Re: Setting up EAP-TLS as the ONLY authentication mechanism?
All that stuff is on by default to ensure that people who want more than a really dumb and minimal server can get up and running without having to try to find what combination of stuff needs to be enabled. So, e.g., proxying is enabled... what's the issue? Unless you have actually edited proxy.conf to do something, it won't do anything; there's no entry in clients.conf other than localhost too, so even if you had the required ports open to the world, nothing is going to happen.

If all you want is EAP-TLS auth then it's very easy to minimise to that config. Much, much easier than having to learn the server better and trying to get there from a minimal config that doesn't work out of the box (ask those who have tried doing it that way... look at mailing list history for those that stripped the config out before then trying to get things to work).

This isn't Apache, which does have a whole load of things on and can get you p0wned on port 80 if you have that open to the world.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place. From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation. That sort of behavior should at least raise an eyebrow if not a few red flags.

You're unhappy that your questions got push-back. So you're pushing back in return. However... you know little or nothing about RADIUS, and I've been doing this for 20 years. I won't explain why there are no red flags in the default configuration. I *will* explain that it's unproductive for newbies to second-guess experts.

> The default client secret(s) should be different from the default proxy secret(s) to avoid confusion for first-time users.

So as a first-time user, you know more about their needs than someone who's done this for 20 years?

> I missed that it is there for testing. And I see why:

Don't quote the config files at me. I wrote them. This just comes across as condescending, and lecturing me about the text I wrote.

> Again, defaults exist for a reason. The reasons for the defaults are what I'm actually after here.

The reasons are given in the documentation, web pages, man pages, config files, etc. The defaults enable the server to do the Right Thing in the widest possible set of circumstances, i.e. so that newbies like you can get the server running with minimal work. Your response is to insult the developers, by claiming that the defaults raise red flags. Stop it. It's ignorant and annoying.

> All I was asking here was if commenting out those protocols in 'eap.conf' was all I have to do to disable them? A simple confirmation would suffice.

I answered that. You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them.

> I admit that there is a little of that, but I'm just trying to save myself from breaking things too badly by understanding why the defaults are the defaults before I go and blow away large portions of config.

The defaults are documented. See the comments in the config files. The procedure for editing the defaults is documented. See man radiusd. It's really not rocket science.

You're looking for emotional reassurance that the server won't explode. I'm not going to give it. Instead, you should follow the documentation, and follow the documented methods for editing the configuration. If something goes wrong, it's just text. Put the old config back, and start again.

And after doing this for 20 years, your message is typical of a particular class of newbie. The existing documentation is too complicated. Yet you don't ask a specific question. Instead, you have a long complicated post complaining about many things, and asking many questions. When I point this out, you start putting me down. I've had hundreds of conversations like this, and it's always annoying.

Your entire approach is wrong. Read man radiusd. That documents the correct approach.

Alan DeKok.
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 3/24/2013 5:59 AM, Alan DeKok wrote:
> Thomas Hruska wrote:
> > Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place. From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation. That sort of behavior should at least raise an eyebrow if not a few red flags.
>
> You're unhappy that your questions got push-back. So you're pushing back in return. However... you know little or nothing about RADIUS, and I've been doing this for 20 years.
>
> And after doing this for 20 years, your message is typical of a particular class of newbie. The existing documentation is too complicated. Yet you don't ask a specific question. Instead, you have a long complicated post complaining about many things, and asking many questions. When I point this out, you start putting me down. I've had hundreds of conversations like this, and it's always annoying.
>
> Your entire approach is wrong. Read man radiusd. That documents the correct approach.

The difference from your response to Arran's response to my questions is night and day. He was moderately polite while you were and are downright rude.

I've met grizzled veteran developers before. You are one of those. As a developer myself, I know I've got two options:

1) Fend off the newbies constantly.
2) Write better documentation. With a dash of humor in the mix. If it isn't fun, then it isn't worth reading (or writing) it.

I've found that the latter creates a MUCH better experience for everyone (i.e. the nuisances go away - hey, I've been where you are at as well). I've also found that *I* have to actually write the documentation because no one else will do it for me (e.g. Wikis don't really work for software). And it isn't a FAQ, it is real documentation naturally covering a wide range of common (and even uncommon) topics.

I always include a documentation cycle in my software releases - and it takes about a week to two weeks to complete, but it is so worth it. Whenever a user asks a question, I check the documentation to make sure I wrote something about it, write a quick paragraph in a polite response, and link to the right place, knowing someone else will find the post + reply via a Google search later and won't ask the same question as a result. That's the other key factor - making sure stuff can be found via Google as a top result on the official site. Google is your first line of defense against newbies and, when you host the content yourself, you control that line of defense.

On a different note, I've also found that telling people how long I've been writing software does nothing beneficial. You just get into a yelling match with those who have been writing software longer.

Anyway, just a few things I've picked up over the years.

I can tell when I'm not wanted, so I'll just drop off this list. Later.

> Alan DeKok.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> The difference from your response to Arran's response to my questions is night and day. He was moderately polite while you were and are downright rude.

As always, my first response is polite and answers your questions. I only get blunt when people argue with me.

I'll also note that you've conveniently deleted all of my other points. I'll take that as evidence you agree with them.

> That's the other key factor - making sure stuff can be found via Google as a top result on the official site. Google is your first line of defense against newbies and, when you host the content yourself, you control that line of defense.

Another lecture about how superior you are.

> On a different note, I've also found that telling people how long I've been writing software does nothing beneficial. You just get into a yelling match with those who have been writing software longer.

If you've been writing software for a long time, you should have been able to figure out how to edit the default config.

> I can tell when I'm not wanted, so I'll just drop off this list. Later.

I have no patience for people who are ignorant about a subject, and lecture me on it.

This list is for people who want to solve RADIUS problems. If you focus on that, you're OK. If you complain about red flags because of your RADIUS ignorance, you will get told off, and rightly so. It's rude to be condescending to experts, and I won't have it.

Alan DeKok.
Re: ippool-dhcp and Oracle
2013/3/23 Бен Томпсон b.thomp...@latera.ru:
> 2013/3/23 Arran Cudbard-Bell a.cudba...@freeradius.org:
> > On 23 Mar 2013, at 12:22, Бен Томпсон b.thomp...@latera.ru wrote:
> > > Hello Everyone
> > >
> > > Could anyone advise me what would be required to use dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the sql queries from the mysql version, but I just wanted to check that I am not missing something.
> >
> > Nope you're not. Please contribute a queries.conf file for Oracle and submit a pull request for master branch. We're actively trying to promote the use of the DHCP side, so such patches are very helpful.
> >
> > -Arran
>
> Hi Arran
>
> Thanks for the quick reply, I will try and do it in the next few days.
>
> Ben

Hello Arran and everyone on the list

I began work on testing with Oracle but I have come across a couple of issues. Firstly one of my SQL statements is throwing up an error, and secondly the server is sending a unicast reply when I need a broadcast. I should be able to fix the dodgy SQL but I wondered if anyone could help me fix the broadcast/unicast problem. Here is the full debug :-

# /usr/local/sbin/radiusd -X
radiusd: FreeRADIUS Version 3.0.0 (git #d3b1f0a), for host x86_64-unknown-linux-gnu, built on Mar 23 2013 at 21:22:40
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-enabled/../sql/main/oracle/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/attr_rewrite
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/checkval
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/ippool-dhcp/oracle/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Blah blah. But you don't say what the issue is with the documentation... in fact your issue was with the default config and your requirements... which are actually both fully documented in the config. I don't see why you've dropped in from nowhere, thrown your ego around and then claim to be leaving. Expect help/advice in the future? Because if so, you've gone about it the wrong way really.

alan
Re: ippool-dhcp and Oracle
Бен Томпсон wrote:
> I began work on testing with Oracle but I have come across a couple of issues. Firstly one of my SQL statements is throwing up an error, and secondly the server is sending a unicast reply when I need a broadcast. I should be able to fix the dodgy SQL but I wondered if anyone could help me fix the broadcast/unicast problem. Here is the full debug :-
> The debug log
> Received DHCP-Discover of id 64b2e216 from 0.0.0.0:68 to 0.0.0.0:67
> DHCP-Opcode = Client-Message
> DHCP-Hardware-Type = Ethernet
> DHCP-Hardware-Address-Length = 6
> DHCP-Hop-Count = 0
> DHCP-Transaction-Id = 1689444886
> DHCP-Number-of-Seconds = 0
> DHCP-Flags = 0

The broadcast flag isn't set. So the client is asking for a unicast response.

> (0) dhcp_sqlippool : expand: 'START TRANSACTION' -> 'START TRANSACTION'
> rlm_sql (sql): Executing query: 'START TRANSACTION'
> rlm_sql_oracle: execute query failed in sql_query: ORA-00900: invalid SQL statement

That needs to be fixed. I don't know much about Oracle, and I don't have an Oracle system running to test it.

> (0) DHCP: Reply will be sent unicast to your-ip-address
> Sending DHCP-Offer of id 64b2e216 to 10.99.0.11:68

You should be able to fix this by doing:

update reply {
        DHCP-Flags = Broadcast
}

Which will force the server to send a broadcast reply.

Alan DeKok.
Re: ippool-dhcp and Oracle
2013/3/24 Alan DeKok al...@deployingradius.com:
> Бен Томпсон wrote:
> > I began work on testing with Oracle but I have come across a couple of issues. Firstly one of my SQL statements is throwing up an error, and secondly the server is sending a unicast reply when I need a broadcast. I should be able to fix the dodgy SQL but I wondered if anyone could help me fix the broadcast/unicast problem. Here is the full debug :-
> > The debug log
> > Received DHCP-Discover of id 64b2e216 from 0.0.0.0:68 to 0.0.0.0:67
> > DHCP-Opcode = Client-Message
> > DHCP-Hardware-Type = Ethernet
> > DHCP-Hardware-Address-Length = 6
> > DHCP-Hop-Count = 0
> > DHCP-Transaction-Id = 1689444886
> > DHCP-Number-of-Seconds = 0
> > DHCP-Flags = 0
>
> The broadcast flag isn't set. So the client is asking for a unicast response.
>
> > (0) dhcp_sqlippool : expand: 'START TRANSACTION' -> 'START TRANSACTION'
> > rlm_sql (sql): Executing query: 'START TRANSACTION'
> > rlm_sql_oracle: execute query failed in sql_query: ORA-00900: invalid SQL statement
>
> That needs to be fixed. I don't know much about Oracle, and I don't have an Oracle system running to test it.
>
> > (0) DHCP: Reply will be sent unicast to your-ip-address
> > Sending DHCP-Offer of id 64b2e216 to 10.99.0.11:68
>
> You should be able to fix this by doing:
>
> update reply {
>         DHCP-Flags = Broadcast
> }
>
> Which will force the server to send a broadcast reply.
>
> Alan DeKok.

Hi Alan

Many thanks for the quick reply. The SQL statement START TRANSACTION looks to be hard coded into rlm_sqlippool.c but I don't know enough about Oracle either to say why it is flagged as an error. However from looking at the code I assume that it is supposed to signify the beginning of a batch of SQL statements which after execution will be either committed or rolled back. My guess would be that it is a redundant command as according to this page: http://stackoverflow.com/questions/1366851/how-do-i-find-out-if-an-oracle-database-is-set-to-autocommit - commit/rollback is a purely client side thing. So if a client says to Oracle "here are some statements which I will not commit straight away" I guess the server replies with "why are you telling me?". If I am right then, I guess we can just remove the START TRANSACTION statement for Oracle, but unfortunately I don't know enough myself to be sure. I do have access to an Oracle database though, so I am happy to do any testing, if someone else with more Oracle knowledge can advise what we should do.

The broadcast flag did the trick thanks. Here is the DHCP discover section I am using :-

dhcp DHCP-Discover {
        update control {
                Pool-Name := test_ip_pool
        }
        dhcp_sqlippool
        update reply {
                DHCP-Subnet-Mask = 255.255.255.0
                DHCP-Domain-Name-Server = 192.168.12.1
                DHCP-Router-Address = 10.99.0.1
                DHCP-IP-Address-Lease-Time = 300
                DHCP-DHCP-Server-Identifier = 10.99.0.100
        }
        if (DHCP-Gateway-IP-Address == 0.0.0.0) {
                update reply {
                        DHCP-Flags = Broadcast
                }
        }
}

However, it seems that none of the options are added to the reply, and for some reason an empty packet is sent to the client :-

Received DHCP-Discover of id 3f1a9769 from 0.0.0.0:68 to 0.0.0.0:67
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 0
DHCP-Transaction-Id = 1058707305
DHCP-Number-of-Seconds = 0
DHCP-Flags = 0
DHCP-Client-IP-Address = 0.0.0.0
DHCP-Your-IP-Address = 0.0.0.0
DHCP-Server-IP-Address = 0.0.0.0
DHCP-Gateway-IP-Address = 0.0.0.0
DHCP-Client-Hardware-Address = 00:0c:29:a6:a0:e7
DHCP-Message-Type += DHCP-Discover
DHCP-Parameter-Request-List += DHCP-Subnet-Mask
DHCP-Parameter-Request-List += DHCP-Broadcast-Address
DHCP-Parameter-Request-List += DHCP-Time-Offset
DHCP-Parameter-Request-List += DHCP-Router-Address
DHCP-Parameter-Request-List += DHCP-Domain-Name
DHCP-Parameter-Request-List += DHCP-Domain-Name-Server
DHCP-Parameter-Request-List += DHCP-Domain-Search
DHCP-Parameter-Request-List += DHCP-Hostname
DHCP-Parameter-Request-List += DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List += DHCP-NETBIOS
DHCP-Parameter-Request-List += DHCP-Interface-MTU-Size
DHCP-Parameter-Request-List += DHCP-Classless-Static-Route
DHCP-Parameter-Request-List += DHCP-NTP-Servers
Trying sub-section dhcp DHCP-Discover {...}
(0) group DHCP-Discover {
(0) - entering group DHCP-Discover {...}
(0) update control {
(0) } # update control = noop
(0) policy dhcp_sqlippool.post-auth {
(0) - entering policy dhcp_sqlippool.post-auth {...}
(0) update request {
(0) expand:
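The unicast-versus-broadcast decision discussed in this thread (Alan's point that DHCP-Flags = 0 means the client asked for a unicast reply, and the DHCP-Gateway-IP-Address check in the DHCP-Discover section above) as an added Python example. This is not code from the thread or from FreeRADIUS; it builds a constructed DHCPDISCOVER using the fixed BOOTP header layout from RFC 2131, decodes the flags field, and applies the RFC 2131 section 4.1 delivery rules (relay, unicast to ciaddr, broadcast, or unicast to yiaddr). Function and field names are my own; the transaction id and client MAC are copied from the debug output above, and 10.99.0.11 is the address from the DHCP-Offer line. The force_broadcast parameter models what `update reply { DHCP-Flags = Broadcast }` does to the server's choice.

```python
# Added example (not from the mailing-list thread or FreeRADIUS): decode the
# DHCP 'flags' field and apply the RFC 2131 section 4.1 rules that decide
# whether a DHCPOFFER goes to a relay, is unicast, or is broadcast.
import struct

BROADCAST_FLAG = 0x8000          # leftmost bit of 'flags' (RFC 2131, figure 2)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_discover(xid, chaddr, flags=0, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Encode a minimal DHCPDISCOVER: option 53 = 1 (Discover), then End."""
    header = HEADER.pack(
        1, 1, 6, 0, xid, 0, flags,
        ip_to_bytes(ciaddr), b"\0" * 4, b"\0" * 4, ip_to_bytes(giaddr),
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def parse_header(packet):
    """Decode the fixed header into a dict (options are not needed here)."""
    f = HEADER.unpack_from(packet)
    return {
        "op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3],
        "xid": f[4], "secs": f[5], "flags": f[6],
        "ciaddr": bytes_to_ip(f[7]), "yiaddr": bytes_to_ip(f[8]),
        "siaddr": bytes_to_ip(f[9]), "giaddr": bytes_to_ip(f[10]),
        "chaddr": f[11][: f[2]].hex(":"),
    }


def broadcast_requested(flags):
    """True when the client set the BROADCAST bit (FreeRADIUS: DHCP-Flags = Broadcast)."""
    return bool(flags & BROADCAST_FLAG)


def reply_destination(req, offered_ip, force_broadcast=False):
    """Where the server sends DHCPOFFER/DHCPACK (RFC 2131 section 4.1).

    force_broadcast models the unlang 'update reply { DHCP-Flags = Broadcast }'
    from the thread, which overrides the client's own flag.
    Returns (address, udp_port, mode).
    """
    if req["giaddr"] != "0.0.0.0":
        # Relayed request: answer the relay agent on the server port.
        return (req["giaddr"], 67, "relay")
    if req["ciaddr"] != "0.0.0.0":
        # Client already holds an address it can receive on (renewal).
        return (req["ciaddr"], 68, "unicast")
    if force_broadcast or broadcast_requested(req["flags"]):
        return ("255.255.255.255", 68, "broadcast")
    # Flags = 0 and no ciaddr: unicast to yiaddr, which the client does not own
    # yet, so the server has to address the frame to chaddr without ARP. This is
    # the "Reply will be sent unicast to your-ip-address" case in the debug log.
    return (offered_ip, 68, "unicast")


def demo():
    # Constructed packet; xid and MAC copied from the thread's debug output.
    pkt = build_discover(0x64B2E216, bytes.fromhex("000c29a6a0e7"))
    req = parse_header(pkt)
    plain = reply_destination(req, "10.99.0.11")
    forced = reply_destination(req, "10.99.0.11", force_broadcast=True)
    return req, plain, forced


if __name__ == "__main__":
    req, plain, forced = demo()
    print("xid=%08x flags=0x%04x chaddr=%s" % (req["xid"], req["flags"], req["chaddr"]))
    print("client flags honoured :", plain)
    print("DHCP-Flags = Broadcast:", forced)
```

The relay branch is why the config above only forces the broadcast flag when DHCP-Gateway-IP-Address is 0.0.0.0: a relayed request must be answered to the relay's address on port 67, and a forced broadcast there would never reach the client.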
Re: ippool-dhcp and Oracle
Бен Томпсон wrote:
> The SQL statement START TRANSACTION looks to be hard coded into rlm_sqlippool.c but I don't know enough about Oracle either to say why it is flagged as an error.

It's a configuration item. You can change it by editing the queries, and adding:

allocate-begin = ...
allocate-commit = ...
allocate-rollback = ...

They're not in the sample configuration, but those should work.

> However from looking at the code I assume that it is supposed to signify the beginning of a batch of SQL statements which after execution will be either committed or rolled back.

Yes.

> My guess would be that it is a redundant command as according to this page: http://stackoverflow.com/questions/1366851/how-do-i-find-out-if-an-oracle-database-is-set-to-autocommit - commit/rollback is a purely client side thing.

OK. In which case you may be able to set those strings to just .

> If I am right then, I guess we can just remove the START TRANSACTION statement for Oracle, but unfortunately I don't know enough myself to be sure.

Try it and see.

> The broadcast flag did the trick thanks. Here is the DHCP discover section I am using :-

Good, thanks.

> (0) DHCP: Reply will be broadcast
> Sending DHCP-Offer of id 3f1a9769 to 255.255.255.255:68
> (0) Finished request 0.

Hmm... it *should* be also printing out DHCP encoding DHCP-Offer, along with all of the DHCP options it's sending. I'll see if I have time to take a look.

Alan DeKok.
Failed to disconnect online user with custom table
Hi All,

I've developed an application which uses freeradius and uses coova as a captive portal. I use jradius to communicate with freeradius. Now, new users will be stored in my custom table (not in radcheck as default freeradius). Now I try to disconnect an online user (user: admin) with the command below:

sudo echo User-Name=admin | radclient -x localhost:3779 disconnect testing123

but I get no response, like below:

Sending Disconnect-Request of id 251 to 127.0.0.1 port 3779
        User-Name = admin
Sending Disconnect-Request of id 251 to 127.0.0.1 port 3779
        User-Name = admin
Sending Disconnect-Request of id 251 to 127.0.0.1 port 3779
        User-Name = admin
radclient: no response from server for ID 251 socket 3

I tried to check port 3779 with netstat, but the system is not listening on that port. Any suggestion how to solve this problem?

Thanks

--
M.Iftakhul Anwar
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)
Office Phone : 021-93586577
Mobile Phone : 085215331477
Blog : http://blog.mervpolis.com/roller/anwar
FB : http://www.facebook.com/troya.adromeda
Website : www.meruvian.org
Re: ippool-dhcp and Oracle
2013/3/25 Alan DeKok al...@deployingradius.com:
> Бен Томпсон wrote:
> > The SQL statement START TRANSACTION looks to be hard coded into rlm_sqlippool.c but I don't know enough about Oracle either to say why it is flagged as an error.
>
> It's a configuration item. You can change it by editing the queries, and adding:
>
> allocate-begin = ...
> allocate-commit = ...
> allocate-rollback = ...

Thanks again for the info. I have figured it out now, and after looking at the queries.conf for the standard sqlippool module added this to my queries.conf :

# Commit anything outstanding before beginning a new batch of transactions
allocate-begin = COMMIT
start-begin = COMMIT
alive-begin = COMMIT
stop-begin = COMMIT
on-begin = COMMIT
off-begin = COMMIT

I also pulled the latest git commit this morning and now I have a couple of new errors :-

(0) dhcp_sqlippool : expand: 'SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < CURRENT_TIMESTAMP AND ROWNUM = 1 ORDER BY CASE WHEN username = '%{User-Name}' THEN 0 ELSE 1 END, CASE WHEN callingstationid = '%{Calling-Station-Id}' THEN 0 ELSE 1 END, expiry_time FOR UPDATE' -> 'SELECT framedipaddress FROM radippool WHERE pool_name = 'test_ip_pool' AND expiry_time < CURRENT_TIMESTAMP AND ROWNUM = 1 ORDER BY CASE WHEN username = 'DHCP-00:0c:29:a6:a0:e7' THEN 0 ELSE 1 END, CASE WHEN callingstationid = '00:0c:29:a6:a0:e7' THEN 0 ELSE 1 END, expiry_time FOR UPDATE'
rlm_sql (sql): Executing query: 'SELECT framedipaddress FROM radippool WHERE pool_name = 'test_ip_pool' AND expiry_time < CURRENT_TIMESTAMP AND ROWNUM = 1 ORDER BY CASE WHEN username = 'DHCP-00:0c:29:a6:a0:e7' THEN 0 ELSE 1 END, CASE WHEN callingstationid = '00:0c:29:a6:a0:e7' THEN 0 ELSE 1 END, expiry_time FOR UPDATE'
rlm_sql_oracle: OCIDefineByPos() failed in sql_select_query: ORA-24424: Invalid attempt to define at position 0
rlm_sql (sql): Database query error 'ORA-24424: Invalid attempt to define at position 0 '
sqlippool_query1: database query error
(0) dhcp_sqlippool : expand: 'COMMIT' -> 'COMMIT'
rlm_sql (sql): Executing query: 'COMMIT'
(0) dhcp_sqlippool : escape: 'test_ip_pool' -> 'test_ip_pool'
(0) dhcp_sqlippool : expand: 'SELECT id FROM (SELECT id FROM radippool WHERE pool_name = '%{control:Pool-Name}') WHERE ROWNUM = 1' -> 'SELECT id FROM (SELECT id FROM radippool WHERE pool_name = 'test_ip_pool') WHERE ROWNUM = 1'
rlm_sql (sql): Executing query: 'SELECT id FROM (SELECT id FROM radippool WHERE pool_name = 'test_ip_pool') WHERE ROWNUM = 1'
rlm_sql_oracle: OCIDefineByPos() failed in sql_select_query: ORA-24424: Invalid attempt to define at position 0
rlm_sql (sql): Database query error 'ORA-24424: Invalid attempt to define at position 0 '
sqlippool_query1: database query error

I am not sure what is happening here so I will have to do some reading.