I think it could be possible to do the same using exec, a script and wbinfo... Just still don't know how. With for T in $(wbinfo --user-domgroups `wbinfo -n ADusername`) ; do wbinfo -s $T; done I can get all AD groups ADusername is into. Checking group membership would be even easier. But how do I set Tunnel-Private-Group-Id from an exec-ed script? Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for). Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow... IIRC the LDAP Module is actually smart enough to figure out whether you passed in a DN as a group or just a groupname, so in theory if you have the filters and search depth set correctly you can just use Ldap-Group == mygroup. -Arran Arran Cudbard-Bell a.cudba...@freeradius.org Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
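For the exec route asked about in this thread (wbinfo group lookup, then Tunnel-* attributes in the reply), here is an added example written for this page; it is not code from FreeRADIUS, Samba or any of the posts. The assumptions, none of which the thread states, are: the script is started from post-auth by an exec module instance configured with wait = yes, output_pairs = reply and program = "/usr/local/bin/vlan-from-groups.py %{User-Name}", so that each "Attribute = value" line it prints becomes a reply attribute and a non-zero exit is a failure; the group-to-VLAN policy is invented; and the wbinfo output used offline is constructed from the formats wbinfo -n and wbinfo -s print. The live path runs the same three wbinfo calls as the shell loop quoted above, but as argv lists with no shell, because the User-Name comes from the supplicant.

```python
#!/usr/bin/env python3
"""Group-to-VLAN mapping for an rlm_exec script (added example, not project code)."""
import re
import subprocess
import sys

# Ordered policy, first match wins: put the most privileged group first.
# Names are "DOMAIN\\group" exactly as `wbinfo -s` prints them (compared case-insensitively).
GROUP_TO_VLAN = [
    ("PERSONALE\\netadmins", "10"),
    ("PERSONALE\\staff", "20"),
    ("STUDENTI\\students", "30"),
]

# A User-Name is attacker-controlled input; only pass on DOMAIN\name or name.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._-]+$")


def valid_username(name: str) -> bool:
    return bool(USERNAME_RE.match(name))


def parse_sid_line(line: str) -> str:
    """`wbinfo -n NAME` prints "S-1-5-21-... SID_USER (1)": keep the SID."""
    return line.split()[0]


def parse_name_line(line: str) -> str:
    """`wbinfo -s SID` prints "DOMAIN\\name 2": drop the trailing type number."""
    return line.strip().rsplit(" ", 1)[0]


def vlan_for_groups(group_names, policy=GROUP_TO_VLAN):
    members = {g.lower() for g in group_names}
    for group, vlan in policy:
        if group.lower() in members:
            return vlan
    return None            # no match: emit nothing and let the switch keep its default


def reply_lines(vlan):
    """The three attributes from the thread, in the form rlm_exec reads back."""
    if vlan is None:
        return []
    return ["Tunnel-Type = VLAN",
            "Tunnel-Medium-Type = IEEE-802",
            f"Tunnel-Private-Group-Id = {vlan}"]


def _wbinfo(*args) -> str:
    # argv list, no shell: the username never reaches a shell parser
    return subprocess.run(["wbinfo", *args], check=True, capture_output=True,
                          text=True, timeout=5).stdout


def groups_via_winbind(username: str):
    """Live path, equivalent to the shell loop quoted in the thread."""
    sid = parse_sid_line(_wbinfo("-n", username))
    return [parse_name_line(_wbinfo("-s", g)) for g in _wbinfo("--user-domgroups", sid).split()]


# Constructed sample `wbinfo -s` output for one user, for offline use.
SAMPLE_GROUP_LINES = ["PERSONALE\\Domain Users 2", "PERSONALE\\staff 2", "STUDENTI\\students 2"]


def main(argv) -> int:
    if len(argv) != 2 or not valid_username(argv[1]):
        print("bad or missing User-Name", file=sys.stderr)
        return 1
    try:
        groups = groups_via_winbind(argv[1])
    except (subprocess.SubprocessError, OSError, IndexError) as exc:
        print(f"winbind lookup failed: {exc}", file=sys.stderr)
        return 1                                # rlm_exec treats this as fail, not as "no VLAN"
    for line in reply_lines(vlan_for_groups(groups)):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points of design: a lookup error exits non-zero rather than printing nothing, so a winbind outage does not silently land every user on the default VLAN; and the policy is an ordered list, because a user in both staff and students must get a deterministic answer. Arran's remark about exec being slow stands, so this belongs behind a cache or an LDAP group check in a busy deployment.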