Re: FreeRadius questions
On 2012/02/28 07:06 PM, James DeLuca wrote:

> Module: Checking post-auth {...} for more modules to load
> }
> radiusd: Opening IP addresses and Ports
> listen {
>     type = auth
>     ipaddr = 10.0.8.9

You've configured your server to NOT listen on localhost.

Sending to localhost will therefore not work.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP (POSIX attributes) password expiry
u...@3.am wrote:
>>> checkItem Expiration radiusExpiration
>>
>> Did you check that the LDAP module is returning this attribute for the query?
>
> No, I don't expect it to, since I don't have that attribute or anything that looks like it might be a good substitute.

  So... why would you ever expect that expiration will work?

>> Did you check that Expiration works if you put it into the users file?
>
> I'm not worried about that...expiry worked with the old rlm_pam using Unix expiry.

  I see. You ask for help, and you ignore the response.

  If you do this again, you will be unsubscribed and banned.

> When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to the two LDAP attributes mentioned. I was hoping that perhaps there was a module that could calculate between the two and figure out that the password was expired and take it from there. I figured it a long shot but worth asking.

  Was there documentation saying that such a module existed?

  Alan DeKok.
Re: rlm_sqlcounter doesn't increase counter
Hello Alan,

> logins for Cisco won't do decent accounting for login sessions - for authenticated sessions on edge ports they can send accounting...eg
>
> aaa accounting dot1x default start-stop group RADIUS
>
> alan

Sorry, I didn't quite understand your submission. Please, are you saying Cisco 2960 is unable to send accounting packets to the radius server? I have the following on my Cisco 2960 switch.

aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 1
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius

Do I have too many entries for accounting?
Re: rlm_sqlcounter doesn't increase counter
Hi,

> logins for Cisco won't do decent accounting for login sessions - for authenticated sessions on edge ports they can send accounting...eg
>
> aaa accounting dot1x default start-stop group RADIUS

did you read what I typed? I don't see a line like this in your provided config - which means that any dot1x authenticated client WON'T be sending any accounting updates.

alan
Re: LDAP (POSIX attributes) password expiry
On 28/02/12 21:16, u...@3.am wrote:
> Hi:
>
> We've been running various versions of FreeRadius for years, currently 2.1.10 in this application. A while ago, we switched from PAM (unix) auth to LDAP auth. Everything worked fine after the switch...POSIX attributes for group membership correctly allocated the right ippools, etc.
>
> However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:
>
> checkItem Expiration radiusExpiration
>
> Our LDAP attributes use the following POSIX attributes to determine expiry:
>
> shadowMax: 90
> shadowLastChange: 15215

Other replies should have convinced you that there's no built-in support for this. You will need to either:

1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be set in LDAP alongside the POSIX/shadow schemas
2. Synthesize an Expiration attribute, or otherwise locally check the POSIX/shadow attributes.

One way you might accomplish the 2nd is as follows:

== Create some local RADIUS attributes for the shadow values ==

/etc/raddb/dictionary:

ATTRIBUTE Shadow-Max-Age 3000 integer
ATTRIBUTE Shadow-Last-Change 3001 integer
ATTRIBUTE Shadow-Expires 3002 integer
ATTRIBUTE Shadow-Current 3003 integer

/etc/raddb/ldap.attrmap:

checkItem Shadow-Max-Age shadowMax
checkItem Shadow-Last-Change shadowLastChange

== Read these attributes from LDAP, then perform some maths ==

/etc/raddb/sites-enabled/server:

authorize {
    ...
    ldap
    update control {
        Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
        Shadow-Current := %{expr:%l / 86400}
    }
    if (control:Shadow-Current > control:Shadow-Expires) {
        reject
    }
    ...
}

Hopefully it's clear what this does, but basically:

1. Pulls last-change & max-age from LDAP
2. Adds them together, to get expiry (in days since epoch)
3. Divides %l (epoch) by 86400 to get today, in days since epoch
4. Compares them
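The same shadowLastChange + shadowMax arithmetic as an added Python example, so the check can be reasoned about and tested outside unlang. This is not code from the post or from FreeRADIUS; it goes a little beyond the post by handling the shadow(5) conventions for "never expires" (shadowMax of -1 or 99999) and "must change now" (shadowLastChange of 0), which are assumptions on my part, and all sample inputs are constructed (the Timestamp value is the one quoted elsewhere on this page).

```python
# Added example: re-implements the post's shadowLastChange + shadowMax check.
# Attribute names are the POSIX shadow ones the post uses; the special-case
# values (-1/99999 = never, 0 = must change) are assumptions taken from the
# shadow(5) conventions; all sample inputs are constructed.

SECONDS_PER_DAY = 86400
SHADOW_NEVER = 99999  # conventional "never expires" value for shadowMax


def days_since_epoch(epoch_seconds):
    """Same quantity as the post's %{expr:%l / 86400}: whole days since 1970-01-01."""
    return int(epoch_seconds) // SECONDS_PER_DAY


def shadow_expiry_day(attrs):
    """Return the day (since epoch) on which the password expires, or None if
    the attributes say it never expires.  This is the post's Shadow-Expires."""
    last_change = attrs.get("shadowLastChange")
    max_age = attrs.get("shadowMax")
    if last_change is None or max_age is None:
        return None                      # no shadow data: nothing to expire
    last_change, max_age = int(last_change), int(max_age)
    if max_age < 0 or max_age >= SHADOW_NEVER:
        return None                      # -1 / 99999: password never ages out
    return last_change + max_age


def password_expired(attrs, now_epoch):
    """True when the account should be rejected.  'attrs' is a dict of LDAP
    attribute name -> string value as an LDAP client returns them, e.g.
    {"shadowLastChange": "15215", "shadowMax": "90"}."""
    if str(attrs.get("shadowLastChange", "")) == "0":
        return True                      # lastChange 0: password must be changed
    expires = shadow_expiry_day(attrs)
    if expires is None:
        return False
    return days_since_epoch(now_epoch) > expires   # the post's comparison


def describe(attrs, now_epoch):
    """Human-readable verdict, handy when checking one user by hand."""
    expires = shadow_expiry_day(attrs)
    today = days_since_epoch(now_epoch)
    if expires is None:
        return f"today={today} expires=never -> accept"
    verdict = "reject" if password_expired(attrs, now_epoch) else "accept"
    return f"today={today} expires={expires} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample: the values quoted in the thread, evaluated at the
    # Timestamp seen elsewhere on this page (1330522011 = 2012-02-29 UTC).
    print(describe({"shadowLastChange": "15215", "shadowMax": "90"}, 1330522011))
    print(describe({"shadowLastChange": "15390", "shadowMax": "90"}, 1330522011))
    print(describe({"shadowLastChange": "15215", "shadowMax": "99999"}, 1330522011))
```

With the thread's values the password expired on day 15305 (15215 + 90), while 2012-02-29 is day 15399, so the request is rejected; an account whose shadowMax is 99999 is never rejected by this rule, which the unlang in the post does not distinguish.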
Re: rlm_sqlcounter doesn't increase counter
Thanks Alan for pointing it out. I am happy I am getting close to the solution. I have added the line

aaa accounting dot1x default start-stop group RADIUS

to the switch. Accounting packets are being sent to the radius server now. I also have accounting details recorded in the radacct table in mysql. But the counter doesn't increase. Users are not logged off when they reach their Maximum Daily session.

#Radius Debug#

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user clare, check_item=120, counter=0
rlm_sqlcounter: Sent Reply-Item for user clare, Type=Session-Timeout, value=120
modcall[authorize]: module dailycounter returns ok for request 257

/etc/raddb/users###

clare   Max-Daily-Session := 120, User-Password := password
        Service-Type = Framed-User

log from tail /var/log/radius/radacct/10.1.5.4/detail-20120229 doesn't give much

NAS-Port-Id = FastEthernet0/9
Called-Station-Id = EC-30-91-1D-69-89
Calling-Station-Id = 00-1E-33-D5-7A-68
Service-Type = Framed-User
NAS-IP-Address = 10.1.5.4
Acct-Delay-Time = 0
Client-IP-Address = 10.1.5.4
Acct-Unique-Session-Id = d5e43dc3a98bea70
Timestamp = 1330522011
Re: rlm_sqlcounter doesn't increase counter
On Wed, Feb 29, 2012 at 8:29 PM, pamela pomary ppom...@gmail.com wrote:
> But counter doesn't increase. Users are not logged off when they reach their Maximum Daily session.
>
> #Radius Debug#
> rlm_sqlcounter: (Check item - counter) is greater than zero
> rlm_sqlcounter: Authorized user clare, check_item=120, counter=0
> rlm_sqlcounter: Sent Reply-Item for user clare, Type=Session-Timeout, value=120
> modcall[authorize]: module dailycounter returns ok for request 257

A complete output of what attributes FR sends would be nice. Lacking that, I assume from the above snippet that FR sends Session-Timeout = 120.

Does your NAS honor Session-Timeout? As usual, if you don't know the answer, look at its documentation or ask the vendor.

--
Fajar
Re: Internal sanity check failed After adding second Home Server
> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {

I'm not that good with POSIX regex, but shouldn't it be

if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]\._]*)?$/) {

AFAIK the dot . means any char so I think it needs to be escaped.
Re: Unable to setup freeradius server to authenticate from Unix username/passwords
Mohit Aron wrote:
> I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable to set it up so as to authenticate incoming requests from the Unix username/passwords stored in /etc/{passwd, shadow}.

  You should mostly just uncomment unix in raddb/sites-enabled/default

> Here is a description of my setup. I've setup wifi security on my wireless router to WPA-Enterprise and entered the IP address of the radius server in the router to that of a Linux machine running freeradius.
>
> Here's a description of all the changes I made to /etc/freeradius directory to even reach the point to make it partially work:
>
> 1) chown -R freerad /etc/freeradius
>
> The above is needed as Ubuntu seems to install every file there as root and thus the freeradius server which runs as user freerad isn't able to read the configuration files.

  I saw that. What a ridiculous thing for them to do.

> 2) Modified /etc/freeradius/clients.conf to accept requests from my router's IP address. Also added the shared key testing123 there - which is the same that was put in the router while configuring it with a radius server.
>
> 3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make it 'shadow' to enable it to lookup /etc/shadow.

  Yes.

> 4) Uncommented the keyword 'unix' in both /etc/freeradius/sites-enabled/{inner-tunnel,default}

  That should work. *With* the caveat that it will only work for TTLS, not PEAP.

> 5) Modified /etc/default/freeradius to pass option '-X' to the freeradius server.

  You don't want to do that. Just run it in debugging mode from the command-line.

> I've tried using both Windows 7 as well as an iPad as a client to connect using wifi. Each time, the freeradius server running on my Linux box denies the requests. I should mention that a 'radtest' succeeds - so I'm entering the username/passwd correctly.

  That doesn't test EAP, and isn't enough.

> I'm attaching the output of the freeradius server when iPad is used. In a separate email I'll also attach the output from Windows 7 (to avoid going over the 100KB message limit in this email).

  Which says:

TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

  Follow the EAP-TLS Howto. You either didn't sign the certificates correctly, or you didn't put the root CA on the client machine.

  Alan DeKok.
Re: Internal sanity check failed After adding second Home Server
Within POSIX bracket expressions, the dot character matches a literal dot. For example, a.c matches *abc*, etc., but [a.c] matches only *a*, *.*, or *c*.

My bad.

2012/2/29 Alberto Martínez alberto_marti...@deusto.es
>> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {
>
> I'm not that good with POSIX regex, but shouldn't it be
>
> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]\._]*)?$/) {
>
> AFAIK the dot . means any char so I think it needs to be escaped.

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: Internal sanity check failed After adding second Home Server
Hi,

> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {

please note i did say that was an example - please don't just use anything like this in a production system - you will need other checks and validations too - it's just to give you an idea.

the first one would be something like..

if((%{User-Name} !~ /@/) && (%{Called-Station-Id} =~ /:eduroam$/)) {
    reject
}

ie if the SSID is eduroam and the user doesn't have an @ in it, then reject. (this example would work if the kit provides the SSID at the end of the Called-Station-Id - most do..)

..and so on.

alan
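An added Python example covering the two points argued over in this thread: whether an unescaped dot inside a bracket expression needs escaping (it does not, as the retraction above says), and the "no realm on the eduroam SSID" rule from the last reply. It is not code from any of the posts or from FreeRADIUS. Python's re engine is not POSIX, but it agrees on the bracket-expression behaviour; since it does not understand [:alnum:], the class is spelled out as A-Za-z0-9, the pattern is anchored with ^ (my choice), and the redundant trailing ? after the realm group is dropped. The MAC/SSID values and user names are constructed sample requests, and treating the text after the last ':' of Called-Station-Id as the SSID is the assumption the reply itself makes.

```python
# Added example, not from the list posts: checks the regex claims from this
# thread with Python's re module and applies the eduroam realm rule to
# constructed sample requests.  '[:alnum:]' is spelled out as A-Za-z0-9 because
# Python's re lacks POSIX classes; the '^' anchor is my choice.
import re

# user part, optional '@', optional realm of letters, digits, '-', '.', '_'
USER_REALM = re.compile(r"^([^@]+)@?([-A-Za-z0-9._]*)$")


def split_user_realm(user_name):
    """Return (user, realm) with realm == '' when no '@' is present, or None
    when User-Name does not match at all (e.g. it starts with '@' or has two)."""
    m = USER_REALM.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2)


def dot_in_bracket_is_literal():
    """[a.c] matches exactly one of 'a', '.', 'c' and nothing else, and the
    escaped form [a\\.c] behaves identically: (forms_agree, per-char matches)."""
    probe = "a.cb"
    plain = [bool(re.fullmatch(r"[a.c]", ch)) for ch in probe]
    escaped = [bool(re.fullmatch(r"[a\.c]", ch)) for ch in probe]
    return plain == escaped, plain


def ssid_from_called_station_id(called_station_id):
    """SSID suffix after the last ':' (assumption from the reply: most kit
    appends the SSID to Called-Station-Id); '' when there is none."""
    _mac, sep, ssid = called_station_id.rpartition(":")
    return ssid if sep else ""


def eduroam_policy(user_name, called_station_id):
    """The reply's rule: reject a user without a realm on the eduroam SSID.
    Returns 'reject' or 'ok'; no other policy is modelled."""
    has_realm = re.search(r"@", user_name) is not None            # %{User-Name} =~ /@/
    on_eduroam = re.search(r":eduroam$", called_station_id) is not None
    if not has_realm and on_eduroam:
        return "reject"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests (MAC taken from the detail log on this page,
    # SSID suffix and user names invented).
    for name, csid in [("alice@example.org", "EC-30-91-1D-69-89:eduroam"),
                       ("bob", "EC-30-91-1D-69-89:eduroam"),
                       ("bob", "EC-30-91-1D-69-89:guest")]:
        print(name, split_user_realm(name), ssid_from_called_station_id(csid),
              eduroam_policy(name, csid))
    print(dot_in_bracket_is_literal())
```

Running it shows that "bob" on the eduroam SSID is rejected while "alice@example.org" passes, and that the plain and escaped bracket expressions match the same characters, which is why the escaping suggestion was withdrawn.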