files Authentication problem
Hello,

I have a problem of authentication with the files method. I am using freeradius: FreeRADIUS Version 2.1.10

I try to configure freeradius to have authentication with non-sensitive password and user. I am using ntradping to test my radius server.

In both cases, ++[files] returns ok, so it seems to be ok. But the client receives one ok, and one bad. See the output of freeradius -X

NON-WORKING: the last C is a capital letter.

rad_recv: Access-Request packet from host 100.100.16.3 port 44994, id=1, length=57
    User-Name = 00c51180d29c
    User-Password = 00c51180d29C
    Vendor-Specific = 0x383030
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[files] expand: %{User-Password} - 00c51180d29C
[files] expand: %{tolower:%{User-Password}} - 00c51180d29c
[files] users: Matched entry 00c51180d29c at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match known good password.
Failed to authenticate the user.
Login incorrect: [00c51180d29c/00c51180d29C] (from client pc1461 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 00c51180d29c
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds

WORKING

rad_recv: Access-Request packet from host 100.100.16.3 port 45055, id=3, length=57
    User-Name = 00c51180d29c
    User-Password = 00c51180d29c
    Vendor-Specific = 0x383030
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[files] expand: %{User-Password} - 00c51180d29c
[files] expand: %{tolower:%{User-Password}} - 00c51180d29c
[files] users: Matched entry 00c51180d29c at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [00c51180d29c/00c51180d29c] (from client pcXX port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 100.100.16.3 port 45055
    Alcatel-Lucent-Auth-Group = 4
Finished request 3.

Config of the files modules

files {
    # The default key attribute to use for matches. The content
    # of this attribute is used to match the name of the
    # entry.
    #key = %{Stripped-User-Name:-%{User-Name}}
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    key = %{tolower:%{User-Password}}
    case_sensitive = no
    # If you want to use the old Cistron 'users' file
    # with FreeRADIUS, you should change the next line
    # to 'compat = cistron'. You can the copy your 'users'
    # file from Cistron.
    compat = no
}

Users file (all in lower letters)

00c51180d29c Auth-Type := Local, Cleartext-Password := 00c51180d29c
    Alcatel-Lucent-Auth-Group = 4

Thanks for the help.

Alexandre

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: files Authentication problem
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhel...@free.fr wrote:

> 00c51180d29c Auth-Type := Local, Cleartext-Password := 00c51180d29c
>     Alcatel-Lucent-Auth-Group = 4

As the debug log says, Remove Auth-Type := Local from the above.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
I'm using Freeradius server2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. The client is broken. It's not doing SSL correctly. Do we require different certificates for arm boards, as I was able to run without any issues on x86 with same certificates. Because it has different software. May I know, what is that different software? Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read certificate verify B Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 You CANNOT fix this by poking FreeRADIUS. I created certificates with the following commands: This is NOT a certificate issue. Notice that the error is NOT complaining about certificates. And why use your own commands to create certs? The scripts in raddb/certs WORK. Alan DeKok. Regards, Swaraj - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reject all calls from one or more Calling Station ID regardless of username or password
Henrik Karlsson henrik.karls...@generic.se writes:

> Hi guys, I am a quite new user of the Free Radius Server and I have a problem. I have an old Dial In system. I want to reject all calls from one or more Calling Station ID regardless of username or password. I have tried to edit the user file like this
>
> USERNAME Calling-Station-Id == 404402704, Auth-Type := Reject
>
> The line above is based on the username and that is not what I want, I want that all users from Callingstation ID 404402704 shall be rejected. Have you guys got some suggestion how to solve my problem?

DEFAULT Calling-Station-Id == 404402704, Auth-Type := Reject

Bjørn
Re: Git master branch Debian build
Unable to open file /etc/freeradius/radiusd.conf: No such file or directory Uh oh ? looking at /etc/freeradius, there's only the directories and the symlinks, but not a single file. Great. When looking in the build environnement, in debian/freeradius/etc/freeradius, all the files are present. During package creation, the files are correctly grabbed as per debian/freeradius.install dpkg -L list all the files. dpkg is high on cocaine or what ? Possibly. Well never mind. It was my system that was left with the package half-installed. purged everything and now the .deb installs correctly. still, there's two issues : 1. the changes made by Arran to move all the modules to boilermake break the linking of rlm_utf8 (see [1] below) 2. there's a package dependency issue. by default ${raddbdir}/mods-available/cui.conf is in the freeradius package. this files reference to ${raddbdir}/sql/mysql/cui.conf, wich is part of freeradius-mysql package. This mean that freeradius won't start if you don't install freeradius-mysql at the same time. [2] There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? 
My two cents Olivier [1] linking of rlm_utf8 broken CC src/modules/rlm_utf8/rlm_utf8.c LINK build/bin/rlm_utf8 /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/crt1.o: In function `_start': (.text+0x20): undefined reference to `main' build/objs/src/modules/rlm_utf8/rlm_utf8.o: In function `utf8_clean': /opt/src/freeradius/FR3/freeradius-server/src/modules/rlm_utf8/rlm_utf8.c:47: undefined reference to `fr_utf8_char' collect2: ld returned 1 exit status make[1]: *** [build/bin/rlm_utf8] Error 1 make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server' make: *** [build-arch-stamp] Error 2 dpkg-buildpackage: error: debian/rules build gave error exit status 2 [2] freeradius rely on file not present in freeradius.deb freeradius -X freeradius: FreeRADIUS Version 3.0.0 (git #73bb767), for host x86_64-pc-linux-gnu, built on Nov 20 2012 at 16:33:32 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... 
including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/checkval including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/dhcp including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/cui including configuration file /etc/freeradius/sql/mysql/cui.conf Unable to open file /etc/freeradius/sql/mysql/cui.conf: No such file or directory Errors reading or parsing /etc/freeradius/radiusd.conf -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Git master branch Debian build
On 21 Nov 2012, at 10:22, Olivier Beytrison oliv...@heliosnet.org wrote: Unable to open file /etc/freeradius/radiusd.conf: No such file or directory Uh oh ? looking at /etc/freeradius, there's only the directories and the symlinks, but not a single file. Great. When looking in the build environnement, in debian/freeradius/etc/freeradius, all the files are present. During package creation, the files are correctly grabbed as per debian/freeradius.install dpkg -L list all the files. dpkg is high on cocaine or what ? Possibly. Well never mind. It was my system that was left with the package half-installed. purged everything and now the .deb installs correctly. still, there's two issues : 1. the changes made by Arran to move all the modules to boilermake break the linking of rlm_utf8 (see [1] below) Fixed. 2. there's a package dependency issue. by default ${raddbdir}/mods-available/cui.conf is in the freeradius package. this files reference to ${raddbdir}/sql/mysql/cui.conf, wich is part of freeradius-mysql package. This mean that freeradius won't start if you don't install freeradius-mysql at the same time. [2] There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? I think there should probably be a package for rlm_sql, and then individual packages for the SQL drivers. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: EAP-TLS Failed in handler question
Hi!

first thx for your response.

> > My first question is, how can I decode a EAP-Message from the debug
>
> Wireshark, or read the EAP RFC and decode it manually (see below)

ok, I'll believe I got lucky and got a tcpdump trace on a client yesterday ... need to check it and if it is the same problem I'll provide more info.

> > log to check if the request is itself ok. Here is first packet from
>
> No, this is *not* the first packet, because it has a State attribute, which is only present in 2nd and subsequent packets of the EAP exchange.

With first packet I meant first packet the radius server saw in some time ... the switch forces a reauthentification every 2h

> The reason you're getting the error message is that the State attribute is unknown, so FR can't proceed with the EAP session and has no choice but to drop it. Check you haven't reduced the timer_expire value in eap.conf to a too-low value.

    # A list is maintained to correlate EAP-Response
    # packets with EAP-Request packets. After a
    # configurable length of time, entries in the list
    # expire, and are deleted.
    #
    timer_expire = 120

default was 60 .. I doubled it some weeks ago, as I saw No EAP session matching the State variable entries in the log.

> How many FR servers do you have serving this NAS? Is it possible the NAS is sending packets in a round-robin fashion (which is bad) which is why you're seeing a packet for which you don't have State?

In this case it is only one .. we're running in pre-production with the IT department clients (about 100 clients) to make sure it is stable before rollout. But in production it will be more than one ... good point, we need to check that too, before going into production.

> I guess it's possible something is mangling the State attribute from the previous packet (which is *actually* the first packet). Otherwise, the client or NAS is doing something odd. It *could* be that the client just got stuck and is responding (very) late. But I'm quite surprised the NAS didn't timeout the EAP auth before that.

We're running Extreme Networks Switches with following timers set:

    configure netlogin dot1x timers quiet-period 30
    configure netlogin dot1x timers reauth-period 7200

following other timers are set to the default values:

    server-timeout Configure RADIUS server timeout for 802.1X
    supp-resp-timeout Configure supplicant response timeout

> > rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
> >     User-Name = host/x.tirol.local
> >     EAP-Message = 0x02ff00690d80005f160301005a01
>
> Ok so this says:
>
> 02 - eap response
> ff - eap ID 255 - bit odd..
> 0069 - length in hex
> 0d - eap type 13 (EAP-TLS)
> 80 - eap TLS flags = length included
> 005f - tls length
> 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
> 005a - record length
> 01 - handshake=client hello

cool !!

> etc. etc. So, it's the start of an EAP-TLS exchange, but as above, it's *not* the first packet. If you start a tcpdump on the server, you'll see how this works:
>
> C: Access-Request, no state, EAP-Identity=abc
> S: Access-Challenge, state=, EAP-TLS blah
> C: Access-Request, state=, EAP-TLS blah
>
> i.e. the NAS has to reflect the State back to FreeRADIUS on each packet. Something is interfering with that, or erasing the State at your end (a timer or restart).

ok

> > rlm_eap: No EAP session matching the State variable
>
> See?

But I didn't see a reason for it ;-)

> > Invalid means I return a reject ... should I return something else?
>
> No.

but reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?

> > Is this a client problem or a misconfiguration on my part?
>
> It's probably a client or NAS problem, unless you've set timer_expire too low. However: I guess this could also happen right after the server is restarted. Could that be it - is a cron job restarting it maybe?

no the server is running for 10 days but if I would restart the server I would reject all clients to the guest vlan on reauthentication after that ... that can't be the designed way.

Robert
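The manual decode walked through in this message, written as a small parser. This is an added example, not code from the thread or from FreeRADIUS; the function name and both sample values are constructed. RFC 5216 defines the TLS Message Length field as four octets, so the constructed sample encodes the field values listed above with a four-octet length.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                       12: "server_key_exchange", 13: "certificate_request",
                       14: "server_hello_done", 15: "certificate_verify",
                       16: "client_key_exchange", 20: "finished"}

# Constructed samples (not captured traffic). The first carries only the
# leading octets of a client hello, as a debug log excerpt would.
SAMPLE_CLIENT_HELLO = "0x02ff00690d800000005f160301005a01"
SAMPLE_TLS_START = "0x010100060d20"


def decode_eap_message(hex_value):
    """Decode the EAP header, EAP-TLS flags and first TLS record header
    from the hex string shown for EAP-Message in debug output."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")

    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {
        "code": EAP_CODES.get(code, "unknown(%d)" % code),
        "id": ident,
        "length": length,
        # True when fewer octets were supplied than the header announces
        "truncated": len(raw) < length,
    }
    # Success and Failure packets carry no Type field.
    if code not in (1, 2) or len(raw) < 5:
        return out
    out["type"] = raw[4]
    if raw[4] != EAP_TYPE_TLS or len(raw) < 6:
        return out

    flags = raw[5]
    out["flags"] = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
    }
    pos = 6
    if flags & 0x80:
        if len(raw) < pos + 4:
            raise ValueError("L flag set but TLS Message Length is missing")
        out["tls_message_length"] = struct.unpack("!I", raw[pos:pos + 4])[0]
        pos += 4

    # First TLS record header in this fragment, if enough octets are present.
    if len(raw) >= pos + 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", raw[pos:pos + 5])
        record = {
            "content_type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": TLS_VERSIONS.get((major, minor), "%d,%d" % (major, minor)),
            "length": rec_len,
        }
        if ctype == 22 and len(raw) > pos + 5:
            hs = raw[pos + 5]
            record["handshake_type"] = TLS_HANDSHAKE_TYPES.get(hs, "unknown(%d)" % hs)
        out["record"] = record
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_TLS_START):
        print(sample, decode_eap_message(sample))
```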
Re: AW: EAP-TLS Failed in handler question
On 21/11/12 12:00, PENZ Robert wrote:

> With first packet I meant first packet the radius server saw in some time ... the switch forces a reauthentification every 2h

A re-auth is a fresh EAP session. So even on a re-auth, the first packet would not have a State attribute, absent software bugs.

> > It *could* be that the client just got stuck and is responding (very) late. But I'm quite surprised the NAS didn't timeout the EAP auth before that.
>
> We're running Extreme Networks Switches with following timers set:
>
>     configure netlogin dot1x timers quiet-period 30
>     configure netlogin dot1x timers reauth-period 7200

We run SummitX edge, and when I've tested dot1x netlogin in the past, I haven't seen this issue. We've never widely deployed it, however, so it's possible there's an XOS bug where a small percentage of re-auths erroneously re-use the State. You'd need to get a packet capture to be sure.

> but reject means the switch sets the port to the guest vlan, and therefor the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?

You're not understanding, or I'm not making myself clear.

Suggestion: fire up wireshark, and take a careful look at a normal EAP authentication. You'll see that the first packet is an EAP-Identity without a State attribute, which the server responds to with an Access-Challenge containing the default eap type start payload, and a State attribute.

Are you *absolutely sure* that these packets are really the first RADIUS packet in the auth/re-auth?

If you're sure, your problem seems to be that the correct first packet isn't being sent; the switch is just jumping straight in with the EAP payload *and* a State attribute. I am curious to know where it's getting that State attribute.

The server source code assumes that a State attribute will be valid. There's no setting to just accept it.

Interestingly, I see the RADIUS RFC does actually allow clients to send a previous State if you send an Access-Accept with:

    Termination-Action = RADIUS-request

You're not doing that, are you?

> > > Is this a client problem or a misconfiguration on my part?
> >
> > It's probably a client or NAS problem, unless you've set timer_expire too low. However: I guess this could also happen right after the server is restarted. Could that be it - is a cron job restarting it maybe?
>
> no the server is running for 10 days but if I would restart the server I would reject all clients to the guest vlan on reauthentication after that ... that can't be the designed way.

No. As above, re-auths start new EAP sessions. You would only reject any EAP sessions that were in the *middle* of performing an auth, as the state would be lost across restarts. But this is a very narrow window.
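The State handling discussed in this exchange, as a toy model that can be run to see which cases end in "No EAP session matching the State variable". This is an added example, not FreeRADIUS code; the class and function names are hypothetical, and it assumes a session's age is measured from the first packet and that the server issues a fresh State with every challenge.

```python
import os

NO_SESSION = "No EAP session matching the State variable"
CHALLENGE = "Access-Challenge"


class EapSessionList:
    """In-memory list that correlates EAP responses with earlier requests."""

    def __init__(self, timer_expire):
        self.timer_expire = timer_expire
        self._sessions = {}  # State value -> time the session started

    def handle_request(self, now, state=None):
        """Process one Access-Request; returns (result, State for the NAS)."""
        # Entries older than timer_expire are deleted before the lookup.
        self._sessions = {s: t for s, t in self._sessions.items()
                          if now - t <= self.timer_expire}
        if state is None:
            started = now                        # EAP-Identity: new session
        elif state in self._sessions:
            started = self._sessions.pop(state)  # known State: continue
        else:
            return (NO_SESSION, None)            # unknown State: cannot proceed
        new_state = os.urandom(16)
        self._sessions[new_state] = started
        return (CHALLENGE, new_state)


def run_scenarios(timer_expire=120):
    """Replay the cases raised in the thread; times are in seconds."""
    results = {}

    # Normal exchange: the NAS reflects the State it was given.
    server = EapSessionList(timer_expire)
    _, state = server.handle_request(now=0)
    results["normal"] = server.handle_request(now=1, state=state)[0]

    # Client responds after the entry has expired.
    server = EapSessionList(timer_expire)
    _, state = server.handle_request(now=0)
    results["late_response"] = server.handle_request(
        now=timer_expire + 1, state=state)[0]

    # Server restarted in the middle of a handshake: the list is empty.
    server = EapSessionList(timer_expire)
    _, state = server.handle_request(now=0)
    server = EapSessionList(timer_expire)
    results["restart_mid_handshake"] = server.handle_request(now=1, state=state)[0]

    # Re-auth after that restart starts without State, so it is accepted.
    results["reauth_after_restart"] = server.handle_request(now=7200)[0]

    # NAS alternates between two servers that do not share the list.
    first = EapSessionList(timer_expire)
    second = EapSessionList(timer_expire)
    _, state = first.handle_request(now=0)
    results["round_robin"] = second.handle_request(now=1, state=state)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-22s %s" % (name, outcome))
```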
Re: Git master branch Debian build
On 21.11.2012 12:00, Arran Cudbard-Bell wrote: On 21 Nov 2012, at 10:22, Olivier Beytrison oliv...@heliosnet.org wrote: Unable to open file /etc/freeradius/radiusd.conf: No such file or directory Uh oh ? looking at /etc/freeradius, there's only the directories and the symlinks, but not a single file. Great. When looking in the build environnement, in debian/freeradius/etc/freeradius, all the files are present. During package creation, the files are correctly grabbed as per debian/freeradius.install dpkg -L list all the files. dpkg is high on cocaine or what ? Possibly. Well never mind. It was my system that was left with the package half-installed. purged everything and now the .deb installs correctly. still, there's two issues : 1. the changes made by Arran to move all the modules to boilermake break the linking of rlm_utf8 (see [1] below) Fixed. thanks, works like a charm 2. there's a package dependency issue. by default ${raddbdir}/mods-available/cui.conf is in the freeradius package. this files reference to ${raddbdir}/sql/mysql/cui.conf, wich is part of freeradius-mysql package. This mean that freeradius won't start if you don't install freeradius-mysql at the same time. [2] There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? I think there should probably be a package for rlm_sql, and then individual packages for the SQL drivers. Would be nice indeed. Something to throw in the todo list ;) Or I might do it if I find enough time. 
I just need to learn how to add a new package :p Aside this, I've been able to compile and make the packages, it correctly loads the configuration, but I back at a previous problem : /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined symbol: eap_wireformat /usr/local/freeradius/etc/raddb/sites-enabled/default[321]: Failed to find eap in the modules section. /usr/local/freeradius/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section. Just to be sure that's not due to the debian packaging, I compiled by hand and installed FR3 in /usr/local/freeradius, but same thing occurs. Olivier -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Error: [ldap] All ldap connections are in use
We have started seeing problems on our radius server with the error

Error: [ldap] All ldap connections are in use

We have increased the ldap_connections_number from 5 to 20 which has largely resolved the issue.

We now receive over 100,000 authentications a day. Is there any guide to ldap_connections_number for the number of authentications or should we just keep increasing the number until the issue goes away?
Re: Error: [ldap] All ldap connections are in use
On 21 Nov 2012, at 13:00, Phil Brown phil.br...@port.ac.uk wrote:

> We have started seeing problems on our radius server with the error
>
> Error: [ldap] All ldap connections are in use
>
> We have increased the ldap_connections_number from 5 to 20 which has largely resolved the issue.
>
> We now receive over 100,000 authentications a day. Is there any guide to ldap_connections_number for the number of authentications or should we just keep increasing the number until the issue goes away?

For 2.0 I would usually make it as big as the thread pool. The only reason to make it smaller is if processing that many requests in parallel has a negative impact on the overall TPS (transactions per second) of the LDAP server, or if you get so few requests sent via a connection that it gets cleaned up via some intermediary bit of networking equipment.

If you have the time/resources you could do a plot of increasing numbers of parallel requests vs overall TPS, and find the sweet spot for your specific LDAP cluster/server.

If you upgrade to 3.0 the connection pool code there allows you to specify elastic pools which automatically add or remove connections to/from the connection pool to cope with the current server load.

-Arran
Re: Git master branch Debian build
On 21 Nov 2012, at 12:50, Olivier Beytrison oliv...@heliosnet.org wrote: On 21.11.2012 12:00, Arran Cudbard-Bell wrote: On 21 Nov 2012, at 10:22, Olivier Beytrison oliv...@heliosnet.org wrote: Unable to open file /etc/freeradius/radiusd.conf: No such file or directory Uh oh ? looking at /etc/freeradius, there's only the directories and the symlinks, but not a single file. Great. When looking in the build environnement, in debian/freeradius/etc/freeradius, all the files are present. During package creation, the files are correctly grabbed as per debian/freeradius.install dpkg -L list all the files. dpkg is high on cocaine or what ? Possibly. Well never mind. It was my system that was left with the package half-installed. purged everything and now the .deb installs correctly. still, there's two issues : 1. the changes made by Arran to move all the modules to boilermake break the linking of rlm_utf8 (see [1] below) Fixed. thanks, works like a charm 2. there's a package dependency issue. by default ${raddbdir}/mods-available/cui.conf is in the freeradius package. this files reference to ${raddbdir}/sql/mysql/cui.conf, wich is part of freeradius-mysql package. This mean that freeradius won't start if you don't install freeradius-mysql at the same time. [2] There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? I think there should probably be a package for rlm_sql, and then individual packages for the SQL drivers. Would be nice indeed. Something to throw in the todo list ;) Or I might do it if I find enough time. I just need to learn how to add a new package :p It's not too hard. I'll have a look at it today. 
Aside this, I've been able to compile and make the packages, it correctly loads the configuration, but I back at a previous problem : /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined symbol: eap_wireformat Hmm that lives in eapcommon.c and should be built as part of libfreeradius-eap.a. ldd --verbose /usr/lib/freeradius/rlm_eap.so linux-vdso.so.1 = (0x7fffb60e6000) libc.so.6 = /lib/x86_64-linux-gnu/libc.so.6 (0x7f7974618000) /lib64/ld-linux-x86-64.so.2 (0x7f7974bf8000) Version information: /usr/lib/freeradius/rlm_eap.so: libc.so.6 (GLIBC_2.14) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.4) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.2.5) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.3.4) = /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6: ld-linux-x86-64.so.2 (GLIBC_2.3) = /lib64/ld-linux-x86-64.so.2 ld-linux-x86-64.so.2 (GLIBC_PRIVATE) = /lib64/ld-linux-x86-64.so.2 Oh dear. That'd be why that's happening... /usr/local/freeradius/etc/raddb/sites-enabled/default[321]: Failed to find eap in the modules section. /usr/local/freeradius/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Git master branch Debian build
There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? I think there should probably be a package for rlm_sql, and then individual packages for the SQL drivers. Would be nice indeed. Something to throw in the todo list ;) Or I might do it if I find enough time. I just need to learn how to add a new package :p It's not too hard. I'll have a look at it today. That would be nice. If you need help to test, just ask :) Aside this, I've been able to compile and make the packages, it correctly loads the configuration, but I back at a previous problem : /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined symbol: eap_wireformat Hmm that lives in eapcommon.c and should be built as part of libfreeradius-eap.a. ldd --verbose /usr/lib/freeradius/rlm_eap.so linux-vdso.so.1 = (0x7fffb60e6000) libc.so.6 = /lib/x86_64-linux-gnu/libc.so.6 (0x7f7974618000) /lib64/ld-linux-x86-64.so.2 (0x7f7974bf8000) Version information: /usr/lib/freeradius/rlm_eap.so: libc.so.6 (GLIBC_2.14) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.4) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.2.5) = /lib/x86_64-linux-gnu/libc.so.6 libc.so.6 (GLIBC_2.3.4) = /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6: ld-linux-x86-64.so.2 (GLIBC_2.3) = /lib64/ld-linux-x86-64.so.2 ld-linux-x86-64.so.2 (GLIBC_PRIVATE) = /lib64/ld-linux-x86-64.so.2 Oh dear. That'd be why that's happening... I have the same output. But I can't see what you saw. Is there a libfreeradius-eap.so missing somewhere ? -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Git master branch Debian build
On 21 Nov 2012, at 13:41, Olivier Beytrison oliv...@heliosnet.org wrote: There's also some conflict because mods-available/sql* are both present in package freeradius and freeradius-mysql. Should we not rather select files independently in ${raddbdir}/mods-available/ in place of taking everything (*) for the freeradius package ? I think there should probably be a package for rlm_sql, and then individual packages for the SQL drivers. Would be nice indeed. Something to throw in the todo list ;) Or I might do it if I find enough time. I just need to learn how to add a new package :p It's not too hard. I'll have a look at it today. That would be nice. If you need help to test, just ask :) Ok :) Oh dear. That'd be why that's happening... I have the same output. But I can't see what you saw. Is there a libfreeradius-eap.so missing somewhere ? Yep. Can't resolve the symbol because rlm_eap hasn't been linked against libfreeradius-eap.so, apparently TGT_PREREQS both adds the prerequisite as a targets *and* adds it to the linker flags, rlm_eap.mk looks fine, so i'm not sure why this is happening. Will have a look in a bit. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Debian (Squeeze) FreeRadius package missing config files
Hi All,

It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

--
Cheers

Dg
Re: Debian (Squeeze) FreeRadius package missing config files
On 21 Nov 2012, at 15:18, David Gethings dgethi...@juniper.net wrote:

> Hi All,
>
> It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

You sure it's not just stuck them in /etc/freeradius?

-Arran
Re: Debian (Squeeze) FreeRadius package missing config files
On 21/11/12 15:18, David Gethings wrote:

> Hi All,
>
> It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

https://github.com/philmayers/freeradius-server/tree/release_2_1_10/raddb

...or the release tarballs.

You want to upgrade that version, too - 2.1.10 has a security issue.
Re: Debian (Squeeze) FreeRadius package missing config files
That's where I have been looking. ;)

I've been checking the deb lists files to see where all the config files should go and then searching there. While the directories are created the files are not. And I am doing this as root. ;)

It is a weird problem. Just want to know if I can get the default config files from some other location so I can get the radius server going again.

--
Cheers

Dg

On 21/11/2012 15:29, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 21 Nov 2012, at 15:18, David Gethings dgethi...@juniper.net wrote:
>
> > Hi All,
> >
> > It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?
>
> You sure it's not just stuck them in /etc/freeradius?
>
> -Arran
Re: Debian (Squeeze) FreeRadius package missing config files
On Wed, Nov 21, 2012 at 9:18 AM, David Gethings dgethi...@juniper.net wrote:

> Hi All,
> It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

David,

Would you run:

apt-cache policy freeradius

?

The config files do get placed in /etc/freeradius, so there was an error somewhere along the line during your install.

% dpkg-deb -c freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb | grep etc
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
-rw-r--r-- root/root 27201 2012-09-11 12:07 ./etc/freeradius/radiusd.conf
-rw-r--r-- root/root 877 2012-09-11 12:07 ./etc/freeradius/dictionary

% dpkg-deb -c freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb | grep etc
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/modules/
-rw-r--r-- root/root 3357 2012-09-11 12:07 ./etc/freeradius/modules/otp
-rw-r--r-- root/root 1255 2012-09-11 12:07 ./etc/freeradius/modules/attr_filter
-rw-r--r-- root/root 269 2012-09-11 12:07 ./etc/freeradius/modules/dynamic_clients
-rw-r--r-- root/root 509 2012-09-11 12:07 ./etc/freeradius/modules/cui
-rw-r--r-- root/root 1232 2012-09-11 12:07 ./etc/freeradius/modules/smsotp
-rw-r--r-- root/root 558 2012-09-11 12:07 ./etc/freeradius/modules/expr
-rw-r--r-- root/root 5267 2012-09-11 12:07 ./etc/freeradius/modules/ldap
-rw-r--r-- root/root 347 2012-09-11 12:07 ./etc/freeradius/modules/mac2vlan
-rw-r--r-- root/root 571 2012-09-11 12:07 ./etc/freeradius/modules/pap
-rw-r--r-- root/root 1968 2012-09-11 12:07 ./etc/freeradius/modules/passwd
-rw-r--r-- root/root 1587 2012-09-11 12:07 ./etc/freeradius/modules/perl
-rw-r--r-- root/root 3289 2012-09-11 12:07 ./etc/freeradius/modules/echo
-rw-r--r-- root/root 601 2012-09-11 12:07 ./etc/freeradius/modules/sqlcounter_expire_on_login
-rw-r--r-- root/root 139 2012-09-11 12:07 ./etc/freeradius/modules/chap
-rw-r--r-- root/root 2104 2012-09-11 12:07 ./etc/freeradius/modules/mschap
-rw-r--r-- root/root 379 2012-09-11 12:07 ./etc/freeradius/modules/ntlm_auth
-rw-r--r-- root/root 1661 2012-09-11 12:07 ./etc/freeradius/modules/preprocess
-rw-r--r-- root/root 680 2012-09-11 12:07 ./etc/freeradius/modules/mac2ip
-rw-r--r-- root/root 2162 2012-09-11 12:07 ./etc/freeradius/modules/sql_log
-rw-r--r-- root/root 4465 2012-09-11 12:07 ./etc/freeradius/modules/inner-eap
-rw-r--r-- root/root 1510 2012-09-11 12:07 ./etc/freeradius/modules/radutmp
-rw-r--r-- root/root 559 2012-09-11 12:07 ./etc/freeradius/modules/policy
-rw-r--r-- root/root 642 2012-09-11 12:07 ./etc/freeradius/modules/pam
-rw-r--r-- root/root 2903 2012-09-11 12:07 ./etc/freeradius/modules/counter
-rw-r--r-- root/root 2502 2012-09-11 12:07 ./etc/freeradius/modules/linelog
-rw-r--r-- root/root 543 2012-09-11 12:07 ./etc/freeradius/modules/unix
-rw-r--r-- root/root 847 2012-09-11 12:07 ./etc/freeradius/modules/realm
-rw-r--r-- root/root 1088 2012-09-11 12:07 ./etc/freeradius/modules/logintime
-rw-r--r-- root/root 1336 2012-09-11 12:07 ./etc/freeradius/modules/attr_rewrite
-rw-r--r-- root/root 2134 2012-09-11 12:07 ./etc/freeradius/modules/detail
-rw-r--r-- root/root 273 2012-09-11 12:07 ./etc/freeradius/modules/digest
-rw-r--r-- root/root 1724 2012-09-11 12:07 ./etc/freeradius/modules/detail.log
-rw-r--r-- root/root 442 2012-09-11 12:07 ./etc/freeradius/modules/sradutmp
-rw-r--r-- root/root 1522 2012-09-11 12:07 ./etc/freeradius/modules/files
-rw-r--r-- root/root 816 2012-09-11 12:07 ./etc/freeradius/modules/etc_group
-rw-r--r-- root/root 924 2012-09-11 12:07 ./etc/freeradius/modules/detail.example.com
-rw-r--r-- root/root 354 2012-09-11 12:07 ./etc/freeradius/modules/smbpasswd
-rw-r--r-- root/root 548 2012-09-11 12:07 ./etc/freeradius/modules/expiration
-rw-r--r-- root/root 1376 2012-09-11 12:07 ./etc/freeradius/modules/checkval
-rw-r--r-- root/root 3526 2012-09-11 12:07 ./etc/freeradius/modules/wimax
-rw-r--r-- root/root 2200 2012-09-11 12:07 ./etc/freeradius/modules/ippool
-rw-r--r-- root/root 420 2012-09-11 12:07 ./etc/freeradius/modules/always
-rw-r--r-- root/root 766 2012-09-11 12:07 ./etc/freeradius/modules/exec
-rw-r--r-- root/root 153 2012-09-11 12:07 ./etc/freeradius/modules/krb5
-rw-r--r-- root/root 287 2012-09-11 12:07 ./etc/freeradius/modules/opendirectory
-rw-r--r-- root/root 457 2012-09-11 12:07 ./etc/freeradius/modules/acct_unique
-rw-r--r-- root/root 1604 2012-09-11 12:07 ./etc/freeradius/huntgroups
-rw-r--r-- root/root 3042 2012-09-11
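Added example, not part of the thread: one way to turn the `dpkg-deb -c` listing from the message above into a check of which shipped config files are actually absent on disk. The function names `missing_from_listing` and `sample_listing` are hypothetical, and the sample lines are a few entries copied from the listing above.

```shell
#!/bin/sh
# missing_from_listing ROOT
# Reads `dpkg-deb -c` output on stdin and prints every regular file the
# package ships under ./etc/ that does not exist below ROOT.
# Assumption: paths contain no whitespace (true for the listing above).
missing_from_listing() {
    root=${1%/}    # "/" becomes "", so "/etc/..." is checked as-is
    # Field 1 is the mode string, field 6 the path ("./etc/...").
    # Keep regular files only (mode starts with "-") and drop the leading ".".
    awk '$1 ~ /^-/ && $6 ~ /^\.\/etc\// { print substr($6, 2) }' |
    while IFS= read -r path; do
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# A few lines in the format shown in the thread, used as offline sample input.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
-rw-r--r-- root/root 27201 2012-09-11 12:07 ./etc/freeradius/radiusd.conf
-rw-r--r-- root/root 877 2012-09-11 12:07 ./etc/freeradius/dictionary
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/modules/
-rw-r--r-- root/root 571 2012-09-11 12:07 ./etc/freeradius/modules/pap
EOF
}

# Real use, against the installed system:
#   dpkg-deb -c freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb | missing_from_listing /
```

An empty result means every regular file the package ships under /etc is present; directory entries are skipped because the thread reports the directories were created while the files were not.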
Re: Git master branch Debian build
Olivier Beytrison wrote:

> Aside this, I've been able to compile and make the packages, it correctly loads the configuration, but I'm back at a previous problem:
>
> /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined symbol: eap_wireformat

I've pushed a fix. It was an error in the new build system.

I've pushed a few other minor fixes. make -j 8 now should work out of the box.

Thanks for everyone's patience. I think the new build system is worth it. Faster, simpler to understand, incremental builds, full dependencies, etc.

Alan DeKok.
Re: Debian (Squeeze) FreeRadius package missing config files
Thanks Matt, Phil,

I've been able to load the default config files. Now I just need to configure the capabilities I need. :)

--
Cheers
Dg

On 21/11/2012 15:57, Matt Zagrabelny mzagr...@d.umn.edu wrote:

> On Wed, Nov 21, 2012 at 9:18 AM, David Gethings dgethi...@juniper.net wrote:
>
>> Hi All,
>> It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?
>
> David,
>
> Would you run:
>
> apt-cache policy freeradius
>
> ?
>
> The config files do get placed in /etc/freeradius, so there was an error somewhere along the line during your install.
RE: Problems with 802.1x
Hi Eric, sorry, but I didn't understand that very well...

Let me see, the FR should do what?

The guy that takes care of our database said all passwords were generated in MD5 and I don't know how to convert.

But the 802.1x on Microsoft Windows works with MSCHAPv2.

Is there a solution for that? Can FR translate the MD5 to MSCHAPv2?
Re: Problems with 802.1x
On 21.11.2012 23:20, Brekler Custodio wrote:

> Hi Eric, sorry, but I didn't understand that very well...
> Let me see, the FR should do what?
> The guy that takes care of our database said all passwords were generated in MD5 and I don't know how to convert.
> But the 802.1x on Microsoft Windows works with MSCHAPv2.
> Is there a solution for that? Can FR translate the MD5 to MSCHAPv2?

No.
Re: Problems with 802.1x
Brekler Custodio wrote:

> Hi Eric, sorry, but I didn't understand that very well...
> Let me see, the FR should do what?
> The guy that takes care of our database said all passwords were generated in MD5 and I don't know how to convert.

You don't convert them. You can't.

> But the 802.1x on Microsoft Windows works with MSCHAPv2.
> Is there a solution for that? Can FR translate the MD5 to MSCHAPv2?

The web page posted earlier says it's impossible. This means impossible.

Alan DeKok.
Re: Git master branch Debian build
On Wed, Nov 21, 2012 at 11:13:40AM -0500, Alan DeKok wrote:

> I've pushed a few other minor fixes. make -j 8 now should work out of the box.

Build install all now seems to work great.

> Thanks for everyone's patience. I think the new build system is worth it. Faster, simpler to understand, incremental builds, full dependencies, etc.

(As usual after a tedious configure) 5.4 second build here. I'm still amazed at that :)

The debian package build now builds, too (much slower, it's serial make), but it's getting a library path wrong somewhere

# /usr/sbin/freeradius
/usr/sbin/freeradius: error while loading shared libraries: build/lib/relink/.libs/rlm_acctlog.so: cannot open shared object file: No such file or directory

No time to look right now - maybe tomorrow.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Git master branch Debian build
Matthew Newton wrote:

> Build install all now seems to work great.

whew

> (As usual after a tedious configure) 5.4 second build here. I'm still amazed at that :)

Using modern build tools helps a lot.

> The debian package build now builds, too (much slower, it's serial make), but it's getting a library path wrong somewhere

shrug The simplest way to fix that is to delete the old build system.

> # /usr/sbin/freeradius
> /usr/sbin/freeradius: error while loading shared libraries: build/lib/relink/.libs/rlm_acctlog.so: cannot open shared object file: No such file or directory

It's installing the wrong binary. i.e. the one built with the new build system, *and* it's linking to the libraries in the build tree, not the ones in the installed directory.

Alan DeKok.
Re: Git master branch Debian build
On 21.11.2012 17:13, Alan DeKok wrote:

> Olivier Beytrison wrote:
>
>> Aside this, I've been able to compile and make the packages, it correctly loads the configuration, but I'm back at a previous problem:
>>
>> /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined symbol: eap_wireformat
>
> I've pushed a fix. It was an error in the new build system.

I've made a fresh clone right now from git. Tested again. Building is ok. Freeradius still complains about rlm_eap [1]. Just to be sure I'll try to install the deb package on a clean system. Will report later about it.

> I've pushed a few other minor fixes. make -j 8 now should work out of the box.
>
> Thanks for everyone's patience. I think the new build system is worth it. Faster, simpler to understand, incremental builds, full dependencies, etc.

It's alright, as long as I have working .debs for January 2013 ;)

Olivier

[1] freeradius -X
freeradius: FreeRADIUS Version 3.0.0 (git #3857859), for host x86_64-pc-linux-gnu, built on Nov 22 2012 at 08:25:13
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[snip]
/etc/freeradius/mods-enabled/eap[17]: Failed to link to module 'rlm_eap': /usr/lib/freeradius/rlm_eap.so: undefined symbol: eap_wireformat
/etc/freeradius/sites-enabled/default[321]: Failed to find eap in the modules section.
/etc/freeradius/sites-enabled/default[263]: Errors parsing authenticate section.
[Inferior 1 (process 29086) exited with code 01]

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org