Re: Load Balancing
Thanks John: yes, I can run many instances of radclient. But I want one instance of radclient that can send parallel requests to the RADIUS server.

On Wed, Feb 13, 2013 at 12:56 PM, Johan Meiring <jmeir...@pcservices.co.za> wrote:
> On 2013/02/12 04:45 PM, Alan DeKok wrote:
>> I tried to use Rad Client to send requests in parallel, but I wasn't successful. Could you please help me out to send parallel requests to the proxy server???
>
> Am I missing something, or can you not simply run more than one instance of radclient on more than one console?
>
> --
> Johan Meiring
> Cape PC Services CC
> Tel: (021) 883-8271 Fax: (021) 886-7782

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Load Balancing
On 2013/02/12 04:45 PM, Alan DeKok wrote:
> I tried to use Rad Client to send requests in parallel, but I wasn't successful. Could you please help me out to send parallel requests to the proxy server???

Am I missing something, or can you not simply run more than one instance of radclient on more than one console?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271 Fax: (021) 886-7782
Re: Load Balancing
On 13.02.2013 09:03, Muhammad Nadeem wrote:
> Thanks John: yes, I can run many instances of radclient. But I want one instance of radclient that can send parallel requests to the RADIUS server.

Simply use

    echo User-Name=001AAD3F8165, NAS-IP-Address=10.192.100.4 | radclient -p 100 -c 1 192.168.0.102 auth testing123 -x

man radclient:

    -c count    Send each packet count times.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53  Mail: oliv...@heliosnet.org
Re: Load Balancing
On Wed, Feb 13, 2013 at 4:33 PM, Muhammad Nadeem <mnadeem8...@gmail.com> wrote:
> for load testing. But when I use this with -p (to send requests in parallel), it only sends one packet. Here is the command output:
>
>     [root@billing ~]# echo User-Name=001AAD3F8165, NAS-IP-Address=10.192.100.4 | radclient -p 100 192.168.0.102 auth
>
> Why doesn't -p send requests in parallel?

Because you only feed it one request. Feed it a file which contains multiple requests (read the manual/doc).

--
Fajar
Re: Load Balancing
I used -c 1 and omitted -p; the result was the same. 1 users were authenticated in 23 seconds :). So I think there is no difference in using -p and -c together?? Am I right??

On Wed, Feb 13, 2013 at 1:32 PM, Muhammad Nadeem <mnadeem8...@gmail.com> wrote:
> Will it send 1 parallel requests to the FreeRADIUS server? Why not simply use -c 1 instead of -p 100 -c 1? What will be the difference??? Thanks
>
> On Wed, Feb 13, 2013 at 1:16 PM, Olivier Beytrison <oliv...@heliosnet.org> wrote:
>> On 13.02.2013 09:03, Muhammad Nadeem wrote:
>>> Thanks John: yes, I can run many instances of radclient. But I want one instance of radclient that can send parallel requests to the RADIUS server.
>>
>> Simply use
>>
>>     echo User-Name=001AAD3F8165, NAS-IP-Address=10.192.100.4 | radclient -p 100 -c 1 192.168.0.102 auth testing123 -x
>>
>> man radclient:
>>
>>     -c count    Send each packet count times.
>>
>> Olivier
>> --
>> Olivier Beytrison, Network Security Engineer, HES-SO Fribourg

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Upgrading from FR 2.1.10 to 2.2.x
Hello,

I've just completed the configuration of a 2.1.10 FreeRADIUS server on CentOS 6.2 and want to upgrade to FR 2.2.x to remove the vulnerability. Does anyone have a guide or any advice on what I need to do and back up in order to ensure that I don't lose any of my site-specific settings? I have configured it to work with AD using NTLM_Auth and Samba.

Many thanks
Jamie

Jamie Lee
Senior Infrastructure Development and Support Officer
IT Services Department
Goldsmiths, University of London
Re: Load Balancing
On Wed, Feb 13, 2013 at 1:42 AM, Muhammad Nadeem <mnadeem8...@gmail.com> wrote:
> Could you please help me out to send parallel requests to the proxy server???

Try radclient (see -p): http://linux.die.net/man/1/radclient

Alternatively, try radperf: http://networkradius.com/radperf.html

--
Fajar
Re: Load Balancing
Will it send 1 parallel requests to the FreeRADIUS server? Why not simply use -c 1 instead of -p 100 -c 1? What will be the difference??? Thanks

On Wed, Feb 13, 2013 at 1:16 PM, Olivier Beytrison <oliv...@heliosnet.org> wrote:
> On 13.02.2013 09:03, Muhammad Nadeem wrote:
>> Thanks John: yes, I can run many instances of radclient. But I want one instance of radclient that can send parallel requests to the RADIUS server.
>
> Simply use
>
>     echo User-Name=001AAD3F8165, NAS-IP-Address=10.192.100.4 | radclient -p 100 -c 1 192.168.0.102 auth testing123 -x
>
> man radclient:
>
>     -c count    Send each packet count times.
>
> Olivier
> --
> Olivier Beytrison, Network Security Engineer, HES-SO Fribourg

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
AVP EAP-KEY name support in FR
Hi,

We are trying to bring up MACsec with Cisco and FR, and we are stuck because RADIUS is unable to send the EAP-Key-Name AVP. Below is what is expected as per RFC 4072. RFC 4072 says:

    A home Diameter server receiving a Diameter-EAP-Request with a Key-Name AVP with non-empty data MUST silently discard the AVP. In addition, the home Diameter server SHOULD include this AVP in Diameter-EAP-Response only if an empty EAP-Key-Name AVP was present in Diameter-EAP-Request.

But the RADIUS server is not sending the EAP-Key-Name AVP (RADIUS attribute type 102) even when an invalid AVP is present in the Diameter-EAP-Request. Below is the debug print of radius:

    Sending Access-Accept of id 647 to 10.20.64.9 port 1645
        MS-MPPE-Recv-Key = 0x84e5c624c3bcdeadca3c6210f24bd7b8336921ccc1c58399d397afc75770332c
        MS-MPPE-Send-Key = 0xa6c4860cc8092c251502f5adc3ee13586e05fe84cbbb8b6793b08d9523d12b1f
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = user1

Does anyone have a clue on this?

Thanks,
Srinivas
Re: Understanding the IP Pool module
On 02/13/2013 07:23 AM, Бен Томпсон wrote:
> One thing I still don't understand though is how best to use ippool for DHCP. I don't understand where and how I should call the module during a DHCP transaction. For example I can call it during DHCP-Discover, but it seems that if I call it again during DHCP-Request I might get a different address even when the key is the same. I will continue to study the code to see why this happens and if I figure it out I will report back with my findings.

With difficulty, in short. The ippool module is old, and predates the DHCP functionality. You would need to fake up some RADIUS attributes in the DHCP packet, then ensure that ippool is called in a manner that hands out IPs correctly. This may prove to be impossible.

There is an example of doing this with the sqlippool module, which is rather better suited to this; by customising the queries you can ensure that different IPs in DISCOVER/REQUEST are not a problem. See the GIT repo for details:

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/policy.d/dhcp
https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/dhcp_sqlippool
Re: AVP EAP-KEY name support in FR
On 02/13/2013 09:59 AM, Srinu Bandari wrote:
> Hi, We are trying to bring up MACsec with Cisco and FR, and we are stuck because RADIUS is unable to send the EAP-Key-Name AVP.

That's not supported in FreeRADIUS, I believe. It's been a while since I looked at it, but the whole extended EAP key management stuff was quite complex, and not widely used, so it hasn't been implemented.

Patches welcome, I'm sure.
Re: Load Balancing
On 13.02.2013 09:38, Muhammad Nadeem wrote:
> I used -c 1 and omitted -p; the result was the same. 1 users were authenticated in 23 seconds :). So I think there is no difference in using -p and -c together?? Am I right??

Well yeah, -p works only with a file (-f). So, feed your request multiple times to a file:

    for d in {1..1} ; do echo -e "User-Name=001AAD3F8165\nNAS-IP-Address=10.192.100.4\n" >> rad-requests.txt ; done

(there needs to be an empty line between requests, hence the extra \n at the end)

Send the requests, 100 at a time, and repeat 10 times:

    radclient -c 10 -p 100 -f rad-requests.txt server:port auth secret

Tested it here and it works very well.

Olivier

--
Olivier Beytrison, Network Security Engineer, HES-SO Fribourg
Re: Upgrading from FR 2.1.10 to 2.2.x
First, check that CentOS doesn't have the security issue backported.

For the upgrade, back up your current configuration directory, e.g.

    cp -R /etc/raddb /etc/raddb.backup

Then install the new version. 2.1.10 and 2.2.0 are config compatible apart from one single option which isn't set by default (check the release notes).

The FreeRADIUS install will not touch files that already exist... so you won't get any new options/comments in your config files, so you may lose visibility of any new features in that regard... but new config files and modules and virtual servers will appear in your config.

So, radiusd -X your current server, capture the startup output, then do the same again after the upgrade and compare the difference.

alan
Re: Load Balancing
Thanks Fajar. Actually radperf is not available on the website. And I also used -p with radclient. But it did not send requests in parallel.

On Wed, Feb 13, 2013 at 1:30 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> On Wed, Feb 13, 2013 at 1:42 AM, Muhammad Nadeem <mnadeem8...@gmail.com> wrote:
>> Could you please help me out to send parallel requests to the proxy server???
>
> Try radclient (see -p): http://linux.die.net/man/1/radclient
>
> Alternatively, try radperf: http://networkradius.com/radperf.html
>
> --
> Fajar

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: Load Balancing
OK, I followed your process. I made a file with User-Name and NAS-IP-Address attributes and issued the following command:

    radclient -c 10 -p 1000 -f radrequest.txt 192.168.0.112 auth testing123

But I only receive 10 Access-Accept packets. So what does it mean?? If the above command issues 1000 requests 10 times, shouldn't there be 1 Access-Accept packets?? So please tell me where things are going wrong :(

On Wed, Feb 13, 2013 at 2:37 PM, Olivier Beytrison <oliv...@heliosnet.org> wrote:
> On 13.02.2013 09:38, Muhammad Nadeem wrote:
>> I used -c 1 and omitted -p; the result was the same. 1 users were authenticated in 23 seconds :). So I think there is no difference in using -p and -c together?? Am I right??
>
> Well yeah, -p works only with a file (-f). So, feed your request multiple times to a file:
>
>     for d in {1..1} ; do echo -e "User-Name=001AAD3F8165\nNAS-IP-Address=10.192.100.4\n" >> rad-requests.txt ; done
>
> (there needs to be an empty line between requests, hence the extra \n at the end)
>
> Send the requests, 100 at a time, and repeat 10 times:
>
>     radclient -c 10 -p 100 -f rad-requests.txt server:port auth secret
>
> Tested it here and it works very well.
>
> Olivier
> --
> Olivier Beytrison, Network Security Engineer, HES-SO Fribourg

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: Dialup Admin
On 02/12/2013 09:52 PM, Shawky Skaff wrote:
> Hi Guys, Could I please get a response to this?

Have you considered the possibility that no-one knows?

dialupadmin is largely abandonware; it's been removed from the GIT repo in master as no-one maintains it, or wants to. So, expertise on it is minimal, and interest in it even less so.
Re: Load Balancing
On 13.02.2013 11:45, Muhammad Nadeem wrote:
> OK, I followed your process. I made a file with User-Name and NAS-IP-Address attributes and issued the following command:
>
>     radclient -c 10 -p 1000 -f radrequest.txt 192.168.0.112 auth testing123
>
> But I only receive 10 Access-Accept packets. So what does it mean?? If the above command issues 1000 requests 10 times, shouldn't there be 1 Access-Accept packets?? So please tell me where things are going wrong :(

This means your text file contains only one packet. Check the content of radrequest.txt. There should be 30002 lines... and each packet should be separated by a blank line.

--
Olivier Beytrison, Network Security Engineer, HES-SO Fribourg
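A small helper script, added here as an example and not posted by anyone in the thread, that builds a request file the way Olivier describes (one attribute per line, a blank line between packets), counts the packets radclient -f will find in it, and works out how many replies -c should produce from that count, which is what explains the 10 Access-Accepts above. The usernames, file name, server address and shared secret are constructed sample values; radclient is only invoked if it is installed.

```shell
#!/bin/sh
# Added example (not from the list thread): generate a radclient -f request
# file with a blank line between packets, then sanity-check it before a
# load test. All attribute values below are constructed samples.

# gen_requests FILE COUNT NAS_IP
# Writes COUNT packets to FILE. Each packet is two attribute lines followed
# by a blank line; the blank line is the packet separator radclient expects.
gen_requests() {
    file=$1; count=$2; nas_ip=$3
    : > "$file"
    i=1
    while [ "$i" -le "$count" ]; do
        # constructed sample username, one distinct user per packet
        printf 'User-Name = %s\nNAS-IP-Address = %s\n\n' \
            "$(printf 'user%04d' "$i")" "$nas_ip" >> "$file"
        i=$((i + 1))
    done
}

# count_packets FILE
# Counts packets the way radclient splits the file: a blank line ends a
# packet, several blank lines in a row still end only one, and a last
# packet without a trailing blank line still counts.
count_packets() {
    awk 'BEGIN { n = 0; inpkt = 0 }
         /^[ \t]*$/ { if (inpkt) { n++; inpkt = 0 }; next }
         { inpkt = 1 }
         END { if (inpkt) n++; print n }' "$1"
}

# expected_replies REPEAT PACKETS
# -c N sends every packet N times, so with every request accepted you get
# PACKETS * N Access-Accepts. A file holding a single packet therefore
# yields exactly N replies regardless of -p (the 10 accepts seen above).
expected_replies() {
    echo $(( $1 * $2 ))
}

# run_load FILE PARALLEL REPEAT SERVER SECRET
# Reports what the file contains and what to expect, then sends the load
# with radclient if it is available on this host.
run_load() {
    file=$1; par=$2; rep=$3; server=$4; secret=$5
    pkts=$(count_packets "$file")
    echo "file holds $pkts packet(s); expecting $(expected_replies "$rep" "$pkts") replies"
    if command -v radclient >/dev/null 2>&1; then
        radclient -c "$rep" -p "$par" -f "$file" "$server" auth "$secret"
    else
        echo "radclient not installed; skipping send" >&2
    fi
}

# Demo run: 1000 packets, 100 in flight at a time, each sent 10 times.
if [ "${1:-}" = "demo" ]; then
    gen_requests /tmp/rad-requests.txt 1000 10.192.100.4
    run_load /tmp/rad-requests.txt 100 10 192.168.0.102 testing123
fi
```

Run it as `sh radload.sh demo` (assumed file name); with a one-packet file the printed expectation already shows why -c 10 returns only 10 accepts.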
Re: Stess test
Qasim,

Your problem is with your MySQL database. It is too slow to process the queries it is receiving. You've already been told, on this list (multiple times): fix your database or hire a DBA who can.

On Wed, Feb 13, 2013 at 10:59 AM, QASIM RAO <qasim2...@hotmail.com> wrote:
> Hi, I am using FreeRADIUS for billing purposes in my application... I am facing a problem in stress testing on my local RADIUS server: when I send 100 concurrent accounting requests in non-debug mode and monitor MySQL connections using MySQL Administrator, the MySQL connections suddenly increase to around a hundred, which causes an increase in the processing time of each one. Please help me with this.
>
> Qasim
User mapping
Hi All,

First of all, I would like to say that the website is very, very useful. I have been able to set up pam_radius_auth with Kerberos just by following the instructions on the website.

Now to my question: does anybody know how to set up RADIUS so it can map a user to a local user? For example, the user's username is 'test' but on the local machine the user should be logged on as user (let's say) 'steve'. If it helps, I already have LDAP set up for accounts. So, is there a way to get the LDAP attribute uid and map it to maybe 'name' etc.? Or the other way round..?

Any help would be appreciated.

Best Regards,
Ahmed Sajid.
Re: Understanding the IP Pool module
Бен Томпсон wrote:
> One thing I still don't understand though is how best to use ippool for DHCP.

As Phil said, don't. Use the SQL IP pool module.

Alan DeKok.
Re: AVP EAP-KEY name support in FR
Srinu Bandari wrote:
> We are trying to bring up MACsec with Cisco and FR, and we are stuck because RADIUS is unable to send the EAP-Key-Name AVP. Below is what is expected as per RFC 4072

Which, as you'll note, is a Diameter spec. FreeRADIUS doesn't implement Diameter.

If you can get us a spec saying how to implement EAP-Key-Name, we can do it. Or, send a patch. Until then, it's a mystery.

Alan DeKok.
Re: User mapping
ahmed.sa...@stfc.ac.uk wrote:
> First of all, I would like to say that the website is very, very useful.

Thanks.

> I have been able to set up pam_radius_auth with Kerberos just by following the instructions on the website.

Documentation is good. Following the documentation is great.

> Now to my question: does anybody know how to set up RADIUS so it can map a user to a local user? For example, the user's username is 'test' but on the local machine the user should be logged on as user (let's say) 'steve'.

For the pam_radius_auth module? You can't.

For FreeRADIUS, you can use rlm_passwd to map a key to another value.

Alan DeKok.
Re: Dialup Admin
>> Hi Guys, Could I please get a response to this?
>
> Have you considered the possibility that no-one knows?
>
> dialupadmin is largely abandonware; it's been removed from the GIT repo in master as no-one maintains it, or wants to. So, expertise on it is minimal, and interest in it even less so.

Check out DaloRadius, which is maintained and very good.
http://sourceforge.net/projects/daloradius/

Regards
Wayne
Re: Upgrading from FR 2.1.10 to 2.2.x
On 02/13/2013 04:03 AM, Jamie Lee wrote:
> Hello, I've just completed the configuration of a 2.1.10 FreeRADIUS server on CentOS 6.2 and want to upgrade to FR 2.2.x to remove the vulnerability. Does anyone have a guide or any advice on what I need to do and back up in order to ensure that I don't lose any of my site-specific settings? I have configured it to work with AD using NTLM_Auth and Samba.

Red Hat has shipped the 2.1.12-4 RPM with the CVE fix applied, not sure if CentOS has kept up. We have not shipped 2.2 for RHEL 6. You'll either have to build an RPM (see http://wiki.freeradius.org/guide/Red-Hat-FAQ for how to do that) or build from the tarball.

All the configuration is under /etc/raddb, make sure that's backed up. As a general rule it's good practice to put your configuration files under source code control anyway.

If you use an RPM to update, configuration files you've modified will be moved to .rpmsave; look for those after the install completes and adjust accordingly. If memory serves me correctly 2.2.x has logic in it that ignores .rpmnew, .rpmsave, .bak, ~, apt files, etc. so their presence won't cause problems like they used to. Running rpm freeradius -qV before installing will verify the installed files and tell you any you've modified.

If you install via make install nothing will be preserved.

Any other data stored in your backends (e.g. SQL, LDAP) shouldn't be affected and you're on your own to back that up anyway.

HTH,
John

--
John Dennis <jden...@redhat.com>
Re: Load Balancing
Thanks a lot Olivier... this stuff really worked for me. Cheers

On Wed, Feb 13, 2013 at 4:05 PM, Olivier Beytrison <oliv...@heliosnet.org> wrote:
> On 13.02.2013 11:45, Muhammad Nadeem wrote:
>> OK, I followed your process. I made a file with User-Name and NAS-IP-Address attributes and issued the following command:
>>
>>     radclient -c 10 -p 1000 -f radrequest.txt 192.168.0.112 auth testing123
>>
>> But I only receive 10 Access-Accept packets. So what does it mean?? If the above command issues 1000 requests 10 times, shouldn't there be 1 Access-Accept packets?? So please tell me where things are going wrong :(
>
> This means your text file contains only one packet. Check the content of radrequest.txt. There should be 30002 lines... and each packet should be separated by a blank line.
>
> --
> Olivier Beytrison, Network Security Engineer, HES-SO Fribourg

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: anonymous user when proxying
On 13.02.2013 15:46, Hocine M wrote:
> Hi, Some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force users to use the inner identity?

If this is a remote user connected within your institution, and the home RADIUS does NOT copy the inner identity to the outer tunnel, then you won't be able to know the real username of the user.

You *could* reject users with an outer identity of anonymous@realm or just @realm, but you would not be eduroam-compliant anymore.

For ref: https://confluence.terena.org/display/H2eduroam/eduroam+IdP second section, "Anonymous outer identities"

Olivier

--
Olivier Beytrison, Network Security Engineer, HES-SO Fribourg
RE: User mapping
Hi Alan,

Thanks for the quick reply. So, the pam module can't be used. How can I set it up in RADIUS using rlm_passwd?

Regards,
Ahmed Sajid.

-----Original Message-----
From: freeradius-users-bounces+ahmed.sajid=stfc.ac...@lists.freeradius.org On Behalf Of Alan DeKok
Sent: 13 February 2013 13:56
To: FreeRadius users mailing list
Subject: Re: User mapping

ahmed.sa...@stfc.ac.uk wrote:
> First of all, I would like to say that the website is very, very useful.

Thanks.

> I have been able to set up pam_radius_auth with Kerberos just by following the instructions on the website.

Documentation is good. Following the documentation is great.

> Now to my question: does anybody know how to set up RADIUS so it can map a user to a local user? For example, the user's username is 'test' but on the local machine the user should be logged on as user (let's say) 'steve'.

For the pam_radius_auth module? You can't.

For FreeRADIUS, you can use rlm_passwd to map a key to another value.

Alan DeKok.
anonymous user when proxying
Hi,

Some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force users to use the inner identity?

Here are the files:

pre-proxy-detail-20130213:
Re: anonymous user when proxying
On 13/02/13 14:46, Hocine M wrote:
> Hi, Some users who are proxied (eduroam) are accounted with username = anonymous@realm

Yes

> I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force users to use the inner identity?

No. Anonymous or empty outer ID is perfectly legal, and IIRC you'll be in contravention of the eduroam spec if you block this. In fact, empty outer ID is best practice, and you'll drop a lot of people if you block it.

What are you trying to achieve?
Re: freeradius form
> Hi, I have used the proxy functionality of FreeRADIUS for load balancing and failover. But this decreases the performance a lot. (With direct requests I can authenticate 450 users/sec, but with proxy, only 26 users/sec.)

You've asked the same question before. The answer is to look at your configuration, read the docs and man pages for the parts and configure it so that it can handle many more when proxying. You have a delay/block somewhere. Find it. Fix it.

This list is for advice/help... not for consultancy, which you can pay for and get elsewhere.

alan
Re: anonymous user when proxying
> Hi, Some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force users to use the inner identity?

Anonymous outer identities are perfectly legal and valid in 802.1X environments with remote proxying, e.g. eduroam. If you block/reject users who have an anonymous outer ID then you are in violation of eduroam rules. Users with JUST @realm as their outer ID are also 100% valid (!)

You need to investigate CUI (Chargeable-User-Identity) as that's EXACTLY what that attribute is for: to identify users based on something other than their outer ID or Calling-Station-Id (both of which they can change!).

alan
Re: anonymous user when proxying
If users choose to protect their identity, that is their prerogative. Using an anonymous outer identity in eduroam is best practice, and you certainly shouldn't reject a user because they use an anonymous outer identity (see the eduroam service policy). The best you can do is configure your RADIUS server to request a CUI from the IdP. However, given how few sites implement CUI, you won't get many responses.

Regards
Scott Armitage

Hocine M hocine.maou...@free.fr wrote:

Hi,

Some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force the user to use the inner identity?

Here are the files:

pre-proxy-detail-20130213:

Wed Feb 13 14:03:47 2013
    Packet-Type = Access-Request
    NAS-Port-Id = AP86/1
    Calling-Station-Id = 94-39-E5-B7-CB-51
    Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
    Service-Type = Framed-User
    EAP-Message = 0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b
    User-Name = anonym...@st-andrews.ac.uk
    NAS-Port = 25861
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = Trapeze
    Message-Authenticator = 0x0393b59dea7efd51d506eb73899531ef
    Realm = st-andrews.ac.uk
    EAP-Type = Identity
    Proxy-State = 0x313031

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = AP86/1
    Calling-Station-Id = 94-39-E5-B7-CB-51
    Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
    Service-Type = Framed-User
    User-Name = anonym...@st-andrews.ac.uk
    NAS-Port = 25861
    State = 0xe5a5ab65e5a7be1056566c4c9fd4c6e8
    EAP-Message = 0x020200381500160301002d0129030193958cf5417b1d83d6a46747e4273b6050850d0a2360fec88d289a138166383002000a0100
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = Trapeze
    Message-Authenticator = 0x5b389846257ea4135f53a64e6e1c5a48
    Realm = st-andrews.ac.uk
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313032

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = AP86/1
    Calling-Station-Id = 94-39-E5-B7-CB-51
    Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
    Service-Type = Framed-User
    User-Name = anonym...@st-andrews.ac.uk
    NAS-Port = 25861
    State = 0xe5a5ab65e4a6be1056566c4c9fd4c6e8
    EAP-Message = 0x020300061500
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = Trapeze
    Message-Authenticator = 0x33638595ef790cd81017538ba1b1aaca
    Realm = st-andrews.ac.uk
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313033

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = AP86/1
    Calling-Station-Id = 94-39-E5-B7-CB-51
    Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
    Service-Type = Framed-User
    User-Name = anonym...@st-andrews.ac.uk
    NAS-Port = 25861
    State = 0xe5a5ab65e7a1be1056566c4c9fd4c6e8
    EAP-Message = 0x020401441500160301010611020100543ce46842671b13a26b6cad59606bbe3e16c719ec529a476cad7c24bba97b253fb329f026b315098d3de8579f70193cfec9194b6874fab251539c927a85ef58914e6803758fe652d3f6aa75adb2194f12ed7670d81902cbaed23c93d1f099584e53b0dc7d5b2394cc2354b8681874efa66293cf0c6fa9a900311fb678ca09a4e2b58938f9f0ecc9bf5f2a03a7026b27e883863bf1e2c070716a198a0137441acdca2108707473328f187aefb3304e25fd244a9b799bff15c011f21fe5c4ecc81eff6bcfff66d5bc6ba8af469fc50faa1310e3aa2d395d33ef55c841a54a6e6837403084d77472bb51bca7
    EAP-Message = 0x9931b51bda9aa98ad17d58055fef6e5e84b3371403010001011603010028ddea1f8780c6a9d3720778e46e560fd071eb9f9d57122dba9896f9ceb57a1b2a8362520d84d02749
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = Trapeze
    Message-Authenticator = 0x7612d9dc287bd580845d59f08dcfbe34
    Realm = st-andrews.ac.uk
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313034

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = AP86/1
    Calling-Station-Id = 94-39-E5-B7-CB-51
    Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
    Service-Type = Framed-User
    User-Name = anonym...@st-andrews.ac.uk
    NAS-Port = 25861
    State = 0xe5a5ab65e6a0be1056566c4c9fd4c6e8
    EAP-Message = 0x02050053150017030100480e445bd302a42efdfef640de32d514973a61346521acdd65dc5bc693613769788942c27a2d6094dbc6da60622adb4cdf5554289d9f25f984016a59b3644d7f26e6add7c54d1f707a
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = Trapeze
    Message-Authenticator = 0x7bd5e919aa147bf656ec791de2e403ad
    Realm = st-andrews.ac.uk
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313035

Wed Feb 13 14:03:49 2013
    Packet-Type = Accounting-Request
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Acct-Multi-Session-Id
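To see concretely what a proxy can and cannot learn from the detail log above, here is an added example (not code from the thread or from FreeRADIUS) that decodes EAP-Message values as a visited-site or proxy server sees them: it joins the EAP-Message attribute(s) of one RADIUS packet, reads the EAP header, extracts the outer identity from an Identity response and, for EAP-TTLS packets, lists the TLS record types. The hex constants are copied from the log quoted above; the function and table names are this example's own.

```python
"""Decode EAP-Message values from a FreeRADIUS detail file.

Added example, not code from the original thread or from FreeRADIUS. The
hex strings are copied from the pre-proxy detail log quoted above; the
functions and lookup tables are this example's own.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 16: "ClientKeyExchange", 20: "Finished"}

# EAP-Message values from the detail log above (packets 1, 2, 3 and 5 of the
# session; packet 4 spans two EAP-Message attributes and is left out here).
IDENTITY_RESPONSE = "0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b"
TTLS_CLIENT_HELLO = ("0x020200381500160301002d0129030193958cf5417b1d83d6a46747e4273b"
                     "6050850d0a2360fec88d289a138166383002000a0100")
TTLS_ACK = "0x020300061500"
TTLS_TUNNELLED = ("0x02050053150017030100480e445bd302a42efdfef640de32d514973a61346521"
                  "acdd65dc5bc693613769788942c27a2d6094dbc6da60622adb4cdf5554289d9f25"
                  "f984016a59b3644d7f26e6add7c54d1f707a")


def eap_bytes(values):
    """Join the EAP-Message attribute(s) of one RADIUS packet into raw EAP bytes.

    RADIUS caps an attribute value at 253 bytes, so a long EAP packet arrives
    as several EAP-Message attributes that must be concatenated in order.
    """
    return b"".join(bytes.fromhex(v[2:] if v.startswith("0x") else v)
                    for v in values)


def tls_records(data):
    """List (content_type, handshake_type) for each TLS record in a TTLS data field."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + rlen]
        hs = TLS_HANDSHAKE.get(body[0]) if ctype == 22 and body else None
        out.append((TLS_CONTENT.get(ctype, "type_%d" % ctype), hs))
        pos += 5 + rlen
    return out


def decode_eap(values):
    """Describe what a proxy can see of the EAP packet inside one RADIUS packet."""
    pkt = eap_bytes(values)
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            # a mismatch means bytes were lost between the wire and this copy
            "length_ok": length == len(pkt)}
    if code in (1, 2) and len(pkt) >= 5:
        etype = pkt[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            # the outer identity: cleartext, visible to every proxy on the path
            info["identity"] = pkt[5:length].decode("utf-8", "replace")
        elif etype in (13, 21, 25) and len(pkt) >= 6:
            flags = pkt[5]
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                             "S": bool(flags & 0x20)}
            data = pkt[6:length]
            if flags & 0x80:
                # L flag: a 4-byte total TLS message length precedes the data
                info["tls_total_length"] = int.from_bytes(data[:4], "big")
                data = data[4:]
            # only record headers are visible; application_data is the tunnel,
            # which is where the inner identity travels to the home server
            info["tls_records"] = tls_records(data)
    return info


if __name__ == "__main__":
    for label, hexval in [("identity", IDENTITY_RESPONSE),
                          ("client hello", TTLS_CLIENT_HELLO),
                          ("ack", TTLS_ACK), ("tunnelled", TTLS_TUNNELLED)]:
        print(label, decode_eap([hexval]))
```

Run against the log, the Identity response decodes to the outer identity anonymous@st-andrews.ac.uk, which is all the proxy ever gets in cleartext; the fifth packet carries a single TLS application_data record, the encrypted tunnel in which the inner identity is sent to the home server, so no post-proxy rule at the visited site can read it. The length check is worth keeping: the second packet's hex as archived in the mail is 52 bytes against an EAP length field of 56, so that copy lost bytes somewhere between the detail file and the list.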
[ann] Request rlm_otp testing
commit 397006810d88cf22f203e43130ea6a326d728eba
Author: Arran Cudbard-Bell a.cudba...@freeradius.org
Date:   Tue Feb 12 19:48:00 2013 -0500

    Use xlat for generating the OTP challenge reply-message
    Remove otp specific bin2hex hex2bin functions and use FR ones
    Fix formatting
    Fix warnings about signedness of various strings.
    Insert Reply-Message attribute with T_OP_SET instead of T_OP_EQ
    Add basic code documentation for some functions

The rlm_otp module has been updated to meet FreeRADIUS coding standards. As the FreeRADIUS project team does not have access to a token card system, community testing is requested. The new code has been checked in to the master branch (what will become FreeRADIUS version 3.0). Please report any issues to http://bugs.freeradius.org. Please send successful test reports to freeradius-devel. Replies to this list will not be received.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS dev team - Maintainer
Please contribute documentation: http://wiki.freeradius.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: anonymous user when proxying
On 13/02/2013 17:09, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

Some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force the user to use the inner identity?

Anonymous outer identities are perfectly legal and valid in 802.1X environments with remote proxying, e.g. eduroam. If you block/reject users who have an anonymous outer ID then you are in violation of eduroam rules. Users with JUST @realm as their outer ID are also 100% valid (!)

You need to investigate CUI (Chargeable-User-Identity), as that's EXACTLY what that attribute is for: to identify users based on something other than their outer ID or Calling-Station-Id (both of which they can change!).

alan

OK, I'll try to set up CUI. Thanks for all,
Re: freeradius form
Thanks Alan. So you mean that I am not configuring things in a good way; that's why the proxy has become a bottleneck?

On Wed, Feb 13, 2013 at 9:04 PM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

I have used the proxy functionality of FreeRADIUS for load balancing and failover, but this decreases the performance a lot (with direct requests I can authenticate 450 users/sec, but with proxy, only 26 users/sec).

You've asked the same question before. The answer is to look at your configuration, read the docs and man pages for the parts and configure it so that it can handle many more when proxying. You have a delay/block somewhere. Find it. Fix it. This list is for advice/help... not for consultancy, which you can pay for and get elsewhere.

alan

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
RE: AVP EAP-KEY name support in FR
Alan,

The EAP key identifier must be sent as part of the Access-Accept message in the EAP-Key-Name AVP (RADIUS attribute type 102). This is what the Cisco documentation states:

The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message.

From 802.1X:

The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216, and IETF RFC 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to convey the EAP Session-Id.

And from RFC 5216:

Session-Id = 0x0D || client.random || server.random
client.random = Nonce generated by the TLS client.
server.random = Nonce generated by the TLS server.

So, we need to send the Session-Id value as the EAP-Key-Name AVP (RADIUS attribute type 102) as part of the Access-Accept message. Hope this is what you are expecting.

Thanks,
Srinivas B

-----Original Message-----
From: freeradius-users-bounces+sbandari=vitesse@lists.freeradius.org On Behalf Of Alan DeKok
Sent: 13 February 2013 19:27
To: FreeRadius users mailing list
Subject: Re: AVP EAP-KEY name support in FR

Srinu Bandari wrote:

We are trying to bring up MACsec with Cisco and FR, and we are stuck because RADIUS is unable to send the EAP-Key-Name AVP. Below is what is expected as per RFC 4072.

Which, as you'll note, is a Diameter spec. FreeRADIUS doesn't implement Diameter. If you can get us a spec saying how to implement EAP-Key-Name, we can do it. Or, send a patch.

Until then, it's a mystery.

Alan DeKok.
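To make the two definitions quoted in the message above concrete, here is an added example (not code from the thread or from FreeRADIUS) that builds the EAP-Key-Name value for an EAP-TLS session: it forms the RFC 5216 Session-Id as 0x0D || client.random || server.random and wraps it in a RADIUS attribute of type 102 in the type-length-value layout of RFC 2865. The two 32-byte randoms are constructed for the example; in a server they come from the TLS handshake. It covers EAP-TLS only; other methods define their Session-Id differently, so the 0x0D prefix and the randoms-only derivation must not be reused for them.

```python
"""Build the RADIUS EAP-Key-Name attribute (type 102) for an EAP-TLS session.

Added example, not code from the thread or from FreeRADIUS. It applies the
RFC 5216 Session-Id definition and the attribute type 102 quoted above; the
function names and the sample randoms are this example's own.
"""
import os
import struct

EAP_TLS_TYPE = 0x0D          # EAP method type 13 (EAP-TLS), first byte of the Session-Id
EAP_KEY_NAME_ATTR = 102      # RADIUS attribute type for EAP-Key-Name
RADIUS_VALUE_MAX = 253       # 255-byte attribute limit minus the 2-byte header
TLS_RANDOM_LEN = 32


def eap_tls_session_id(client_random, server_random):
    """Session-Id = 0x0D || client.random || server.random (RFC 5216)."""
    if len(client_random) != TLS_RANDOM_LEN or len(server_random) != TLS_RANDOM_LEN:
        raise ValueError("TLS randoms are 32 bytes each")
    return bytes([EAP_TLS_TYPE]) + client_random + server_random


def radius_attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if not 0 < len(value) <= RADIUS_VALUE_MAX:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_key_name_attr(client_random, server_random):
    """The attribute to place in the Access-Accept next to the MS-MPPE keys."""
    return radius_attr(EAP_KEY_NAME_ATTR,
                       eap_tls_session_id(client_random, server_random))


def parse_attr(attr):
    """Inverse of radius_attr: return (type, value) after checking the length byte."""
    if len(attr) < 3 or attr[1] != len(attr):
        raise ValueError("bad attribute length")
    return attr[0], attr[2:]


if __name__ == "__main__":
    # constructed randoms standing in for the TLS handshake nonces
    client_random, server_random = os.urandom(TLS_RANDOM_LEN), os.urandom(TLS_RANDOM_LEN)
    attr = eap_key_name_attr(client_random, server_random)
    print(len(attr), attr.hex())
```

The Session-Id is 65 bytes, so the whole attribute is 67 bytes and fits in a single RADIUS attribute; parse_attr is the check to run against a captured Access-Accept to confirm the switch is being handed the value it expects.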