Re: FreeRadius questions

2012-02-29 Thread Johan Meiring

On 2012/02/28 07:06 PM, James DeLuca wrote:

> Module: Checking post-auth {...} for more modules to load }
> radiusd:  Opening IP addresses and Ports  listen {
> type = auth
> ipaddr = 10.0.8.9

You've configured your server to NOT listen on localhost.

Sending to localhost will therefore not work.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP (POSIX attributes) password expiry

2012-02-29 Thread Alan DeKok
u...@3.am wrote:
> checkItem   Expiration  radiusExpiration
>   Did you check that the LDAP module is returning this attribute for the
> query?
>
> No, I don't expect it to, since I don't have that attribute or anything that
> looks like it might be a good substitute.

  So... why would you ever expect that expiration will work?

>   Did you check that Expiration works if you put it into the users file?
>
> I'm not worried about that...expiry worked with the old rlm_pam using Unix
> expiry.

  I see.  You ask for help, and you ignore the response.

  If you do this again, you will be unsubscribed and banned.

> When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to
> the two LDAP attributes mentioned.  I was hoping that perhaps there was a module
> that could calculate between the two and figure out that the password was
> expired and take it from there.  I figured it a long shot but worth asking.

  Was there documentation saying that such a module existed?

  Alan DeKok.


Re: rlm_sqlcounter doesn't increase counter

2012-02-29 Thread pamela pomary
Hello Alan,

> logins for Cisco won't do decent accounting for login sessions -
> for authenticated sessions on edge ports they can send accounting...eg
>
> aaa accounting dot1x default start-stop group RADIUS
>
> alan

Sorry, I didn't quite understand your submission. Please, are you saying the
Cisco 2960 is unable to send accounting packets to the radius server? I
have the following on my Cisco 2960 switch.

aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 1
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius

Do I have too many entries for accounting?


Re: rlm_sqlcounter doesn't increase counter

2012-02-29 Thread Alan Buxey
Hi,

>> logins for Cisco won't do decent accounting for login sessions -
>> for authenticated sessions on edge ports they can send accounting...eg
>>
>> aaa accounting dot1x default start-stop group RADIUS

did you read what I typed?  I don't see a line like this in your provided
config - which means that any dot1x authenticated client WON'T be sending any
accounting updates.

alan


Re: LDAP (POSIX attributes) password expiry

2012-02-29 Thread Phil Mayers

On 28/02/12 21:16, u...@3.am wrote:
> Hi:
>
> We've been running various versions of FreeRadius for years, currently 2.1.10 in
> this application.  A while ago, we switched from PAM (unix) auth to LDAP auth.
> Everything worked fine after the switch...POSIX attributes for group membership
> correctly allocated the right ippools, etc.
>
> However, we just noticed that password expiry isn't working.  I suspect this is
> because we are still using all the original POSIX attributes and none of them
> look good for mapping to the ones supplied by FreeRADIUS.  I see:
>
> checkItem   Expiration  radiusExpiration
>
> Our LDAP attributes use the following POSIX attributes to determine expiry:
>
> shadowMax: 90
> shadowLastChange: 15215


Other replies should have convinced you that there's no built-in support
for this. You will need to either:

 1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be
    set in LDAP alongside the POSIX/shadow schemas

 2. Synthesize an Expiration attribute, or otherwise locally check the
    POSIX/shadow attributes.

One way you might accomplish the 2nd is as follows:

== Create some local RADIUS attributes for the shadow values ==

/etc/raddb/dictionary:

ATTRIBUTE   Shadow-Max-Age      3000    integer
ATTRIBUTE   Shadow-Last-Change  3001    integer
ATTRIBUTE   Shadow-Expires      3002    integer
ATTRIBUTE   Shadow-Current      3003    integer

/etc/raddb/ldap.attrmap:

checkItem   Shadow-Max-Age      shadowMax
checkItem   Shadow-Last-Change  shadowLastChange

== Read these attributes from LDAP, then perform some maths ==

/etc/raddb/sites-enabled/server:

authorize {
  ...
  ldap
  update control {
    # day (since epoch) on which the password expires: lastchange + max
    Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}"
    # today, in days since epoch (%l is the current unix time, integer division)
    Shadow-Current := "%{expr:%l / 86400}"
  }
  if (control:Shadow-Current > control:Shadow-Expires) {
    reject
  }
  ...
}

Hopefully it's clear what this does, but basically:

 1. Pulls last-change & max-age from LDAP
 2. Adds them together, to get expiry (in days since epoch)
 3. Divides %l (epoch) by 86400 to get today, in days since epoch
 4. Compares them
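The same shadow-ageing arithmetic as the unlang above, as an added example in Python (not code from the thread or from FreeRADIUS). It goes a little further than the snippet: it applies the shadow(5) conventions that the two-attribute version ignores, namely shadowMax absent or -1 meaning "never expires", shadowLastChange 0 meaning "must change now", and the optional shadowInactive grace period and shadowExpire absolute account expiry. The attribute dictionary shape ({name: [value, ...]}) is the python-ldap result format and is an assumption; shadowMax=90 / shadowLastChange=15215 come from the question, everything else is constructed. Whatever you do in unlang, test the case where LDAP returns no shadowMax at all, so you know whether the comparison fails open or closed.

```python
"""Shadow(5)-style password ageing from LDAP POSIX attributes.

Added example; not the unlang from the thread and not FreeRADIUS code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

SECONDS_PER_DAY = 86400


@dataclass
class ShadowEntry:
    last_change: Optional[int]          # shadowLastChange: days since epoch; 0 = must change
    max_age: Optional[int]              # shadowMax: None or -1 = no maximum age
    inactive: Optional[int] = None      # shadowInactive: grace days after expiry
    expire: Optional[int] = None        # shadowExpire: absolute account expiry (days)


def _int_attr(attrs: Dict[str, List[Union[bytes, str]]], name: str) -> Optional[int]:
    """Read a single-valued integer attribute from a python-ldap style result
    dict (assumed shape: {attr: [value, ...]}). Missing attribute -> None."""
    values = attrs.get(name)
    if not values:
        return None
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    return int(raw)


def shadow_entry_from_ldap(attrs: Dict[str, List[Union[bytes, str]]]) -> ShadowEntry:
    return ShadowEntry(
        last_change=_int_attr(attrs, "shadowLastChange"),
        max_age=_int_attr(attrs, "shadowMax"),
        inactive=_int_attr(attrs, "shadowInactive"),
        expire=_int_attr(attrs, "shadowExpire"),
    )


def password_status(entry: ShadowEntry, now_epoch: int) -> str:
    """Classify the entry at time now_epoch (seconds since epoch).

    Returns one of 'ok', 'must-change', 'expired', 'locked', 'account-expired',
    checked in the order pam_unix checks /etc/shadow."""
    today = now_epoch // SECONDS_PER_DAY            # same integer maths as %l / 86400
    # Absolute account expiry is independent of password ageing and wins.
    if entry.expire is not None and entry.expire >= 0 and today >= entry.expire:
        return "account-expired"
    if entry.last_change is None:                   # no ageing information at all
        return "ok"
    if entry.last_change == 0:                      # admin forced a password change
        return "must-change"
    if entry.max_age is None or entry.max_age < 0:  # shadowMax -1 / absent: never expires
        return "ok"
    expires_on = entry.last_change + entry.max_age  # lastchange + max, in days
    if today <= expires_on:
        return "ok"
    if entry.inactive is not None and entry.inactive >= 0:
        if today <= expires_on + entry.inactive:
            return "expired"                        # inside the grace window
        return "locked"                             # grace window used up too
    return "expired"


def radius_decision(entry: ShadowEntry, now_epoch: int) -> str:
    """RADIUS has no 'change your password now' dialogue, so anything other
    than 'ok' becomes a reject. Returns 'accept' or 'reject:<status>'."""
    status = password_status(entry, now_epoch)
    return "accept" if status == "ok" else "reject:" + status


if __name__ == "__main__":
    # Values from the question: shadowMax 90, shadowLastChange 15215 (2011-08-29),
    # so the password expired on day 15305 (2011-11-27).
    entry = shadow_entry_from_ldap({"shadowMax": [b"90"], "shadowLastChange": [b"15215"]})
    print(radius_decision(entry, 1330473600))       # 2012-02-29 -> reject:expired
```

Note that the boundary matches the unlang (`Shadow-Current > Shadow-Expires` rejects), i.e. the password is still valid on the expiry day itself and rejected from the next day on.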


Re: rlm_sqlcounter doesn't increase counter

2012-02-29 Thread pamela pomary
Thanks Alan for pointing it out.

I am happy I am getting close to the solution. I have added the line "aaa
accounting dot1x default start-stop group RADIUS" to the switch.

Accounting packets are being sent to the radius server now. I also have
accounting details recorded in the radacct table in mysql.

But the counter doesn't increase. Users are not logged off when they reach their
Maximum Daily session.

#Radius Debug#

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user clare, check_item=120, counter=0
rlm_sqlcounter: Sent Reply-Item for user clare, Type=Session-Timeout,
value=120
  modcall[authorize]: module dailycounter returns ok for request 257



### /etc/raddb/users ###

clare   Max-Daily-Session := 120, User-Password := password
        Service-Type = Framed-User


The log from tail /var/log/radius/radacct/10.1.5.4/detail-20120229 doesn't give
much:

NAS-Port-Id = FastEthernet0/9
Called-Station-Id = EC-30-91-1D-69-89
Calling-Station-Id = 00-1E-33-D5-7A-68
Service-Type = Framed-User
NAS-IP-Address = 10.1.5.4
Acct-Delay-Time = 0
Client-IP-Address = 10.1.5.4
Acct-Unique-Session-Id = d5e43dc3a98bea70
Timestamp = 1330522011


Re: rlm_sqlcounter doesn't increase counter

2012-02-29 Thread Fajar A. Nugraha
On Wed, Feb 29, 2012 at 8:29 PM, pamela pomary ppom...@gmail.com wrote:
> But counter doesn't increase.Users are not logged off when they reach their
> Maximum Daily session.
>
> #Radius Debug#
>
> rlm_sqlcounter: (Check item - counter) is greater than zero
> rlm_sqlcounter: Authorized user clare, check_item=120, counter=0
> rlm_sqlcounter: Sent Reply-Item for user clare, Type=Session-Timeout,
> value=120
>   modcall[authorize]: module dailycounter returns ok for request 257

A complete output of what attributes FR sends would be nice.

Lacking that, I assume from the above snippet that FR sends
Session-Timeout = 120. Does your NAS honor Session-Timeout? As usual,
if you don't know the answer, look at its documentation or ask the
vendor.

-- 
Fajar

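What the `counter=0` / `Session-Timeout = 120` debug lines in the two posts above actually come from, as an added example (not code from the thread or from rlm_sqlcounter): the daily counter is the result of one SQL query over radacct, run at authorize time, and the reply item is simply the limit minus that result. The Python below replays the arithmetic of the stock 2.x dailycounter query (the query text in the docstring is quoted from memory of raddb/sql/mysql/counter.conf; check your own) over constructed radacct rows. Two things it makes visible: a session that has only sent a Start contributes nothing until an Interim-Update writes acctsessiontime, and nothing in this module logs anyone off; the cut-off is the Session-Timeout the NAS is handed, which is why Fajar asks whether the NAS honours it. Username `clare` and the 120-second limit come from the thread; the rows are made up.

```python
"""rlm_sqlcounter daily counter, re-implemented over in-memory radacct rows.

Added example; not code from the thread or from FreeRADIUS.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RadacctRow:
    """One radacct row reduced to the columns the counter query reads.
    Constructed data for the example, not dumped from a real database."""
    username: str
    acctstarttime: int                  # UNIX_TIMESTAMP(acctstarttime)
    acctsessiontime: int                # seconds; on an open session this is whatever
                                        # the last Interim-Update wrote (0 after Start only)
    acctstoptime: Optional[int] = None  # None = session still open


def daily_counter(rows: List[RadacctRow], username: str, period_start: int) -> int:
    """Same arithmetic as the stock 2.x dailycounter query (from memory):

        SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0))
          FROM radacct WHERE username = '%{%k}'
           AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'

    %b is the start of the current day. Only seconds inside today count, and a
    session counts only for the seconds the database already knows about."""
    total = 0
    for row in rows:
        if row.username != username:
            continue
        if row.acctstarttime + row.acctsessiontime <= period_start:
            continue                          # all known time is before today
        before_period = max(period_start - row.acctstarttime, 0)
        total += row.acctsessiontime - before_period
    return total


def sqlcounter_reply(check_item: int, counter: int) -> Optional[int]:
    """check_item is Max-Daily-Session. Returns the Session-Timeout to send,
    or None when the allowance is used up and the request is rejected.
    Enforcing that Session-Timeout is the NAS's job, not the server's."""
    remaining = check_item - counter
    if remaining <= 0:
        return None
    return remaining


def walk_through(period_start: int) -> List[Optional[int]]:
    """Replays the thread for user 'clare' with a 120 s limit and returns the
    Session-Timeout the server would send at three points in the day."""
    limit = 120
    results = []
    # 1. Start record only, no Interim-Update yet: acctsessiontime is still 0,
    #    so counter=0 and the reply is Session-Timeout = 120 (the debug output).
    rows = [RadacctRow("clare", period_start + 100, 0)]
    results.append(sqlcounter_reply(limit, daily_counter(rows, "clare", period_start)))
    # 2. An Interim-Update has written 60 s: the next authorize gets Session-Timeout = 60.
    rows = [RadacctRow("clare", period_start + 100, 60)]
    results.append(sqlcounter_reply(limit, daily_counter(rows, "clare", period_start)))
    # 3. Two stopped sessions totalling 120 s today (the first began yesterday and
    #    only its last 30 s count); someone else's row is ignored. Allowance gone:
    #    the next login is rejected.
    rows = [
        RadacctRow("clare", period_start - 60, 90, period_start + 30),
        RadacctRow("clare", period_start + 1000, 90, period_start + 1090),
        RadacctRow("bob", period_start + 10, 5000, period_start + 5010),
    ]
    results.append(sqlcounter_reply(limit, daily_counter(rows, "clare", period_start)))
    return results


if __name__ == "__main__":
    print(walk_through(1330473600))   # midnight UTC, 2012-02-29 -> [120, 60, None]
```

The switch config posted earlier already has `aaa accounting update newinfo periodic 1`, so interim records should be arriving once dot1x accounting is on; if acctsessiontime in radacct stays at 0 for an open session, that is the first thing to check, and if it does grow but nobody is disconnected, the NAS is not acting on Session-Timeout.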


Re: Internal sanity check failed After adding second Home Server

2012-02-29 Thread Alberto Martínez

> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {


I'm not that good with POSIX regex, but shouldn't it be
if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]\._]*)?$/) {

AFAIK the dot . means any char so I think it needs to be escaped.


Re: Unable to setup freeradius server to authenticate from Unix username/passwords

2012-02-29 Thread Alan DeKok
Mohit Aron wrote:
> I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable
> to set it up so as to authenticate incoming requests from the Unix
> username/passwords stored in /etc/{passwd, shadow}.

  You should mostly just uncomment unix in raddb/sites-enabled/default

> Here is a description of my setup. I've setup wifi security on my wireless
> router to WPA-Enterprise and entered the IP address of the radius server in
> the router to that of a Linux machine running freeradius.
>
> Here's a description of all the changes I made to /etc/freeradius directory to
> even reach the point to make it partially work:
> 1) chown -R freerad /etc/freeradius
>   The above is needed as Ubuntu seems to install every file there as root and
>   thus the freeradius server which runs as user freerad isn't able to read
>   the configuration files.

  I saw that.  What a ridiculous thing for them to do.

> 2) Modified /etc/freeradius/clients.conf to accept requests from my router's
> IP address. Also added the shared key testing123 there - which is the same that
> was put in the router while configuring it with a radius server.
>
> 3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make
> it 'shadow' to enable it to lookup /etc/shadow.

  Yes.

> 4) Uncommented the keyword 'unix' in both
> /etc/freeradius/sites-enabled/{inner-tunnel,default}

  That should work.

  *With* the caveat that it will only work for TTLS, not PEAP.

> 5) Modified /etc/default/freeradius to pass option '-X' to the freeradius
> server.

  You don't want to do that.  Just run it in debugging mode from the
command-line.

> I've tried using both Windows 7 as well as an iPad as a client to connect
> using wifi. Each time, the freeradius server running on my Linux box denies the
> requests. I should mention that a 'radtest' succeeds - so I'm entering the
> username/passwd correctly.

  That doesn't test EAP, and isn't enough.

> I'm attaching the output of the freeradius
> server when iPad is used. In a separate email I'll also attach the
> output from Windows 7 (to avoid going over the 100KB message limit in
> this email).

  Which says:

> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca

  Follow the EAP-TLS Howto.  You either didn't sign the certificates
correctly, or you didn't put the root CA on the client machine.

  Alan DeKok.


Re: Internal sanity check failed After adding second Home Server

2012-02-29 Thread Alberto Martínez
Within POSIX bracket expressions, the dot character matches a literal
dot. For example, a.c matches *abc*, etc., but [a.c] matches only *a*, 
*.*, or *c*.

My bad.

2012/2/29 Alberto Martínez alberto_marti...@deusto.es

>> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {
>
> I'm not that good with POSIX regex, but shouldn't it be
>
> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]\._]*)?$/) {
>
> AFAIK the dot . means any char so I think it needs to be escaped.




-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01


Re: Internal sanity check failed After adding second Home Server

2012-02-29 Thread Alan Buxey
Hi,
> if(%{User-Name} =~ /?([^@]+)@?([-[:alnum:]._]*)?$/) {

please note i did say that was an example - please don't just use anything
like this in a production system - you will need other checks and validations
too - it's just to give you an idea. the first one would be something like..

if ((%{User-Name} !~ /@/) && (%{Called-Station-Id} =~ /:eduroam$/)) {
    reject
}

ie if the SSID is eduroam and the user doesn't have an @ in it, then reject.
(this example would work if the kit provides the SSID at the end of the
Called-Station-Id - most do..)

..and so on.

alan
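The two checks from this thread (the user@realm split and the "no realm on the eduroam SSID" reject), as an added Python example you can unit-test before committing to unlang; it is not Alan Buxey's code and not FreeRADIUS code. Python's `re` has no POSIX `[:alnum:]` class, so the realm class is written out as ASCII `[-A-Za-z0-9._]`; inside a bracket expression the dot is literal in both dialects, which settles the question raised earlier in the thread. A leading `^` anchor on the User-Name pattern is assumed, and the Called-Station-Id format (AP MAC, colon, SSID) is the common one the thread mentions; the sample names and MAC are made up.

```python
"""Realm sanity checks for a RADIUS proxy, after the unlang examples above.

Added example; not code from the thread or from FreeRADIUS.
"""
import re
from typing import Optional, Tuple

# User-Name split, after the thread's /^([^@]+)@?([-[:alnum:]._]*)?$/
# (leading anchor assumed). The dot inside the brackets is a literal dot.
USER_NAME_RE = re.compile(r"^([^@]+)@?([-A-Za-z0-9._]*)?$")

# Called-Station-Id as most WLAN kit sends it: AP MAC, a colon, then the SSID.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(?P<ssid>.+)$")


def split_user_name(user_name: str) -> Optional[Tuple[str, str]]:
    """('user', 'realm') or None when the name does not fit the pattern:
    empty user part, a second '@', whitespace, or characters outside the
    realm class."""
    m = USER_NAME_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """SSID suffix of Called-Station-Id, or None if the NAS does not append one."""
    m = CALLED_STATION_RE.match(called_station_id)
    return m.group("ssid") if m else None


def authorize(user_name: str, called_station_id: str) -> Tuple[str, str]:
    """Returns ('reject', reason) or ('ok', realm).

    First check is the one from the thread: on the eduroam SSID a User-Name
    without an '@' is rejected outright. Then the name has to fit the
    user@realm pattern, and an '@' with nothing after it is rejected too."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid == "eduroam" and "@" not in user_name:
        return "reject", "eduroam requires user@realm"
    parts = split_user_name(user_name)
    if parts is None:
        return "reject", "User-Name does not match ^([^@]+)@?([-[:alnum:]._]*)?$"
    _user, realm = parts
    if "@" in user_name and not realm:
        return "reject", "empty realm after @"
    return "ok", realm


if __name__ == "__main__":
    # Constructed sample requests; the AP MAC is made up.
    for name, csid in [("alice", "00-11-22-33-44-55:eduroam"),
                       ("alice@example.ac.uk", "00-11-22-33-44-55:eduroam"),
                       ("alice@", "00-11-22-33-44-55:eduroam"),
                       ("alice@bad realm", "00-11-22-33-44-55:eduroam"),
                       ("alice", "00-11-22-33-44-55:guest-wifi")]:
        print(name, csid, "->", authorize(name, csid))
```

As the thread says, this is a starting point only: a realm that merely matches the character class is not yet a realm you are willing to proxy to, so the next check belongs in your realm/proxy configuration, not in the regex.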