Re: Case statement error

2013-10-14 Thread A . L . M . Buxey
Hi,

   Ah... a fix wasn't pulled over from v3.0.x to master.  I've just done
 that now.

server now starts with such switch/case config present. cheers!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Username format

2013-10-14 Thread A . L . M . Buxey
Hi,

Does FreeRADIUS give a fig about what the username is? If it were all
numeric, say 123456789 I guess it is happy with that? It's just a string
to FreeRADIUS?

FreeRADIUS is just a RADIUS server...and hence any decisions made by it are
all down to defined policies. so if you have a policy that cares about username
format, case sensitivity etc...or have a backend that has such feelings and
emotions, then you will find out :-)

alan


Re: Case statement error

2013-10-13 Thread A . L . M . Buxey
Hi,

this error is also present with 3.1.0 when using the provided
originate-coa virtual server - so it's reproducible with a minimally
adjusted configuration (just drop originate-coa from sites-available
to sites-enabled)


alan


Re: clone break freeradius

2013-10-11 Thread A . L . M . Buxey
hi,

you must ensure you 'sign out' of the AD before you clone as otherwise
both objects are the same...and, as you have found, doing something
with the clone breaks the first server.  or just don't bind to the AD before
cloning.

to fix, you need to ensure that both machines have their own identity (eg
/etc/hosts and $HOSTNAME all refer to a unique name per machine) and that
there is nothing in the AD referencing either system.  THEN net ads join
each box...but this isn't a freeradius question.

alan


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread A . L . M . Buxey
Hi,

I've installed oracle instant client from rpm packages (basic + devel)

okay. if you've done this rather than manually installing from Oracle then
it's most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead

alan


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
 unblocked for request 47516341
 
 ...since the return of our students this year.
 
 I am 99% sure this is ntlm_auth being slow, and I have a strong
 suspicion this is related to some changes in our AD infrastructure
 over the summer.

I've contacted our AD guys about a couple of tweaks they can do for 'legacy'
authentications (as microsoft call it) - but I'm also looking at 
samba4 - as it has a new option that will balance ntlm_auth against
all known boxes rather than the first box it latches onto - to spread
the load.

I'm also now getting suspicious about a couple of tuesday patches
that got deployed over summer...

(we're also thinking about EAP-TLS again ;-) )

alan


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Any chance you can point me in the direction of these?

here's one:

http://support.microsoft.com/kb/2688798

 Semi-related, but to my annoyance we're seeing rather less SSL
 resumption than I would expect, given that iOS and Android both do
 it by default.

Cisco wireless problem?


there's got to be something messing us up here as we are using the
same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent
clients as at the end of the last academic year (around 8k) and
we didn't have this number of those errors then

alan


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Samba 4 is lurvely... apparently 100% compatible with existing AD 
 installations, although, as always, it's a bit finicky and info is a bit thin 
 on the ground (and I've not written up a guide when I set my test environment 
 up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on 
 RHEL/CentOS as a package.

it can also BE an AD master etc.  anyway, you don't know how tempting
it was to yum install samba4 on our production system  ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in
this sort of context

alan


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread A . L . M . Buxey
Hi,

 Just got a wee bit of trouble linking in  the talloc libraries, but I'm sure 
 its not insurmountable

Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
present  - you
should have been compiling it before the official release ;-)

alan


Re: FR3 Debugging Switches

2013-10-09 Thread A . L . M . Buxey
Hi,

 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.
 
   # radiusd -fxx -l stdout

yep. if you try 'radiusd -X' it will tell you to run it like that.

   # radiusd -fXx -l stdout
   # ./sbin/radiusd -Cfxx -l stdout

single thread methods won't work with RadSec being present.

the docs probably need a slight update with the presence of TLS

alan


Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread A . L . M . Buxey
Hi,

 if (Service-Type == NAS-Prompt-User) {
   if (NAS-IP-Address =~ /^172\.17\.107\./) {
     if (User-Name =~ /^wisms\-testing/) {
       update control {
         Auth-Type := Accept
       }
     }
   }
 }

ouch do you realise how dangerous that is?  there
should be no need to send an access accept packet back
to these probes - a reject should suffice - and that would stop
an end user subverting your system by simply using
that UserName (if they are using wpa_supplicant they could
add that NAS-Prompt-User attribute)

alan


Re: What does FR 2.2.2 fix?

2013-10-07 Thread A . L . M . Buxey
Hi,

   If everyone's in favor, I'll release 2.2.2 on Monday.

hold request


now it's monday AM and the load has gone back to higher levels...
the server is freaking out and freezing with the last message in
the log being


Mon Oct  7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed


(that's it...no other output - the server needs a restart, it doesn't process
anything else once it hits this error)

alan


Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread A . L . M . Buxey
Hi,

 We're finding these nuggets of code as we dig deeper into James's
 legacy config. If the Access-Accept response is not required, then
 presumably I can ditch that entire code block and let the
 wisms-testing auth attempt go through the system as any other user.

yes...but you'd be better off just sending an immediate Access-Reject,
or these probes go through your whole config and hit your backend authentication
servers for no reason.

alan


Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread A . L . M . Buxey
Hi,

 Well you want the probes to go through and hit your backend authentication
 servers, and your databases, and any external resource.

..and get a valid user with access accept?  bad. you are better off just
sending a reject - just like RADIUS status server probes.  it would be nice
if the WISM would do proper RADIUS status-server probes instead...but since
cisco want you to buy ACS/ISE and that doesn't do nice things - then I guess
we can live in hope

- after all, if you were REALLY going to validate what the WISM and RADIUS
server can do, you'd want your status check to go through your remote RADIUS
server proxies...as the user might be a visitor or from some 3rd party org that
you peer with - then we get into the whole business of the status probes being
more intelligent with multiple realms etc etc... this is WAY off topic now ;-)

alan
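The approach alan recommends across these three replies, written out as an added example (this is not code from the thread or from the FreeRADIUS project): match the controller's probe in the authorize section and answer it with an immediate Access-Reject instead of forcing Auth-Type := Accept. The client short names "wism-a"/"wism-b" and the "wisms-testing" username pattern are assumptions; use the names from your own clients.conf.

```unlang
# authorize section of the virtual server (FreeRADIUS 2.x unlang).
# Assumed values: the WLC/WiSM controllers are defined in clients.conf with
# short names "wism-a" and "wism-b", and their probes carry the
# "wisms-testing" User-Name. Client-Shortname is derived from clients.conf,
# so unlike Service-Type or User-Name it cannot be chosen by an end user.
if (Service-Type == NAS-Prompt-User) {
        if ((Client-Shortname == "wism-a") || (Client-Shortname == "wism-b")) {
                if (User-Name =~ /^wisms\-testing/) {
                        # Answered straight away: nothing is proxied, no
                        # backend (LDAP/SQL/AD) is consulted, and the result
                        # can never be an Access-Accept.
                        update reply {
                                Reply-Message := "reachability probe rejected"
                        }
                        reject
                }
        }
}
```

A user who sets Service-Type and the probe username in wpa_supplicant gains nothing from this block: the only outcome it can produce is a reject before any backend is touched, which is exactly the property the original Auth-Type := Accept version lacked.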


Re: What does FR 2.2.2 fix?

2013-10-06 Thread A . L . M . Buxey
Hi,

   More debug output would help.  The last patch came from output sent by 
 Stefan. The patch seems to help. But there's an underlying issue which is 
 harder to debug.  It looks like a Linux specific IPv6 problem.  I don't see 
 any issue with v4. 

interesting...the culprit may have been found. put HEAD onto server this
afternoon...the logs had plenty of core messages but look

Sun Oct  6 15:13:55 2013 : Error: WARNING: Unresponsive child for request 
1821224, in component core module thread
Sun Oct  6 15:13:56 2013 : Error: WARNING: Unresponsive child for request 
1821229, in component core module thread
Sun Oct  6 15:13:56 2013 : Info: WARNING: Child is hung for request 1821224 in 
component core module thread.
Sun Oct  6 15:13:57 2013 : Info: WARNING: Child is hung for request 1821229 in 
component core module thread.
Sun Oct  6 15:13:58 2013 : Info: WARNING: Child is hung for request 1821224 in 
component core module thread.
Sun Oct  6 15:13:58 2013 : Info: WARNING: Child is hung for request 1821229 in 
component core module thread.
Sun Oct  6 15:14:00 2013 : Info: WARNING: Child is hung for request 1821224 in 
component core module thread.
Sun Oct  6 15:14:00 2013 : Info: WARNING: Child is hung for request 1821229 in 
component core module thread.
Sun Oct  6 15:14:03 2013 : Info: WARNING: Child is hung for request 1820598 in 
component core module thread.
Sun Oct  6 15:14:04 2013 : Info: WARNING: Child is hung for request 1821224 in 
component core module thread.
Sun Oct  6 15:14:04 2013 : Info: WARNING: Child is hung for request 1821229 in 
component core module thread.
Sun Oct  6 15:14:09 2013 : Info: WARNING: Child is hung for request 1821224 in 
component core module thread.
Sun Oct  6 15:14:09 2013 : Info: WARNING: Child is hung for request 1821229 in 
component core module thread.

Sun Oct  6 15:14:18 2013 : Info: Ready to process requests.

no 'bad logs' since that restart logged.

clarification/agreement from Stefan or others?

alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi,

a couple of logic issues that meant case/switch and if() worked differently
to 2.x - that's been fixed. ..and an issue if your server does a lot of proxying
work - in which worker threads aren't dealt with properly - your log file
will be full of core and module messages if you are being hit. this *MIGHT*
be fixed in HEAD. we are testing at the moment (looking good). if you aren't
doing the former and not hit by the latter you don't need to worry.


alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi,

 If I asked particularly nicely, and promised you a beer at the next 
 networkshop
 we were both in attendance at, would you be willing to try git head?

I'll take the beer - am running HEAD since last night on one server :-)
(as I said to Alan, I'll report at end of day)

alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi

early report :(


2.2.2 HEAD still showing:

Fri Oct  4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:20:47 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:20:51 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:20:52 2013 : Info: WARNING: Child is hung for request 3766906 in 
component core module thread.
Fri Oct  4 13:20:56 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:21:03 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:21:15 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:21:17 2013 : Info: WARNING: Child is hung for request 3766906 in 
component core module thread.
Fri Oct  4 13:21:32 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:21:57 2013 : Info: WARNING: Child is hung for request 3767589 in 
component core module thread.
Fri Oct  4 13:27:32 2013 : Info: WARNING: Child is hung for request 3797280 in 
component core module thread.
Fri Oct  4 13:27:40 2013 : Info: WARNING: Child is hung for request 3797280 in 
component core module thread.
Fri Oct  4 13:27:51 2013 : Info: WARNING: Child is hung for request 3797280 in 
component core module thread.

alan
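The "Child is hung" and "Unresponsive child" warnings in this report and in the 2013-10-06 one above are easier to read once grouped per request id: one request id repeating for minutes means a worker is stuck on a single request, while many different ids in a short burst is plain overload. The script below is an added example (not a FreeRADIUS tool); its sample lines are constructed in the shape of the warnings quoted in the thread, and the 60 second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the 'Child is hung' / 'Unresponsive
# child' warnings quoted in the thread (not copied from a real server).
SAMPLE_LOG = """\
Fri Oct  4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:52 2013 : Info: WARNING: Child is hung for request 3766906 in component core module thread.
Fri Oct  4 13:21:57 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:27:32 2013 : Error: WARNING: Unresponsive child for request 3797280, in component core module thread
Fri Oct  4 13:28:00 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
Fri Oct  4 13:30:00 2013 : Info: Ready to process requests.
"""

# Matches both warning shapes; the day column is space-padded in the log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : \w+: WARNING: "
    r"(?:Child is hung|Unresponsive child) for request (?P<req>\d+),? "
    r"in component (?P<comp>\S+) module (?P<mod>\S+?)\.?$"
)


def parse_ts(text: str) -> datetime:
    """Parse the syslog-style timestamp, collapsing the padded day column."""
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")


def summarize(log_text: str) -> dict:
    """Group hung/unresponsive warnings by request id.

    Returns {request_id: {"count", "first", "last", "where"}} so an operator
    can tell one worker stuck on a single request from a burst spread over
    many different requests."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        entry = stats.setdefault(
            m["req"],
            {"count": 0, "first": ts, "last": ts, "where": f"{m['comp']}/{m['mod']}"},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats


def stuck_requests(stats: dict, min_seconds: int = 60) -> list:
    """Request ids whose warnings span at least min_seconds (assumed
    threshold): the ones worth pulling full debug output for."""
    return sorted(
        req for req, s in stats.items()
        if (s["last"] - s["first"]).total_seconds() >= min_seconds
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for req, s in sorted(stats.items()):
        span = int((s["last"] - s["first"]).total_seconds())
        print(f"request {req}: {s['count']} warnings over {span}s in {s['where']}")
    print("stuck:", stuck_requests(stats))
```

Feed it the real radius.log with `summarize(open(path).read())`; the "where" field (component/module) tells you which section to look at with radiusd -X.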


Re: radwho not working

2013-10-03 Thread A . L . M . Buxey
Hi,
 I would like to display the active Radius connections.  When I run radwho I 
 get the following results (showing nothing but the titles) even though I know 
 I have an active connection:

using the utmp/wtmp modules?  what does your FreeRADIUS debug show when
someone logs in?

alan


Re: Running RADIUS in permanent debug mode with rotating log

2013-10-03 Thread A . L . M . Buxey
Hi,

this is the FreeRADIUS list, not a general Linux list - I'd suggest looking at
some guides for the EXACT thing you need eg

http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/

(and ensure your escape quotes are the right way around)

alan


Re: radwho not working

2013-10-03 Thread A . L . M . Buxey
Hi,

 I am not blaming, I am just wanting to get the radwho command to work.  I 
 have now turned on accounting info to be sent from the StrongSwan server to 
 the FreeRadius server.  For I can see the accounting info in 
 /var/log/radius/radacct/IP_Address/detail-20131003 file.  However I am 
 still getting the same results with the radwho command, showing just the 
 titles, with no connections?

same response - output of radiusd -X please


alan


Re: control flow in FreeRADIUS authorize section

2013-10-02 Thread A . L . M . Buxey
Hi,

   A simple thing:
 
 
   infected case
   update control {
   Tmp-String-0 := stop
   }
   ...
 
 
 
 
   if (Tmp-String-0 != stop) {
   BUNCH OF UNLANG CODE
   }
 
   That should work.  Ugly, but functional.

this is pretty much what I was going to suggest. ugly, yes. but sometimes
simple is best. and it's much easier for a non unlang'y person to understand
the logic! :)

alan


Re: how to change the radius default testing123 password

2013-10-02 Thread A . L . M . Buxey
Hi,

 Thanks for your reply.  However, I have already changed the instances of the 
 password testing123 in the following files:

if you are dealing with a shared secret between a NAS and the FreeRADIUS
server, there are only 2 things to configure

1) the shared secret on the NAS - I would guess this is strongswan.conf for you

2) the shared secret in the clients.conf file - this is what's used to reference
the incoming request from the NAS


all other parts are system components eg proxy.conf has a default internal one
- and if you were proxying to OTHER RADIUS servers, then you would change their
entries IF you had set them to testing123 - most people wouldn't - they would
use their own choices.

of course, when things go wrong, run in full debug mode and see what's printed
out when you connect via the NAS

alan


Re: No EAP session matching the State variable (and other various messages)

2013-09-30 Thread A . L . M . Buxey
Hi,

 Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session
 matching the State variable.
 Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for
 request 782076 in component authenticate module peap.
 Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate
 request from client resnet1-WiSM-A port 32770 - ID: 126 due to
 unfinished request 187554
 Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting
 packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to
 recent request 207181.

 Any one have any similar battle scars that I can learn from (server
 performance tweaks, optimizations, etc?). I've optimized as best I
 can the SQL component. This all seems related to the
 samba/winbind/ntlm_auth.

we are always in a battle with performance and load. you've already had a pretty
good description of what the messages mean but I can offer another possible
cause - in the PEAP module hang - I would suspect that you have the MSCHAP retry
password option set? if so, you're waiting for the user to get around to
typing in their details again...and again and again as they get it wrong
or typo-fixed by their smartphone or tablet.  we see similar messages
at busy times of new devices (like start of year)

alan


Re: LDAP password in log files

2013-09-30 Thread A . L . M . Buxey
Hi,

 Is there any way to prevent FreeRadius from showing the password in
 logs (debug logs) when authentication is done via LDAP?

don't run in debug mode. debug mode is there for a reason - to debug
problems. verify if things like passwords are correct. look at the mailing list
archive - this question comes up each month.  if you don't want passwords
to be printed, edit the source code to change the function.

alan


Re: Windows Phone CA verification debugging

2013-09-16 Thread A . L . M . Buxey
Hi,

encountering some issues with those (yet quite rare) people with Windows
Phone 8 (WP8) systems. WP8 devices are able to connect without (any) CA or
common name verification, but seem to fail when I let them check the CA by
choosing it from the device's CA store. (As usual), the client-side error
message is not helpful at all (it fails to connect without any error message).

we've had no problems with self-signed CA or with 3rd party CA and standard
RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point)
URL defined. that can either be at CA level or RADIUS level - or both.

eg

crlDistributionPoints = URI:http://yoururl.here/ca.crl

in the server extensions.

the HEAD for 2.2.x and 3.x FreeRADIUS has the required change to the certificate
generating code for this if you want to check/validate/verify

alan


Re: Last call for Version 2.2.1

2013-09-16 Thread A . L . M . Buxey
Hi,

..so many new features... thought 3.x was where the new features and dev work 
was going into ;-)

PS has anyone tested it with MariaDB? Wondering if it's 100% drop-in compatible?
(I'm postgres myself but looks like MySQL is dying)

alan


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi,

Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

that's okay. means you couldn't do PAP and only MSCHAPv2 worked. expected for
that command.

In this Step, i must edit the following line with this text in the file:
/etc/freeradius/modules/mschap
 
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
 
But my default commented ntlm_auth looks like this:
 
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

the docs and default values have separated over time.

In my default ntlm_auth, the option
--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should i add it?

depends on what you want to do and need to do. do you TRUST your clients to be
sending the correct domain?  I don't...so I've set the domain manually.

$ radtest -t mschap bob hello localhost 0 testing123

First Line:
bob Cleartext-Password := hello

what's the users file got to do with anything? if you have clashing usernames
you will have a few problems. I expect you are trying to test your AD? the
radtest failed due to incorrect password, ie the AD is not bob/hello

I'd recommend using 'eapol_test' for better/advanced testing - it's part of the
wpa_supplicant package.

@Mathieu
Is there a current RADIUS-book that you can recommend?

FreeRADIUS for beginners is a good current book

alan


Re: Debugging No EAP session matching the State variable

2013-09-16 Thread A . L . M . Buxey
Hi,

 Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session
 matching the State variable.

turn on full debug for just a single User-Name or Calling-Station-Id
(check radmin docs). what are your authentication clean-up/tidy-up times -
as if the clients don't respond then the session is cleared away and so
no matching state/session will be found.  also, what clients are
these? Android, for example, has an annoying thing where 802.1X
networks that have credentials stored need the credential store to be unlocked
before they'll authenticate to that 802.1X network again.

also, check your wireless domain. find some of these clients (CSI) on
your wireless management dashboard and find out what their relationship with
nearest APs is - they could be being mobile between APs in a nasty way
or during authentication so a packet or 2 is missing. remember, with eg 802.1X
and PEAP you've got 11 packets or more to be shunted over wireless (and UDP!)
for an authentication. if you've allowed clients to join to APs at really
low rates and borderline connections, this can cause grief.

alan


Re: Debug show cleartext password

2013-09-11 Thread A . L . M . Buxey
Hi,

i am getting a problem on Freeradius installed on CentOS. When i set the
service Radiusd in debug mode and send an access request (default type
PAP) through Radtest the debug shows the password in cleartext.
Is there an option not to show the field User-Password in cleartext?

debug shows all. the RADIUS server knows all. the point of debug is to
debug...and you might have eg an incorrect password. this question is asked
frequently - a quick look at mailing list history would show you...and the
answer is no. don't run in debug if you don't want to see debug.

alan


Re: Debug show cleartext password

2013-09-11 Thread A . L . M . Buxey
Hi,

 no. I guess we should do something with it to make it FIPS compliant but it's 
 not a big priority.  You're welcome to submit a patch.

..you mean sniffable by NSA? it passes that requirement already ;-)

alan


Re: [ANN] Version 3.0.0-rc1

2013-09-09 Thread A . L . M . Buxey
Hi,

  mv raddb raddb-noinst
  mkdir raddb
  touch raddb/all.mk
  make install

do 'mkdir raddb/mods-config' 

you've 'messed around' with the configuration directory which assumes
that mods-config exists... i guess that could be fixed to make the
directory first if it doesn't exist.

alan


Re: problem with initial setup solved

2013-09-09 Thread A . L . M . Buxey
Hi,
NEVER

agreed. still a useful reference.

alan


Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread A . L . M . Buxey
Hi,

 If you think that sucks, wait till you see the horrible things you have to do
 to generate a .mobileconfig without access to an OSX server license.

what, download the iPhone Configuration Utility?  yes, quite horrible ;-)

alan


Re: Troubleshooting PostgreSQL Integration

2013-08-27 Thread A . L . M . Buxey
hi,

yes, it was received...over a bank holiday weekend. not surprised
you didn't get an answer...we were all enjoying the break.

the DB seems to be loading up and being connected to (and you can
check this with logging on the pgsql server...) however, THIS bit
is your problem


rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  -
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [radiususer/radiususerPW] (from client MY.PUBLIC.IP.ADDRESS port 
1812)


a blank expansion for the SQL query - what have you done to the dialup.conf
file in the postgres directory of the sql directory??

you can edit sql.conf to enable the SQL trace file to see what's going on too


alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
Hi,

I'm trying to setup a very basic test server using FreeRADIUS (running on
Ubuntu 12.04) that uses PEAP with the example certificates generated by
FreeRADIUS.

out of the box, freeRADIUS works - for testing you just need
to add your user/pass to the 'users' file and your NAS to the clients.conf

alan


Re: Rejecting realms based on calling client

2013-08-15 Thread A . L . M . Buxey
Hi,

 Initially FreeRadius would not start and I did get an error indicating
 that the remote_secret_reject module failed to load. There was no reason
 given even with -XXX. I found since then that I was missing a brace.
 
 Now I can get FreeRadius to start. I still seem to be missing something
 though, since my policy does not work. Here it is:
 
 remote_secret_reject {
   if ((Realm == secret.campus.ca) && ((Client-Shortname == proxy1.net)
       || (Client-Shortname == proxy2.net))) {
     reject
   }
 }

radiusd -X

it will show the logic, the variables and the result. you can then see why
things aren't working

alan


Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread A . L . M . Buxey
hi,

check permissions/owner etc of /etc/freeradius and the contents

alan


Re: Multiple policy files

2013-08-09 Thread A . L . M . Buxey
Hi,

 Thanks for this. So you're saying that there can only be one policy
 {} section in the whole server, and if I wish to load two sets of
 policies I will have to merge the two files?

each policy has its own name/tag - in FR 3, there is a policy.d directory
in which policy files get put...each containing names/actions.
(all in unlang)

alan


Re: Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)

2013-08-07 Thread A . L . M . Buxey
Hi,

peap {
  default_eap_type = mschapv2
  proxy_tunneled_request_as_eap = yes
  copy_request_to_tunnel = no
  use_tunneled_reply = yes
  tls = eduroam-eap-tls
}

okay


  Any request that tries to go to the proxy causes this to happen:
  Wed Aug  7 11:57:35 2013 : Debug: (5)   - entering if 
 (%{FreeRADIUS-Proxied-To} == 127.0.0.1)  {...}
  Wed Aug  7 11:57:35 2013 : Debug: (5)update control {
  Wed Aug  7 11:57:35 2013 : Debug: (5)   Proxy-To-Realm := idpi
  Wed Aug  7 11:57:35 2013 : Debug: (5)} # update control = ok
  Wed Aug  7 11:57:35 2013 : Debug: (5)   - if (%{FreeRADIUS-Proxied-To} == 
 127.0.0.1)  returns ok
  Wed Aug  7 11:57:35 2013 : Debug: (5)... skipping else for request 5: 
 Preceding if was taken
  } # server eduroam_idp
  Wed Aug  7 11:57:35 2013 : Debug: (5) eap_peap : Got tunneled reply code 0
  Wed Aug  7 11:57:35 2013 : Debug:   PEAP: Tunneled authentication will be 
 proxied to idpi
  Wed Aug  7 11:57:35 2013 : Info: talloc: access after free error - first 
 free may be at src/main/util.c:230
  Wed Aug  7 11:57:35 2013 : Info: Bad talloc magic value - access after free

this sample doesn't show enough of the process..

how did you configure the server...from scratch or copy-pasting bits over from
a 2.x ?
does this 'eap' module use its own virtual_server or does it inherit the
virtual_server that instigated it (you have no 'virtual_server = blah' line in
your peap{} section...so i assume it's using the eduroam_idp VS for the
unwrapping?)


alan


Re: How to store session info in external database?

2013-08-06 Thread A . L . M . Buxey
Hi,

Hi, I would like to store freeradius session information like
Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in external
database.

the default config does this - you just need to edit the SQL module to
be appropriate to your database (and have a DB you can write to!) and then
use the 'sql' option in the accounting section (that's the section that will have
those details as they are in RADIUS Accounting packets).
 
accounting {
#   sql
}

look. there.


to optimise you might then want to look at other virtual servers to do this
stuff like bufferedsql or the remote accounting proxy one...and then make sure
your DB is optimised...both running environment (memory allocation, disk
platters etc), the table indexes and the DB engine used for the tables.

alan


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread A . L . M . Buxey
Hi,

 I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
 Should this version support it or not?

no, it won't support it. you need the latest code from the GIT to use that
feature.

alan


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread A . L . M . Buxey
Hi,

 Is there any other flag/function that would indicate that an
 Access-Challenge packet was received from the NAS?

don't know...I have the following on a 2.2.0 box in the authenticate section:

if (handled && (Response-Packet-Type == Access-Challenge)) {
	attr_filter.access_challenge.post-auth
	handled  # override the updated code from attr_filter
}


note the (Response-Packet-Type == Access-Challenge) bit.

what does your debug show you?

alan


Re: I don't want to see clear text password in debug mode

2013-08-06 Thread A . L . M . Buxey
Hi,

My password is encrypted with MD5 but it can be seen in the debug screen.
Is there any way to disallow or masquerade the user's password in debug
mode ???

it's debug mode. the entire purpose is to ensure that things are
what they appear to be and silly things like 'it doesn't work!' are
found to be your password handling etc.  the server knows the password
if you are dealing with PAP or MD5 etc etc - that's the nature of such
a server.  why are you running in debug mode? you shouldn't for production
systems - the server sees the same sorts of logs as other daemons - if
you don't run mailservers or web servers in full debugging mode you wouldn't
know that.  if you really don't like it then you can edit the source code
to replace the print function with eg ***obfuscated*** or such
and then hope that you never need to work with some obscure issue.
you might also want to check what logging/detail logging you have on.
a server can be configured to log good passwords to file and the detail.log
module will be slapping the password into auth_log files if not told not to.

this is also why you should be moving away from such passwords - challenge
response style passwords won't give you this issue.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread A . L . M . Buxey
Hi,

  User-Password = \334a\004\305\355x\321\332G\306\362b\226~\355+

that line... and the following in the debug:

Fri Aug  2 16:45:38 2013 : Debug:   WARNING: Unprintable characters in the
password.  Double-check the shared secret on the server and the NAS!

are quite clear. incorrect shared secret.

ensure that your server has an entry for your remote system in the clients.conf
file and that you are using the correct shared secret on the radtest command 
line.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
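The mechanism behind that warning, as an added example that is not from the post above: a NAS hides a PAP User-Password per RFC 2865 section 5.2 by XOR-ing it with MD5(secret + Request-Authenticator), so a server holding a different secret recovers bytes that are mostly unprintable. The secret and Request-Authenticator used here are constructed, and `has_unprintable` approximates the server's sanity check rather than quoting its code.

```python
# Added example (not from the list post): why a wrong shared secret shows up as
# "Unprintable characters in the password" in the FreeRADIUS debug output.
#
# RFC 2865 section 5.2: the NAS XORs each 16-byte block of the padded password
# with MD5(secret + Request-Authenticator) for the first block and
# MD5(secret + previous ciphertext block) for later blocks. A server configured
# with a different secret derives a different keystream and "recovers" bytes
# that are effectively random, so most fall outside printable ASCII.
import hashlib


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a NAS does (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    # Pad with NULs up to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # later blocks are chained on the previous ciphertext block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the server does, with *its* configured secret."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """Approximation of the server's check: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in password)


def diagnose(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    """What the server would conclude about a received User-Password."""
    recovered = decode_user_password(encoded, secret, authenticator)
    if has_unprintable(recovered):
        return "unprintable: double-check the shared secret on the server and the NAS"
    return "printable"


# The value quoted in the post, converted from its octal escapes:
#   \334a\004\305\355x\321\332G\306\362b\226~\355+
POST_PASSWORD = b"\xdca\x04\xc5\xedx\xd1\xdaG\xc6\xf2b\x96~\xed+"

if __name__ == "__main__":
    # Constructed sample values; a real Request-Authenticator is random per request.
    auth = bytes(range(16))
    nas_secret = b"testing123"
    wire = encode_user_password(b"letmein", nas_secret, auth)
    print(diagnose(wire, nas_secret, auth))   # printable
    print(diagnose(wire, b"wrong-secret", auth))
    print(has_unprintable(POST_PASSWORD))     # True
```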


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 file users:
 
 DEFAULT Ldap-Group == 
Huntgroup-Name == 

multiple lines? the first line is CHECK items. other lines are REPLY items

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 It was my mistake, when i was testing.
 
 Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
 Still not working as i want.

output? 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,
 Here comes:
 
 rlm_ldap::ldap_groupcmp: User found in group 

radiusd -X


it's what the docs say. for a reason

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Secure tunnel to freeradius

2013-08-05 Thread A . L . M . Buxey
Hi,

We have a supplicant that is our own box doing client 802.1x
authentication using freeradius. We do not establish a TLS/IPSec
connection between the supplicant and freeradius. We need to establish a
secure channel between the supplicant and freeradius.

NAS or supplicant?  a supplicant never talks to the RADIUS - it's all done
via the NAS.

there are plenty of options open to you - you already have thought about one
method - use a VPN (DTLS/IPsec based... up to you) to tunnel the RADIUS through.

or, if the NAS can do it, think about RADSEC - FreeRADIUS 3 supports
RADSEC and it's the way to go unless you want to forget RADIUS and use DIAMETER
instead.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Secure tunnel to freeradius

2013-08-05 Thread A . L . M . Buxey
Hi,
Does freeradius support RFC 6614 for the same?

'tls' virtual server in HEAD version of FreeRADIUS (currently version 3 in beta)

if you NEED to stick to FreeRADIUS 2.x (as you 'need' to secure) - then
RADSECProxy can be put in as a bridge between your remote and the FR instance

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different authentication based by SSID

2013-08-05 Thread A . L . M . Buxey
Hi,

In that situation I need to have active, both sql and ldap, authorization
modules in inner-tunnel. So users, who should identify by login/pass in
guest SSID, can be authenticated via inner-tunnel ldap module. I don't want
this.

use whatever you want to use. what do you use now?  all you need to do is
distinguish between the two types of requests. and handle them how you want.
will the guest SSID be 802.1X? if so, inner-tunnel is available by default
(as that's used for EAP) - if not, then you won't configure anything in there.

each SSID will be presented to your RADIUS server with particular
attributes... you will be able to use those to decide what to do eg

if ("%{whatever-attribute}" =~ /sometext/) {
        ldap
}
else {
        sql
}


that sort of thing.   and to be honest. you WILL need some decent data source
for advancing your RADIUS into something scalable and usable... ie SQL or LDAP -
sticking with a flat users file will end up with tears in most systems.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread A . L . M . Buxey
Hi,

I was thinking this should be easy, but it's been two weeks and I give
up...

well, depends how you do it... if you do it easy it is easy, no?

users file

abc     Cleartext-Password := "xyz", NAS-Identifier == "staff"
        Reply-Message = "Welcome on-board staff member"


don't forget, if this is 802.1X etc then your users won't see the
reply-message... so don't rely on it for telling them things!


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate against one module, if fail attempt authentication against another

2013-07-29 Thread A . L . M . Buxey
Hi,

If the user authenticates against to radius server and fails NTLM_AUTH,
the request will then be authenticated against PAM and if it still fails
it will be rejected.

use a bit of the unlang construct with the failover method.

http://wiki.freeradius.org/config/Fail%20over


so, try ntlm_auth, if that fails, 'ignore' the result and fire off PAM etc etc

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: omnisniff

2013-07-24 Thread A . L . M . Buxey
Hi,

 Feel free to add your own feature requests :)

number of UDP packets - i.e. is/was the datagram fragmented?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User-Name containing a $

2013-07-23 Thread A . L . M . Buxey
Hi,

 Your previous answer gives an example using the unlang regex syntax, 
 including the case-insensitive operator at the end. But I was hoping to find 
 an elegant way to do case-insensitive matching in proxy.conf, where the 
 comments admit that the syntax breaks the rules of unlang regex matching. 
 Putting an 'I' at the end hasn't worked for me.
 
 I'd love to do  this:
 realm ~FOO\\.EDU$i {
   stuff here
 }
 
 Is the case-insensitive behavior supported in proxy.conf?

don't do that.

use unlang to define a proper realm construct and then use that. either using
native or with case eg either something like this,

if ("%{Realm}" =~ /foo\.edu/i) {
        update request {
                Realm := "foo.edu"
        }
}

then

switch "%{Realm}" {
        case "NULL" {
        }
        case "foo.edu" {
                update control {
                        Proxy-To-Realm := "foo.edu"
                }
        }
        # etc etc
}


or this:

if ("%{Realm}" =~ /foo\.edu/i) {
        update request {
                Realm := "foo.edu"
        }
        update control {
                Proxy-To-Realm := "foo.edu"
        }
}

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread A . L . M . Buxey
Hi,

Sorry, I've been unclear. What I meant was that I strongly suspect
nas-radius comms will either be v4 or v6 for a given pairing at any one
time, for periods of minutes or hours. Hence treating the addresses
separately should be fine

hmm, yes, we treat each as a separate entity. I'll have to check if Cisco even
lets you define the same instance to have a v4 and v6 address... it's doubtful
but you never know.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User-Name containing a $

2013-07-22 Thread A . L . M . Buxey
Hi,
Is there a way to tell radius to not do something based on the User-Name
containing a $ ? I am doing dynamic VLAN assignment and I'd like to skip
that for computer logins. I looked at unlang and I didn't see a way to
check for a character in a username.

use unlang regex check... you'll need to escape the $ as that's end of line
for regex. hosts should be matched with eg

if (User-Name =~ /^host\/.*\\.YOUR\\.AD\\.REALM$/i) {
stuff goes here
}

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread A . L . M . Buxey
Hi,

  Still... maybe for a later version... if the input looks like an IP
  address, guessing the address family isn't all that hard.

unlike your using IPv4 in its IPv6 incantation

 What if the NAS started just using the SRC IPv6 address in packets, and 
 source IP protection was enabled?

well, then things might be interesting. if the NAS was configured to talk
to an IPv6 RADIUS server then I'd expect it to be using its IPv6 source
address and if you have DAI/etc on the network then that would have
to be factored in

 I don't have any experience managing an IPv6 enabled network.  Does anyone 
 else? Or is it all too new?


new?  it's been around for more than the lifetime of some people on this
list! ;-)  you'll probably have noticed that any stuff from us here has
the fallback if IPv6 isn't present - so the usual Framed-Address/NAS-IP-Address
assumptions all have to be checked in the server/config - I first started noting
these issues when we configured remote systems to talk to our IPv6 addresses -
finding top-level entries in /var/log/radiusd/ because the IPv4 stuff
was missing... oh yes, warning needed to ensure that the filesystem
you use likes : in filenames!  ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread A . L . M . Buxey
Hi,

 My guess is dual-stack NAS-RADIUS is going to be rare.

ummm. take a hold on that assertion.  the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 -
and as part of that, you need to ensure that you're using both methods
in case either your IPv4 goes... or your IPv6 goes.  we use both
IPv4 and IPv6 on our kit... and our servers are configured for both... as
is our NAS kit that can do IPv6 for RADIUS (we had some discussion
about the best fall-over order to use... which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as much
as they can are just storing themselves up for a whole lot of pain later
when it's forced onto them by internet evolution... embrace IPv6 now
whilst you can do it in your own time. it's not like you haven't been
given over 15 years of advance notice ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread A . L . M . Buxey
Hi,

 I put the FreeRadius list on CC because I get technical solution from
 here.

the version from freeradius.org works - you need to contact Debian to get them
to fix their packages.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread A . L . M . Buxey
Hi,

 While trying that I also built a 3.0 GIT HEAD and there were a few
 problems I tripped over:
 
 - HINTS does not work the way it did before. Especially this no
   longer works for me:
 
 DEFAULT User-Name =~ "^v104([^@]+)"
         User-Name := "%{1}@V104.GMVL.DE"


I believe hints is going the way of the dodo eventually - unlang can do the
work for you eg

if ("%{User-Name}" =~ /^v104([^@]+)/) {
        update request {
                User-Name := "%{1}@V104.GMVL.DE"
        }
}

or somesuch.

 Message is: (0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot 
 perform requested action.

as already said, this is just no reject part on post-auth - this has been 
common since 2.2.x

 - freeradius gives me a segmentation fault as soon as I put 'perl' in
   the authorize section and do one authentication request.

that's more interesting. We run PERL with 3.x here and haven't seen such an
issue... wonder if your PERL environment is different

it would be sooo much better for you to be running (or ready to run!) 3.x at
this point in time

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: certificate expiration problem

2013-07-19 Thread A . L . M . Buxey
Hi,

I am trying to configure eap with some customized certificates, I have
configured eap.config correctly.
But I am getting the error of certificate expired. Although I have the
latest certificates.

certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert... or client cert. whatever you're using eg

openssl x509 -in server.pem -noout -text

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread A . L . M . Buxey
Hi,

 I'm wondering if I miss something, or why do Info-Messages about
 Invalid-Message-Authenticator not appear
 in the default radius.log anymore? Even can't get it with

such messages only appear in debug mode as logging to file could be a DoS

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread A . L . M . Buxey
Hi,
 But it DID appear in earlier versions of freeradius with default settings for
 logging.

 And I don't see the difference to something logging Errors like

  Error: Ignoring request to authentication address * port 1812 from unknown
 client x.x.x.x port 1092

 regarding the mentioned DoS problem.

 We've been using logfile monitoring for years in order to find misconfigured NAS
 of ours.
 Seems we cannot do this with freeradius 2.2.0 anymore?

if you don't like how it works and have a local use case, then just change
the code. it's only a few lines to log in normal mode rather than only when in
debug.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 I am configuring my freeradius to be integrated in the EDUROAM federation.
 It works when the VLAN (as configured in the accesspoint) is statically 
 assigned.

there are hundreds of sites using this sort of configuration for eduroam - so
it's perfectly possible and fine (and standard!) so you're going wrong somewhere.

so, that's the peace of mind part.  where has it gone wrong?   well,
firstly, is there DHCP etc on the VLAN this client is being dropped onto?
have you tested the network? what happens if the AP only handles that VLAN?

is this a 'fat/autonomous' AP? if so, then only latest firmware can handle
multiple VLANs per 802.1X SSID with multiple BSSIDs present. are you returning
ALL the VLAN attributes needed to assign VLAN on the AP?  not JUST the VLAN
number... name... ah yes, are you sending NAME or VLAN in the VLAN tag?

are you sending the replies from the tunnel? check eap.conf settings!

debug output helps a lot so yes, send it.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 The specific configuration works fine if I remove the following line from users
 file:
   Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-
 Group-ID := 218

Tunnel-Type = VLAN, 
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 218


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 Here you can download the (almost complete) debug log. Near the end I added a 
 text to make evident when I disconnected.
 
 http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

please don't ask me to visit random web sites that require me to click on things
etc. just email the output to this list.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SNMP support for Free Radius

2013-07-18 Thread A . L . M . Buxey
Hi,
 To get by the work of those kittens I set up a remote login to run radmin 
 commands and parse the output so it is suitable for mrtg. It has worked well 
 for me.

I use the munin plugin to graph auths/accts

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP using different CA?

2013-07-10 Thread A . L . M . Buxey
Hi,

 Currently we have 1000s of users' self-signed certificates (EAP-TLS),
 and we're planning to move our main authentication method to PEAP, but
 keeping the certificates in use while valid.

 To avoid the need of installing our CA certificate on every Windows
 machine, we'll buy the server certificate from a public CA.
 Can Freeradius allow me to have both methods at the same time, ie, the
 PEAP with the public CA and certificate users with our 'self-signed' CA?

easy /easier with FreeRADIUS 3 as you can define different TLS parameters
for each EAP IIRC :-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to get vendor-specific attribute value pairs

2013-07-10 Thread A . L . M . Buxey
Hi,

Thank you Arran, that's what I suspected but hoped that there would be
another way to find out.
I'll see if Netgear is willing to approve existence of AV pairs (and if
they're willing to share them).

on some kit you can run a command to see the VSA list/desc

most vendors will document their AV pairs - buried somewhere on their support
sites

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

Ready to process requests.
rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154,
id=0, length=84

snip... that's an accounting packet

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

Sending Access-Accept of id 0 to 10.141.1.129 port 49154
^^

Access-Accept sent from the server. the RADIUS server has done
its thing.  if the NAS isn't working then you have missed some
configuration option on the NAS

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

(Sorry if this is OT) As I understand, I couldn't use 802.1x
authentication on just the switches themselves? Since a client must have
certificates to authenticate to a server. What I just wanted to accomplish
is to authenticate the switches only on the radius server, so this md5
encryption I had setup should be sufficient?

what you do is up to you. a standard NAS will have several configuration
options - allowing RADIUS for admin access or RADIUS for host/client access or
both.

why can't you just do 802.1X on the switch?  yes, clients need certs but that's
the same as WiFi - you could get a RADIUS server cert signed by a known CA in
the OS (which isn't best but would allow things to just work)

Last question, could I just create a single user to be used by multiple
switches? Is there any conflict going to happen? Switch count on branches
ranges from 15-50.

once again, depends on config. why do you think you can't? do you have strong
user authorization/session checks? it's just a user

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access-challenge timeout on IOS

2013-07-04 Thread A . L . M . Buxey
Hi,

waits a long time until timing out waiting for user input. I'd like to
also discover how other NAS's behave using this and have found the timeout
on a particular cisco 1131 access point to be quite short.

most NAS devices have configurable options for their RADIUS/EAP timers. note
that you will need to adjust RADIUS server too - as the server also has its
own timeout/clear-up timers

Session-timeout and Idle-timeout are attributes mentioned by the cisco
docs but neither of these seem to be what I'm after.

they control the end clients, not the RADIUS clients (the NAS)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP and non-EAP on same port?

2013-07-03 Thread A . L . M . Buxey
Hi,

We'd like to simplify our configuration and use the same port for both.

the default configuration does that

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: something like huntgroups?

2013-07-02 Thread A . L . M . Buxey
Hi,

 We have a generic VPN profile that we'd like to allow *all* users to
 login to - this works well.
 
 When users login to the secret profile, then the following VPN
 attribute is included in the request:
 
 Vendor-3076-Attr-146 = 0x554d44

use/load the dictionary.cisco.vpn3000 dictionary file (it's what ASA have
inherited). the 146 attribute isn't present currently so just add it to the file
after the Member-Of entry eg

ATTRIBUTE   CPVN3000-Member-Of  145 string
ATTRIBUTE   CPVN3000-Tunnel-Group-Name  146 string


there's a tonne of other attributes missing from that dictionary... haven't got
time to send through the change right now.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius ldap auth sort of working ?

2013-07-01 Thread A . L . M . Buxey
Hi,

 and this is the output from radius (ran as radiusd -X)
 http://pastebin.com/MT0txW2c

please post to the list - avoids more work at this end.

the output shows this:

Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by testuser_1 with password letmein_1
[ldap] user DN: uid=testuser_1,ou=People,dc=vps03,dc=local
  [ldap] (re)connect to 127.0.0.1:389, authentication 1
  [ldap] bind as uid=testuser_1,ou=People,dc=vps03,dc=local/letmein_1 to 
127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind failed with invalid credentials
++[ldap] returns reject

 i don't understand. it auths but then it doesn't.. the final result
 is not successful

it does a SEARCH for authorization. finds some details... then it checks
authentication... and doesn't work.  verify that you can connect/verify
with this user/password combo. LDAP is not an authentication method... it's
just an oracle of data really

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius radcheck change

2013-06-25 Thread A . L . M . Buxey
Hi,

Am trying to have my users' credentials or attributes change, say, when a
user hits their expiry date, their profile drops to one that does not
expire but can only get to a certain page, requesting them to renew their
account, Some kind of redirection, but after account has expired.
How best can I achieve this?

depends on the kit and technology being used... with 802.1X you could bump them
onto a VLAN that's got a captive portal... with captive portal systems you
can use one of the WISPr attributes to define the captive page (or whatever
attribute the docs for your kit tells you to use).

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Changed Attributes

2013-06-25 Thread A . L . M . Buxey
Hi,

Alc-IPsec-Interface: Unknown attribute  requires a hex string, not
private_ipsec

so give it a hex string then

private_ipsec is 707269766174655f6970736563

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Username/Host authorization

2013-06-24 Thread A . L . M . Buxey
Hi,

I'm now sure that the best way for us is MAC Address filtering.

that's a way of doing the 'host' part. the user can then be authenticated
by an EAP method.

ie authorization stage can check the calling-station-id (MAC address) and,
if not known, just reject. then, if known carry on to the user authentication
by 802.1X

as already said, you have to know what you want and the technologies available

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Changed Attributes

2013-06-24 Thread A . L . M . Buxey
Hi,

I am creating attributes for the user using the scripts below but on
running the radtest I get the failure attributes; which seems to have
changed. I am using Freeradius 2.1.0 .
 
user1test Auth-Type := Local, User-Password == testpassword
 
Framed-IP-Address = 172.162.3.33,
 
   Framed-IP-Netmask = 255.255.255.0,
 
Alc-Primary-Dns = 4.4.2.2,
 
Alc-Primary-Nbns = 8.8.4.4,
 
Alc-IPsec-Serv-Id = 199920,
 
Alc-IPsec-Interface = public_ipsec,
 
Alc-IPsec-SA-Lifetime = 1200,
 
Alc-IPsec-SA-Encr-Algorithm = aes128,
 
Alc-IPsec-SA-Auth-Algorithm = sha1

1) it's Cleartext-Password := NOT User-Password ==

2) formatting is VERY important... I hope you don't have blank lines between
each entry

3) ensure that these attributes that you are using are in a dictionary
file and that the dictionary file is being read by the server when it starts

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap

2013-06-24 Thread A . L . M . Buxey
Hi,

  Always start simple.  Run radtest on the RADIUS server box
  using 127.0.0.1 ... THEN move to running against it from other
  systems once you've verified all authentication etc is working
  
   Works on localhost.
 
   Trying to get radius to authenticate against an ldap
 server.


if localhost works, then the authentications cannot get through
to the server on its IP socket so you need to edit the host
firewall (and any other ACLs that might be blocking the traffic)

iptables -L -n   - check for UDP 1812 being allowed


as for what you say you are doing and what you are doing... that
radtest is simply sending RADIUS auths to a RADIUS server... then the
server will use whatever methods you have configured for AAA - right now
it's doing absolutely nothing at all as the server is not receiving
your packets - this has nothing to do with an LDAP server right now

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap

2013-06-24 Thread A . L . M . Buxey
Hi,

 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 ACCEPT tcp  --  0.0.0.0/00.0.0.0/0tcp
 dpt:1812

you see this - TCP

read a little about RADIUS. it uses UDP

change your rule to allow UDP port 1812

 # radtest evergr...@plumgrid.com Y0V2T2VAKI 192.168.10.14 0 d1sc0verplum
 
   Is not sending my radius request to the ldap server
 (192.168.10.14)?

well, it is... but there is NOTHING an LDAP server can do with a RADIUS request.

you send RADIUS requests to a RADIUS server... the RADIUS server will then
open up required connections to backend systems (eg LDAP to an LDAP
server, SQL to an SQL server etc) to deal with AAA requirements.

I dont use HTTP to talk to an SSH server

   In which case, how do I test that freeradius is working
 with ldap?

you fire a RADIUS authentication against the RADIUS server

radtest username password radius-server port secret

   Does this mean I need to set up say a WiFi router to use
 WPA2 Enterprise and send auth requests to the radius server and
 then the radius server passes requests to the ldap server. This

yes.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Changed Attributes

2013-06-24 Thread A . L . M . Buxey
Hi,

But when i comment the attributes the radtest is successful

did you check my other statement:

  3) ensure that these attributes that you are using are in a dictionary
  file and that the dictionary file is being read by the server when it
  starts

well?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap

2013-06-24 Thread A . L . M . Buxey
Hi,

   I had it wide open. Someone suggested I add the tcp above.

who suggested that?  standard basic old fashioned RADIUS uses
UDP ports 1812,1813 and 1814 - even older versions pre IANA adjustments
would have used UDP 1645 and 1646

   I get that. What I want the RADIUS server to do is query
 the LDAP server, rather than say a database or the
 /etc/freeradius/users file.

right. so first of all, send the radtest packets to the RADIUS server
- or get an access point to do that. then see what is happening and configure
the RADIUS server so that it's using LDAP in the authorization/authentication
sections - uncomment 'ldap' and then edit the LDAP module.  the queries
will then go to your LDAP server as configured in the LDAP module.

then note what you CAN and CAN'T do with an LDAP server - what password
storage mechanisms will work with PEAP being used by a WPA2 Enterprise client
etc

   Yes, I get that. I am trying to prove via radtest that
 the radius server can authenticate to the radius server, just as
 the users file can authenticate to the radius server.

the users file doesn't authenticate to the RADIUS server... you're getting
things the wrong way around. the RADIUS server uses the users file
as an oracle to check a username/password (and to set return values)

   So, I can run radtest only using credentials in
 /etc/freeradius/users?

you can use radtest (or eapol_test from the wpa_supplicant package)
to send an authentication request to the RADIUS server. the server is then
configured to use whatever user/pass storage you want... there is NOTHING
to force it only to use the users file when using radtest. some people
use ActiveDirectory, some use SQL, some use LDAP, some use some RESTFUL API.
very few use the users file for serious production use ;)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems freeradius and samba4

2013-06-23 Thread A . L . M . Buxey
Hi,

With user administrator it did not work. look at the log file
 
[ldap] performing user authorization for test
[ldap]  expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) ->
(&(objectClass=user)(sAMAccountName=test))
[ldap]  expand: dc=batlab,dc=corp -> dc=batlab,dc=corp
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] closing existing LDAP connection
  [ldap] (re)connect to 192.168.0.4:389, authentication 0
  [ldap] bind as /X to 192.168.0.4:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
^

  [ldap] performing search in dc=batlab,dc=corp, with filter
((objectClass=user)(sAMAccountName=test))
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
^
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
 
Any idea?

I'd suggest that you get acquainted with your LDAP directory structure and
ensure that you are looking in the right place with the right filter

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Building RPMS from main branch 3.x release

2013-06-23 Thread A . L . M . Buxey
Hi,
 
 On 21 Jun 2013, at 20:18, Divyesh Raithatha divyesh.raitha...@gmail.com 
 wrote:
 
  Hello,
   
  Has anyone successfully built RPM's from the main branch 3.x?
   
  I am trying to build one but keep on running into errors.  Similar to the 
  ones I saw with the version 2.x.x  branch (regarding version numbers, 
  patches, library file names) until the changes were pushed by Fajar on May
  9th.
 
 Feel free to cherry-pick them across.

I just build an RPM directly from the source ignoring all the extra patches...any
valid patches would already be in the GIT release ;-)

alan


Re: ldap

2013-06-22 Thread A . L . M . Buxey
Hi,

 freeradius silently drop packets from unknown client.

unless run in debug mode at which point it'll clearly print out

Ignoring request to blahblah from unknown client x.x.x.x port 


alan


Re: Log auth message

2013-06-21 Thread A . L . M . Buxey
Hi,

 I'm not able to debug what the macro RAUTH does :(. Could you please help me,
 thx.

ah. just noticed this is actually with 3.x - yes, the older releases logged but
current version doesn't. I'll have to help you out with this as I need logging on
that platform :-)

alan


Re: User disconnect

2013-06-20 Thread A . L . M . Buxey
Hi,

) ENGINE=MyISAM DEFAULT CHARSET=latin1;

urgh. i'll have to agree with others here MyISAM should have died many years
ago..its a plague on any busy MySQL box.  use at least InnoDB - which is supported
by MySQL natively for many a year. and before any complaints about users
who can only follow instructions on web page or such there are PLENTY of basic
guides and basic my.cnf examples for pretty decent InnoDB configurations (and
there are plenty of automagic MySQL optimisation checker scripts that can tune
those values to be optimal for the system (CPU/thread/memory/caching etc))

however, interesting/useful tool for those that need it.

alan


Re: Log auth message

2013-06-19 Thread A . L . M . Buxey
Hi,

 When I use parameter -x, everything works correctly (I see the auth log message):

that'll be because with -x or -X the service runs as root.  without those
arguments it will run as the user configured in the radiusd.conf - please ensure
that user/group is able to write into that location

alan


Re: Log auth message

2013-06-19 Thread A . L . M . Buxey
Hi,
 Hi,
 
 I never run radiusd as root user (for both cases).

yes you do - when you are running in '-x' mode

 The user/group is able to write, because I see the general log messages
 
 Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
 Wed Jun 19 08:18:49 2013 : Info: Loaded virtual server default
 Wed Jun 19 08:18:49 2013 : Info: Ready to process requests.

IIRC that stuff is done before the server drops down to lower priv

check your permissions, check your audit logs (if running SELinux). standard
installs do not have this issue.

alan

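An added `radiusd.conf` fragment, not from the thread, showing the three settings the two replies above turn on: the account the daemon drops to, the log directory that account must be able to write into, and the per-request auth logging the poster is after. The paths and the account name are common packaging defaults and are assumptions; check them against your own installation.

```unlang
# radiusd.conf (FreeRADIUS 2.x), added example. The prefix, logdir and
# account name are typical packaging defaults, not a statement about any
# particular distribution.
prefix = /usr
logdir = /var/log/radius

# The identity the server drops to after start-up. Per-request log lines
# are written as this user, so ${logdir} and the log file must be owned
# by (or writable for) this user/group, and SELinux must allow it too.
user = radiusd
group = radiusd

log {
	destination = files
	file = ${logdir}/radius.log

	# The per-request "Login OK" / "Login incorrect" lines. Keep the two
	# password switches off: they write plaintext passwords and failed
	# guesses into the log file.
	auth = yes
	auth_badpass = no
	auth_goodpass = no

	stripped_names = no
	syslog_facility = daemon
}
```

When the start-up lines appear in the file but the per-request ones do not, run `ls -ld /var/log/radius /var/log/radius/radius.log` and fix ownership with `chown radiusd:radiusd` on both; on an SELinux host also check `ausearch -m avc -ts recent` for denials against radiusd.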

Re: terminate eap-ttls

2013-06-19 Thread A . L . M . Buxey
Hi,

I have managed to setup a simple test using eapol_test as per

 http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS

that's a rather old...and random URL. why not look at official docs?

and it all works as described except that I have to use ca.pem instead of
server.pem. I think this might be because the example uses an older
version of FreeRadius?

yes, ca_cert=/home/carla/server.pem is wrong. that's basically checking the
RADIUS server cert..not the CA...eapol_test wants to verify the CA with that
config option.

What I really need to do is proxy the inner message to another Radius
server which will do the authentication but I cannot get this to work.
Whatever I try, I always see an EAP-Message avp heading off to the remote
server. I have looked at the proxy-inner-tunnel virtual server but am
unsure how to use it.

tell EAP to send the message to somewhere else other than inner-tunnel virtual
server. the inner-tunnel virtual server is a local instance you need to
proxy...so define a remote pool as per proxy.conf examples

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 I will make it short and easy.
 
 You can't do LDAP authentication with 802.1x. EAP needs the password of
 the user in cleartext. if it's not in your ldap, you're screwed.

..EAP-TTLS/PAP ?  ;-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 Some other comments -
 
 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.
 
 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf
 
 Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)

alan


Re: terminate eap-ttls

2013-06-19 Thread A . L . M . Buxey
Hi,

 This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and 
 you're sending it to the remote server.
 
 Thanks, this is NOT what I want to do. I want to send the inner message, not 
 the tunnel and do PAP on the remote server.

okay. so you need to start by terminating the EAP on your server...so you need
the current out of the box configuration and use the inner-tunnel...but then you
want to proxy the PAP authentication - that would be done with some
'update control' unlang

alan

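An added example, written for this edit and not taken from the thread or from the stock FreeRADIUS files, that puts together the two replies in the "terminate eap-ttls" thread: a remote pool defined in `proxy.conf`, and the `update control` in the inner-tunnel that sends only the decrypted PAP request there. The home server address (RFC 5737 documentation range), its secret and the realm name are placeholders.

```unlang
# proxy.conf: the backend that will see the inner User-Name / User-Password.
home_server pap_backend {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	secret = "change-me-to-a-long-random-secret"
	response_window = 20
	zombie_period = 40
	status_check = status-server
}

home_server_pool pap_backend_pool {
	type = fail-over
	home_server = pap_backend
}

realm pap-backend {
	auth_pool = pap_backend_pool
	# keep any realm suffix the backend expects to see
	nostrip
}

# sites-enabled/inner-tunnel, authorize section. This virtual server only
# ever sees the request that came out of the TLS tunnel, so EAP-TTLS is
# terminated on this box (its certificate, its session keys) and only the
# inner credentials leave it.
authorize {
	# Proxy just the inner requests that carry a PAP password. An inner
	# EAP method (say EAP-MSCHAPv2) would be forwarded as EAP again,
	# which is what the poster wanted to avoid.
	if (User-Password) {
		update control {
			Proxy-To-Realm := "pap-backend"
		}
	}
	# the remaining stock modules of the section follow unchanged
}
```

Two things to keep in mind on that hop: the proxied User-Password is protected only by the RADIUS shared-secret obfuscation, so keep the path to the backend on a trusted network (or use RADIUS over TLS where both ends support it), and the outer server will now accept whatever the backend accepts, so the backend's policy is the policy.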

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 He he he... if I recall correctly I came up with something like:

yes, that's the one. quoted as 'most evil unlang ever' if I recall
have used it on many occasions...does the job well

 ...as the EAP module was updated to return ok on identity/mschap
 responses. Yet another reason to upgrade!

yep...as well as proper pools of LDAP servers in 3.x

alan

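An added example, not from either "Authentication using LDAP for 802.1x" message above nor from the stock configuration, of the wrapper Alan describes: in the outer server's authorize section, call `ldap` only for the EAP Identity response. It relies on the eap module adding an `EAP-Type` attribute to the request, decoded from the incoming EAP-Message, which is why the `if` comes after `eap`; the module names are the stock ones.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x). Added example.
authorize {
	preprocess
	suffix

	# The eap module decodes EAP-Message and adds EAP-Type to the request
	# on every packet it handles. It is called here without "ok = return"
	# so that the Identity packet reaches the block below; the "if" then
	# does the job of keeping every later packet away from LDAP.
	eap

	# Only the first packet of a TTLS/PEAP conversation, the EAP Identity
	# response, needs a directory lookup in the outer server. The TLS
	# handshake round trips that follow carry no identity to look up and
	# hit LDAP for nothing.
	if (EAP-Type == Identity) {
		ldap
	}

	expiration
	logintime
}
```

Run the server with `-X` and send one EAP-TTLS authentication through it: the `[ldap]` lines should appear once, right after the Identity response, and not again for the remaining Access-Requests of that conversation.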

Re: freeradius | shared secret is incorrect | unprintable characters in the password

2013-06-02 Thread A . L . M . Buxey
Hi,

check the shared secret you have defined in clients.conf on the server.

check the shared secret you are using on the client

check the server debug logs etc to see WHAT IP the client is coming
through - if you are using a localhost address or name...if using the
name it might be using another IP socket connection which may be matching
one of the other default values present in clients.conf

alan


Re: talloc.h not found but libtalloc-dev is installed

2013-05-31 Thread A . L . M . Buxey
Hi,

This is on debian squeeze and I have libtalloc-dev installed. I also tried
adding --with-talloc-include-dir=/usr/include but this did not help.

what version of talloc does debian ship? I've no problems with talloc on CentOS
or SUSE

alan


Re: Testing failure during setup

2013-05-27 Thread A . L . M . Buxey
Hi,

I have the added each machine as a client of the other for testing in
clients.conf they both have the shared secret aaabbb

incorrect shared secret somewhere. double check your proxy.conf on each system.

the retry etc is likely to be because the first challenge failed due to
the incorrect shared secret (which will drop the packet) therefore the server
tried again.  note, RADIUS uses UDP, so RADIUS 'conversations' are all unique
packets...not an 'ongoing TCP' style conversation - which means things can be
broken in one direction.


alan

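An added example, not from the "shared secret is incorrect" thread nor the "Testing failure during setup" one, showing the two places a secret has to agree for server A to proxy to server B: `clients.conf` on the receiving side and `proxy.conf` on the sending side. Addresses are from the RFC 5737 documentation range and the secrets are placeholders.

```unlang
# clients.conf on server B: who may send to B, and with which secret.
# A request from an address that matches no client entry is dropped
# without a reply; only "-X" shows it, as "Ignoring request ... from
# unknown client".
client server_a {
	ipaddr = 192.0.2.11
	secret = "replace-with-a-long-random-secret"
	shortname = server-a
	require_message_authenticator = yes
}

# Testing from the box itself: "localhost" may resolve to ::1 rather than
# 127.0.0.1, and a request arriving on ::1 will not match the stock
# 127.0.0.1 entry. Give it one of its own rather than loosening the other.
client localhost_ipv6 {
	ipv6addr = ::1
	secret = "testing123"
}

# proxy.conf on server A: the same secret, seen from the sending side.
# A mismatch is never reported as an error at A. B drops the packet
# (bad Message-Authenticator / Response-Authenticator) and A keeps
# retrying until it marks the home server zombie and then dead.
home_server server_b {
	type = auth
	ipaddr = 192.0.2.12
	port = 1812
	secret = "replace-with-a-long-random-secret"
	response_window = 20
	zombie_period = 40
	status_check = status-server
}
```

The shared secret is what protects the User-Password obfuscation and the response authenticators, so a short test value such as `aaabbb` or `testing123` belongs only on a lab box; give each client its own long random secret and keep `require_message_authenticator = yes` where the NAS supports it.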
