preproxy_users

2012-11-28 Thread BALSIANOK, Peter
Hi

I use this line many years in the preacct_users file ( freeradius 2.1.X )

DEFAULT Called-Station-Id == "orangewap"
	Called-Station-Id := "%{Called-Station-Id}.%{3GPP-SGSN-Address}"

It doesn't work in freeradius-2.2.0; I get this error message:

[files] preproxy_users: Matched entry DEFAULT at line 39
[files] WARNING: Unknown module 3GPP-SGSN-Address in string expansion %
++[files] returns ok

Peter Balšianok
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Detail file

2012-11-28 Thread BALSIANOK, Peter
I read it before I sent the email.
But my accounting RADIUS servers receive packets from many devices (each
packet contains a different group of AVPs).
Therefore, is it possible to configure the linelog module to store all AVPs
(every time, not only a defined part of the accounting packet)?

-Original Message-
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org 
[mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, November 27, 2012 10:41 PM
To: FreeRadius users mailing list
Subject: Re: Detail file

BALSIANOK, Peter wrote:
 Is there any way to change / simulate functionality of the detail 
 module like this ?

 Timestamp="Tue Nov 27 15:03:35 2012"[delimiter]Packet-Type = 
 Accounting-Request[delimiter]NAS-Port-Type = Virtual[delimiter] 
 NAS-Port-Type = Virtual[delimiter]  [end of line]

  See the linelog module.

  Alan DeKok.

Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alan Buxey
-X runs as a single thread

Is your perl multi-threaded? Does your PERL code deal with threads?


alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


RE: Configure Huntgroups

2012-11-28 Thread Arshad Khan

Any one kindly reply.

Regards,

Arshad Ahmed, Network Engineer

From: arshadkha...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: Configure Huntgroups
Date: Tue, 27 Nov 2012 10:01:19 +0500

Hi,
I have configured multiple huntgroups for different purposes, like VPN (VPN
server IP) and Netflow services (Netflow server IP), and hence defined their
respective groups on the Windows Active Directory platform.
Now I need to provide time-based VPN access to some users, so I made a group in
Active Directory and configured its respective file ntlm_auth4, so from now on
there is one huntgroup and two ntlm_auth groups, one for normal VPN access and one
for time-based. But this configuration is not working and every time it goes to
check the ntlm_auth2 condition.
Kindly advise.

DEFAULT Auth-Type := ntlm_auth4, Huntgroup-Name == "vpn", Login-Time := "Sa-Su0800-1300"
	Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth3, Huntgroup-Name == "netflow"
	Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == "vpn"
	Fall-Through = Yes
DEFAULT Auth-Type = ntlm_auth

Regards,

Arshad Ahmed, Network Engineer

Re: preproxy_users

2012-11-28 Thread Alan Buxey
Sounds like your old server had a local dictionary entry that your new server 
doesn't have

alan


SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Hello Alan,

And thanks for the reply. If you mean that my customhooks perl scripts for
rlm_perl deal with any threads, then no.

If you mean that our build of perl, which was installed from apt-get, is
compiled in a strange way... then I have no idea.

Br
Alex


From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: 28 November 2012 09:07
To: Alexander Silveröhrt; freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

-X runs as a single thread

Is your perl multi-threaded? Does your PERL code deal with threads?


alan


Re: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread alan buxey
Hi,

 And thanks for the reply. If you mean that my customhooks perl scripts for
 rlm_perl deal with any threads, then no.

Do you deal with all file handles, database handles etc. in your code
cleanly, or do you just ditch them? The Perl module will be called at the same
time by many FR threads, so unless you make the script resident you'll likely
be facing issues.

either way, at least follow docs/bugs and get the gdb output for when things go 
wrong

alan


Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Phil Mayers

On 11/28/2012 04:28 AM, Alexander Silveröhrt wrote:

Hello,

Wondered if anyone has any idea about the below. If started with the flag -X
everything starts up OK, but without -X it crashes with these
messages in the log (at least most of the time; if one is persistent then
it may well start up properly sometimes without the -X flag). As soon as
it starts OK then there seems to be no problem whatsoever.


Which version?


It runs perfectly with the same config and perl hooks at a lab machine
where there are no traffic. Searching through the web doesn’t give much
info?


Any ideas would be appreciated.

Thank you.
Alex

root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10


Why are you fiddling with LD_PRELOAD?

Presumably the perl module is the problem, but you shouldn't need to 
PRELOAD anything (and in fact, shouldn't, as the ABI might have changed).



Re: Regarding Proxy sockets

2012-11-28 Thread Phil Mayers

On 11/28/2012 09:27 AM, ramakrishna wrote:

Hi,

I have been using freeradius 2.2 for a while now.

When i start the radius server in debug mode, I observed server creating
proxy sockets. please find the log below.

* ... adding new socket proxy address * port 61412
  ... adding new socket proxy address * port 61413
  ... adding new socket proxy address * port 61414
*Listening on authentication address * port 1812
Listening on accounting address * port 1813

What i observed is every time i restart the server, i see the port
numbers increasing instead of same port numbers being used.

My question is does that mean that the previously used port
numbers(61409, 61410, 61411) are not freed properly?


No.

The proxy socket doesn't define a port to bind to, since it's a client 
socket. The OS controls the port, and is responsible for it increasing 
over time.


The old ports are freed just fine when the old process exits.


Re: Regarding Proxy sockets

2012-11-28 Thread ramakrishna
Thanks Phil.

That clarifies my doubt.


On Wed, Nov 28, 2012 at 3:23 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

 On 11/28/2012 09:27 AM, ramakrishna wrote:

 Hi,

 I have been using freeradius 2.2 for a while now.

 When i start the radius server in debug mode, I observed server creating
 proxy sockets. please find the log below.

 * ... adding new socket proxy address * port 61412

   ... adding new socket proxy address * port 61413
   ... adding new socket proxy address * port 61414
 *Listening on authentication address * port 1812

 Listening on accounting address * port 1813

 What i observed is every time i restart the server, i see the port
 numbers increasing instead of same port numbers being used.

 My question is does that mean that the previously used port
 numbers(61409, 61410, 61411) are not freed properly?


 No.

 The proxy socket doesn't define a port to bind to, since it's a client
 socket. The OS controls the port, and is responsible for it increasing over
 time.

 The old ports are freed just fine when the old process exits.




-- 
Best Regards,
M.Rama Krishna Prasad,

Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Johan Meiring

On 2012/11/28 11:50 AM, Phil Mayers wrote:

root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10

Why are you fiddling with LD_PRELOAD?

On my debian boxes FR cannot run without preload.
There is something on the mailing list about it a while back.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Phil Mayers

On 28/11/12 10:52, Johan Meiring wrote:

On 2012/11/28 11:50 AM, Phil Mayers wrote:

root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10

Why are you fiddling with LD_PRELOAD?

On my debian boxes FR cannot run without preload.


Yuck. It's probably some libtool horror in 2.x. It might work in 
master / 3.x

There is something on the mailing list about it a while back.


Well, that ought to be fixed. But I don't use rlm_perl, and the code is 
incomprehensible gibberish (hey, it's perl - it's mandatory!) so I'm not 
going to touch it ;o)



RE: preproxy_users

2012-11-28 Thread BALSIANOK, Peter
I use the standard dictionary attribute 3GPP-SGSN-Address, which is located in
(in both the old and the new version of freeradius)
/app/radius/freeradius-2.2.0/share/freeradius/dictionary.3gpp:
ATTRIBUTE	3GPP-SGSN-Address	6	ipaddr

My accounting packet looks like:
[radiusd@tdrad1 test]$ /app/radius/freeradius-2.2.0/bin/radclient -x -t 10 -r 1 
-f wapgtw/acct.req -d /app/radius/freeradius-2.2.0/etc/raddb/ggsn-acct/ 
localhost:2813 acct testing123
Sending Accounting-Request of id 153 to 127.0.0.1 port 2813
	NAS-Port-Type = Virtual
	X-Ascend-Dial-Number = "U+0557\331\025"
	Acct-Session-Id = "d597d91572f51ab3"
	Proxy-State = 0x323036
	Service-Type = Framed-User
	Called-Station-Id = "orangewap"
	Acct-Link-Count = 1
	X-Ascend-Metric = 1928665779
	Acct-Authentic = Local
	Acct-Status-Type = Start
	NAS-IP-Address = 10.64.192.1
	X-Ascend-PRI-Number-Type = 8
	3GPP-SGSN-Address = 213.151.252.35
	Calling-Station-Id = "421905012405"
	X-Ascend-IPX-Alias = 4294967295
	Framed-Protocol = GPRS-PDP-Context
	User-Name = "421908503371"
	NAS-Identifier = "ggsn-01-bb1.orange.sk"
	Acct-Multi-Session-Id = "d597d9153962de6b"
	Framed-IP-Address = 10.64.210.141

[files] preproxy_users: Matched entry DEFAULT at line 39
[files] WARNING: Unknown module 3GPP-SGSN-Address in string expansion %
++[files] returns ok

Any help ?

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Wednesday, November 28, 2012 9:57 AM
To: BALSIANOK, Peter; freeradius-users@lists.freeradius.org
Subject: Re: preproxy_users

Sounds like your old server had a local dictionary entry that your new server 
doesn't have

alan

RE: Policy.conf - multiple @

2012-11-28 Thread Alan Buxey
hi,

...there's also an error in v2.2 policy.conf

	#
	#  Realm begins with a dot
	#  e.g. u...@.site.com
	#
	if (User-Name !~ /@\\./)  {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}


MUST, in fact, be:

	#
	#  Realm begins with a dot
	#  e.g. u...@.site.com
	#
	if (User-Name =~ /@\\./)  {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}



alan


RE: Policy.conf - multiple @

2012-11-28 Thread Alan Buxey
hi,

if(User-Name =~ /@(.+)?@/i ) {
=

Would this not be simpler just by using '/@.*@/' ?


It's good to get feedback.

Yes, there's no need for case insensitivity for this one, and also we don't care
about feeding the results to a following process, so no need for the brackets.

alan


Policy.conf - multiple @

2012-11-28 Thread John Horne
Hello,

Just taking a look at the FreeRadius 2.2 policy.conf file, and noticed
this section:

=
#
#  reject Multiple @'s
#  e.g. u...@site.com@site.com
#
if(User-Name =~ /@(.+)?@/i ) {
=

Would this not be simpler just by using '/@.*@/' ?

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Sending authentication-requests to multiple radius-servers

2012-11-28 Thread Stefan Kuegler

Hello.

I have a short question:
Is it possible to send an authentication-request from a client to 
multiple servers simultaneously ?


                                    +----------+
                                 /--| radius A |
 +--------+    +--------------+ /   +----------+
 | client |----| radius proxy |X
 +--------+    +--------------+ \   +----------+
                                 \--| radius B |
                                    +----------+

We now authenticate with HMAC-based One Time Password Token (aka 
event-based token) from a Cisco ASA via radius to only one 
freeradius-server. But we want to establish a second authentication 
server for failover reasons.


When using event-based tokens, it is absolutely necessary that every server 
receives the same authentication request simultaneously from the client 
to trigger the next event on the server side.


Best Regards,
Stefan Kuegler


Re: Detail file

2012-11-28 Thread Alan DeKok
BALSIANOK, Peter wrote:
 I read it before i sent email. 
 But my accounting radius servers receives packets from many devices ( each 
 packet contains different group of AVPs ).
 Therefore Is it possible to configure linelog module to store all AVPs ( 
 everytime, not only defined part of accounting packet ).

  See doc/variables.txt  This is documented.

  But... there really isn't any point.  Why is it so vital to have them all
on one line?  Why not just use the detail file?  Do the extra linefeeds
really cause that much panic?

  Alan DeKok.


RE: Detail file

2012-11-28 Thread BALSIANOK, Peter
Sorry, I didn't read doc/variables.txt carefully (missed %Z).
To have one packet on one line (AVPs separated with a delimiter) is, from my point 
of view, better (simpler). Of course I can parse the current detail file format :).
Last question: is writing to the detail file serialized (parallel threads can 
write data at the same time to one file)?

-Original Message-
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org 
[mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Wednesday, November 28, 2012 3:41 PM
To: FreeRadius users mailing list
Subject: Re: Detail file

BALSIANOK, Peter wrote:
 I read it before i sent email. 
 But my accounting radius servers receives packets from many devices ( each 
 packet contains different group of AVPs ).
 Therefore Is it possible to configure linelog module to store all AVPs ( 
 everytime, not only defined part of accounting packet ).

  See doc/variables.txt  This is documented.

  But... there really isn't any point.  Why is it so vital to have them all on one 
line?  Why not just use the detail file?  Do the extra linefeeds really cause 
that much panic?

  Alan DeKok.


Re: Policy.conf - multiple @

2012-11-28 Thread Ben Brown
On Wed, Nov 28, 2012 at 01:09:44PM +, John Horne wrote:
 #
 if(User-Name =~ /@(.+)?@/i ) {
 =
 
 Would this not be simpler just by using '/@.*@/' ?

That's not quite the same, as it would match more than the original
regex. OK the parenthesis aren't needed, however consider the following
username:

bob@@realm

The original regex will not match this however the simpler one will.
'/@.+@/' would be more compatible.

Ben

-- 
Ben Brown
Systems Engineer
Plusnet PLC | www.plus.net



Re: Detail file

2012-11-28 Thread Alan DeKok
BALSIANOK, Peter wrote:
 Sorry, I didn't read doc/variables.txt carefully (missed %Z).
 To have one packet on one line (AVPs separated with a delimiter) is, from my 
 point of view, better (simpler). Of course I can parse the current detail file 
 format :).

  I wouldn't agree with simpler.  But it's your system.

 Last question. Is writing to detail file serialized  ( paralel threads can 
 write data at the same time to one file ) ?

  The server works, and doesn't do stupid things.

  Alan DeKok.


Re: Sending authentication-requests to multiple radius-servers

2012-11-28 Thread Alan DeKok
Stefan Kuegler wrote:
 Is it possible to send an authentication-request from a client to
 multiple servers simultaneously ?

  Not really, no.

 We now authenticate with HMAC-based One Time Password Token (aka
 event-based token) from a Cisco ASA via radius to only one
 freeradius-server. But we want to establish a second authentication
 server for failover reasons.

  That's different.

 When using event-based tokens, it is absolutely necessary that every server
 receives the same authentication request simultaneously from the client
 to trigger the next event on the server side.

  Well.. database synchronization really isn't a RADIUS problem.  You're
better off fixing the token system so that it works.

  Alan DeKok.


Re: preproxy_users

2012-11-28 Thread Alan DeKok
BALSIANOK, Peter wrote:
 I use standard dictionary attribute 3GPP-SGSN-Address, which is located
 in ( in old and new one version of freeradius )
...
 [radiusd@tdrad1 test]$ /app/radius/freeradius-2.2.0/bin/radclient -x -t
 10 -r 1 -f wapgtw/acct.req -d
 /app/radius/freeradius-2.2.0/etc/raddb/ggsn-acct/ localhost:2813 acct
 testing123
...
 [files] WARNING: Unknown module 3GPP-SGSN-Address in string expansion %

  Are you running 2.2.0 on the server side?  Older versions of the
server had issues where they didn't like a number as the first character
of an attribute expansion.

  2.2.0 fixed that.

  Alan DeKok.


Re: Detail file

2012-11-28 Thread Phil Mayers

On 28/11/12 14:57, BALSIANOK, Peter wrote:

Last question: is writing to the detail file serialized (parallel threads can 
write data at the same time to one file)?


Yes. The detail writer (and reader) use locking.


Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alan DeKok
Alexander Silveröhrt wrote:
 Wondered if anyone has any idea about the below. If started with the flag -X
 everything starts up OK, but without -X it crashes with these
 messages in the log.

  Older versions of rlm_perl didn't lock enough of the data structures.
 So it could have threading issues.

  Upgrade.

  Alan DeKok.

SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Same here doesn't even start without LD_PRELOAD.

-Original Message-
From: 
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org 
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On Behalf Of Johan Meiring
Sent: 28 November 2012 11:52
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

On 2012/11/28 11:50 AM, Phil Mayers wrote:
 root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10

 Why are you fiddling with LD_PRELOAD?

On my debian boxes FR cannot run without preload.
There is something on the mailing list about it a while back.




Re: Git master branch Debian build

2012-11-28 Thread Zenon Mousmoulas

On 28/11/2012 1:07 AM, Arran Cudbard-Bell wrote:

I just did build on fresh ubuntu 12.10 VM and it looks fine to me

root@shinyhead-ldap:~/build/freeradius-server# ldd debian/tmp/usr/sbin/freeradius
	linux-vdso.so.1 =>  (0x7fffae945000)
	libfreeradius-radius.so => /usr/lib/freeradius/libfreeradius-radius.so (0x7fddc5958000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fddc574d000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fddc552f000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x7fddc52f6000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7fddc4f2f000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7fddc4cd2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fddc4913000)
	/lib64/ld-linux-x86-64.so.2 (0x7fddc5b96000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7fddc46fc000)

-Arran

Just installed the packages and the server started first time.

Indeed it does seem to work on Ubuntu 12.04.

I also tried it on a fresh Debian squeeze system and what I see is 
consistent to what I posted previously:


# ldd build/bin/radiusd
	linux-vdso.so.1 =>  (0x7fffe5bff000)
	libfreeradius-radius.so => not found
	build/lib/.libs/rlm_acctlog.so (0x7ff8685a2000)
	build/lib/.libs/rlm_always.so (0x7ff86839f000)
	[...]

I am trying to figure out what tool or build-dep may be causing this.


Re: Policy.conf - multiple @

2012-11-28 Thread alan buxey
Hi,

 That's not quite the same, as it would match more than the original
 regex. OK the parenthesis aren't needed, however consider the following
 username:
 
 bob@@realm

That would be a wrong and illegal entry, so it needs to be rejected too.


alan


Re: Detail file

2012-11-28 Thread Arran Cudbard-Bell

On 28 Nov 2012, at 15:05, Alan DeKok <al...@deployingradius.com> wrote:

 BALSIANOK, Peter wrote:
 Sorry, I didn't read doc/variables.txt carefully (missed %Z).
 To have one packet on one line (AVPs separated with a delimiter) is, from my 
 point of view, better (simpler). Of course I can parse the current detail file 
 format :).
 
  I wouldn't agree with simpler.  But it's your system.

It's also going to go away in version 3.0 along with all the other one letter 
expansions.

-Arran
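The detail file layout that Alan is pointing Peter at is easy to turn into the one-line-per-packet form he wants without touching the server. The block below is an added example, not code from FreeRADIUS or from anyone in this thread: it parses constructed rlm_detail output (an unindented timestamp line, tab-indented `Attribute = value` lines, and a blank line between packets) and emits one delimiter-separated line per packet. The sample records and the `|` delimiter are assumptions made for illustration.

```python
# Added example, not FreeRADIUS code: turn rlm_detail output into one
# delimiter-separated line per packet, which is what Peter asked linelog for.
# The records below are constructed to mimic the detail format: an unindented
# timestamp line, tab-indented "Attribute = value" lines, blank line between packets.
SAMPLE_DETAIL = """\
Tue Nov 27 15:03:35 2012
\tPacket-Type = Accounting-Request
\tAcct-Status-Type = Start
\tNAS-Port-Type = Virtual
\tUser-Name = "421908503371"
\tCalled-Station-Id = "orangewap"
\t3GPP-SGSN-Address = 213.151.252.35
\tTimestamp = 1354028615

Tue Nov 27 15:08:12 2012
\tPacket-Type = Accounting-Request
\tAcct-Status-Type = Stop
\tNAS-Port-Type = Virtual
\tUser-Name = "421908503371"
\tAcct-Session-Time = 277
\tTimestamp = 1354028892

"""


def parse_detail(text: str) -> list:
    """Split detail output into records: {'timestamp': str, 'avps': [(name, value), ...]}.

    A record ends at a blank line; attribute lines are those that start with
    whitespace. Values keep the quoting detail wrote, so strings stay quoted.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("attribute line before any timestamp header: %r" % line)
            name, sep, value = line.strip().partition(" = ")
            if not sep:
                raise ValueError("malformed attribute line: %r" % line)
            current["avps"].append((name, value))
        else:
            current = {"timestamp": line.strip(), "avps": []}
    if current is not None:
        records.append(current)
    return records


def to_delimited(records: list, delim: str = "|") -> list:
    """One line per packet: Timestamp="..." first, then Name=Value fields."""
    lines = []
    for rec in records:
        fields = ['Timestamp="%s"' % rec["timestamp"]]
        fields.extend("%s=%s" % (name, value) for name, value in rec["avps"])
        lines.append(delim.join(fields))
    return lines


if __name__ == "__main__":
    for line in to_delimited(parse_detail(SAMPLE_DETAIL)):
        print(line)
```

Two practical caveats: pick a delimiter that cannot appear inside a free-text attribute value (or keep the quoting the detail writer already puts around strings and split on that), and run this over a rotated copy of the detail file rather than the one the server is writing to, since, as Phil notes, the writer and reader coordinate through locking and an outside reader does not.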


Re: Policy.conf - multiple @

2012-11-28 Thread Arran Cudbard-Bell

On 28 Nov 2012, at 15:08, alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:

 Hi,
 
 That's not quite the same, as it would match more than the original
 regex. OK the parenthesis aren't needed, however consider the following
 username:
 
 bob@@realm
 
 that would be a wrong and illegal entry...so needs to be rejected too.

When ya'll decided what you want the regexps to be, send a pull request? :)

-Arran
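Since the thread disagrees about what the three candidate patterns actually match, here is an added example (not code from policy.conf and not from any of the posters) that runs them over constructed usernames, alongside the "realm begins with a dot" check written with `=~` as Alan's correction requires. It assumes Python's `re` treats these simple patterns the same way the server's regex library does; none of them use Perl-only syntax.

```python
import re

# Added example, not part of policy.conf. Assumption: Python's re engine treats
# these simple patterns the same way the server's regex library does.
MULTIPLE_AT = {
    "original":   re.compile(r"@(.+)?@", re.I),   # as quoted from policy.conf
    "simplified": re.compile(r"@.*@"),            # John's suggestion
    "compatible": re.compile(r"@.+@"),            # Ben's suggestion
}
# The "realm begins with a dot" check; the config's \\. is \. once the
# configuration string has been unescaped.
REALM_STARTS_WITH_DOT = re.compile(r"@\.")


def multiple_at_matches(username: str) -> dict:
    """Which of the three candidate 'multiple @' patterns fire on this username."""
    return {name: bool(p.search(username)) for name, p in MULTIPLE_AT.items()}


def filter_username(username: str) -> list:
    """Reject reasons the policy would attach as Reply-Message (empty list = accept).

    The dot check uses =~ semantics, i.e. reject when the pattern matches,
    which is the correction Alan posted; with !~ every ordinary user@realm
    (and every bare username) would be rejected instead.
    """
    reasons = []
    if MULTIPLE_AT["original"].search(username):
        reasons.append("Rejected: Multiple @ in username")
    if REALM_STARTS_WITH_DOT.search(username):
        reasons.append("Rejected: Realm begins with a dot")
    return reasons


# Constructed usernames covering the cases raised in the thread.
SAMPLES = ["bob@site.com", "bob@site.com@site.com", "bob@@realm", "bob@.site.com"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:24} {multiple_at_matches(u)} {filter_username(u)}")
```

One thing the output makes visible: because `(.+)?` is optional, the original `/@(.+)?@/` matches `bob@@realm` exactly as `/@.*@/` does, so those two are equivalent; it is `/@.+@/` that lets the empty realm through.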



Freeradius like WPA2-PSK

2012-11-28 Thread Paulo

Hello,
Is there any way that freeradius can act as WPA-PSK?
What I am trying to deploy is a Wi-Fi network with only one password 
that is changed every week.
Right now I have an open wireless signal distributed over 20 Wi-Fi 
routers. This signal is used by all the clients of the hotel, so there 
is no way to distribute certificates to the clients.


--


 Paulo Marcon.

--
"Not knowing it was impossible, he went there and did it."
Jean Cocteau

--



RE: Freeradius like WPA2-PSK

2012-11-28 Thread Brian Julin


 Paulo wrote:

 Is there any way that freeradius act as WPA-PSK??
 What i am trying to deploy is a wi-fi network with only one password
 that is changed every week.
 Right now I have a open wireless signal distributed over 20 wi-fi
 routers. This signal is used by all the clients of the hotel, so there
 is no way to distribute certificate to the clients.

WPA2-Enterprise with PEAP authentication is automatically recognized
by most new clients these days.  The clients will prompt for a username
and a password.  If you generate an ntcrypt (by shelling out of FR to
a utility to do so) for an inbound username/password on the RADIUS side
from a known cleartext password on the fly, you can arrange things such
that that password is accepted for any username.  No certificate is
required on the client side.  The server will need a certificate signed
by an authority that is already trusted by the clients ($$$).

You can also abuse MS domain notation to select from a set
of passwords for different groups, but that will require the users
to correctly type a backslash, which can be asking a bit much for
certain types of users.

So yes, but there is no way to get rid of the username box in the
login prompt, you just need to tell the users (when you give them
the password) to enter something in the username box.  Also
without provisioning and distributing a client-side-verification
profile, your users may be hijacked by an AP pretending to be
one of yours, as long as it knows the password and has any valid cert;
but this is the case with WPA2-PSK as well (worse, in fact, without
the server-side certificate.)
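The hash Brian describes generating on the fly is the NT hash: MD4 over the UTF-16LE encoding of the password, which is what rlm_mschap needs (as `NT-Password`) to verify a PEAP/MSCHAPv2 response without ever seeing the cleartext. The block below is an added example, not FreeRADIUS code and not Brian's: it carries its own MD4 (assumption: the local `hashlib` may not expose md4 on OpenSSL 3 builds) and produces the check-item value for the week's shared password, the same value for every username. The `users`-file line it prints is this editor's suggestion for where that value would go, not something the thread states.

```python
import struct

# Added example, not FreeRADIUS code. Pure-Python MD4 is included because
# hashlib.new("md4") is frequently unavailable on OpenSSL 3 builds (assumption
# about the local environment; a working hashlib md4 would do the same job).
MD4_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block: bytes):
    """Process one 64-byte block (RFC 1320 rounds 1 to 3)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for f, order, shifts, k in rounds:
        for i, idx in enumerate(order):
            t = (a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF
            # rotate the register file: (A B C D) -> (D A' B C)
            a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """MD4 digest: 0x80 padding to 56 mod 64, then the 64-bit little-endian bit length."""
    bit_len = 8 * len(data)
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = MD4_INIT
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le"))


def nt_password_check_item(password: str) -> str:
    """The value rlm_mschap wants as NT-Password for this shared password."""
    return "0x" + nt_hash(password).hex().upper()


def users_entry_for_week(shared_password: str) -> str:
    """A users-file DEFAULT entry applying the same NT-Password to every username
    (assumption: this is how the value would be handed to rlm_mschap)."""
    return "DEFAULT NT-Password := %s" % nt_password_check_item(shared_password)


if __name__ == "__main__":
    print(users_entry_for_week("password"))
```

Because the hash is unsalted and the password is shared by everyone, rotating it weekly only limits how long a captured MSCHAPv2 exchange stays useful; the server certificate and, as Brian says, a client-side profile that pins it are what stop a rogue AP from harvesting those exchanges in the first place.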



Re: Sending authentication-requests to multiple radius-servers

2012-11-28 Thread Marinko Tarlac
Some NASes can successfully use several servers. If the first one 
doesn't respond, the request will be sent to the next RADIUS server


On 11/28/2012 4:07 PM, Alan DeKok wrote:

Stefan Kuegler wrote:

Is it possible to send an authentication-request from a client to
multiple servers simultaneously ?

   Not really, no.


We now authenticate with HMAC-based One Time Password Token (aka
event-based token) from a Cisco ASA via radius to only one
freeradius-server. But we want to establish a second authentication
server for failover reasons.

   That's different.


When using event based tokens, it's absolute necessary that every server
receives the same authentication request simultaneously from the client
to trigger the next event on the server side.

   Well.. database synchronization really isn't a RADIUS problem.  You're
better off fixing the token system so that it works.

   Alan DeKok.


External HTTPS authentication

2012-11-28 Thread Thiago A. V. Lima
Hello mailing list.

What I'm actually trying to accomplish is this:

I already have a modified version of an OpenID server, that doesn't require
any user/password. The whole authentication is based on EAP-TLS between the
browser and the Apache server, using the certificate email to identify the
current user. (I control the whole CA chain, so I can trust the
certificate embedded emails).

I'd like to make FreeRADIUS forward the user certificate (client side,
WPA2-Enterprise scheme certificate, I mean) to my OpenID (Apache server
with EAP-TLS) and, if the connection is correctly established, authenticate
the user and move him to the correct VLAN. This way, I could have an
integrated network and services (single sign-on) authentication process,
completely transparent to the end-user (except for the network

So, if there was any already available module that could, for example,
authenticate the RADIUS user using a foreign webservice or something like
that, I think I could modify/adapt it to my EAP-TLS scenario.

Any suggestions?


Thanks in advance and congratulations for the nice community,

-- 
Thiago Lima

Re: Sending authentication-requests to multiple radius-servers

2012-11-28 Thread Arran Cudbard-Bell

On 28 Nov 2012, at 14:02, Stefan Kuegler <freerad...@kuegler.org> wrote:

 Hello.
 
 I have a short question:
 Is it possible to send an authentication-request from a client to multiple 
 servers simultaneously ?
 
                                     +----------+
                                  /--| radius A |
  +--------+    +--------------+ /   +----------+
  | client |----| radius proxy |X
  +--------+    +--------------+ \   +----------+
                                  \--| radius B |
                                     +----------+
 
 We now authenticate with HMAC-based One Time Password Token (aka event-based 
 token) from a Cisco ASA via radius to only one freeradius-server. But we want 
 to establish a second authentication server for failover reasons.
 
 When using event-based tokens, it is absolutely necessary that every server 
 receives the same authentication request simultaneously from the client to 
 trigger the next event on the server side.

Is there really a requirement for the Authentication-Request to hit 
simultaneously, or just within a short period of time? Most OTP token systems 
do have a built in fudge period where the previous token code will still be 
accepted. If this is the case you should be able to tune failover period so 
that it occurs within the period and tune the retransmit times on the NAS so 
that it provides enough requests to trigger the failover.

Alternatively you can use multicast. There's some alpha code for v3 which Alan 
wrote a while back but has not been integrated. It allows you to listen on a 
multicast IP address for RADIUS packets and would allow you to do what you've 
described.

Let me know if you want to try this and i'll merge it into the main repo.

You could also use rlm_replicate to duplicate the packet, but there's currently 
no way of checking the aliveness of a realm at runtime, so you'd end up sending 
duplicate requests to whatever the primary OTP server was.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
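
An added example, not configuration from this thread or from the FreeRADIUS project, of the failover tuning Arran describes, written against FreeRADIUS 2.x proxy.conf syntax; the server names, the 192.0.2.x addresses and the secret are placeholders:

```conf
# Added example, not from the thread: FreeRADIUS 2.x proxy.conf fragment for
# two event-based OTP back ends in a fail-over pool. Names, the 192.0.2.x
# addresses (documentation range) and the secret are placeholders.
#
# Constraint: the NAS must still be retransmitting when FreeRADIUS gives up
# on the primary, i.e.  NAS timeout * NAS retries > response_window,
# so the retransmit reaches radius B inside the token acceptance window.

home_server otp_a {
        type            = auth
        ipaddr          = 192.0.2.10
        port            = 1812
        secret          = CHANGE-ME-placeholder
        # Wait this long for a reply before marking the server "zombie"
        # and sending new requests to the next pool member.
        response_window = 5
        # Time in the zombie state before the server is declared dead.
        zombie_period   = 40
        # Active probes so a dead server is noticed without losing real
        # authentication requests.
        status_check    = status-server
        check_interval  = 30
        num_answers_to_alive = 3
}

home_server otp_b {
        type            = auth
        ipaddr          = 192.0.2.11
        port            = 1812
        secret          = CHANGE-ME-placeholder
        response_window = 5
        zombie_period   = 40
        status_check    = status-server
        check_interval  = 30
        num_answers_to_alive = 3
}

# fail-over: otp_a is always tried first; otp_b only when otp_a is zombie/dead.
home_server_pool otp_pool {
        type            = fail-over
        home_server     = otp_a
        home_server     = otp_b
}

realm otp {
        auth_pool       = otp_pool
}
```

With a fail-over pool the NAS retransmit that arrives after response_window is routed to otp_b, so the NAS timeout and retry count must be set so that total retransmission time exceeds response_window.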


Re: Sending authentication-requests to multiple radius-servers

2012-11-28 Thread Arran Cudbard-Bell

 You could also use rlm_replicate to duplicate the packet, but there's 
 currently no way of checking the aliveness of a realm at runtime, so you'd 
 end up sending duplicate requests to whatever the primary OTP server was.

and that wouldn't help if you were actually wanting to authenticate the user 
instead of just performing some kind of synchronisation between the OTP servers.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: External HTTPS authentication

2012-11-28 Thread Alan Buxey
Why not just use EAP-TLS as the auth as-is, since you control the horizontal 
and vertical of the certs and CA (the CA can sign your RADIUS server cert)? Then 
just use some post-auth to pass the request to your backend to work out what VLAN 
to return?

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Matthew Newton
 -Original Message-
 On my debian boxes FR cannot run without preload.

On Wed, Nov 28, 2012 at 03:57:34PM +, Alexander Silveröhrt wrote:
 Same here doesn't even start without LD_PRELOAD.

What versions of Debian and FreeRADIUS are these reports referring
to?

Are you using FR compiled yourself, or own-built packages (from
git?), or the standard Debian packages from their repo?

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: nas config in sql table

2012-11-28 Thread laurent . feron
In the MySQL database, I would like only the 'nas' table, and not the other tables 
(radcheck, ...). Is it possible?
Regards
laurent

- Original Message -
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, 27 November 2012 22:03:28
Subject: Re: nas config in sql table

laurent.fe...@free.fr wrote:
 Hello,
 I saw in many messages that with the module sql it is possible to do 
 authentication against sql table 

  No, it's not possible to do that.

  SQL is a *database*.  Databases store data.  They don't do authentication.

  SQL is used to store known good passwords.  See the documentation
and the Wiki for examples of how to store these passwords in SQL.

 and also to have the NAS definition in another table. Is it possible to have 
 only the configuration of NAS in a sql table? The authorization and 
 authentication are done with other modules (perl scriptings).

  Yes.  There is no requirement to do everything in SQL.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

SV: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Hello,

Yes, running perl hooks with DBI, but using both finish and disconnect properly.

Here are the versions for the people asking for them.
Linux version 2.6.32-5-amd64 (Debian 2.6.32-45) (da...@debian.org) (gcc version 
4.3.5 (Debian 4.3.5-4)
freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 
14 2010 at 20:41:03
perl v5.10.1 (*) built for i486-linux-gnu-thread-multi

Alan, do you know how to supply gdb with the argument to run
LD_PRELOAD=/usr/lib/libperl.so.5.10 /usr/sbin/freeradius

Otherwise it will only fail to load the DBI.so

Best regards
Alex


-Original Message-
From: alan buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: 28 November 2012 10:46
To: Alexander Silveröhrt
Cc: freeradius-users@lists.freeradius.org
Subject: Re: SV: Freeradius several segfaults at heavy load and startup ?

Hi,

And thanks for the reply. If you mean that my customhooks perl scripts for
rlm_perl deal with any threads, then no.

do you deal with all file handlers, database handlers etc in your code 
cleanly... or do you just ditch them? the PERL module will be called at the 
same time by many FR threads, so unless you make the script resident you'll 
likely be facing issues.

either way, at least follow docs/bugs and get the gdb output for when things go 
wrong

alan

* DISCLAIMER *

This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure and may include proprietary information. If 
you are not the intended recipient, please telephone or email the sender and 
delete this message and any attachment from your system. If you are not the 
intended recipient you must not copy this message or attachment or disclose the 
contents to any other person
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Versions:
Linux version 2.6.32-5-amd64 (Debian 2.6.32-45) (da...@debian.org) (gcc version 
4.3.5 (Debian 4.3.5-4)
freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 
14 2010 at 20:41:03
perl v5.10.1 (*) built for i486-linux-gnu-thread-multi
mysql Server version: 5.5.27-1~dotdeb.0-log (Debian)

And again if not started with LD_PRELOAD then DBI will fail
root@itop1-db1:~# freeradius
Can't load '/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so' for module DBI: 
/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at 
/usr/lib/perl/5.10/DynaLoader.pm line 192.
 at /usr/local/lib/perl/5.10.1/DBI.pm line 266
BEGIN failed--compilation aborted at /usr/local/lib/perl/5.10.1/DBI.pm line 266.
Compilation failed in require at /etc/freeradius/customhook.pl line 10.

Just followed the solution from the mailing list and it worked to get DBI 
working.
http://lists.freeradius.org/pipermail/freeradius-users/2008-September/031333.html

best regards
Alex
-Original Message-
From: 
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org 
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: 28 November 2012 10:50
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

On 11/28/2012 04:28 AM, Alexander Silveröhrt wrote:
 Hello,

 Wondered if anyone has any idea about the below. If started with flag -X
 everything starts up ok, but without -X it crashes with these messages
 in the log (at least most of the time; if one is persistent then it may
 well start up properly sometimes without the -X flag). As soon as it
 starts ok then there seems to be no problem whatsoever.

Which version?

 It runs perfectly with the same config and perl hooks at a lab machine
 where there is no traffic. Searching through the web doesn't give much
 info.


 Any ideas would be appreciated.

 Thank you.
 Alex

 root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10

Why are you fiddling with LD_PRELOAD?

Presumably the perl module is the problem, but you shouldn't need to
PRELOAD anything (and in fact, shouldn't, as the ABI might have changed).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Iliya Peregoudov

Alexander Silveröhrt wrote:

And again if not started with LD_PRELOAD then DBI will fail
root@itop1-db1:~# freeradius
Can't load '/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so' for module DBI: 
/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at 
/usr/lib/perl/5.10/DynaLoader.pm line 192.
 at /usr/local/lib/perl/5.10.1/DBI.pm line 266
BEGIN failed--compilation aborted at /usr/local/lib/perl/5.10.1/DBI.pm line 266.
Compilation failed in require at /etc/freeradius/customhook.pl line 10.


Debian-built perl (installed in /usr/lib/perl5) tries to load DBI module 
from locally built perl (installed in /usr/local/lib/perl). It's a bad 
idea. Try to install debian-built DBI module (libdbi-perl) and use it.


I think the same error (mashup of multiple perl builds) was encountered 
by Johan Meiring.


Debian-built freeradius uses debian-built perl. So only debian-built 
perl modules can be loaded by rlm_perl.


You can easily test that your debian-built perl supports loading DBI (and 
so that debian-built freeradius can use it):


/usr/bin/perl -e \
'use DBI; print join("\n", DBI->available_drivers), "\n";'

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html