Re: FreeRADIUS + MySQL + DHCP Opt82
Fajar A. Nugraha-2 wrote:

> ... and then on authorize section add something like this (just for check)
>
>     if ( (request:User-Name == "00:12:23:56:78:9A") && (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}") ) {
>         update control {
>             Auth-Type := Reject
>         }
>     }
>
> then use debug mode again. It should print out what it recognizes as control:Agent-Circuit-ID (which is from the db) and request:Agent-Circuit-ID. Then you just need to edit the entry in the db to match what's in the request.

The construction shown above doesn't help me, because there was no output of control:Agent-Circuit-ID and request:Agent-Circuit-ID. But I used another construction:

    if (request:User-Name == "20:cf:30:e1:e6:29") {
        update control {
            Auth-Type := Reject
        }
        update reply {
            Context-Name := "%{control:Agent-Circuit-ID} %{request:Agent-Circuit-ID}"
        }
    }

so in the Access-Reject I can see both the request and the control attribute in the Context-Name attribute. And I have bad news. I got the following:

    Context-Name = "0x 0x000403fc0017"

The request attribute is OK, but the control attribute is a zero-length string. I think this is because the first byte in the string is 0, and RADIUS treats this as end-of-string. I tested this: I tried to return an attribute with only printable chars, and got it in Context-Name exactly as it is stored in the DB.

So I urgently need help: how can I store the needed value so that it is correctly accepted by RADIUS?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-MySQL-DHCP-Opt82-tp5606148p5611663.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS + MySQL + DHCP Opt82
Alan DeKok-2 wrote:

> IVB wrote:
>> But I don't see in the debug output what exactly was returned in the SQL query.
>
> Have you tried running the SQL queries from an SQL client on the command line? That's why they're printed out in debugging mode: so you can see them, and re-run them yourself.
>
> Alan DeKok.

Yes, I run the queries by hand and see the results as strings; non-printable chars are not printed, but the attribute itself has non-zero length.
Re: Windows 7 prompting several times
Hi Alan, thanks for your support. Finally I have my FreeRADIUS server working fine, but there is a new issue with the Windows clients. If a Windows client first enters his credentials erroneously, FreeRADIUS sends an error message; next, if the user enters the correct credentials, the RADIUS server doesn't authenticate the client.

Checking the source code, in the file run_eap_mschapv2, when the client sends the correct password after sending the wrong ones I could check that Windows sends a message with the code PW_EAP_MSCHAPV2_FAILURE instead of a PW_EAP_MSCHAPV2_CHALLENGE. I detected that the error was in that file because, along with the message "rlm_eap_mschapv2: Unexpected response received", I also printed the value of data->code and it was 4, which matches PW_EAP_MSCHAPV2_FAILURE.

Can you help me?
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> Yes, I run the queries by hand and see the results as strings; non-printable chars are not printed, but the attribute itself has non-zero length.

You can't put binary data into an ASCII string field.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
Alan DeKok-2 wrote:
> You can't put binary data into an ASCII string field.

But that was my question! FreeRADIUS offers the following schema for the radcheck table:

    CREATE TABLE radcheck (
      id int(11) unsigned NOT NULL auto_increment,
      username varchar(64) NOT NULL default '',
      attribute varchar(64) NOT NULL default '',
      op char(2) NOT NULL DEFAULT '==',
      value varchar(253) NOT NULL default '',
      PRIMARY KEY (id),
      KEY username (username(32))
    );

So it expects the attribute value as varchar. The question is: how can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

    INSERT INTO `radcheck` ( `UserName`, `Attribute`, `Value`, `op` ) VALUES
      ( '00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':=' ),
      ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', ?, '==' ),
      ( '00:12:23:56:78:9A', 'Agent-Remote-ID', ?, '==' )

What must I put in place of ? to be correctly accepted by RADIUS in the following SELECT?

    SELECT `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radcheck` WHERE `UserName` = '00:12:23:56:78:9A'
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> But that was my question!
> ...
> How can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

You don't. The database is intended for ASCII data.

You could also edit the dictionaries to make the data octets, which would take care of the problem.

Alan DeKok.
Re: Windows 7 prompting several times
Ricardo89 wrote:
> If a Windows client first enters his credentials erroneously, FreeRADIUS sends an error message; next, if the user enters the correct credentials, the RADIUS server doesn't authenticate the client.

No.

> Checking the source code, in the file run_eap_mschapv2, when the client sends the correct password after sending the wrong ones I could check that Windows sends a message with the code PW_EAP_MSCHAPV2_FAILURE instead of a PW_EAP_MSCHAPV2_CHALLENGE.

So... the Windows box sending a failure means you conclude that FreeRADIUS is at fault?

> I detected that the error was in that file because, along with the message "rlm_eap_mschapv2: Unexpected response received", I also printed the value of data->code and it was 4, which matches PW_EAP_MSCHAPV2_FAILURE. Can you help me?

That message is sent by the Windows box to FreeRADIUS. It says that the Windows box didn't like the response from FreeRADIUS. i.e. the Windows box is caching the *wrong* password.

Go fix it. Ask Microsoft how this is done.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
Hello Alan,

Monday, April 2, 2012, 1:59:03 PM, you wrote:

AD> IVB wrote:
AD>> But that was my question!
AD>> ... How can I put Opt82 attributes (which contain non-printable bytes) into the database to offer them later to FreeRADIUS using a SELECT statement?

AD> You don't.

Are you kidding?

AD> The database is intended for ASCII data.

Are you kidding again? The database is intended for data of any type. Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

AD> You could also edit the dictionaries to make the data octets, which
AD> would take care of the problem.

The dictionaries contain the right attribute definitions:

    ATTRIBUTE   Agent-Remote-Id     96  octets
    ATTRIBUTE   Agent-Circuit-Id    97  octets

--
Best regards,
Igor  mailto:i...@is.ua
Re: FreeRADIUS + MySQL + DHCP Opt82
Igor Belikov wrote:
> AD> You don't.
>
> Are you kidding?

If you insist on going down that path, you'll be unsubscribed and banned. I'm tired of people who can't read the documentation, and who use that ignorance to put me down.

> Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

It means that FreeRADIUS expects ASCII data from the database. The attribute names and values are all *printable*.

> AD> You could also edit the dictionaries to make the data octets, which
> AD> would take care of the problem.
>
> The dictionaries contain the right attribute definitions:
>
>     ATTRIBUTE   Agent-Remote-Id     96  octets
>     ATTRIBUTE   Agent-Circuit-Id    97  octets

Then you need to read the documentation to see how to represent data type octets in the DB and config files.

HINT: Look at the debug output. What does it print for data type octets?

Alan DeKok.
Re: Plain text shared secrets problematic?
Thanks for the quick answer. Yes, the RADIUS secret was what I meant. Since we want to use a freeRADIUS proxy in our DMZ and because a secure connection from our customers to our application is important, that seems to be a problem. Are there maybe some best practices for a case like that, or isn't the plain-text secret such an issue after all?
Re: Proxy + copy accounting to passive home server
Hi Alan,

I got your point. I need a reply. I can use proxying, but I also need to send the same accounting to all servers at the same time. I tried to build virtual servers to proxy accounting packets to other servers. For example: I am going to send accounting packets to 20 servers. First I create 20 virtual servers, and then point them to 20 remote servers one by one. (Because proxy only supports failover and loadbalance.)

My configs:

/sites-available/default

    preacct {
        preprocess
        update control {
            Proxy-To-Realm := TEST0    -- virtual server realm
        }
    }

/sites-available/default2

    preacct {
        preprocess
        update control {
            Proxy-To-Realm += TEST1    -- remote radius
            #Replicate-To-Realm += TEST2
            #Replicate-To-Realm += TEST3
        }
        # Session sta

But when I tried it I got segmentation fault.

    rad_recv: Accounting-Request packet from host 135.243.68.36 port 55675, id=112, length=94
            User-Name = "test2"
            Acct-Status-Type = Start
            Acct-Session-Id = "4680"
            Framed-Protocol = PPP
            Acct-Delay-Time = 5
            Calling-Station-Id = "905436755108"
            NAS-Port = 1
            Framed-IP-Address = 2.2.2.17
            NAS-IP-Address = 135.243.90.68
            Called-Station-Id = "internet1"
    # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    [preprocess] hints: Matched DEFAULT at 85
    [preprocess] sql_xlat
    [preprocess]    expand: %{User-Name} -> test2
    [preprocess] sql_set_user escaped user --> 'test2'
    [preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
    rlm_sql (sql): Reserving sql socket id: 4
    [preprocess] sql_xlat finished
    rlm_sql (sql): Released sql socket id: 4
    [preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
    [preprocess] sql_xlat
    [preprocess]    expand: %{User-Name} -> test2
    [preprocess] sql_set_user escaped user --> 'test2'
    [preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
    rlm_sql (sql): Reserving sql socket id: 3
    [preprocess] sql_xlat finished
    rlm_sql (sql): Released sql socket id: 3
    [preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
    ++[preprocess] returns ok
    ++[control] returns ok
    [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 135.243.68.36,NAS-IP-Address = 135.243.90.68,Acct-Session-Id = "4680",User-Name = "test2"'
    [acct_unique] Acct-Unique-Session-ID = "8106182d5455e91b".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "test2", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 135.243.68.36
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/135.243.68.36/detail-20120402
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/detail-20120402
    [detail]        expand: %t -> Mon Apr  2 08:21:05 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> test2
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> test2
    [sql] sql_set_user escaped user --> 'test2'
    [sql]   expand: %{Acct-Delay-Time} -> 5
    [sql]   expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_st
Re: FreeRADIUS + MySQL + DHCP Opt82
Hello Alan,

Monday, April 2, 2012, 2:53:15 PM, you wrote:

AD2vF> Igor Belikov wrote:
AD2vF>> AD> You don't.
AD2vF>>
AD2vF>> Are you kidding?

AD2vF> If you insist on going down that path, you'll be unsubscribed and
AD2vF> banned. I'm tired of people who can't read the documentation, and who
AD2vF> use that ignorance to put me down.

Please excuse me.

AD2vF>> Do you mean that FreeRADIUS can't accept non-ASCII data from the database?

AD2vF> It means that FreeRADIUS expects ASCII data from the database. The
AD2vF> attribute names and values are all *printable*.

AD2vF>> AD> You could also edit the dictionaries to make the data octets, which
AD2vF>> AD> would take care of the problem.
AD2vF>>
AD2vF>> The dictionaries contain the right attribute definitions:
AD2vF>>
AD2vF>>     ATTRIBUTE   Agent-Remote-Id     96  octets
AD2vF>>     ATTRIBUTE   Agent-Circuit-Id    97  octets

AD2vF> Then you need to read the documentation to see how to represent data
AD2vF> type octets in the DB and config files.

Yes, I will be very happy to read how to represent 'octets' data in the DB. And I asked about this several times. I don't find this info in the documentation, sorry. Please give me a link to the right place.

--
Best regards,
Igor  mailto:i...@is.ua
Re: FreeRADIUS + MySQL + DHCP Opt82
IVB wrote:
> Hello Alan,
>
> Yes, I will be very happy to read how to represent 'octets' data in the DB. And I asked about this several times. I don't find this info in the documentation, sorry. Please give me a link to the right place.

I gave you a hint, and you deleted it.

Good luck.

Alan DeKok.
Re: Proxy + copy accounting to passive home server
mimir wrote:
> But when I tried it I got segmentation fault.
...
> [eap] No pre-existing handler found
> Segmentation fault

See doc/bugs

Alan DeKok.
Re: Plain text shared secrets problematic?
Heilz wrote:
> Thanks for the quick answer. Yes, the RADIUS secret was what I meant. Since we want to use a freeRADIUS proxy in our DMZ and because a secure connection from our customers to our application is important, that seems to be a problem. Are there maybe some best practices for a case like that, or isn't the plain-text secret such an issue after all?

(a) use a plain-text secret
(b) install the git master branch, and use RadSec.
(c) use IPSec for connectivity

There are no other choices.

Alan DeKok.
Re: FreeRADIUS + MySQL + DHCP Opt82
This is incorrect:

IVB wrote:
> INSERT INTO `radcheck` ( `UserName`, `Attribute`, `Value`, `op` ) VALUES
>   ( '00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':=' ),
>   ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
>   ( '00:12:23:56:78:9A', 'Agent-Remote-ID', x'0006001e58ab0304', '==' )

This is correct:

    INSERT INTO `radcheck` ( `UserName`, `Attribute`, `Value`, `op` ) VALUES
      ( '00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':=' ),
      ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', '0x000403fc0001', '==' ),
      ( '00:12:23:56:78:9A', 'Agent-Remote-ID', '0x0006001e58ab0304', '==' )

Thanks to all for help.
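The resolution of this thread is that the SQL module hands attribute values to FreeRADIUS as printable text, so an attribute of type octets has to be stored in the 0x-prefixed hex form that the debug output prints, never as raw binary. The following script is an added example written for this archive; it is not code from the thread or from FreeRADIUS. It takes a DHCP option 82 payload (constructed here from the two values posted above, packed as sub-option 1 = Agent-Circuit-Id and sub-option 2 = Agent-Remote-Id per RFC 3046), splits the TLVs, encodes each value the way FreeRADIUS expects, builds a parameterised INSERT for radcheck, and shows why a raw value whose first byte is 0x00 comes back as the empty "0x" seen earlier in the thread. The `%s` placeholders assume a DB-API driver with the format paramstyle (MySQLdb/PyMySQL); the attribute names follow the dictionary spelling quoted in the thread.

```python
"""Option 82 sub-options -> FreeRADIUS radcheck rows.

Added example for this thread; not code from the list or from FreeRADIUS.
FreeRADIUS reads attribute values from the SQL module as printable text, so
an 'octets' attribute must be stored as a 0x-prefixed hex string. A raw
binary value that starts with a NUL byte is read as an empty string.
"""
import binascii

# DHCP relay agent information (option 82) sub-option codes (RFC 3046).
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# Sub-option code -> FreeRADIUS dictionary attribute name quoted in the thread.
ATTR_NAME = {
    SUBOPT_CIRCUIT_ID: "Agent-Circuit-Id",
    SUBOPT_REMOTE_ID: "Agent-Remote-Id",
}


def parse_option82(payload: bytes) -> dict:
    """Split an option-82 payload into {sub-option code: raw value bytes}.

    Each sub-option is a TLV: 1-byte code, 1-byte length, then the value.
    A truncated header or an overrunning length raises ValueError instead
    of silently returning a partial value.
    """
    out = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(payload):
            raise ValueError("sub-option %d overruns payload" % code)
        out[code] = payload[start:end]
        i = end
    return out


def to_freeradius_octets(raw: bytes) -> str:
    """Encode binary data as FreeRADIUS prints type 'octets' in debug output."""
    return "0x" + binascii.hexlify(raw).decode("ascii")


def c_string_view(raw: bytes) -> bytes:
    """What a C string reader sees in raw binary: everything before the first NUL."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def radcheck_rows(username: str, payload: bytes) -> list:
    """Build (username, attribute, op, value) rows for the radcheck table."""
    rows = []
    for code, raw in sorted(parse_option82(payload).items()):
        if code in ATTR_NAME:
            rows.append((username, ATTR_NAME[code], "==", to_freeradius_octets(raw)))
    return rows


def radcheck_insert(rows: list) -> tuple:
    """Parameterised INSERT for the rows; the DB driver fills the %s placeholders
    (assumes a DB-API driver using the 'format' paramstyle, e.g. MySQLdb/PyMySQL)."""
    sql = ("INSERT INTO radcheck (username, attribute, op, value) VALUES "
           + ", ".join(["(%s, %s, %s, %s)"] * len(rows)))
    params = tuple(v for row in rows for v in row)
    return sql, params


# Constructed sample: the two values from this thread packed as option-82 TLVs
# (code 1, length 6, circuit id; code 2, length 8, remote id).
SAMPLE_OPTION82 = bytes.fromhex("01 06 000403fc0001 " "02 08 0006001e58ab0304")

if __name__ == "__main__":
    rows = radcheck_rows("00:12:23:56:78:9A", SAMPLE_OPTION82)
    for row in rows:
        print(row)
    sql, params = radcheck_insert(rows)
    print(sql)
    print(params)
    # The raw circuit id read as a C string collapses to nothing, which is the
    # empty control:Agent-Circuit-ID ("0x") seen earlier in the thread.
    print(repr(c_string_view(bytes.fromhex("000403fc0001"))))
```

Running the script prints the two radcheck rows with values '0x000403fc0001' and '0x0006001e58ab0304', matching the INSERT that worked above, and shows the raw circuit id truncating to b'' at its leading NUL byte. Building the rows from the relay's actual option 82 payload rather than retyping hex by hand also avoids the digit-transposition mistakes that a comparison like `control:Agent-Circuit-ID != %{request:Agent-Circuit-ID}` will otherwise surface only in debug output.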
Moving included conf files to virtualhost..
Hi,

I just wonder if it is possible to move included conf files from radiusd.conf to virtualhosts? I mean, is it possible to place the client.conf and sql.conf into a virtual host instead of radiusd.conf... and so to have a different one depending on the called virtualhost?
Re: Plain text shared secrets problematic?
Hello,

> (c) use IPSec for connectivity

or if you don't like the complexity that comes with ipsec, use OpenVPN or any other VPN software.

Cheers,
Thomas
Re: Moving included conf files to virtualhost..
On Mon, Apr 2, 2012 at 7:56 PM, yzy-oui-fi <yzy-oui...@hotmail.fr> wrote:
> Hi, i just wonder if it is possible to move included conf files from radiusd.conf to virtualhosts ?

I don't think so.

> I mean, is it possible to place the client.conf and sql.conf into a virtual host instead of radiusd.conf... And so to have a different one depending on the called virtualhost ..

The best work around I can think of is just to create multiple instances of that module, with different name and configurations.

--
Fajar
Re: Moving included conf files to virtualhost..
Can you please share docs links? I only checked the configuration file comments. I could not find any detailed docs for the configurations, or does my account not have access?
Re: Windows 7 prompting several times
Quoting Alan DeKok <al...@deployingradius.com>:

> ... i.e. the Windows box is caching the *wrong* password.
>
> Go fix it. Ask Microsoft how this is done.

In Windows 7, connection setup, there is a check box for remembering credentials; clear it. That gives you some manual control over what has previously been an automated process.

The following KB indicates how you can clear cached EAP credentials on XP. The same registry entries exist on Win7 in a different place (I forgot exactly where) because of the migration to the new EAPhost implementation.

http://support.microsoft.com/kb/823731

Also, if a connection is flagged for use by all users on a system, the key is in HKLM, not the current user.

Dave.
set and use internal comment variable
Hi!

I've a setup where it is possible to deny a request at various places for different reasons. I use sql_log in post-auth to log the replies. It would now be nice to add a comment variable which I fill at the various stations that can deny a request, so I know why a request was denied. How should I try to solve this? Or is there an even better way, without a comment variable, to do something like this?

Thx for your help.

Kind regards,
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Re: Windows 7 prompting several times
Hello.

I've been following this thread for quite a while. I also had this problem of Windows 7 prompting for credentials several times without showing any error message. The problem was gone once I updated 2.1.10 (Debian) to 2.1.12.

Now, if the user enters wrong credentials, Windows prompts for credentials again with a message stating that the user credentials are invalid. The problem is that if the user now types the correct credentials, access will still be denied. After the third retry, Windows gives up on asking and the user must click on the wireless network icon to start the login process again.

As Alan said, this seemed like Windows was caching the bad credentials. But the logs state a different message. After the first access denied, each retry comes with an "rlm_eap_mschapv2: Unexpected response received". I'm not saying there's a FreeRADIUS fault; it can be a Windows fault or just Windows not following the RFC (wouldn't be the first time).

I've also looked at the code, to try to figure out what was happening. At rlm_eap_mschapv2.c (line 444):

    case PW_EAP_MSCHAPV2_RESPONSE:
        if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
            radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response received");
            return 0;
        }

the if clause is reached having data->code = PW_EAP_MSCHAPV2_FAILURE. Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it should send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously sent EAP-Request/Failure, according to RFC 'Appendix A - Examples'), or should send an EAP-Response/MSCHAP_Response since it is actually retrying the authentication.

One possibility is that the new send_error option is misleading Windows. According to RFC 'Appendix A - Examples', a retry flag is used in order to tell Windows to try again. Since my knowledge of the FreeRADIUS source code is very basic, I couldn't figure out exactly if this is happening.

Thanks
Jaime
Re: Moving included conf files to virtualhost..
One more question.. is it possible to replicate to virtual hosts? I tried but get the following error:

    [replicate] ERROR: Failed opening socket: cannot open socket: Address family

My aim is to first replicate the acct packets to virtual hosts, then proxy them.
Re: Moving included conf files to virtualhost..
What the hell are you talking about? :) Is it a reply to my question? If yes, I don't understand a penny of what you are talking about...

On Monday, 2 April 2012 at 06:19 -0700, mimir wrote:
> Can you please share docs links? I only checked the configuration file comments. I could not find any detailed docs for the configurations, or does my account not have access?