Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Hello,

Never played around with groups using rlm_sql and the default schema..
I am reading what I assume is saying that it should be possible to have several
groups on an account and each group should be able to supply that specific
group's radgroupreply attributes..
Number 4 below sure sounds like it should get all the account's groups first and
then process them according to priority? The test below shows it only reads the
first group? And no matter what priority..
Is that how it should work, or what am I missing here?

1. Search the radcheck table for any check attributes specific to the user
2. If check attributes are found, and there's a match, pull the reply items from
   the radreply table for this user and add them to the reply
3. Group processing then begins if any of the following conditions are met:
   ◦ The user IS NOT found in radcheck
   ◦ The user IS found in radcheck, but the check items don't match
   ◦ The user IS found in radcheck, the check items DO match AND Fall-Through is
     set in the radreply table
   ◦ The user IS found in radcheck, the check items DO match AND the read_groups
     directive is set to 'yes'
4. If groups are to be processed for this user, the first thing that is done is
   the list of groups this user is a member of is pulled from the usergroup table
   ordered by the priority field. The priority field of the usergroup table allows
   us to control the order in which groups are processed, so that we can emulate
   the ordering in the users file. This can be important in many cases.
5. For each group this user is a member of, the corresponding check items are
   pulled from radgroupcheck table and compared with the request. If there is a
   match, the reply items for this group are pulled from the radgroupreply table
   and applied.
6. Processing continues to the next group IF:
   ◦ There was not a match for the last group's check items OR
   ◦ Fall-Through was set in the last group's reply items (The above is exactly the
     same as in the users file)
7. Finally, if the user has a User-Profile attribute set or the Default Profile
   option is set in the sql.conf, then steps 4-6 are repeated for the groups that
   the profile is a member of.

To test it I added some data to

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  8 | alex     | Password  | := | test  |
+----+----------+-----------+----+-------+

mysql> select * from radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| alex     | mega-admin-group |        0 |
| alex     | cisco_admin      |        1 |
+----------+------------------+----------+

mysql> select * from radgroupreply;
+----+------------------+----------------+----+---------------------------------+
| id | groupname        | attribute      | op | value                           |
+----+------------------+----------------+----+---------------------------------+
|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute |
|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                        |
|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                 |
|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15               |
+----+------------------+----------------+----+---------------------------------+
5 rows in set (0.00 sec)

root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = test-mega-admin-reply-attribute
NAS-Identifier = test-NAS    -- Only replies from group mega-admin-group


And freeradius debug is showing it only checked replies from the first group..

rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[sql]   expand: %{User-Name} - alex
[sql] sql_set_user escaped user -- 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
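
The seven steps quoted above, and the Fall-Through fix Alex finds two messages further down, as an added Python model that is not FreeRADIUS code and not from the thread: it runs the rows from the mysql output through steps 1-6 and returns the reply list first as posted, then with Fall-Through = Yes on mega-admin-group. It assumes read_groups = yes (consistent with the debug output, where groups were processed although radcheck matched), treats ':=' check items as control items that always match, and leaves out profiles (step 7).

```python
# Model of the rlm_sql authorize flow (steps 1-6 in the message above) run over
# that message's own rows. Constructed example, not FreeRADIUS code; the tables
# are hand-built copies of the mysql output and step 7 (profiles) is left out.

RADCHECK = [
    {"username": "alex", "attribute": "Password", "op": ":=", "value": "test"},
]
RADREPLY = []       # no per-user reply items in the thread
RADUSERGROUP = [
    {"username": "alex", "groupname": "mega-admin-group", "priority": 0},
    {"username": "alex", "groupname": "cisco_admin", "priority": 1},
]
RADGROUPCHECK = []  # no group check items, so every group matches
RADGROUPREPLY = [
    {"groupname": "mega-admin-group", "attribute": "Reply-Message",
     "op": "=", "value": "test-mega-admin-reply-attribute"},
    {"groupname": "mega-admin-group", "attribute": "NAS-Identifier",
     "op": "=", "value": "test-NAS"},
    {"groupname": "cisco_admin", "attribute": "Service-Type",
     "op": "=", "value": "NAS-Prompt-User"},
    {"groupname": "cisco_admin", "attribute": "cisco-avpair",
     "op": "=", "value": "shell:priv-lvl=15"},
]
TABLES = {"radcheck": RADCHECK, "radreply": RADREPLY,
          "radusergroup": RADUSERGROUP, "radgroupcheck": RADGROUPCHECK,
          "radgroupreply": RADGROUPREPLY}
REQUEST = {"User-Name": "alex", "User-Password": "test",
           "NAS-IP-Address": "10.173.2.10", "NAS-Port": "1812"}


def check_items_match(items, request, control):
    """':=' items go to the control list; '==' / legacy '=' must equal the request."""
    for item in items:
        if item["op"] == ":=":
            control[item["attribute"]] = item["value"]
        elif request.get(item["attribute"]) != item["value"]:
            return False
    return True


def apply_reply_items(items, reply):
    """Add reply items ('=' only if absent, ':=' replaces, '+=' always adds).
    Returns True if the list carried Fall-Through = Yes (consumed, never sent)."""
    fall_through = False
    for item in items:
        attr, op, value = item["attribute"], item["op"], item["value"]
        if attr == "Fall-Through":
            fall_through = value.lower() == "yes"
            continue
        if op == "=" and any(a == attr for a, _ in reply):
            continue
        if op == ":=":
            reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    return fall_through


def process_groups(user, request, reply, control, tables):
    """Steps 4-6: ascending priority (0 before 1); stop after the first
    matching group unless its reply items set Fall-Through."""
    memberships = sorted((r for r in tables["radusergroup"] if r["username"] == user),
                         key=lambda r: r["priority"])
    for m in memberships:
        group = m["groupname"]
        checks = [r for r in tables["radgroupcheck"] if r["groupname"] == group]
        if not check_items_match(checks, request, control):
            continue                    # step 6: no match, try the next group
        replies = [r for r in tables["radgroupreply"] if r["groupname"] == group]
        if not apply_reply_items(replies, reply):
            break                       # matched and no Fall-Through: stop here


def authorize(request, tables, read_groups=True):
    """Steps 1-3, then group processing. read_groups=True matches the thread's
    debug output, where groups were processed although radcheck matched."""
    user = request["User-Name"]
    reply, control = [], {}
    checks = [r for r in tables["radcheck"] if r["username"] == user]
    found = bool(checks)
    matched = found and check_items_match(checks, request, control)
    fall_through = False
    if matched:
        user_replies = [r for r in tables["radreply"] if r["username"] == user]
        fall_through = apply_reply_items(user_replies, reply)
    if not found or not matched or fall_through or read_groups:
        process_groups(user, request, reply, control, tables)
    return reply


def reply_as_posted():
    """Thread data unchanged: only mega-admin-group's items come back."""
    return authorize(REQUEST, TABLES)


def reply_with_fall_through():
    """The fix from the thread: Fall-Through = Yes on the first group lets
    cisco_admin's items be added as well."""
    tables = dict(TABLES, radgroupreply=RADGROUPREPLY + [
        {"groupname": "mega-admin-group", "attribute": "Fall-Through",
         "op": "=", "value": "Yes"}])
    return authorize(REQUEST, tables)
```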

SV: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Sorry, forget about priority, I thought higher was first.. which it wasn't.. Still,
is it possible to get replies from multiple groups an account belongs to?

Cheers
Alex

From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Alexander Silveröhrt
Sent: 12 April 2013 09:33
To: freeradius-users@lists.freeradius.org
Subject: Group questions..several group memberships to one account. FreeRADIUS
Version 2.1.10


SV: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
And sorry again…
I forgot the old Fall-Through = yes, which of course made it work..

I thank myself for my excellent answers ☺

Cheers
Alex

From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Alexander Silveröhrt
Sent: 12 April 2013 09:41
To: FreeRadius users mailing list
Subject: SV: Group questions..several group memberships to one account. FreeRADIUS
Version 2.1.10


SV: perl examples

2013-04-08 Thread Alexander Silveröhrt
Since I was just in the making of some hooks using DBI, I took some time to
copy-paste something that could be something towards the thing you wanted?
This is just an example, so don't take it too seriously..

I also don't think you should do it as a post_auth hook but as an authorize hook, so:

Don't forget to add module = /etc/freeradius/myscript.pl and uncomment
#func_authorize = authorize AND/OR #func_post_auth = post_auth in modules/perl

And add perl and sql to your default
vi sites-enabled/default

authorize {
        preprocess
        perl        ## <---
        auth_log
        sql         ## <---
        expiration
        logintime
}


## Example myscript.pl script ##
#!/usr/bin/perl

use strict;
use warnings;
use diagnostics;
use DBI;
use Data::Dumper;

### Radius HASH tables (filled in by rlm_perl before each call) ###
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

### rlm_perl return codes ###
use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6;  # user not found
use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are

sub authorize {

    ### DB connection variables ###
    my $driver   = 'mysql';
    my $user     = 'dbuser';
    my $pw       = 'mypassword';
    my $database = 'radius';
    my $host     = 'localhost:3306';

    my $dsn = "DBI:$driver:$database:$host";

    ## For good manners you should add something here that only makes the
    ## db connect if code eq Access-Request or something something...
    ## RaiseError makes connect die on failure, so catch that and return
    ## FAIL instead of letting an uncaught die take the request down.
    my $dbh = eval { DBI->connect($dsn, $user, $pw, { RaiseError => 1 }) };
    if (!$dbh) {
        &radiusd::radlog(1, "myscript.pl: DB connect failed: " . ($@ || $DBI::errstr));
        return RLM_MODULE_FAIL;
    }

    my $sth;

    ### Other variables ###
    my $NAS_IP_ADDRESS     = $RAD_REQUEST{'NAS-IP-Address'};
    my $CALLING_STATION_ID = $RAD_REQUEST{'Calling-Station-Id'};
    my $NAS_PORT_ID        = $RAD_REQUEST{'NAS-Port-Id'};
    my $USER_NAME          = $RAD_REQUEST{'User-Name'};
    my $MAC                = $RAD_REQUEST{'some-Client-Hardware-Addr'};
    my $VENDOR_ID          = $RAD_REQUEST{'some-DHCP-Vendor-Class-Id'};
    if (!$VENDOR_ID)
    {
        $RAD_REQUEST{'some-DHCP-Vendor-Class-Id'} = 'NO_VENDOR_ID';
    }
    ### ETC ETC...

    ## Bind the request attributes as placeholders instead of interpolating
    ## them into the SQL text: Calling-Station-Id comes from the client, so
    ## an interpolated value could change the query.
    $sth = $dbh->prepare('SELECT vlan FROM my_vlan_table WHERE '
                       . 'NAS_IP_ADDRESS = ? AND CALLING_STATION_ID = ?');   ## <-- Or something.
    $sth->execute($NAS_IP_ADDRESS, $CALLING_STATION_ID);

    my ($VLAN) = $sth->fetchrow_array();
    $sth->finish();

    if (!$VLAN)
    {
        ### Something something
        ### Or maybe a default account..
        $RAD_REQUEST{'User-Name'} = 'my_default_user_account';
        $RAD_CHECK{'Auth-Type'}   = 'Accept';   # Auth-Type is a control item: %RAD_CHECK, not %RAD_REPLY
        $RAD_REPLY{'User-Name'}   = $USER_NAME;
        $RAD_REPLY{'needed-reply-attribute-Subsc-ID-Str'}   = $MAC;
        $RAD_REPLY{'needed-reply-attribute-Subsc-Prof-Str'} = 'direct_access';
        $RAD_REPLY{'needed-reply-attribute-SLA-Prof-Str'}   = '150-BB-10-10';
        ### ETC ETC...
    }
    else
    {
        $RAD_REPLY{'vlan-id-attribute-to-send-back'} = $VLAN;
        $RAD_CHECK{'Auth-Type'}   = 'Accept';
        $RAD_REPLY{'User-Name'}   = $USER_NAME;
        $RAD_REPLY{'needed-reply-attribute-Subsc-ID-Str'}   = $MAC;
        $RAD_REPLY{'needed-reply-attribute-Subsc-Prof-Str'} = 'direct_access';
        $RAD_REPLY{'needed-reply-attribute-SLA-Prof-Str'}   = '150-BB-10-10';
    }

    $dbh->disconnect();

    return RLM_MODULE_OK;
}
-----Original Message-----
From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Alex Sharaz
Sent: 8 April 2013 13:37
To: FreeRadius users mailing list
Subject: perl examples

Hi,
There don't seem to be many examples relating to using perl to access remote
databases; in fact there don't seem to be many perl examples at all.

Got example.pl configured a wee bit and running on a test server, but could do
with a better db-related example.

Unfortunately my perl skills aren't as good as they could be.

In post-auth I want to

extract the nas-ip address and calling station-id of the client device
open a db connection and perform a query that'll let me decide what vlan-id to
send back in the access-accept packet
write

SV: disconected after one second

2013-04-04 Thread Alexander Silveröhrt
Hard to know what you misconfigured, but... I can give you some usual suspects
maybe..

Also, can you post a show subscribers active all while trying to auth.

Also debug with
Term mon
debug aaa rad-attr
debug rad-packet

Your forward policy looks wicked
Forward-Policy == in:CLIPS-DEFAULT
Are you sure that is the name of your forwarding policy? And if you are using
netop, make sure that this forwarding policy is the one in the database.


Also double check that you have the below metering and policing on the router and
that they are configured with the right rate and burst.
 Qos-Policing-Profile-Name = customer-out
 Qos-Metering-Profile-Name = customer-in

Also, if you are using netop, check that you have those customer-out and
customer-in in Netop's service attribute Variation/bandwidth variation and that
they point to existing valid customer-out and customer-in on the router.
From the look of your reply attributes they should look like..

qos policy customer-out metering
 rate 20480 burst 10
!
qos customer-in policing
 rate 2048 burst 1
!

And of course make sure you have a context with the name CLIPS to bind the
session to.

And since I have never used the below attributes in an SME before, that makes me
suspicious.. Just make sure they aren't doing anything crazy :)
 Connect-Info == 1
 Port-Limit == 1


Cheers
Alex


-----Original Message-----
From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Lukasz Kopiszka
Sent: 4 April 2013 15:19
To: freeradius-users@lists.freeradius.org
Subject: disconected after one second


Hi,

I have a strange problem: the host can't receive an IP because it gets
 Acct-Status-Type = Stop
 Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
after one second, before:
 Acct-Status-Type = Start
 Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP

short log:

Sending Access-Accept of id 126 to 91.231.70.5 port 1812
 Service-Type = Outbound-User
 Framed-IP-Address == 91.231.71.17
 Acct-Interim-Interval == 300
 Service-Type == Outbound-User
 Connect-Info == 1
 Port-Limit == 1
 DHCP_Max_Leases == 1
 Context-Name == CLIPS
 HTTP-Redirect-Profile-Name == 
 Forward-Policy == in:CLIPS-DEFAULT
 QOS-Rate-Outbound == 20480
 QOS-Rate-Inbound == 2048
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=223, length=385
 User-Name = 00:17:08:2e:76:d2
 Acct-Status-Type = Start
 Acct-Session-Id = 01007800029F-515D7656
 Service-Type = Outbound-User
 Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP
 NAS-Identifier = ALFASYSTEM
 NAS-Port = 33619968
 NAS-Real-Port = 553649127
 NAS-Port-Type = Virtual
 NAS-Port-Id = 2/1 vlan-id 999 clips 131743
 Medium-Type = DSL
 Mac-Addr = 00-17-08-2e-76-d2
 Platform-Type = SE-100
 OS-Version = 6.5.1.5
 Acct-Authentic = RADIUS
 Port-Limit = 1
 DHCP-Max-Leases = 1
 Framed-IP-Address = 91.231.71.17
 Source-Validation = Enabled
 DHCP-Option = \014\014\004alfa
 Acct-Interim-Interval = 600
 Forward-Policy = in:CLIPS-DEFAULT
 QOS-Rate-Outbound = 20480:0:0
 QOS-Rate-Inbound = 2048:0:0
 Qos-Policing-Profile-Name = customer-out
 Qos-Metering-Profile-Name = customer-in
 Event-Timestamp = Apr  4 2013 14:47:18 CEST   start

rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=224, length=603
 User-Name = 00:17:08:2e:76:d2
 Acct-Status-Type = Stop
 Acct-Session-Id = 01007800029F-515D7656
 Service-Type = Outbound-User
 Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
 NAS-Identifier = ALFASYSTEM
 NAS-Port = 33619968
 NAS-Real-Port = 553649127
 NAS-Port-Type = Virtual
 NAS-Port-Id = 2/1 vlan-id 999 clips 131743
 Medium-Type = DSL
 Mac-Addr = 00-17-08-2e-76-d2
 Platform-Type = SE-100
 OS-Version = 6.5.1.5
 Acct-Authentic = RADIUS
 Port-Limit = 1
 DHCP-Max-Leases = 1
 Framed-IP-Address = 91.231.71.17
 Source-Validation = Enabled
 DHCP-Option = \014\014\004alfa
 Acct-Session-Time = 1
 Acct-Input-Packets = 0
 Acct-Output-Packets = 0
 Acct-Input-Octets = 0
 Acct-Output-Octets = 0
 Acct-Input-Gigawords = 0
 Acct-Output-Gigawords = 0
 Acct-Input-Packets-64 = 0x
 Acct-Output-Packets-64 = 0x
 Acct-Input-Octets-64 = 0x
 Acct-Output-Octets-64 = 0x
 Acct-Mcast-In-Packets = 0
 Acct-Mcast-Out-Packets = 0
 Acct-Mcast-In-Octets = 0
 Acct-Mcast-Out-Octets = 0
 Acct-Mcast-In-Packets-64 = 0x
 Acct-Mcast-Out-Packets-64 = 0x
 Acct-Mcast-In-Octets-64 = 0x
 Acct-Mcast-Out-Octets-64 = 0x
 Acct-Interim-Interval 

SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Hello Alan,

And thanks for the reply. If you mean that my custom hook perl scripts for
rlm_perl deal with any threads, then no.

If you mean that our compilation of perl, which was installed from apt-get,
is compiled in a strange way.. then I have no idea.

Br
Alex


From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: 28 November 2012 09:07
To: Alexander Silveröhrt; freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

-X runs as a single thread

Is your perl multi-threaded? Does your PERL code deal with threads?


alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

* DISCLAIMER *

This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure and may include proprietary information. If 
you are not the intended recipient, please telephone or email the sender and 
delete this message and any attachment from your system. If you are not the 
intended recipient you must not copy this message or attachment or disclose the 
contents to any other person
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Same here doesn't even start without LD_PRELOAD.

-----Original Message-----
From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Johan Meiring
Sent: 28 November 2012 11:52
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

On 2012/11/28 11:50 AM, Phil Mayers wrote:
>> root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10
>
> Why are you fiddling with LD_PRELOAD?

On my debian boxes FR cannot run without preload.
There is something on the mailing list about it a while back.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



SV: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Hello,

Yes, running perl hooks with DBI,
but using both finish and disconnect properly.

Here are the versions for people asking for them.
Linux version 2.6.32-5-amd64 (Debian 2.6.32-45) (da...@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4)
freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
perl v5.10.1 (*) built for i486-linux-gnu-thread-multi

Alan, do you know how to supply gdb with the argument to run
LD_PRELOAD=/usr/lib/libperl.so.5.10 /usr/sbin/freeradius

Otherwise it will only fail to load the DBI.so

Best regards
Alex


-----Original Message-----
From: alan buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: 28 November 2012 10:46
To: Alexander Silveröhrt
Cc: freeradius-users@lists.freeradius.org
Subject: Re: SV: Freeradius several segfaults at heavy load and startup ?

Hi,

> And thanks for the reply. If you mean that my customhooks perl scripts for
> rlm_perl deals with any threads then no.

do you deal with all file handlers, database handlers etc in your code
cleanly... or do you just ditch them? the PERL module will be called at the
same time by many FR threads, so unless you make the script resident then
you're likely to be facing issues.

either way, at least follow docs/bugs and get the gdb output for when things go
wrong

alan



SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Alexander Silveröhrt
Versions:
Linux version 2.6.32-5-amd64 (Debian 2.6.32-45) (da...@debian.org) (gcc version 
4.3.5 (Debian 4.3.5-4)
freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 
14 2010 at 20:41:03
perl v5.10.1 (*) built for i486-linux-gnu-thread-multi
mysql Server version: 5.5.27-1~dotdeb.0-log (Debian)

And again, if not started with LD_PRELOAD then DBI will fail:
root@itop1-db1:~# freeradius
Can't load '/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so' for module DBI: 
/usr/local/lib/perl/5.10.1/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at 
/usr/lib/perl/5.10/DynaLoader.pm line 192.
 at /usr/local/lib/perl/5.10.1/DBI.pm line 266
BEGIN failed--compilation aborted at /usr/local/lib/perl/5.10.1/DBI.pm line 266.
Compilation failed in require at /etc/freeradius/customhook.pl line 10.

Just followed the solution from the mailing list and it worked to get DBI 
working.
http://lists.freeradius.org/pipermail/freeradius-users/2008-September/031333.html

best regards
Alex
-----Original Message-----
From:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On behalf of Phil Mayers
Sent: 28 November 2012 10:50
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius several segfaults at heavy load and startup ?

On 11/28/2012 04:28 AM, Alexander Silveröhrt wrote:
> Hello,
>
> Wondered if anyone have any idea about below. If started with flag -X
> everything starts up ok but without -X then it crashes with these
> messages in the log.(atleast most of the time if one is persistent then
> it may well start up properly sometimes without the -X flag) As soon as
> it starts ok then there seems to be no problem whatsoever.

Which version?

> It runs perfectly with the same config and perl hooks at a lab machine
> where there are no traffic. Searching through the web doesn't give much
> info?
>
>
> Any ideas would be appreciated.
>
> Thank you.
> Alex
>
> root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10

Why are you fiddling with LD_PRELOAD?

Presumably the perl module is the problem, but you shouldn't need to
PRELOAD anything (and in fact, shouldn't, as the ABI might have changed).


Freeradius several segfaults at heavy load and startup ?

2012-11-27 Thread Alexander Silveröhrt

Hello,

Wondered if anyone has any idea about the below. If started with flag -X
everything starts up ok, but without -X it crashes with these messages in
the log (at least most of the time; if one is persistent then it may well start
up properly sometimes without the -X flag). As soon as it starts ok then there
seems to be no problem whatsoever.

It runs perfectly with the same config and perl hooks on a lab machine where
there is no traffic. Searching through the web doesn't give much info?

Any ideas would be appreciated.

Thank you.
Alex


root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10 /usr/sbin/freeradius
root@itop0-db0:/scripts# ps -ef | grep freeradius
root     30086 29914  0 08:10 pts/1    00:00:00 grep freeradius
root@itop0-db0:/scripts# dmesg
.
..
...

[2233283.445884] freeradius[617]: segfault at 212 ip f72238d4 sp ffb85050 error 4 in rlm_perl-2.1.10.so[f7221000+5000]
[2233430.045210] freeradius[2673]: segfault at 212 ip f72328d4 sp 4e50 error 4 in rlm_perl-2.1.10.so[f723+5000]
[2233671.048040] freeradius[2730]: segfault at 212 ip f72928d4 sp fffe4370 error 4 in rlm_perl-2.1.10.so[f729+5000]
[2233840.528299] freeradius[2776]: segfault at 212 ip f72248d4 sp ffb06020 error 4 in rlm_perl-2.1.10.so[f7222000+5000]
[5223187.548213] freeradius[2380]: segfault at 1002 ip f71e88d4 sp ffe0dfc0 error 4 in rlm_perl-2.1.10.so[f71e6000+5000]
[5887868.065533] freeradius[31931]: segfault at 1002 ip f71bb8d4 sp ffb46d50 error 4 in rlm_perl-2.1.10.so[f71b9000+5000]
[5946015.698283] freeradius[1746]: segfault at 88 ip f6ed29d1 sp e2df5810 error 4 in libmysqlclient_r.so.16.0.0[f6e53000+1af000]
[5951643.541290] freeradius[11237]: segfault at 15 ip f76aac1a sp f56287a0 error 4 in libperl.so.5.10.1[f761+14a000]
[5951657.770507] freeradius[11386]: segfault at c ip f76d3a17 sp f66a98d0 error 4 in libperl.so.5.10.1[f768f000+14a000]
[6026380.012188] freeradius[11693]: segfault at 4 ip f6f1252e sp f0ff77d0 error 6 in libmysqlclient_r.so.16.0.0[f6e94000+1af000]
[6026442.934483] freeradius[5466]: segfault at 8 ip f767a611 sp f5e4c930 error 4 in libperl.so.5.10.1[f7633000+14a000]
[6026462.851031] freeradius[5547]: segfault at 8 ip f75ec611 sp f5dbe930 error 4 in libperl.so.5.10.1[f75a5000+14a000]
[6544711.773094] freeradius[29963]: segfault at 8 ip f7616611 sp f6e0e930 error 4 in libperl.so.5.10.1[f75cf000+14a000]
[6544722.667507] freeradius[29984]: segfault at 8 ip f75e1611 sp f4db1930 error 4 in libperl.so.5.10.1[f759a000+14a000]
[6544822.799431] freeradius[30080]: segfault at 8d160fc ip f76a81b1 sp f32fc540 error 4 in libperl.so.5.10.1[f75e6000+14a000]
[6544885.122348] freeradius[30118]: segfault at 8 ip f75f7611 sp f5dc9930 error 4 in libperl.so.5.10.1[f75b+14a000]
[6544895.128894] freeradius[30137]: segfault at 8 ip f76bc611 sp f6eb4930 error 4 in libperl.so.5.10.1[f7675000+14a000]
[6544905.352401] freeradius[30152]: segfault at 8 ip f766d611 sp f6640930 error 4 in libperl.so.5.10.1[f7626000+14a000]
[6544946.136776] freeradius[30196]: segfault at 8 ip f76a5611 sp f4e75930 error 4 in libperl.so.5.10.1[f765e000+14a000]
[6544966.088368] freeradius[30212]: segfault at c ip f764aa17 sp f66208d0 error 4 in libperl.so.5.10.1[f7606000+14a000]


Re: FreeRADIUS performance information (tuning, benchmark)

2012-07-24 Thread Alexander Gattin
On Tue, Jul 24, 2012 at 01:49:27PM +0100, Phil
Mayers wrote:
 On 24/07/12 13:26, Andrei Petru Mura wrote:
 radperf -s -f ../users.csv -p 800 -a pap 10.3.1.1 auth radiussomething
...
  0.1s : 3758
  s: 5897
  10s  : 344
...
 I would need a server able to manage a much
 greater amount of users (  5, up to
 100).

 The number of users isn't too important, I
 suspect.

Number of rows shouldn't matter much (O(log N))
for database. It may matter for radperf, but you
don't need to have _all_ of your users in
users.csv for this.

 Try this: convert your SQL users into a users
 text file, like so:

 username  Cleartext-Password := "password"

 ...and disable SQL, then re-run the test.

Exactly. I would have suggested to test without
SQL overhead myself. Then you can compare the
result to PostgreSQL (and probably, to other DBs,
like MySQL, Oracle/DB2, bdb/gdbm etc if you like).

-- 
With best regards,
xrgtn



Re: Reg: Different databases with single frerradius

2012-06-29 Thread Alexander Gattin
Hello,

On Fri, Jun 29, 2012 at 03:13:45PM +0700, Fajar A.
Nugraha wrote:
 or for different realms (e.g. all users @domain1
 will read data from db1, while all users @domain1
 will read data from db2).

most probably he'd like to differentiate them by
IMSI ranges.

P.S. I don't know how to do this or if this is
even possible.

-- 
With best regards,
xrgtn



Re: Reg: IMSI based authentication.

2012-06-26 Thread Alexander Gattin
Hello,

On Tue, Jun 26, 2012 at 08:39:39AM +0100, Malla
reddy Sama wrote:
 Now I want to do IMSI based authentication with
 radius. Please can anyone help me on how to do
 IMSI based authentication.

Just use IMSI (3GPP-IMSI? Calling-Station-Id?) as
User-Name, then insert an Auth-Type := Accept line
for that username into the radcheck table:

 insert into radcheck(username, attribute, op, value)
 values ('255019501234567', 'Auth-Type', ':=', 'Accept');

-- 
With best regards,
xrgtn



Building FreeRADIUS on HP-UX B.11.31 ia64 (gcc, 32bit)

2012-06-22 Thread Alexander Gattin
Hello,

There are 2 problems with the HP-UX build (I use GNU
gcc and native ld):

1. ld options '+b libdir' are passed without
   '-Wl,' prefix directly to gcc (not to ld):

 gcc -shared -Wl,+h -Wl,rlm_acctlog-2.1.12.so -Wl,+nodefaultrpath -o 
 .libs/rlm_acctlog-2.1.12.so  .libs/rlm_acctlog.o  +b 
 /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib
  
 /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs/libfreeradius-radius.so
  -lnsl -lrt -lpthread -lc
 gcc: +b: No such file or directory
 gcc: 
 /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib:
  No such file or directory
 make[6]: *** [rlm_acctlog.la] Error 1

   Probably, native ld is never invoked directly
   in FreeRADIUS build, so I've hacked ./configure
   script in this place:

   if test $with_gnu_ld = no; then
   hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
   hardcode_libdir_separator=:
 
   case $host_cpu in
   hppa*64*|ia64*)
 hardcode_libdir_flag_spec_ld='+b $libdir'
 hardcode_direct=no
 hardcode_shlibpath_var=no
 ;;
   *)
 hardcode_direct=yes
 export_dynamic_flag_spec='${wl}-E'
 
 # hardcode_minus_L: Not really in the search PATH,
 # but as the default location of the library.
 hardcode_minus_L=yes
 ;;
   esac
   fi

   I replaced hardcode_libdir_flag_spec_ld='+b $libdir'
   with hardcode_libdir_flag_spec_ld='${wl}+b ${wl}$libdir'
   (quick and dirty fix), and this allowed me to
   continue:

2. raddb/Makefile uses the one-argument form of
   'ln -s', which is not present on HP-UX:

 make[2]: Entering directory 
 `/comptel/ilink/src/freeradius-server-2.1.12/raddb'
 Usage: ln [-f] [-i] [-s] f1 f2
ln [-f] [-i] [-s] f1 ... fn d1
 make[2]: *** [all] Error 2
 make[2]: Leaving directory `/comptel/ilink/src/freeradius-server-2.1.12/raddb'

   I've fixed it this way:
   sed -i.orig 's/\(\ln -s [^ ]*\);/\1 .;/' raddb/Makefile

Regarding the 1st problem, I think the proper fix
should instead ensure that
hardcode_libdir_flag_spec is passed to gcc while
hardcode_libdir_flag_spec_ld is passed to native
ld only. These flags are not used in Makefiles,
rules.mak or Make.inc, they are defined and used
in ./configure - generated libtool script.

I'll see if I can make a proper fix there.

-- 
With best regards,
xrgtn



Re: Building FreeRADIUS on HP-UX B.11.31 ia64 (gcc, 32bit)

2012-06-22 Thread Alexander Gattin
Hello,

On Fri, Jun 22, 2012 at 12:16:00PM +0300,
Alexander Gattin wrote:
 1. ld options '+b libdir' are passed without
'-Wl,' prefix directly to gcc (not to ld):

gcc +b src/lib/.libs was in fact started by
./libtool:
  /comptel/ilink/src/freeradius-server-2.1.12/libtool --mode=link gcc 
  -release 2.1.12 \
  -module -export-dynamic   -o rlm_acctlog.la \
  -rpath /comptel/ilink/32/lib rlm_acctlog.lo 
  rlm_acctlog.c 
  /comptel/ilink/src/freeradius-server-2.1.12/src/lib/libfreeradius-radius.la 
   -lnsl -lrt  -lpthread
  gcc -shared -Wl,+h -Wl,rlm_acctlog-2.1.12.so -Wl,+nodefaultrpath -o 
  .libs/rlm_acctlog-2.1.12.so  .libs/rlm_acctlog.o  +b 
  /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib
   
  /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs/libfreeradius-radius.so
   -lnsl -lrt -lpthread -lc 
  gcc: +b: No such file or directory

I've made 2nd attempt at fixing the problem.

I think that having distinct
hardcode_libdir_flag_spec and
hardcode_libdir_flag_spec_ld sets of flags is
essential. You may want to link directly with
native HP-UX /usr/bin/ld, and then you should use
hardcode_libdir_flag_spec_ld, or you may want to
use gcc and pass +b option and its value from
gcc to linker using -Wl, prefixes.

With libtool you don't have and don't use distinct
c-link and native-link modes, though. libtool
is run with --mode=link and then it must decide
which type of linker arguments to use by itself.

My patch infers this (c-link vs native-link) by
looking at 1st non-option argument to the libtool
-- usually it's a command name, like cc, gcc
or ld.

The relevant part of libtool comes from ltmain.sh,
so I'm attaching a patch for ltmain.sh (after
applying the patch you'll need to re-run
./configure in order to produce new ./libtool).

P.S. I'm actually fixing a bug in ltmain.sh
v1.5.22, and I suspect that the
hardcode_libdir_flag_spec_ld problem is already
fixed in newer versions of ltmain.sh. 1.5.22 is
pretty old (2005/12/18).

-- 
With best regards,
xrgtn
--- ltmain.sh.orig	2011-09-30 17:12:07.0 +0300
+++ ltmain.sh	2012-06-22 13:14:17.0 +0300
@@ -3880,7 +3880,12 @@
 	 test -n $hardcode_libdirs; then
 	libdir=$hardcode_libdirs
 	if test -n $hardcode_libdir_flag_spec_ld; then
-	  eval dep_rpath=\$hardcode_libdir_flag_spec_ld\
+	  case $nonopt in
+	  *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
+		eval dep_rpath=\$hardcode_libdir_flag_spec\;;
+	  *)
+		eval dep_rpath=\$hardcode_libdir_flag_spec_ld\;;
+	  esac
 	else
 	  eval dep_rpath=\$hardcode_libdir_flag_spec\
 	fi
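Review bot: the compiler whitelist in the new `case $nonopt in` (`*cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*`) is a case-sensitive shell pattern list, so HP's own C++ driver `aCC`, and any driver not enumerated (`clang`, for one), falls through to the `*)` branch and receives the bare `+b $libdir` that is only meant for the native `ld`, which is the exact failure this patch is trying to avoid. Since `hardcode_libdir_flag_spec_ld` exists solely for the case where `ld` is invoked directly, it is more robust to invert the test, special-casing the linker (`ld | */ld | *-ld)` to use `hardcode_libdir_flag_spec_ld`) and letting every other command take `hardcode_libdir_flag_spec`, so the list never needs extending. A one-line comment above the `case` saying that `$nonopt` is the first non-option argument, normally the command name, would also help the next reader of ltmain.sh.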



Re: RADIUS + LDAP authentication problem

2012-04-25 Thread Alexander Kulbiy
Hello all,

Thanks for your fast answers.

Matthew, as I understood from link you've posted I have to use TTLS/GTC to
be able to use MD5 passwords. Can you help me understand how can I do that?
I've tried to reset all configuration to default as Alan suggested but I
still see that MSCHAPv2 auth fails.

I've posted full log of freeradius here: http://pastebin.com/ijf649gP

Thanks in advance,
Alexander

Re: RADIUS + LDAP authentication problem

2012-04-25 Thread Alexander Kulbiy
Hello Alan,

Finally I got it. I had to change client settings and now everything is
fine.

Thanks a lot,
Alexander

On Wed, Apr 25, 2012 at 3:45 PM, Alan DeKok al...@deployingradius.com wrote:

 Alexander Kulbiy wrote:
  Matthew, as I understood from link you've posted I have to use TTLS/GTC
  to be able to use MD5 passwords. Can you help me understand how can I do
  that?

   Edit the configuration on the client PC, to set TTLS/GTC.

  I've tried to reset all configuration to default as Alan suggested but I
  still see that MSCHAPv2 auth fails.

   Because you can't do MS-CHAP with MD5 passwords.

  Alan DeKok.

optimize sqlippool scheme

2012-01-12 Thread Alexander Kosykh
hi
Does anyone have a success story of optimizing the ippool SQL table to make it
work faster?
The default schema is very slow, and when you have about 25000 subscribers
it doesn't work.

I tried adding indexes to this table. It makes selects fast, but
updates slow.

[code]
CREATE TABLE `radippool` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`pool_name` varchar(30) NOT NULL,
`framedipaddress` varchar(15) NOT NULL DEFAULT '',
`nasipaddress` varchar(15) NOT NULL DEFAULT '',
`calledstationid` varchar(30) NOT NULL,
`callingstationid` varchar(30) NOT NULL,
`expiry_time` datetime DEFAULT NULL,
`username` varchar(64) NOT NULL DEFAULT '',
`pool_key` varchar(30) NOT NULL,
PRIMARY KEY (`id`),
KEY `allocate-find` (`pool_name`,`expiry_time`,`callingstationid`)
) ENGINE=MyISAM AUTO_INCREMENT=34817 DEFAULT CHARSET=utf8
[/code]

Next I tried to make the table from scratch. Here it is:

[code]
CREATE TABLE `radippool_new` (
`id` int(4) unsigned NOT NULL AUTO_INCREMENT,
`pool_name` tinyint(1) unsigned NOT NULL,
`framedipaddress` int(4) unsigned NOT NULL,
`nasipaddress` int(4) unsigned DEFAULT NULL,
`calledstationid` bigint(8) unsigned NOT NULL,
`callingstationid` bigint(8) unsigned NOT NULL,
`expiry_time` timestamp NULL DEFAULT NULL,
`username` varchar(64) NOT NULL,
`pool_key` int(5) unsigned NOT NULL DEFAULT '0',
PRIMARY KEY (`id`),
KEY `allocate-find` (`pool_name`,`expiry_time`,`callingstationid`) USING
BTREE
) ENGINE=InnoDB AUTO_INCREMENT=34817 DEFAULT CHARSET=utf8
ROW_FORMAT=COMPACT COMMENT='Ip pool for customers'

CREATE TABLE `radippool_names` (
`id` tinyint(1) unsigned NOT NULL AUTO_INCREMENT,
`pool_name` varchar(64) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=utf8
[/code]

It works two times faster than the default for update queries, but two
times slower for select queries.

Maybe someone has a good modification of the ippool table or other changes
to the default schema, and could share it?

Regards,
Alexander


Re: optimize sqlippool scheme

2012-01-12 Thread Alexander Kosykh
One more question.

Where can I get the nas-type value to use it in user authorization? RADIUS
takes it from the MySQL nasinfo table at startup. I take it from the DB every
time a subscriber tries to authorize.

Regards,
Alexander.


2012/1/12 Fajar A. Nugraha l...@fajar.net

 On Thu, Jan 12, 2012 at 6:36 PM, Alexander Kosykh avkos...@gmail.com
 wrote:
  hi
  Is anyone have a success story of optimizing ippool sql table to make it
  work faster?
  The default scheme is very slow, and then you have about 25000
 subscribers
  it's not work.
 

 I have over 1 million subscribers. Then again, I'm using mysql cluster :)

  I trying to add indexes to this table. It make fast selects, but slow
  updates.

 Duh! :D
 That's why having a dba is important. If you can't do it yourself,
 hire one. Or learn to be one. Depending on your deployment scale, the
 cost is justifiable. Seriously.

 
  [code]
  CREATE TABLE `radippool` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `pool_name` varchar(30) NOT NULL,
  `framedipaddress` varchar(15) NOT NULL DEFAULT '',
  `nasipaddress` varchar(15) NOT NULL DEFAULT '',
  `calledstationid` varchar(30) NOT NULL,
  `callingstationid` varchar(30) NOT NULL,
  `expiry_time` datetime DEFAULT NULL,
  `username` varchar(64) NOT NULL DEFAULT '',
  `pool_key` varchar(30) NOT NULL,
  PRIMARY KEY (`id`),
  KEY `allocate-find` (`pool_name`,`expiry_time`,`callingstationid`)
  ) ENGINE=MyISAM AUTO_INCREMENT=34817 DEFAULT CHARSET=utf8
  [/code]

 You really shouldn't use myisam for heavy-write tables.

  Maybe some one have a good modification of ippool table or another
 changes
  of default scheme, and could share it?

 It's kinda complicated. I've been meaning to submit a patch, but it's
 just not that easy.

 For starters, about mysql storage engines:
 - myisam - good for majority of reads, terrible for writes. Plus it
 lacks transactional support, which usually means that with the default
 setup you can either hand out duplicate IPs to clients, or be stuck with
 slow table locks.
 - innodb - somewhat balanced for both read-write, and has
 transactional support, but mostly disk-bound, especially if you
 enforce consistency by flushing to disk on every transaction.
 - memory - good-enough for writes (i.e. not disk-bound, obviously),
 but still suffers from table locks
 - NDB (i.e. mysql cluster) - good for lots of parallel writes,
 usually not disk-bound

 Now performance-wise using NDB or memory would be best, but it won't
 be the best choice for common mysql setups. You MIGHT be able to gain
 some improvements by using innodb (without changing anything else).
 Maybe.

 Then there's the problem with queries. The default sqlippool query
 would basically lock the table during IP assignment (due to SELECT ...
 FOR UPDATE). I opted to change the query to NOT use table locks (using
 randomization instead), at the expense of possible duplicate ip
 assignment. In my case when a client gets duplicate IP, the NAS will
 reject the user, so the user will dial again, and (hopefully) get a
 unique free ip address this time. It's an acceptable workaround for
 me, but it won't be implementable in normal setups. Add to that the
 fact that I had to implement it using stored procedures, and you can
 see how it gets pretty complicated.

 So in short, for now:
 - revert your changes
 - try changing the engine to innodb
 - if it's still too slow, hire a dba, and/or be prepared to implement
 mysql cluster (or something like clustrix)

 --
 Fajar


Re: optimize sqlippool scheme

2012-01-12 Thread Alexander Kosykh
I have an interim accounting value of 10 minutes and the IP lease time is 30 minutes.


2012/1/12 Phil Mayers p.may...@imperial.ac.uk

 On 01/12/2012 11:59 AM, Fajar A. Nugraha wrote:

  That's why having a dba is important. If you can't do it yourself,
 hire one. Or learn to be one. Depending on your deployment scale, the
 cost is justifiable. Seriously.


 Agreed, this is the key. SQL optimisation is a specialist task, and if you
 lack the specialist skills, you need to acquire them.

 However, I'm quite surprised that you're having problems with 25k
 subscribers; that's not a large table.

 What is the query rate? Do you have very low interim accounting values
 perhaps, meaning you're extending the IP lease times too frequently?



 So in short, for now:
 - revert your changes
 - try changing the engine to innodb
 - if it's still too slow, hire a dba, and/or be prepared to implement
 mysql cluster (or something like clustrix)


 - use postgres

 ;o)

 In all seriousness, It's worth noting that postgres does have the
 advantage that select ... for update uses row-level locking, not table
 level. So, you can allocate IPs without fear of duplication,
 transactionally.



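Pulling the advice in this thread together (InnoDB instead of MyISAM, an index shaped for the allocation lookup rather than for the columns that are rewritten on every allocation, and allocation done inside a transaction with SELECT ... FOR UPDATE), here is an added example in MySQL SQL. It is neither the poster's schema nor the queries FreeRADIUS ships: the pool name main_pool, the addresses, the NAS and the subscriber are constructed sample data, and the SELECT/UPDATE pair stands in for the allocate-find/allocate-update queries that sqlippool runs.

```sql
-- Added example, not the poster's schema and not the queries FreeRADIUS ships:
-- the radippool table rebuilt on InnoDB, with the index shaped for the
-- allocation lookup, plus one allocation carried out as a transaction.
-- Pool, NAS and subscriber values below are constructed sample data.

CREATE TABLE radippool (
  id               INT UNSIGNED NOT NULL AUTO_INCREMENT,
  pool_name        VARCHAR(30)  NOT NULL,
  framedipaddress  VARCHAR(15)  NOT NULL DEFAULT '',
  nasipaddress     VARCHAR(15)  NOT NULL DEFAULT '',
  calledstationid  VARCHAR(30)  NOT NULL,
  callingstationid VARCHAR(30)  NOT NULL,
  expiry_time      DATETIME     DEFAULT NULL,
  username         VARCHAR(64)  NOT NULL DEFAULT '',
  pool_key         VARCHAR(30)  NOT NULL,
  PRIMARY KEY (id),
  -- the same address must never be listed twice in one pool
  UNIQUE KEY pool_addr (pool_name, framedipaddress),
  -- the allocation query filters on pool_name and expiry_time and orders by
  -- expiry_time, so this index serves both the WHERE and the ORDER BY.
  -- callingstationid is deliberately left out: it is rewritten on every
  -- allocation and would only make the index churn, which is the slow-update
  -- effect seen in the original three-column index.
  KEY allocate_find (pool_name, expiry_time)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Seed a small pool: expiry_time NULL means "never handed out".
INSERT INTO radippool (pool_name, framedipaddress, calledstationid, callingstationid, pool_key)
VALUES ('main_pool', '10.10.0.5', '', '', ''),
       ('main_pool', '10.10.0.6', '', '', '');

-- One allocation.  FOR UPDATE inside a transaction makes InnoDB hold a lock on
-- the candidate row until COMMIT, so a concurrent allocator for the same pool
-- waits instead of being handed the same address.  MyISAM has no transactions,
-- which is how the duplicate assignments mentioned in the thread arise.
START TRANSACTION;

SELECT framedipaddress
  FROM radippool
 WHERE pool_name = 'main_pool'
   AND (expiry_time IS NULL OR expiry_time < NOW())
 ORDER BY expiry_time
 LIMIT 1
 FOR UPDATE;
-- on the fresh pool above this returns 10.10.0.5 (NULL sorts first)

UPDATE radippool
   SET nasipaddress     = '192.0.2.1',
       pool_key         = '1',
       callingstationid = '00-11-22-33-44-55',
       username         = 'alice',
       expiry_time      = NOW() + INTERVAL 30 MINUTE
 WHERE pool_name = 'main_pool' AND framedipaddress = '10.10.0.5';

COMMIT;

-- Renewal on interim accounting touches only the row the session already
-- owns, so it does not contend with allocations for the pool.
UPDATE radippool
   SET expiry_time = NOW() + INTERVAL 30 MINUTE
 WHERE pool_name = 'main_pool' AND framedipaddress = '10.10.0.5'
   AND username = 'alice';
```

Two caveats when measuring this. At InnoDB's default REPEATABLE READ isolation, an ORDER BY ... LIMIT 1 ... FOR UPDATE can take next-key locks over the index range it scans, so two allocators on the same pool serialise on the range rather than on one row; that is safe (no duplicates) but it is not the row-level independence Phil describes for PostgreSQL. And the renewal rate is set by the interim-accounting interval, so with a 10-minute interim and 30-minute lease every live session costs three index-free UPDATEs per lease, which is why the expiry column belongs in the index only once.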

Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Hi

I'm using Simultaneous-Use := 1 and sql for the check on my FreeRADIUS server.
When the RADIUS server finds that the customer is already connected it rejects
the customer with Reply-Message := "\r\nYou are already logged in - access
denied\r\n\n". Is there a way not to reject the customer, so that the
customer can connect and be redirected to an error page?

Regards,
Alexander.


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
The question is not how to make a captive portal on my NAS; the question is
how not to reject a customer who has reached the max value of Simultaneous-Use.

Regards,
Alexander.

2011/12/20 Alan DeKok al...@deployingradius.com

 Alexander Kosykh wrote:
  I'm using Simultaneous-use := 1 and sql for check on my Freeradius
  server. When the radius found that customer connected already it reject
  customer with Reply-Message := \r\nYou are already logged in - access
  denied\r\n\n. Is the way do not reject customer to be able connect
  customer and redirect them to Error page?

   See the documentation for your NAS or captive portal.  This isn't an
 issue for RADIUS.

  Alan DeKok.


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
I tried to do this in my config

session {
#	radutmp

	#
	# See "Simultaneous Use Checking Queries" in sql.conf
	sql
	if (Post-Auth-Type == reject) {
		ok
		block_auth_error	# my own policy
	}
}

but the RADIUS answer is reject regardless and the PPPoE session didn't come up



2011/12/21 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Hi,
 The question is not how to make captive portal on my NAS, the
 question is
 how do not reject customer, who reached max value of simultaneous-use?

 if you don't care about them reaching that value, then why are you
 checking?

 but if you really do want to redirect them to an error page - then you
 need to
 read/check how to do that with your NAS (as Alan said, read your NAS
 documentation)
 and instead of the current Simultaneous-Use result, put your own result in
 (whatever
 RADIUS attributes/values you need to set for your user to get redirected
 to some error
 page, however that is done by your NAS)

 alan


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Hi.

I know how to do everything you wrote above. I need to know how to accept
the customer when sim-use has rejected him.

Regards,
Alexander.


2011/12/21 Fajar A. Nugraha l...@fajar.net

 On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha l...@fajar.net wrote:
  On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh avkos...@gmail.com
 wrote:

  I tried to do this in my config

  but radius answer is reject whatever and pppoe didn't up

 You know what, since you say it's pppoe, I can share a setup on my
 environment that might be adaptable for you.

 The situation:
 - pppoe
 - IP address is (normally) allocated by nas, dynamically, using public
 IP address
 - AAA using freeradius

 The problem:
 - we want disabled users to still be able to login, but they'd be
 placed on a special network where they'd only be able to access an
 info page (or, in your terms, error page)

 The solution:
 - setup a private IP pool on the NAS (e.g. 10.x.x.x)
 - put disabled users in a special group (e.g. disabled-users)
 - setup sqlippool for that IP address pool (e.g. disabled-users-pool)
 - setup a special DNS server (any authoritative DNS server supporting
 wildcard will do) that will resolve all DNS record to a special web
 server.
 - setup routing on the NAS so that the private IP pool can access the
 DNS server and the web server, but it can't access public IP address
 - add radgroupcheck entry for that group which points to the pool
 (e.g. Pool-Name := disabled-users-pool)
 - add radgroupreply entry which will tell users to use the special DNS
 server (e.g MS-Primary-DNS-Server := 10.0.0.10)

 That way, when a user in disabled-users group logs in, he'd get a
 private IP address, and whatever address he typed in browser will
 bring him to the info page.

 You might be able to adapt it to your needs by adding Pool-Name and
 MS-Primary-DNS-Server attribute dynamically using unlang, based on an
 sql query which checks whether a user is already logged in or not.
 Somewhat complicated, but should work.

 If you're still having trouble understanding the example, better ask
 an expert to help you.

 --
 Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
How do I do checkrad if I disable everything in the session section? Acct-Stop
packets are sometimes lost and sql thinks the customer is online when he
isn't.

Regards,
Alexander.


2011/12/21 Fajar A. Nugraha l...@fajar.net

 On Wed, Dec 21, 2011 at 12:56 PM, Alexander Kosykh avkos...@gmail.com
 wrote:
  Hi.
 
  I know how to do everything you wrote above.

 Are you sure?

  I need to know how to accept
  customer, when sim-use rejected him.

 Cause if you do, you wouldn't ask that.

 Easiest way: simply remove sql (or radutmp, depends on what you
 use) from session section. Then simultaneous-use check will be
 disabled (e.g. user will be accepted no matter whether they're already
 logged in or not).

 You will still be able to examine user status and limit using unlang
 from %{control:Simultanenous-Use} (which gets its value from
 radcheck/radgroupcheck) and %{sql:
 whatever-you-find-as-simul_count_query-on-sql/mysql/dialup.conf}.
 Using those two values you add reply items (either vlan assignment,
 IP/DNS assignment, and so on).

 --
 Fajar

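Fajar's suggestion in the message above, written out as an added unlang example; this is not configuration from the list or from FreeRADIUS itself. It assumes the sql module and sqlippool are configured, that a pool named walled-garden-pool exists whose addresses can only reach an info page, and that 10.0.0.10 is the DNS server that steers every name to that page (the names and address are assumptions); the count query is this example's stand-in for simul_count_query and counts radacct rows that have not yet seen an Acct-Stop.

```unlang
# Added example; not the project's own configuration.  Assumes the sql module
# is configured and that sqlippool has a pool called "walled-garden-pool"
# whose addresses can only reach an info page.
authorize {
	preprocess
	sql			# loads radcheck/radgroupcheck items into control:

	# Only users that actually have a limit configured are considered.
	if (control:Simultaneous-Use) {
		# Same thing the stock simul_count_query counts: sessions with no
		# Acct-Stop recorded.  It is only as accurate as the accounting
		# stream: a lost Acct-Stop keeps a user "online" until the row is
		# cleaned up, which is the checkrad problem raised in this thread.
		update request {
			Tmp-Integer-0 := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}"
		}

		# Over the limit: accept, but hand out an address from the
		# walled-garden pool and point the client at the redirecting DNS,
		# instead of the Access-Reject the session section would send.
		if (Tmp-Integer-0 >= "%{control:Simultaneous-Use}") {
			update control {
				Pool-Name := "walled-garden-pool"
			}
			update reply {
				MS-Primary-DNS-Server := 10.0.0.10
				Reply-Message := "You are already logged in; this session is restricted"
			}
		}
	}
	pap
}

session {
	# sql (and radutmp) are intentionally absent: listing them here is what
	# turns Simultaneous-Use into a reject.
}

post-auth {
	sqlippool		# allocates from control:Pool-Name
}
```

Users under the limit keep whatever Pool-Name their radcheck/radgroupcheck items set, so only the second session is affected. Because the decision is made in authorize, before authentication, the count query runs for every request from a limited user; on a busy server the cost is one extra SELECT per authentication, which is the same query the session section would have issued.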

Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Do you have some examples which work fast enough to handle 10 AAA/second and
check sim-use without the FreeRADIUS standard methods?

Regards,
Alexander.



2011/12/21 Fajar A. Nugraha l...@fajar.net

 I believe I responded to a similar question yesterday (search the list
 archive). You just have to deal with it. Design your system with the
 full knowledge that SOME accounting packets will be lost



Re: Workload in freeradius? platform

2011-10-14 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 If you keep this up, I'll unsubscribe nabble.com, too.  Very little 
 of anything worthwhile comes from there.
 
 Really though. The majority of the posts from nabble are just idiotic. 
 There's something about actually taking the time to subscribe to the 
 mailing list which seems to filter out a lot of the time wasters.
 
GMANE is what I use, so do not think about nuking that.  If you just 
move this to USENET, that probably will fix a huge chunk of the noise 
problem and then you also can use killfiles...*hint* :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Take your Senator to lunch this week.



Re: Fast session resumption memory leak?

2011-10-13 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 We recently upgraded to 2.1.12 and I have at the same time enabled SSL 
 fast session resumption; in the last 6 days, FreeRADIUS on the server 
 that is currently handling most of our auth has consumed 27% of the RAM.
 
 Is anyone else running fast session resumption and seeing these 
 symptoms, or not?
 
 well, due to the way the log files and logrotate clash, our servers 
 have a daily restart right now so this masks any such issue so 
 can't say :-|
 
I probably asked this already but why not syslog-ng and mmdd.log as 
an output?

Cheers

-- 
Alexander Clouter
.sigmonster says: Postage will be paid by addressee.



Re: Mac access mixed ldap access same NAS

2011-10-06 Thread Alexander Clouter
Alejandro Gandara agand...@optaresolutions.com wrote:
 
 does someone know if it's possible to mix MAC auth with LDAP auth on the 
 same NAS?

Depends on the NAS:

http://www.digriz.org.uk/lanwarden

Cisco support MAC-auth and *fallback* to 802.1X; for this to work 
reliably you must attempt MAC-auth first, and if that fails force the 
client to do 802.1X...otherwise you run into a nightmare of race 
conditions.

For us, we do both our MAC-auth and 802.1X authentications and 
authorizations with LDAP so yes...it does work, rather well too.

If people keep poking me, I'll put up more documentation...

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having fun HITCHHIKING to CINCINNATI or FAR ROCKAWAY!!



Re: avoiding ldap access in authorize

2011-09-30 Thread Alexander Clouter
Fred fred.mai...@gmail.com wrote:

 If I want to test those values, I used to do something like:
 if ( Ldap-Group == AdminRW ) { do something }
 
 This makes a new ldap access to be done by the server for an array
 attribute which has already been retrieved by server.
 Is there any other way to check those (already retrieved values)
 without making a new ldap call because of Ldap-Group == xxx
 conditional ?

You might be able to make use of either foreach:

http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

...or without patching, %{radiusGroupName[*]}:

http://freeradius.1045715.n5.nabble.com/foreach-attribute-array-td2787874.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Guillotine, n.:
A French chopping center.



Re: FreeRADIUS Beginner's Guide

2011-09-29 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:
 
 The content is generally rather good, and aside from a few typos, the 
 book is let down only on some relatively *minor* points:

 [snipped]

 * unfortunately short EAP section, ignoring session resumption and why 
particular EAP methods meet particular needs
 * EAP tests done with JRadius and not eapol_test

Okay, I had only gotten to page 200 of 300, a smidgen before the EAP 
section.  The details regarding the particulars of the EAP methods are 
covered (although session resumption unfortunately is not) and a 
footnote exists for eapol_test...but I do think a configuration example 
for eapol_test is far better (especially as it is just wpasupplicant 
along with all its documentation; trivial to then use the same config 
in wpasupplicant).

One thing that is a shame is the EAP/(T)TLS/PEAP bits make no mention of 
certificate *subject* validation...only CA pinning which is a shame.  
One without the other is generally pointless, you might as well not 
bother at all :(

 The price is reasonable, and if you are a complete newbie, it will get 
 you on your feet.  The book definitely does what it says on the tin and 
 I would give it a 7 out of 10...

I'll bump it up to an 8, as the proxying section is rather nice and 
clear... :)
 
Cheers

-- 
Alexander Clouter
.sigmonster says: buzzword, n:
The fly in the ointment of computer literacy.



Re: rlm_perl

2011-09-29 Thread Alexander Clouter
Alex rsm alex-...@hotmail.com wrote:
 
 And added the following in src/modules/rlm_perl/example.pl
 
 sub authorize {
print "This is a TEST\n";
 .
 }

 However, When I send a simple test request I don't see my debug line. 
 I also don't see the message perl loaded when start Freeradius in 
 debug mode (radiusd -X).
 
I am pretty sure stdout is not plumbed up for rlm_perl, and neither is 
stderr so you will not see anything.

Of course reading the documentation brings enlightenment in the form of 
'radiusd::radlog(1, ...);'... :-/

Searching for 'debug' on the wiki page says many useful things:

http://wiki.freeradius.org/Rlm_perl

...and even less surprisingly it's the same as what's in 
src/modules/rlm_perl/example.pl.

*sigh*

Cheers

-- 
Alexander Clouter
.sigmonster says: Mongoose knghtbrd: and the meek shall inherit k-mart



Re: FreeRADIUS Beginner's Guide

2011-09-28 Thread Alexander Clouter
Ian Pilcher arequip...@gmail.com wrote:

 I'm a complete newbie to RADIUS, looking to make use of the features of
 my new smart switches and wireless access point to secure my home
 network, so the title certainly sounds right.
 
 Has anyone had a look at this book yet?  If so, what are your thoughts?
 
I am currently reviewing it and hopefully in the next few days will put 
up my thoughts on it:

http://www.digriz.org.uk/review-book-freeradius-beginners-guide

The author (Dirk van der Walt) lurks on this mailing list.

The content is generally rather good, and aside from a few typos, the 
book is let down only on some relatively *minor* points:
 * use of vendor specifics (Mikrotik/Coova focus), this is 
probably related to the author's day job :)
 * unfortunately short EAP section, ignoring session resumption and why 
particular EAP methods meet particular needs
 * EAP tests done with JRadius and not eapol_test
 * rlm_filter coverage is a bit short (less than one page)
 * debugging/diagnosis is covered *far* too late in the book and then 
generally not at all.  Missing are hints on how to make your 
life easier as a sysadmin (liberal use of screen+tee, rlm_detail 
and it would not have gone amiss a network monitoring probe 
thing)

All trivially fixed in a revision two if such a thing comes about.  
Arguably though, and no doubt quite rightly, my points above probably 
would be better addressed by a FreeRADIUS *reference* book rather than a 
beginner's guide...so I probably am being mean :)

The price is reasonable, and if you are a complete newbie, it will get 
you on your feet.  The book definitely does what it says on the tin and 
I would give it a 7 out of 10...

Cheers

-- 
Alexander Clouter
.amongst says: Dibble's First Law of Sociology:
Some do, some don't.



Re: MySQL and FreeRADIUS environment.

2011-09-27 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 Master/slave, or replication and remote accounting, if you want one 
 true source let radius deal with the sql rather than trying anything 
 with sql. Final advice would be to use postgresql rather than mysql, 
 our performance increase was a magnitude better when we ditched mysql
 
Our experience has been that using MySQL pretty much guarantees you 
*will* be burnt...especially with the replication.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having a MID-WEEK CRISIS!



Re: Need a little regex help

2011-09-17 Thread Alexander Clouter
Commonn Systems ad...@commonn.com wrote:

 I guess all the regex gurus will laugh at my request 
 
Only if you had not figured it out ;)

 I figured it out, for others, looks like this works: .*:SSID_ABC !
 
Typically regex is complicated to newcomers as there are three 
(important) types (online documentation typically does not differentiate 
between what is being documented):
 * basic (obsolete)
 * extended (POSIX.2)
 * perl

The first two are handled by 'man 7 regex' whilst the last is 'man 
perlre'.  Sadly, for now, FreeRADIUS only supports the first two, but 
you would have to be crazy to use just basic regex.

Cheers

-- 
Alexander Clouter
.sigmonster says: Tact, n.:
The unsaid part of what you're thinking.



Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Priming up my end for a burn in...
 
24 hours later, still churning happily.  Running 2.1.12 (bfe2c025).

Cheers

-- 
Alexander Clouter
.sigmonster says: The only constant is change.



Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Please let me know if there are any problems.  If not, this can become 
 2.1.12.
 
Something handy to add if it is not too late.

We suffered a power failure today which caused our 802.1X/MAC-auth 
clients to surge their accounting traffic.  All due to the following in 
post-auth:

# defaults
update reply {
	[snipped]

	Acct-Interim-Interval := 3600
}


Would be handy to change Acct-Interim-Interval to something like:

update reply {
	# %{expr:...} and %{rand:...} are both provided by rlm_expr
	Acct-Interim-Interval := "%{expr:3000 + %{rand:1200}}"
}


This would give me Acct-Interim-Interval set to 1hr+-10mins.

As it is set now, I just got 1MB of journal recorded to file accounting 
data landing on my systems :)

Cheers

-- 
Alexander Clouter
.sigmonster says: The chief cause of problems is solutions.
-- Eric Sevareid

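The "surge" the post above describes is a thundering-herd problem: every client re-authenticates after the power cut and then all of them send Interim-Updates at exactly the same second. The simulation below is an added example (not code from the list or from FreeRADIUS) comparing the two Acct-Interim-Interval choices; fixed_interval() is the current 3600 s and jittered_interval() is the proposed 3000 + %{rand:1200}, which is assumed here to yield a value in 0..1199. The peak per-second packet count is what the accounting backend has to absorb.

```python
import random
from collections import Counter


def fixed_interval(_rng):
    # Every client gets the same Acct-Interim-Interval (seconds).
    return 3600


def jittered_interval(rng):
    # The post's proposal: 3000 + %{rand:1200}; %{rand:N} is assumed
    # here to return a uniform integer in 0..N-1.
    return 3000 + rng.randrange(1200)


def simulate(n_clients, horizon, interval_fn, seed=0):
    """Per-second count of Interim-Update packets hitting the server.

    All clients (re)authenticate at t=0, as after a site-wide power
    failure, each receives an Acct-Interim-Interval from interval_fn
    and then sends an update every interval seconds until horizon.
    Returns a Counter mapping second -> number of packets.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    load = Counter()
    for _ in range(n_clients):
        interval = interval_fn(rng)
        t = interval
        while t < horizon:
            load[t] += 1
            t += interval
    return load


def peak(load):
    """Largest number of packets that land in any single second."""
    return max(load.values()) if load else 0


if __name__ == "__main__":
    # Constructed scenario: 1000 supplicants, two hours of accounting.
    for name, fn in (("fixed 3600", fixed_interval),
                     ("3000 + rand(1200)", jittered_interval)):
        load = simulate(1000, 7200, fn)
        print(f"{name:20s} peak/s={peak(load):5d} busy seconds={len(load)}")
```

With the fixed interval the whole population lands in one second; the jittered interval spreads the same number of packets over roughly twenty minutes, and, because each client draws a new value at every re-authentication, the population keeps drifting apart rather than re-synchronising.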


Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the 
 foreach unlang construct or perl.

Last time I checked[1] it seemed trivial to backport to 2.1.x.

Cheers

[1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

-- 
Alexander Clouter
.sigmonster says: An algorithm must be seen to be believed.
-- D. E. Knuth



Re: Pre release of 2.1.12

2011-09-01 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
Priming up my end for a burn in...

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.



Re: Authentication probation for VLAN

2011-08-26 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
  * Tunnel-Private-Group-Id:0 = "5"*
 
 string != integer
 
 Tunnel-Private-Group-Id is a string.
 
 Eww gross. Ok I thought unlang did the conversions automagically 
 But obviously not
 
Apparently it does work, the OP seems to neglected to mention that one 
chunk of the debug was for the outer layer, the other the inner auth :-/

Cheers

-- 
Alexander Clouter
.sigmonster says: Misfortunes arrive on wings and leave on foot.



Re: Authentication probation for VLAN

2011-08-25 Thread Alexander Clouter
joao...@gmail.com joao...@gmail.com wrote:
 
 This model is functional; however, it has a problem (very serious): RADIUS does
 not know from which SSID the client is trying to authenticate, or whether it
 decides on the basis solely of the Realm authentication of the client. I need
 to make RADIUS check the VLAN that is associated with the request for
 user authentication. Checking through the RADIUS debug, an Access-Request
 packet has the following information:
 
 ...
 rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184
 	User-Name = "joao@fpti"
 	Calling-Station-Id = "68-a3-c4-85-c5-89"
 	Called-Station-Id = "00-26-cb-94-65-60:FPTI"
 	NAS-Port = 29
 	NAS-IP-Address = 192.168.254.48
 	NAS-Identifier = "WLC-PTI"
 	Airespace-Wlan-Id = 1
 	Service-Type = Framed-User
 	Framed-MTU = 1300
 	NAS-Port-Type = Wireless-802.11
 	Tunnel-Type:0 = VLAN
 	Tunnel-Medium-Type:0 = IEEE-802
 	* Tunnel-Private-Group-Id:0 = "5"*

string != integer

Tunnel-Private-Group-Id is a string.

I have to do a similar thing to map a silly attribute coughed up by 
Cisco's useless WLC:
# policy.conf
rewrite.quirk.wlc {
	if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
		switch "%{Airespace-Wlan-Id}" {
			case 1 {
				update request {
					NAS-Port-Id := "eduroam"
				}
			}
			case 5 {
				update request {
					NAS-Port-Id := "UTILICOM"
				}
			}
			case 6 {
				update request {
					NAS-Port-Id := "BTOpenzone"
				}
			}
			case 7 {
				update request {
					NAS-Port-Id := "soas-wpa-psk"
				}
			}
			case {
				update request {
					NAS-Port-Id := "UNKNOWN"
				}
			}
		}
	}

	...
}


You should use (I am almost certain you should not be looking at tagged 
attributes, so drop the ':0' too):

if (Tunnel-Private-Group-Id == "5") {	# <-- notice the ""
	[stuff]
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Do not apply to broken skin.



Re: Realm parsing and \r = =0D

2011-08-24 Thread Alexander Clouter
	}) {
		update reply {
			Reply-Message := "Realm Blackholed"
		}
		reject
	}

	# [snipped local MAC-Auth hooks]

	# workaround crappy load-balancing
	if (Realm == "DEFAULT") {
		update control {
			Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}"
		}
		handled
	}

	Autz-Type Status-Server {
		ok
	}
}

post-auth {
	Post-Auth-Type Reject {
		redundant {
			sql.dot1x
			ok
		}

		attr_filter.access_reject

		eap-has-no-reply-message

#		detail
	}

	# defaults
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
		Tunnel-Private-Group-Id := "unauthorised"

		Termination-Action := RADIUS-Request
		Session-Timeout := 300

		Acct-Interim-Interval := 3600
	}

	if ((EAP-Message) && !(Ldap-UserDn)) {
		cache_ldap-userdn
	}

	if (Realm == "DEFAULT") {
		update reply {
			Tunnel-Private-Group-Id := "eduroam"
		}
	}
	# to be removed once we register personal workstations
	elsif (Realm == "%{config:local.MY.realm}") {
		update reply {
			Tunnel-Private-Group-Id := "users-unmanaged"
		}
	}

	if (reply:Tunnel-Private-Group-Id != "unauthorised") {
		update reply {
			# Cisco only support a max of 65535
			Session-Timeout := 64800
		}
	}

	redundant {
		sql.dot1x
		ok
	}

	attr_filter.soas-auth

	eap-has-no-reply-message
}


If enough people pester me I might get around to 'generalising' this.  
There is already some effort in this space, Arran 
Cudbard-Bell(@freeradius.net) used to work in Academentia over in 
Rightpondia and put together a slightly different approach (without a 
focus around proxy.conf that I use, it's pretty much what the rest of 
the .ac.uk sector use I think, I of course have to be different):

http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf

FreeRADIUS v2.0.2 Implementation to support eduroam at the University 
of Sussex.

It's all good stuff though.  Pick the approach that makes the most sense 
to you and more naturally fits your needs.  I like priming FreeRADIUS 
with the realm-proxy mapping and leaving it to its devices, others 
prefer to explicitly use unlang in authorize{}.

Do contact me off list if you want some help and think this could be 
getting off topic; although there are a *lot* of eduroam'ers here on the 
list.

Cheers

-- 
Alexander Clouter
.sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?



Re: Want to silently discard the request if authentication module as?web?service client connecting to the web service server is down.

2011-08-10 Thread Alexander Clouter
Ankur G anku...@globallogic.com wrote:
 
 We have a little different scenario. We have two different instances of web
 server connecting to two different Radius server such that if one of the
 radius server not able to connect the webserver, radius client can fail over 
 to
 another radius server which has a different web-server connecting. Find
 below is the scenario:
 
  /--W1--\  --  /--- R1 ---\
 --- C
  /--W2--\  --  /--- R2 ---\
 
Why can't R1 talk to W1 *and* W2?  Your module should be able to try 
using both surely (if W1 fails, it should try W2)?

I suspect it would be a strange network failure if W1 and W2 are 
unreachable to R1 but R2 could still speak to W2 (misconfiguration 
rather than node/router failure)?

Well, you should still use FAIL in your module rather than REJECT if 
something internal to the module has failed.  Combine this with what 
Alan already has pointed you to, do_not_respond in policy.conf, and you 
should be able to get to where you want to be.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you sow your wild oats, hope for a crop failure.



Re: SSH to use CHAP

2011-08-10 Thread Alexander Clouter
chesschi chess...@gmail.com wrote:
 
 I try to authenticate ssh users via PAM using FreeRadius. Is it 
 possible to use CHAP for the authentication between radius server and 
 radius client?
 
 SSH client - SSH server - PAM - Radius Client - CHAP- Radius Server

As far as I am aware, this cannot be done; unless you can find a PAM 
RADIUS plugin that supports CHAP.
 
You should use SSH public keys.  If you want that centrally managed have 
a look at putting your users SSH keys into LDAP:

http://freshmeat.net/projects/lpkfuse

Cheers

-- 
Alexander Clouter
.sigmonster says: List at least two alternate dates.



Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-09 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
  3) How much/what options do I need to configure in the ldap module 
 config? I've configured server, basedn, filter, groupname_attribute, 
 groupmembership_filter and groupmembership_attribute, but all I get 
 is Operations error.  If I add identity and secret, I get a 
 Referral failure. I've also tried the chase_referrals and rebind 
 options, both with and without
  the identity/secret optinos, but they don't seem to change anything.
 
 What does the following give you from the command line:
 
  ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username
 
 
 Operations error (1)
 Additional information: : LdapErr: DSID-0C090627, comment: In order
 to perform this operation a successful bind must be completed on the
 connection., data 0, vece
 
 However, if I take out the -x, I got an error saying my Kerberos ticket
 had expired.  I did a kdestroy and kinit again, with the -x, it still gave
 the error above.  Without the -x, I get what looks like a listing of all
 the account attributes.  However, at the bottom, it says:
 
 # search reference
 ref:
 ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
  =name
 
 # search result
 search: 5
 result: 0 Success
 
 # numResponses: 3
 # numEntries: 1
 # numReferences: 1
 
 So something still isn't right.
 
To use kerberos with ldapsearch you need to be looking at the SASL 
options in the manpage; probably just -Q would be needed.

  Until you can get 'ldapsearch' to work, you are unlikely to get
  FreeRADIUS to work.  From the debug output and your description, it
  sounds more like a "how you are using LDAP" rather than "how FreeRADIUS
  is using LDAP" problem.
  
  If you can get ldapsearch to display the attributes you are after, then
  you can start to tinker with FreeRADIUS.
 
 Yeah, I kinda figured it was a "I'm not sure how to configure LDAP properly
 to talk to my AD" problem.  Thanks for the assistance.  I'll have a play around with
 ldapsearch for a while and see if I can't figure this out.

Found some useful bits at (eugh, Gentoo):

http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP#OpenLDAP_configuration_files

 And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can
 connect to the same host, bind using the same credentials, use the same
 basedn and search using the same filter, and I get results.  So I'm not sure
 what I'm doing wrong.

It might be worth putting wireshark on the windows workstation running 
ldp.exe if you get desperate.  It might give you some hints.
 
(although I see you have already figured things out in your next posting)

 OT and perhaps reply off list, but I'm curious why you say e to 
 PHP, and what you would use instead?

Flamebait!  I nearly fell for it. :)

You have permission to Google-stalk me if you really want to know
what I use.

Cheers

-- 
Alexander Clouter
.sigmonster says: What soon grows old?  Gratitude.
-- Aristotle



Re: Want to silently discard the request if authentication module as web?service client connecting to the web service server is down.

2011-08-09 Thread Alexander Clouter
Ankur G anku...@globallogic.com wrote:
 
 But If the exposed web-service is down, Radius server simply reject the
 authentication request with the response message as Access_Rejected.

 We want Radius server instead of rejecting, simply discard the
 authentication request which will allow the RADIUS *client* to failover to
 another RADIUS server.

...surely the other RADIUS server the client has listed will also be 
unable to process the request as the web service is down?

If you have multiple web-service instances about, then your 
perl/python/exec code should failover to using other instances.

I find it hard to see how this situation would help you in practice (W - web, 
R - RADIUS server, C - RADIUS client), as surely if R1 is unable to 
talk to W, having C fail over to R2 is not going to help?

  /--- R1 ---\
 W ------ C
  \--- R2 ---/
 
If you have W1 and W2, then R1 and R2 should be able to talk to both.

 So while going through the FreeRadius configuration i came across the section
 in sites-avaliable/default file under post-auth section which state that
 Access-Reject packets are sent through the REJECT sub-section of the
 post-auth section. and is as follow:
 
 Post-Auth-Type REJECT {
 # log failed authentications in SQL, too.
 #sql
attr_filter.access_reject
 }
 
 If you think this is the right approach, could you please provide me the 
 sample
 code using which if i could check for the rlm status code and could silently
 discard the responses other than the RLM_MODULE_OK and
 RLM_MODULE_REJECTED.
 
http://wiki.freeradius.org/Modules2#Module+Return+Codes

RLM_MODULE_FAIL looks like a better option to use, although it will not 
give you what you want; but it would enable you to use unlang to perform 
other tasks.

Cheers

-- 
Alexander Clouter
.sigmonster says: You fill a much-needed gap.



Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-09 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
 So I've gone back to FR's LDAP module and thought I'd give ldap_debug a 
 try, 
 despite the warning.  Surprisingly, it spit out one extra line in my debug:
 
 rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter 
 (sAMAccountName=username)
 Unable to chase referral ldap://my.domain.name/dc=my,dc=domain,dc=name; (-1: 
 Can't contact LDAP server)
 rlm_ldap: ldap_search() failed: Referral
 
 If I copy and paste that url ldap://my.domain.name/dc=my,dc=domain,dc=name; 
 into my Windows box, it opens LDAP Browser and connects just fine to my 
 domain, so I assume the syntax of that is right.  And if I use just 
 my.domain.name in ldapsearch as the host, it works there as well.  Any idea 
 why this wouldn't work?
 
Looks like[2] if you do not make an anonymous bind to AD your problems 
might go away, or alternatively change your base to be not the root of 
your directory.

 Out of curiousity, do I need to configure OpenLDAP on the server at all?  Or 
 does this module's conf take care of that for me, for this purpose?
 
No need in theory, I personally do just to fix up certificate 
validation[1] when using ldapsearch and whatnot though.

Cheers

[1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt
[2] 
http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.html 
and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad

-- 
Alexander Clouter
.sigmonster says: You are magnetic in your bearing.



Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-08 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
 Oh goodie, I'm getting somewhere.  :-)

...except on the top posting front <email-nazi/>. ;P
 
 1) So, I don't need to uncomment ldap in the authenticate section, as it's 
 not going to do the password validation, right?

Sounds right.
 
 2) Do I just configure the module, put ldap in the authorize section of 
 sites-enables/default, and put Ldap-Group in the check-items?
 
Indeed.

 3) How much/what options do I need to configure in the ldap module config? 
 I've configured server, basedn, filter, groupname_attribute, 
 groupmembership_filter and groupmembership_attribute, but all I get is 
 Operations error.  If I add identity and secret, I get a Referral 
 failure. 
 I've also tried the chase_referrals and rebind options, both with and without 
 the identity/secret optinos, but they don't seem to change anything.
 
What does the following give you from the command line:

ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username


Until you can get 'ldapsearch' to work, you are unlikely to get 
FreeRADIUS to work.  From the debug output and your description, it 
sounds more like a "how you are using LDAP" rather than "how FreeRADIUS 
is using LDAP" problem.

If you can get ldapsearch to display the attributes you are after, then 
you can start to tinker with FreeRADIUS.

 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
   ldap {
 	server = "mygc.my.domain.name"
 	port = 389
 	password = ""
 	identity = ""
 	net_timeout = 1
 	timeout = 4
 	timelimit = 3
 	tls_mode = no
 	start_tls = no
 	tls_require_cert = "allow" <-- remember to make this 'require'
    tls {
 	start_tls = no
 	require_cert = "allow" <-- remember to make this 'require'
    }
 	basedn = "dc=my,dc=domain,dc=name"
 	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
 	base_filter = "(objectclass=radiusprofile)"
 	auto_header = no
 	access_attr_used_for_allow = yes
 	chase_referrals = yes
 	rebind = yes
 	groupname_attribute = "cn"
 	groupmembership_filter = "(&(objectClass=group)(member=%Ldap-UserDn}))"
 	groupmembership_attribute = "memberOf"
 	dictionary_mapping = "/etc/raddb/ldap.attrmap"
 	ldap_debug = 0
 	ldap_connections_number = 5
 	compare_check_items = no
 	do_xlat = yes
 	set_auth_type = no
   }

 [snipped]

 rlm_ldap: Entering ldap_groupcmp()
 [files] expand: dc=my,dc=domain,dc=name -> dc=my,dc=domain,dc=name
 [files] expand: %{Stripped-User-Name} ->
 [files] expand: %{User-Name} -> username
 [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to mygc.my.domain.name:389, authentication 0
 rlm_ldap: bind as / to mygc.my.domain.name:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter 
 (sAMAccountName=username)
 rlm_ldap: ldap_search() failed: Operations error
 rlm_ldap::ldap_groupcmp: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0

If you have the stomach, a quick Google search takes you to the PHP 
website[1] (e) but there is a posting that you should find useful.  
Looks like with Win2k3 you must have referral following turned off and 
you cannot search the *whole* base of your directory, you can only 
search a sub-branch.  I suspect the fix is nothing more than setting 
'basedn' to ou=lusers,dc=my,dc=domain,dc=name.

Cheers

[1] http://www.php.net/manual/en/function.ldap-search.php#45388

-- 
Alexander Clouter
.sigmonster says: Without fools there would be no wisdom.



Re: Freeradius closes

2011-08-08 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 The radiusd keeps closing and i have to restart it.  I am running 2.1.11
 on this server but i have recently upgraded to this and it was happening
 before.

 The program uses up all the memory on the computer which is 4GB and I
 have enclosed a picture of this.  I can send what ever config files you
 need to help me discover this problem.  We are using a MySql database to
 keep track of customer accounts and usage.
 
  Try the v2.1.x branch from http://git.freeradius.org
 
  That will become 2.1.12 soon.
 
Well...been running v2.1.x (8e71524f) for a while now and not seen any 
problems.

I was running 2.1.11 on the other node and that still died with "unable 
to insert event", interestingly again just after a Status-Server message 
was received.  RAM, CPU, IO usage at the time and for the whole time 
since FreeRADIUS was started was all normal (from my torrus[1] graphs).

Will keep you posted if anything crops up...touch wood it seems okay.

Cheers

[1] http://torrus.org/ is amazing, especially combined with snmpd on 
hosts too

-- 
Alexander Clouter
.sigmonster says: HOST SYSTEM RESPONDING, PROBABLY UP...



Re: Cleanup Stale Sessions - needed?

2011-08-08 Thread Alexander Clouter
Paolo Di Francesco paolo.difrance...@level7.it wrote:

 we searched before asking, but we did not find any reference. If you
 have references of previous conversations, please send me the pointers
 privately.
 
http://lmgtfy.com/?q=site%3Ahttp%3A%2F%2Flists.cistron.nl%2Fpipermail%2Ffreeradius-users%2F+sql+session+clean

Cheers

-- 
Alexander Clouter
.sigmonster says: Got a dictionary?  I want to know the meaning of life.



Re: Freeradius closes

2011-08-08 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
 
 [1] http://torrus.org/ is amazing, especially combined with snmpd on 
   hosts too
 
 It looks very nice.
 
The nice bit is that it is trivial to configure.  All you do is load up 
a command with the IP addresses you want to poke along with the SNMP 
communities and you quickly have five-minutely graphs for *every* port 
on your network; and various servers with SNMPd running.

Simples

-- 
Alexander Clouter
.sigmonster says: Apathy is not the problem, it's the solution



Re: Using multiple authentication modules.

2011-08-04 Thread Alexander Clouter
Mrinal K sinha.mri...@gmail.com wrote:
 
 I am trying to authenticate users using client certificates and when 
 that is verified I intend to use perl module for checking other 
 attributes and verify that from database. Till now I was trying to 
 configure freeradius to do EAP-TLS and then execute the perl 
 module (rlm_perl). Both of them work perfectly fine independently but I 
 do not know if we can put them together. I believe I can do something 
 similar (checking certificate using EAP and then execute a script) 
 using exec-program-wait but, considering its deprecation and per 
 thread overhead, would like the rlm_perl.
 
Without including your FreeRADIUS configuration there is very little 
anyone here can do to help you other than ask have you just tried using 
both modules?

authorize {
  ...

  eap

  perl

  ...
}

authenticate {
  eap
  perl
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Yow!  Is my fallout shelter termite proof?



Re: num_answers_to_alive

2011-08-04 Thread Alexander Clouter
Stefan Winter stefan.win...@restena.lu wrote:
 
 The documentation says that 3..10 are *useful* ranges, but doesn't
 mention that everything else is forbidden. In particular, I would like
 to use 1, not 3. The idea is: the server was dead before, but now it
 managed to send a reply back - so it must have been fixed. I would like
 to mark it alive immediately. Is that unreasonable?

Similar to 'link flapping' (think OSPF/BGP), you should use heuristics 
as things are not just black and white.  If a service simply had two 
states, "up" and "down", then that probably would be okay, but we also 
have 'unstable'.  Imagine this state coming from:
 * overloaded RADIUS server (or backend DB)
 * link congestion between RADIUS servers

Having a value of three says not just "alive" but also "alive and has 
been for a while"; this could be further interpreted that the service is 
stable as well as alive.  If the system briefly came back and died then 
on attempt two or three you would have likely seen a failure.

Hope I am explaining myself well :)

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #256:
  You need to install an RTFM interface.

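The 'link flapping' argument above, as an added Python model: this is my own simplification, not FreeRADIUS's actual home_server state machine (which also has a zombie period and per-request timers that are ignored here). A dead server is probed with Status-Server once a second and is trusted again only after num_answers_to_alive consecutive replies; a missed reply resets the streak, and an alive server that stops answering goes back to dead. The same flaky reply pattern is run through thresholds of 1 and 3 and the dead->alive transitions are counted.

```python
from dataclasses import dataclass, field


@dataclass
class HomeServerMonitor:
    """Simplified dead->alive promotion for one proxied home server.

    num_answers_to_alive is the proxy.conf knob being discussed: how many
    consecutive Status-Server replies a dead server must produce before it
    is put back into rotation.  (Model only; not the real FreeRADIUS code.)
    """
    num_answers_to_alive: int
    state: str = "dead"
    answers: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, replied, t):
        """Feed one probe result (True = reply seen, False = timeout)."""
        if replied:
            self.answers += 1
            if self.state == "dead" and self.answers >= self.num_answers_to_alive:
                self.state = "alive"
                self.transitions.append((t, "alive"))
        else:
            # One miss breaks the streak; an alive server that stops
            # answering is demoted again, which is the flap we want to avoid.
            self.answers = 0
            if self.state == "alive":
                self.state = "dead"
                self.transitions.append((t, "dead"))
        return self.state


# Constructed probe history: an overloaded backend answers sporadically
# (True, False, True, False, ...) before it genuinely recovers.
FLAKY_PATTERN = [True, False, True, False, True, True, True, True]


def run(pattern, num_answers_to_alive):
    """Replay a probe history; return the monitor with its transition log."""
    mon = HomeServerMonitor(num_answers_to_alive)
    for t, replied in enumerate(pattern):
        mon.observe(replied, t)
    return mon


def count_promotions(pattern, num_answers_to_alive):
    """How many times the server was declared alive during the replay."""
    mon = run(pattern, num_answers_to_alive)
    return sum(1 for _, s in mon.transitions if s == "alive")


if __name__ == "__main__":
    for n in (1, 3):
        mon = run(FLAKY_PATTERN, n)
        print(f"num_answers_to_alive={n}: promotions="
              f"{count_promotions(FLAKY_PATTERN, n)} log={mon.transitions}")
```

With a threshold of 1 the first stray reply puts the server back into rotation, it is immediately demoted again on the next timeout, and real requests get proxied into the gap each time; with a threshold of 3 the two sporadic replies are ignored and the server is promoted exactly once, after it has actually recovered.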


Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:
 
 I am though currently trying to pin down a bug where FreeRADIUS just 
 closes it's-self down for no reason at all.  I have run tcpdump during 
 the clean shutdown, and see it is not malformed traffic causing the 
 problem, RAM usage is normal, open FD's is sane, etc etc.  Caught the 
 event many times with gdb, but it's not a SIG, just a regular exit().
 
 Currently now running FreeRADIUS in production with -X to see if there 
 is anything in the full debug logs...
 
Caught it!

[snipped]
rlm_sql (sql.dot1x): Reserving sql socket id: 1
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql.dot1x): Released sql socket id: 1
++[sql.dot1x] returns ok
++? if (invalid)
? Evaluating (invalid) -> FALSE
++? if (invalid) -> FALSE
++? if (failed)
? Evaluating (failed) -> TRUE
++? if (failed) -> TRUE
++- entering if (failed) {...}
+++? if (Acct-Status-Type == Stop && (!(Acct-Session-Time) || Acct-Session-Time == 0) && Packet-Transmit-Counter  5)
? Evaluating (Acct-Status-Type == Stop ) -> FALSE
??? Skipping (Acct-Session-Time)
?? Skipping (Acct-Session-Time == 0)
? Skipping (Packet-Transmit-Counter  5)
+++? if (Acct-Status-Type == Stop && (!(Acct-Session-Time) || Acct-Session-Time == 0) && Packet-Transmit-Counter  5) -> FALSE
++- if (failed) returns ok
} # server dot1x.decoupled-accounting
Finished request 10642.
Cleaning up request 10642 ID 25817 with timestamp +5748
Going to the next request
Detail listener /var/log/freeradius/radacct/journal/dot1x/detail.acct.* 
state replied signalled 0 waiting 0.214551 sec
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
[event.c:3002] Failed to insert event


There seem to be a bunch of malloc()'s where it could fail lurking 
behind INSERT_EVENT().  I am pretty sure that the system is not running 
out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to 
track this over time.

Any ideas?

Cheers

-- 
Alexander Clouter
.sigmonster says: The faster we go, the rounder we get.
-- The Grateful Dead



Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Fajar A. Nugraha l...@fajar.net wrote:
 On Thu, Jul 28, 2011 at 4:42 PM, Alexander Clouter a...@digriz.org.uk wrote:
 rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, 
 length=38
 [event.c:3002] Failed to insert event
 

 There seem to be a bunch of malloc()'s where it could fail lurking
 behind INSERT_EVENT().  I am pretty sure that the system is not running
 out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to
 track this over time.

 Any ideas?
 
 What happens when you send Status-Server packet manually (see man
 radclient for example)? Does the failure happen?
 
Status-Server is sent from localhost once a second as part of the 
failover system I use:

http://www.digriz.org.uk/ha-ospf-anycast

The script used is:

http://www.digriz.org.uk/ha-ospf-anycast?action=AttachFile&do=get&target=radius-probe

I do not think it is related to it as sometimes days can pass between 
the daemon exiting and on this occasion it was only an hour or two.  If 
it was related to the cumulative number of requests being processed, I 
would expect a roughly regular 'death' interval.

I do not think it is load related either as we have had the system die 
at all hours of the day.

Cheers

-- 
Alexander Clouter
.sigmonster says: Unix soit qui mal y pense
[Unix to him who evil thinks?]



Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
 Alexander Clouter wrote:

 rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, 
 length=38
 [event.c:3002] Failed to insert event
 
  Ouch.

Indeed.  It did only start to happen once I upgraded to 2.1.11 from 
2.1.10.  Of course I was originally plagued by the OP's problem of the 
memory leak when using git v2.1.x between these releases; which might 
have hidden this particular problem.
 
Before 2.1.11, FreeRADIUS ran fine for weeks.

 There seem to be a bunch of malloc()'s where it could fail lurking 
 behind INSERT_EVENT().  I am pretty sure that the system is not running 
 out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to 
 track this over time.
 
 Any ideas?
 
  Hmm... 512MB isn't a lot for a modern system.  And on Linux, malloc()
 never fails.
 
...plenty though.  Over nearly 12 hours of use, RAM usage for 
FreeRADIUS is still at 15MB for one of my nodes and the other is 17MB.  
Linux is using the 280MB for filesystem cache and still has 180MB free!

 The other alternative is some kind of internal API problem.  But those 
 should all be fixed in git head.
 
If you think there is something relevant in v2.1.x since 2.1.11 then 
I'll give it a go sooner rather than later.

Can you think of something that might not be system RAM related but 
maybe caused by another possible RAM limit, heap, stack whatever it is 
(not quite my forte)?

Cheers

-- 
Alexander Clouter
.sigmonster says: Money may buy friendship but money cannot buy love.



Re: LDAP Groups and Dynamic VLAN assignment

2011-07-27 Thread Alexander Clouter
stich86 stic...@gmail.com wrote:
 
 there is a possibility to get Tunnel-Private-Group-ID and others from the
 LDAP groups and not users file?
 
 i've read many times docs/rlm_ldap but can't get out of this problem :(

Next time, try the freeradius-users@ archive too (true of *any* mailing 
list)?
 
 Is it possible to do this configuration in conjunction with redundant ldap
 configuration??
 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71133.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Is there life before breakfast?



Re: Freeradius closes

2011-07-27 Thread Alexander Clouter
john j...@rcsaccess.net wrote:
 
 The radiusd keeps closing and i have to restart it.  I am running 
 2.1.11 on this server but i have recently upgraded to this and it was 
 happening before.

 The program uses up all the memory on the computer which is 4GB and I 
 have enclosed a picture of this.  I can send what ever config files 
 you need to help me discover this problem.  We are using a MySql 
 database to keep track of customer accounts and usage.
 
IIRC the fix you need is:

https://github.com/alandekok/freeradius-server/commit/731e733b

I recommend, if possible, to just use the v2.1.x tree which is 'stable' 
just not a marked official release.

http://git.freeradius.org/

I am though currently trying to pin down a bug where FreeRADIUS just 
closes itself down for no reason at all.  I have run tcpdump during 
the clean shutdown, and see it is not malformed traffic causing the 
problem, RAM usage is normal, open FD's is sane, etc etc.  Caught the 
event many times with gdb, but it's not a SIG, just a regular exit().

Currently now running FreeRADIUS in production with -X to see if there 
is anything in the full debug logs...

Just a warning, but I would imagine there would be other grumblings on 
the list (or I have missed them and it's already fixed...).

Cheers

-- 
Alexander Clouter
.sigmonster says: I can't stand squealers; hit that guy.
-- Albert Anastasia



Re: TTLS use_tunneled_reply and Mac OSX

2011-07-20 Thread Alexander Clouter
Scott Armitage s.p.armit...@lboro.ac.uk wrote:
 
 I have noticed that when authenticating using TTLS/MSCHAPv2 that the 
 outer-identity is used in the RADIUS reply packet even if the 
 use_tunneled_reply is set to yes for TTLS in eap.conf
 
 Does anyone know the reason for this?
 
TLS session resumption?  Also TTLS/MSCHAPv2 is possibly for you actually 
TTLS/EAP-MSCHAPv2 which means you get in effect an inner-inner tunnel if 
I remember correctly.

Have a nosey at:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71026.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Rubber bands have snappy endings!



Re: General wiki rules

2011-07-15 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 There is no better alternative. You need to indent code blocks for 
 them to be easily legible, as it breaks them out of the normal flow of 
 the document.

I think that's Phil's point.  The code he is cutting and pasting in is 
no doubt already indented.  However, what it probably has is either:
 * no initial indentation (start tab or space)
 * that indentation probably is a tab rather than <space><space>

I love dokuwiki for documentation, but it is a right ballache to find 
that when you cut and paste in your configuration snippet I *then* have 
to go through <space><space><home><down-cursor><goto 10> before it is 
usable.

Sure it seems not a biggy, but it is a right turnoff and makes us all 
less inclined to put in the effort.

 If it's going to be a huge issue I could probably add something to 
 gollum which converts <pre> tags into the appropriate white space 
 scheme before committing the text to the repository. Would you still 
 have an issue with this?
 
That would be pretty schweet.  I would not 'pre-process' the text, I 
would make sure those <pre>/{{{/whatever remains intact so you do not 
suffer indentation pain when editing existing content.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having a MID-WEEK CRISIS!



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 In our situation the user is bound to a VLAN, so on every workstation 
 in the building the user authenticates and the switchport becomes a 
 member of the correct VLAN.

I *strongly* recommend not mixing host and user authentication, it's 
just too much of a brain expletive.  What happens on a computer you 
can SSH, terminal services into...user or host authentication?  Sure you 
can generalise, but you might as well just ignore the problem 
altogether.  Another example, user A walks in and authenticates 
themselves to the network and goes into VLAN x, that user then goes to 
lunch and evil user B starts to use the machine...

Obviously we all have our own policies and needs, but I recommend you 
push the 'user authentication' (authorisation too) into a higher level 
such as the application/server and not try to do it at the network 
layer.

This does not mean you cannot use user authentication to bootstrap host 
authentication.  For example our mindset here at work is that the user 
is stating "I am responsible for this MAC address during this 
session"...they might also be authorised to register that workstation 
into a particular VLAN to create some workstation credentials.  
'un-registered' (user bootstrapped) workstations go into VLAN 
'users-unmanaged' whilst our equipment goes into 'users-staff'.

Hope that makes sense...? :)
 
 Correct me if I'm wrong but then we have to administer a separate 
 database for hosts ( and in our case users ) Now we have 2 auth-types 
 en autz-type's.
 
 1 connects with cn=x,dc=example,dc=com (VLANid x)
 1 connects with cn=y,dc=example,dc=com (VLANid y)
 
 Depending on the realm the user indicates when logging in 
 (user@realm), authenticates and puts the Tunnel-Private-Group-Id in 
 the reply with the correct VLAN id.
 
Well, you could just have users members of network groups instead (do 
*not* repurpose an existing group).  I would suggest, if you have the 
time, create an enrollment page.  Unknown MAC addresses (even with a 
valid *user* 802.1X session) are redirected to a webpage to register the 
machine into a network (typically only one, maybe your helpdesk members 
would be permitted to register the equipment into a number of groups).  
This does not mean that you use MAC-auth for that machine, but the 
enrollment session could generate workstation credentials (EAP-TLS) to 
use or you could still enforce that user 802.1X credentials (not 
necessarily the original registrant's one) need to be used to gain 
access.

This means you can permit users to register up to five devices for 
example.

 The problem: When using 'Login Window' based 802.1x.
 So when user puts in it's user/pass at the login window, it does it's 802.1x 
 magic.
 
 But with user@realm, LDAP doesn't understand this of course, so the 
 @realm needs to be stripped when authenicating to LDAP.
 
 So:
 
 user@realm --- radius reads the realm, strips the @realm so LDAP 
 understands, makes it's auth/autz-type.
 
 I hope you catch my drift. :)
 
This is covered in the FreeRADIUS documentation (and numerous 'eduroam' 
examples, it looks like you are aiming for this type of thing).  
'suffix' is what you want in your authorize section, you then pass to 
the ldap module 'Stripped-User-Name'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Massachusetts has the best politicians money can buy.



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 'un-registered' (user bootstrapped) workstations go into VLAN 
 'users-unmanaged' whilst our equipment goes into 'users-staff'.
 Hope that makes sense...? :)
 
 Do you mean: unauthorized, user be put in default (jailed) vlan?
 
I work for a university so we have a lot of equipment that we do not 
maintain but is owned by the students/staff that needs to connect.  So, 
we have three main workstation VLANs:
 * unauthorised
 * users-unmanaged
 * users-staff

Unknown MAC addresses go into 'unauthorised' which is a sandpit network 
which does nothing more than redirect the web browser to our 
'unauthorised workstation' webpage[1].  There they are permitted to get 
to a few websites (microsoft.com, etc) and to the instructions/tools 
they need to configure their computer for 802.1X.

When they are 802.1Xing, they get put into 'users-unmanaged' which gives 
them all the access they could want, and that I am willing to give them.  
One day, when I find the time, I will have a 'pre-registration' VLAN (or 
more likely dual-purpose 'unauthorised') for unrecognised MAC addresses 
that have gotten past 'unauthorised' by doing 802.1X with some user 
credentials.

'users-staff' is currently MAC-auth workstations that we maintain, the 
helpdesk would not love me if I forced them to configure each 
workstation for 802.1X (we are condemned with Novell and not AD...but 
apparently not for much longer).  :)

One day, to get into 'users-staff', you will need to do EAP-TLS, but for 
now it is just MAC-auth.

There is no different level of access between 'users-staff' and 
'users-unmanaged' here, we just wanted to keep equipment that we 
maintain and equipment we do not in different subnets.  Mainly to keep 
the subnets small :)

Cheers

[1] 
http://www.soas.ac.uk/itsupport/personal-equipment/unauthorised-workstation.html

-- 
Alexander Clouter
.sigmonster says: Where do you think you're going today?



Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, ?more?broadly, setting Stripped-User-Name)

2011-07-15 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:

Unfortunately, when you set nostrip in the config, it doesn't add a
Stripped-User-Name attribute to the request, but when you unset it,
rlm_realms adds a Stripped-User-Name attribute and also updates the
User-Name attribute to the same value.  

 I am 90% sure that's not what rlm_realm does. We use unlang to process 
 realms now, but I am certain we used it with nostrip and it left the 
 original User-Name intact and populated Stripped-User-Name.

You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and 
making its way out into outer.reply.  When you use 'User-Name' in 
post-auth{} you will get reply:User-Name rather than request:User-Name 
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 I accomplished to strip the username, it authenticates successfully against 
 LDAP.
 But eventually it fails on EAP I think, because the username isn't the 
 original from the request.
 
 [snipped]
users: Matched entry DEFAULT at line 7
  modcall[authorize]: module files returns ok for request 3

What does this do?

You must not change User-Name at all...I suspect somewhere in your 
configuration you are doing so to try to fix another problem.  If you 
want the User-Name to be realmless then use Stripped-User-Name or use 
unlang to populate something like Tmp-String-0.

 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for userA
 radius_xlat:  '(uid=userA)'
 radius_xlat:  'ou=y,ou=people,dc=example,dc=com'

What are you xlat'ing?  Can we see your configuration?  Are you using 
ldap xlat to set User-Name?  If so, don't!

Cheers

-- 
Alexander Clouter
.sigmonster says: fortune: not found



Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name

2011-07-14 Thread Alexander Clouter
In article 795d5ee4-7536-431e-926a-98e70efa1...@vt.edu you wrote:

 So, one of my last things here is making sure I can get at the
 stripped usernames for my domain users, as they're authorized by their
 stripped name, not the name w/ which they're authenticating.  Forex,
 if I'm using my AD credentials to log in, User-Name = hokies\dawson,
 but I'm authorized for WLAN access as 'dawson,' not 'hokies\dawson.'

Although to prevent down the road severe levels of pain when enabling
eduroam you should be using something like 'daw...@hokies.vt.edu', could
you not just use 'ntdomain' (a built in module that will do this for
you)?  'ntdomain' should create Realm and Stripped-User-Name in the
manner you want.

 That's all well and good, as I should just be able to use
 Stripped-User-Name in my queries and it'll be fine (assuming it
 exists, using the :- operator and doing a little logic there, which I
 have working fine).  However, I haven't found a way, or maybe just the
 right way, to get the realms module to create that stripped user name
 at the right time, and when I use the perl module to create it and add
 it to the list, it doesn't seem to come out the other side, like so:

 [snipped]

 I _tried_ getting this working in unlang, but that got mess pretty
 fast, and started complaining about unmatched parens:

I was going to ask why you were not doing the perl stuff in unlang. :)

 (1)? elsif (%{User-Name} =~ /^(.*\\)(.*)$/)
 (1) expand: %{User-Name} - hokies\dawson
 ERROR: Failed compiling regular expression: Unmatched ( or \(
 (1)   - if (%{User-Name} !~ /^.*\/.*$/) returns updated

 where the relevant part of sites-enabled/default authorize section 
looks thus:

 elsif(%{User-Name} =~ /^(.*\\)(.*)$/){
   update request{
 Stripped-User-Name := %{$`}
   }
 }

$' and $` are perlisms.  You want something like (look at policy.conf
rewrite.calling_station_id and rewrite.called_station_id as an example):

if (User-Name =~ /^([^\\]*\\)?(.*)$/) {
  # group 1 is the optional "DOMAIN\" prefix, group 2 the bare user name
  update request {
    Stripped-User-Name := "%{2}"
  }
}


Untested, but hopefully you get the idea.  :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Sauron is alive in Argentina!

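As an added illustration (not code from any of the list posts), the realm splitting that the 'ntdomain' and 'suffix' instances of rlm_realm perform, written out in Python so the two user-name shapes discussed in this and the earlier "vlan ldap radiusd" reply ("DOMAIN\user" and "user@realm") can be checked on sample names. The sample user names are constructed; the function names are this example's own.

```python
import re

# Added example: realm splitting as rlm_realm's "ntdomain" and "suffix"
# instances do it.  Sample names below are constructed for the example.

# Optional "DOMAIN\" prefix in group 1, bare user name in group 2.
NTDOMAIN_RE = re.compile(r"^([^\\]*\\)?(.*)$")
# "user@realm": the last "@" separates the name from the realm.
SUFFIX_RE = re.compile(r"^(.*)@([^@]+)$")


def split_ntdomain(user_name):
    """(Stripped-User-Name, Realm) for DOMAIN\\user names; Realm is None if absent."""
    m = NTDOMAIN_RE.match(user_name)
    prefix, stripped = m.group(1), m.group(2)
    realm = prefix[:-1] if prefix else None   # drop the trailing backslash
    return stripped, realm


def split_suffix(user_name):
    """(Stripped-User-Name, Realm) for user@realm names; Realm is None if absent."""
    m = SUFFIX_RE.match(user_name)
    if m is None:
        return user_name, None
    return m.group(1), m.group(2)


def split_realm(user_name):
    """Try the ntdomain form first, then the suffix form, the way an
    authorize section listing 'ntdomain' before 'suffix' would."""
    stripped, realm = split_ntdomain(user_name)
    if realm is None:
        stripped, realm = split_suffix(user_name)
    return stripped, realm


def has_realm(user_name):
    """True when a realm could be extracted.  A realm-less name in the
    inner tunnel is the case the follow-up reply says should be rejected."""
    return split_realm(user_name)[1] is not None


def perl_prematch(user_name):
    r"""What Perl's $` would hold for the poster's /^(.*\\)(.*)$/: the text
    before the match, which is always empty for a regex anchored at ^.
    That is why %{$`} could never have yielded the bare user name."""
    m = re.match(r"^(.*\\)(.*)$", user_name)
    return None if m is None else user_name[:m.start()]
```

The regex in split_ntdomain leaves a name without a backslash untouched, so the same rule can run unconditionally ahead of a suffix rule, which is the ordering rlm_realm's examples use.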


Re: vlan ldap radiusd

2011-07-14 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 I'm working on a proof-of-concept for 802.1x and dynamic vlan's on 
 switches.
 
 All this works perfectly with user@realm, but now I want to read the 
 vlan ID from a ldap attribute and then send the radius request with 
 that value in Tunnel-Private-Group-ID.

Reading an attribute for this is arguably silly in the context of LDAP. 
Better to test for a group membership otherwise you might as well shovel 
everything in a relational database like SQL.

For us we create host LDAP objects, and then those objects are members 
of a LDAP group which has details regarding the VLAN in it (and 
subnetting, etc etc).

I am slowly cobbling bits together on my website[1].  My post-auth looks 
like:

post-auth {
    # defaults: anything not explicitly assigned below lands in 'unauthorised'
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "unauthorised"

        Termination-Action := RADIUS-Request
        Session-Timeout := 300

        Acct-Interim-Interval := 3600
    }

    if ((EAP-Message) && !(Ldap-UserDn)) {
        cache_ldap-userdn
    }

    lanwarden_vlan
    if (!(control:Tunnel-Private-Group-Id) || control:Tunnel-Private-Group-Id == "") {
        if (Realm == "DEFAULT") {
            update reply {
                Tunnel-Private-Group-Id := "eduroam"
            }
        }
        # to be removed once we register personal workstations
        elsif (Realm == "%{config:local.MY.realm}") {
            update reply {
                Tunnel-Private-Group-Id := "users-unmanaged"
            }
        }
    }
    else {
        update reply {
            Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
        }
    }
    if (reply:Tunnel-Private-Group-Id != "unauthorised") {
        update reply {
            # Cisco only support a max of 65535
            Session-Timeout := 64800
        }
    }
}


'cache_ldap-userdn' you can find in the archives and the reasoning for 
it, meanwhile lanwarden_vlan lurks in policy.conf and looks like:

lanwarden_vlan {
    if ((control:Ldap-UserDn)) {
        # spread lookups across the two LDAP servers: hash the client secret,
        # the MAC address and the current time, then pick on the last hex digit
        if ("%{md5:%{client:secret}%{Calling-Station-Id}%l}" =~ /[0-7]$/) {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            # empty answer: try the other server
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
        else {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
    }
}


It looks horrible as xlat does *not* support failover. :(

Cheers

[1] http://www.digriz.org.uk/lanwarden

-- 
Alexander Clouter
.sigmonster says: You are so boring that when I see you my feet go to sleep.

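As an added example (not code from the list post or from the lanwarden project), the two ideas in the lanwarden_vlan policy written out in Python so they can be run against sample data: the md5-based spread of lookups over two LDAP servers with the other server as fallback, and the membership filter the ldap xlat sends, with the DN escaped per RFC 4515 before it is interpolated. The server names "ldap1"/"ldap2", the directory contents, the "o=example" base and the query callback are all constructed for the example.

```python
import hashlib
import time

# Added example: hash-based server choice with fallback, plus a safely
# built LDAP membership filter.  Everything named here is constructed.

LDAP_SERVERS = ("ldap1", "ldap2")


def ldap_order(secret, calling_station_id, now=None):
    """Decide which LDAP server to try first, as the policy's md5 test does.

    md5 over the client secret, the Calling-Station-Id and the current epoch
    second; a last hex digit in 0-7 sends the lookup to ldap1 first, anything
    else to ldap2 first.  The other server is always the fallback, which is
    the failover the ldap xlat on its own does not give you.
    """
    if now is None:
        now = int(time.time())
    digest = hashlib.md5(f"{secret}{calling_station_id}{now}".encode()).hexdigest()
    first = LDAP_SERVERS[0] if digest[-1] in "01234567" else LDAP_SERVERS[1]
    return [first] + [s for s in LDAP_SERVERS if s != first]


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def network_filter(user_dn):
    """The filter the policy's ldap xlat sends, with the member DN escaped."""
    return "(&(objectClass=lanwardenNetwork)(member=%s))" % escape_filter_value(user_dn)


def resolve_vlan(user_dn, servers, query):
    """Try each server in order; return (vlan, server) for the first non-empty answer.

    `query(server, ldap_filter)` stands in for the ldap xlat: it returns the cn
    of the matching network, or "" when nothing matched or the server was
    unreachable.  An empty answer from every server gives ("", None), which
    the post-auth section maps onto the default 'unauthorised' VLAN.
    """
    ldap_filter = network_filter(user_dn)
    for server in servers:
        vlan = query(server, ldap_filter)
        if vlan:
            return vlan, server
    return "", None


# Constructed sample directory: host DN -> cn of the network it is a member of.
SAMPLE_NETWORKS = {
    "cn=host-1,ou=Hosts,o=example": "users-staff",
}


def sample_query(server, ldap_filter, down=("ldap1",)):
    """Constructed stand-in for the ldap xlat; ldap1 is 'down' by default."""
    if server in down:
        return ""
    for dn, vlan in SAMPLE_NETWORKS.items():
        if ldap_filter == network_filter(dn):
            return vlan
    return ""


if __name__ == "__main__":
    order = ldap_order("s3cret", "00:11:22:33:44:55")
    print(order, resolve_vlan("cn=host-1,ou=Hosts,o=example", order, sample_query))
```

Because the time-of-day goes into the hash, the same client alternates between servers across retries, so a server that is merely slow does not pin one client to it; the escaping step matters whenever a value that did not originate inside the server (a user-supplied name rather than a DN the server fetched itself) ends up in a filter.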


Re: Yet another multiple SSID setup question

2011-07-13 Thread Alexander Clouter
Nick Kartsioukas lists.freerad...@change.nightwind.net wrote:
 
 Thanks for the hints!  I think I've got my eap.conf set up as I need it.
 After some errors from freeradius and further document exploration, it
 looks like what I need for the authorize section is this:
rewrite_called_station_id
 
 if(Called-Station-Ssid == "staff") {
   mschap_staff
 }
 if(Called-Station-Ssid == "lab") {
   mschap_lab
 }
 if(Called-Station-Ssid == "student_wpa") {
   ldap
 }
 if(Called-Station-Ssid == "student") {
   ldap
 }

I would *strongly* recommend you run just one SSID and use VLAN 
assignment in post-auth to 

post-auth {
  ...

  # defaults: anyone not matched below ends up in 'unauthorised'
  update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"

    Termination-Action := RADIUS-Request
    Session-Timeout := 300

    Acct-Interim-Interval := 3600
  }

  if (Ldap-Group == "foobar") {
    update reply {
      Tunnel-Private-Group-Id := "staff"
    }
  }
  else {
    ...
  }
}


The huge advantage is that *every* user at your organisation can follow 
the same instructions to connect to the wireless (and wired) network.  
It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
day one (*strongly* recommended to avoid pain down the road). 

Cheers

-- 
Alexander Clouter
.sigmonster says: Youth is the trustee of posterity.



Re: Yet another multiple SSID setup question

2011-07-12 Thread Alexander Clouter
Nick Kartsioukas lists.freerad...@change.nightwind.net wrote:
 
 Okay...let's say I have an SSID for students and an SSID for staff. 
 Students authenticate against LDAP, which stores passwords as salted
 SHA1 hashes.  Staff authenticate against Windows ActiveDirectory.
 I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
 that.  My question is, how do I set up the EAP-TTLS/PAP session for the
 Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? 
 Are these configured as different virtual servers?  Or just different
 modules that I call from the users file like so:
 DEFAULT Auth-Type := student_module, Called-Station-SSID := student
 DEFAULT Auth-Type := staff_module, Called-Station-SSID := staff
 
Just duplicate what you see in eap.conf to look something like:

eap EAP_student {
    # set this to peap for staff
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 4096

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        private_key_password = ${local.cert.password}
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem

        dh_file = ${certdir}/dh
        random_file = /dev/urandom

        cipher_list = "AES:HIGH:!aNULL:!eNULL:@STRENGTH"
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "auth"
    }

    # comment 'ttls' and uncomment following for staff
    #peap {
    #    default_eap_type = mschapv2
    #    copy_request_to_tunnel = no
    #    use_tunneled_reply = yes
    #    virtual_server = "auth"
    #}
    #
    #mschapv2 {
    #    send_error = yes
    #}
}

eap EAP_staff {
    # as above, with peap as the default type and the peap/mschapv2 sections enabled
}



authorize {
    ...

    if (Airespace-Wlan-Id == student_ssid) {
        EAP_student
    }
    else {
        EAP_staff
    }

    ...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Remember to say hello to your bank teller.



Re: Wiki - Once upon a time there was documentation

2011-07-12 Thread Alexander Clouter
Gary Gatten ggat...@waddell.com wrote:

 RADIUS - Half the complexity of Diameter
 
Don't encourage him...

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is NP-hard, and then you die.
-- Dave Cock



Re: Tunneled-User-Name

2011-07-11 Thread Alexander Clouter
d.thembiliyag...@lancaster.ac.uk wrote:
 
 I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius
 server.How can I get the tunnelled User-Name (User-Name used in inner
 authentication phase) using unlang in FreeRADIUS server? Now I can only
 get the User-Name used for the outer authentication (ex: anonymous).
 
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a 
double-inner in play.  The best suggestion I have (after years of 
tweaking it to be just right) is in your inner authorize use:

authorize {
  # copy the inner (real) user name out to the outer request and reply so
  # the outer server sees it even on a reject or a resumed TLS session
  update outer.request {
    User-Name := "%{request:User-Name}"
  }
  update reply {
    User-Name := "%{request:User-Name}"
  }

  [snipped]

  update reply {
    Auth-Type := "%{control:Auth-Type}"
  }
}


On the outer layer, you then use 
'%{%{reply:User-Name}:-%{request:User-Name}}' to get the username.  This 
means you get the inner username for:
 * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications
 * when your inner server rejects the request (ie. bad password) (this 
is why you stuff the inner username into outer.request)
 * TTLS/PEAP has the option of TLS cached sessions which is *good*, 
doing things this way means you still get the inner name for 
resumed sessions

As a bonus, the Auth-Type is extractable...if you use TLS cached 
sessions, then this will be EAP.

Cheers

-- 
Alexander Clouter
.sigmonster says: It was Penguin lust... at its ugliest.



Re: Running external programs

2011-07-07 Thread Alexander Clouter
rihad ri...@mail.ru wrote:

 Hi, all. We have some legacy software that ran under XTradius 
 (xtradius.sourceforge.net). The important thing was to execute an 
 external program for every auth & accounting request. Now I need to 
 recreate all that on another server, and I must use the same legacy 
 billing software. Unfortunately one can no longer build the old XTradius 
 on modern FreeBSDs, apparently it has some variable linkage problems. 
 Can that simple task be done in FreeRADIUS instead? Can it be configured 
 to call an external program (Auth-Type External in XTradius)?
 
http://lmgtfy.com/?q=freeradius+exec

Cheers

-- 
Alexander Clouter
.sigmonster says: Have no friends not equal to yourself.
-- Confucius



Re: Running external programs

2011-07-07 Thread Alexander Clouter
* rihad ri...@mail.ru [2011-07-07 15:09:22+0500]:

 On 07/07/2011 12:28 PM, Alexander Clouter wrote:
 rihadri...@mail.ru  wrote:
 Hi, all. We have some legacy software that ran under XTradius
 (xtradius.sourceforge.net). The important thing was to execute an
 external program for every auth & accounting request. Now I need to
 recreate all that on another server, and I must use the same legacy
 billing software. Unfortunately one can no longer build the old XTradius
 on modern FreeBSDs, apparently it has some variable linkage problems.
 Can that simple task be done in FreeRADIUS instead? Can it be configured
 to call an external program (Auth-Type External in XTradius)?
 
 http://lmgtfy.com/?q=freeradius+exec
 
 Cheers
 
 I forgot to mention that the authentication program is meant to deny
 or grant user access. Will rlm_exec do that?

It will require a desire on the part of the user to read the 
documentation in order to utilise that functionality...

Regards

-- 
Alexander Clouter
.sigmonster says: Noncombatant:  A dead Quaker.
-- Ambrose Bierce


Re: Mac-Auth

2011-07-07 Thread Alexander Clouter
Paulo Maia phc.m...@gmail.com wrote:

 Here is the thing, I'm trying to use Mac-Auth. I managed to get it 
 working using authorized-macs files, although I need to use a mysql 
 table which I already have with the ssid and mac-address fields and I 
 need to add an operator to expire macs, coz I work at a college 
 campus and students' mac-addresses need to expire according to their 
 course period.

A far better way is to use 802.1X and get the user to use their username 
and password to connect.  Once their course ends, the account is expired 
and the student no longer can connect.

If you do go down this route, I strongly recommend you hook up locally 
with the local http://www.eduroam.org/ outfit if that is an option for 
you.

802.1X (using PEAP) can be now pre-primed on Windows laptops 
for free so you can just pass out an installer to the students to get 
themselves connected:

https://su1x.swan.ac.uk/

Believe me, collecting and managing MAC addresses is not something I 
would wish on anyone.

Cheers

-- 
Alexander Clouter
.sigmonster says: Ninety percent of baseball is half mental.
-- Yogi Berra



Re: Freeradius 2.1.10: authentication (uid and password) or (macaddress)?in LDAP

2011-07-07 Thread Alexander Clouter
Maciej Łukasz Wojszkun maciej.wojsz...@blstream.com wrote:
 
 somebody can tell me how I should configure freeradius to authenticate 
 in order (all is in openldap):
 
 check mac-address in ldap
if exist
authenticate computer
else
authenticate with uid/password
 
 or
 
 try authenticate using macaddress
 if rejected - try authenticate via uid/password
 
The complication comes in as the initial authentication can be an EAP 
(802.1X) or a MAC-auth request.  You cannot do MAC-auth on an EAP 
request and pass back Access-Accept immediately...the client will get 
confused and probably just keep hammering your RADIUS server to 
authenticate.

On a wired socket, with Cisco kit at least, you do get the option to try 
a MAC-auth first, and if the RADIUS server comes back with Access-Reject 
then the switch will move into 802.1X which works *very* well.

You have not stated if you want to do this on a wired or wireless 
connection.  You have not actually stated if 802.1X is even involved and 
that this could just be a web portal.

At my workplace (a medium sized university) we store all our MAC 
addresses in LDAP and it works well for us.  If the MAC address is not 
'registered' then the client has to use an 802.1X authentication.

Cheers

-- 
Alexander Clouter
.sigmonster says: When you don't know what to do, walk fast and look worried.



Re: pre-check OTP token

2011-07-04 Thread Alexander Clouter
Cor Bosman c...@xs4all.nl wrote:
 
 Would there be some way, in either the PAM stage, or in the FreeRadius 
 stage before Exec to pre-validate if I've got a token-response? They're 
 always 10 digit numbers.

unlang is your friend:

http://freeradius.org/radiusd/man/unlang.html

Something like the following should probably help you:

authorize {
    preprocess

    ...

    # a token response is always ten digits; anything else is rejected
    # before the exec module is ever called
    if (User-Password !~ /^[0-9]{10}$/) {
        update reply {
            Reply-Message := "ZOMG, TEH WORLD IS ENDINGS!"
        }
        reject
    }

    otp-exec-thingy

    ...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Good day for overcoming obstacles.  Try a steeplechase.



Re: freeradius and IdenticalClients

2011-06-30 Thread Alexander Clouter
Fajar A. Nugraha l...@fajar.net wrote:

 # TEST
 Client 10.1.131.1
    # Specifies a list of other clients that have an identical setup.
    # You can use this parameter to avoid having to create separate
    # Client clauses for lots of otherwise identical clients
    IdenticalClients X.X.X.X Y.Y.Y.Y Z.Z.Z.Z
 
 FR allows you to specify something like this on clients.conf
 
 X.X.X.0/24 using ipaddr and netmask

I suspect you can use 'templates {}' too, we use it in proxy.conf, I 
cannot see why it could not be used in clients.conf too.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are deeply attached to your friends and acquaintances.



Re: patch files for pam_radius - adding an 'Always Prompt' option for?one-time passcodes

2011-06-30 Thread Alexander Clouter
Nick Owen no...@wikidsystems.com wrote:
 
 We recently had a customer that wanted to check a password against AD
 via kerberos and then a one-time passcode against a WiKID Strong
 Authentication server via radius.  We found that PAM passed the AD
 password to our OTP server, which failed.  We have added a pam option
 always prompt in the attached code.  This will force a WiKID
 passcode: prompt regardless of any previous password entry. This can
 be changed, of course.

Better to lead with the OTP as then you fend off brute force and 
dictionary attacks.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.



Re: LDAP redundant with LDAP-Group within users file

2011-06-29 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Not as easy as it sounds ;-) 12 radius pairs (single server with the 
 same config) at 10 locations, 3 ldap server at 3 different locations 
 For countervail lost of one or two locations, loadbalancing will be 
 very complex.
 
If the three sites have an IGP running between them (OSPF, EIGRP, iBGP, 
ISIS, whatever) then you can anycast the ldap servers.  No single point 
of failure and cheap to do.

<self-promo>
http://www.digriz.org.uk/ha-ospf-anycast
</self-promo>

It does not have a LDAP example, but you can trivially take the RADIUS 
or DNS probe and modify it to use ldapsearch.

 Sure.
 
 People are looking into better LDAP failover in redundant {} stanzas. 
 LDAP-Group is a bit harder though.

A quick hack would be to use rlm_exec if you do not have a high 
RADIUS packet rate, the alternative would be rlm_perl/rlm_python.  I'm 
happy to put something like this together as we could benefit from it.

I envision it working like this: in the users file you fill up an attribute 
(say, 'Foobar-Ldap-Group') with the group checks you want to make and an 
Accept[1].  The module would check for the presence of the attribute 
and Ldap-User-Dn (if not, be a noop) and flip the Accept to Reject if 
things do not work out.

Another way would be to pass an LDAP filter from user/unlang in a 
similar manner (a multi-value attribute that's concatenated).

It would at least take the pressure off needing LDAP-Group to be 
redundant today.

Cheers

[1] for us, we typically use the following type of thing (or its 
inverse with a follow through clause):
Huntgroup == foo, Ldap-Group == cheesy, Auth-Type := Accept
Huntgroup == foo, Ldap-Group == chips, Auth-Type := Accept
Huntgroup == foo, Auth-Type := Reject

-- 
Alexander Clouter
.sigmonster says: Don't compare floating point numbers solely for equality.



Re: LDAP redundant with LDAP-Group within users file

2011-06-28 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Unfortunately, when you supply >1 LDAP server, this is handled 
 internally by libldap, and libldap tries the LDAP servers in series, not 
 in parallel. So there will always be some outage.
 
 FreeRADIUS does not currently have connection pools, and they're a bit 
 hard with LDAP because libldap doesn't have a great API.

The API is good enough.

I keep meaning to do this for the sql module (well, postgresql) but it 
can be done for libldap too.  Open the socket directly in freeradius, 
using SOCK_NONBLOCK -> connect() -> SO_RCVTIMEO/SO_SNDTIMEO and then 
pass that all to ldap_init_fd().  connect() can now catch timeouts with 
select() and it means we also catch networking errors rather than just 
server/client errors.
 
I await Alan's show me the money^Wpatch...well maybe I'll find some 
time next week. Cannot have Imperial stealing the whole show :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You will have many recoverable tape errors.



How to send empty value via radclient?

2011-06-27 Thread Alexander Kubatkin
Hello,

I need to send an empty value in an attribute via a CoA request to clear any
value in the current state of the attribute and clear the attribute itself:

 # /bin/echo Context-Name = local, Qos-Policing-Profile-Name='' ,
Qos-Metering-Profile-Name='' , Framed-IP-Address = yy.yy.yy.yy |
/usr/local/bin/radclient -x -t 3 -c 1 -r 2 -p 4 xx.xx.xx.xx:3799 coa xx
 Sending CoA-Request of id 121 to xx.xx.xx.xx port 3799
 Context-Name = dhcp
 Qos-Policing-Profile-Name = 
 Qos-Metering-Profile-Name = 
 Framed-IP-Address = yy.yy.yy.yy
 rad_recv: CoA-NAK packet from host xx.xx.xx.xx port 3799, id=121, length=32
 Error-Cause = Missing-Attribute
 Event-Timestamp = Jun 27 2011 10:48:37 MSD


Missing-Attribute is because the NAS doesn't receive the two attributes
Qos-Policing-Profile-Name and Qos-Metering-Profile-Name, because
radclient doesn't really send them or filters them out, i.e. the NAS only received
Context-Name and Framed-IP-Address. Is it possible to send an empty value?


-- 
Alexander Kubatkin


Re: How to send empty value via radclient?

2011-06-27 Thread Alexander Kubatkin
On 27.06.11 11:45, Arran Cudbard-Bell wrote:
 
 On Jun 27, 2011, at 9:38 AM, Arran Cudbard-Bell wrote:
 
 RFC 2865 Page 24

   string   1-253 octets containing binary data (values 0 through
            255 decimal, inclusive).  Strings of length zero (0)
            MUST NOT be sent; omit the entire attribute instead.

 If your NAS requires zero length strings then it's breaking the RADIUS 
 protocol standard.
 
 Couldn't you just create default profiles and assign them instead?

This is the only exit for now and it was the first thing that was done.
Thanks for your answer.
I will try to terrorise the vendor of my box.

Just to clarify: does this restriction apply to VSA attributes, only to
standard attributes, or to all attributes?

 
 -Arran
 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Half the complexity of Diameter
 


-- 
Alexander Kubatkin
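The rule Arran quotes is easiest to see in an encoder. Added example, not code from the thread: a minimal RFC 2865 attribute encoder/decoder in Python that omits zero-length strings exactly as the RFC requires (which is what radclient evidently did here) and rejects the Length below 2 that an on-the-wire empty string would need. Types 1 and 8 are the standard User-Name and Framed-IP-Address; type 99 is a constructed stand-in for the vendor QoS names in the thread.

```python
"""RFC 2865 attribute encoding with the zero-length-string rule enforced.
Added example: types 1 and 8 are the standard User-Name and Framed-IP-Address;
type 99 is a constructed stand-in for the vendor QoS names in the thread."""
import struct
from typing import List, Optional, Tuple

HEADER_LEN = 2        # Type (1 octet) + Length (1 octet)
MAX_VALUE_LEN = 253   # Length is one octet and counts the header: 255 - 2


def encode_string_avp(attr_type: int, value: bytes) -> Optional[bytes]:
    """Wire form of one string attribute, or None when the string is empty:
    RFC 2865 says a zero-length string MUST NOT be sent, omit the attribute."""
    if not value:
        return None
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("string attribute longer than 253 octets")
    return struct.pack("!BB", attr_type, HEADER_LEN + len(value)) + value


def encode_avps(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, value) pairs in order, dropping empty strings the way a
    conforming client has to (this is why the NAS saw only two attributes)."""
    out = bytearray()
    for attr_type, value in pairs:
        avp = encode_string_avp(attr_type, value)
        if avp is not None:
            out += avp
    return bytes(out)


def decode_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse attributes back into (type, value) pairs.  A Length below 2 can
    never be valid (the header alone is 2), so it is rejected rather than
    silently skipped; a Length of exactly 2 is an empty value, which a string
    attribute is not allowed to carry."""
    result = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER_LEN:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < HEADER_LEN:
            raise ValueError(f"attribute {attr_type} has illegal length {length}")
        if pos + length > len(data):
            raise ValueError(f"attribute {attr_type} overruns the packet")
        result.append((attr_type, data[pos + HEADER_LEN:pos + length]))
        pos += length
    return result


def is_well_formed(data: bytes) -> bool:
    """True when decode_avps accepts the attribute list without error."""
    try:
        decode_avps(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request mirroring the thread: two empty QoS names (type 99
    # here) around a user name and an address.
    wire = encode_avps([(1, b"bob"), (99, b""), (99, b""), (8, bytes([10, 1, 2, 3]))])
    print(wire.hex())          # the two empty strings are simply absent
    print(decode_avps(wire))
```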

Re: Failed creating handler

2011-06-25 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
 Stefan Winter wrote:
 Would this behaviour fit to this problem cause?
 
 Worth trying the usec fix in GIT?
 
   The fix for rlm_detail <sigh>
 
Just so you know, that was the bug causing my poor ARM boxen to OOM kill 
FreeRADIUS.

At least I now do not need to install an experimental armel valgrind :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Expect the worst, it's the least you can do.



Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-21 Thread Alexander Clouter
Jason Antman jant...@oit.rutgers.edu wrote:
 
 I don't really know anything about it, and haven't seen mention of it 
 outside of the modules list, but perhaps I could use rlm_perl or 
 rlm_python? Does anyone know about the efficiency of these? I know I'm 
 approaching this from the standpoint of a traditional programming 
 language, but the way I see it, I just need to loop over the values of 
 the employeeType[] attribute, and have some sort of variable to store 
 state...
 
I thought I remembered this popping up recently, I would have mentioned 
it earlier but my Google-Fu at the time was weak and I thought I was 
imagining things.

If you check out v2.1.x[1] and then type:

$ git checkout -b foreach
$ git cherry-pick a3221304
$ git cherry-pick 11aa4442
$ git cherry-pick ba18f024
$ git cherry-pick de60e732
$ mumble, compile, mumble, install, mumble


It will either:
 * give you foreach[2] ('man 5 unlang')
 * make your pants explode[3]

Cheers

[1] http://git.freeradius.org/
[2] 
http://freeradius.1045715.n5.nabble.com/regex-matching-can-be-convinced-to-be-TRUE-if-you-re-insistive-enough-td4422200.html
[3] http://www.youtube.com/watch?v=Ysw4Xv6JI_w (0:00 - 0:30 seconds)

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #138:
  BNC (brain not connected)



Re: Migrating to threaded rlm_perl

2011-06-20 Thread Alexander Clouter
Energ po...@ponch.ru wrote:
 
 Please help me understand how to rewrite my perl 
 module to work with threaded perl.
 
 Now it looks like this:
 
 [snipped thread unsafe code]
 
 With non-threaded perl it works as expected. But threading breaks the creation
 of shared memory (because it wants to do it for every thread). 
 I also wonder whether I need to put fetch_url inside the CLONE sub or not.
 So, the main question: is there any part of the code in rlm that is supposed to run
 only once (create shared memory in my situation), or how do I correctly solve the
 problem with IPC within the confines of freeradius?
 
You should have a read of:

http://perldoc.perl.org/perlmod.html#BEGIN,-UNITCHECK,-CHECK,-INIT-and-END

I would recommend you do not use IPC::Shareable and instead look to use 
BerkeleyDB[1] with locks...this also means whatever is in your hash is 
remembered across FreeRADIUS restarts.

Cheers

[1] http://search.cpan.org/dist/BerkeleyDB/BerkeleyDB.pod

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #192:
  runaway cat on system.



Re: Migrating to threaded rlm_perl

2011-06-20 Thread Alexander Clouter
Energ po...@ponch.ru wrote:
 
 But, would it make any difference by using a BEGIN{} block for creating the shared
 memory segment? Won't threaded rlm_perl process this section in every thread
 it starts?
 
Threaded to FreeRADIUS means those methods you define are reentrant.  
IIRC BEGIN{} is called only when rlm_perl fires up, afterwards your 
methods are called whenever required, pre-emptively.

Cheers

-- 
Alexander Clouter
.sigmonster says: You mean you don't want to watch WRESTLING from ATLANTA?



Re: chain two authentication modules together

2011-06-20 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 Alexander, one thing I'm still confused here is why we put otp and 
 ldap all in authorization block in freeradius not the authentication?

As I'm an idiot.  They should also be present in the authenticate 
section.
 
In authorise, your OTP python method checks to see if it is a valid 
authentication syntax (creating a challenge if necessary), returning 
reject if it is invalid.  It validates and rewrites User-Password to 
contain just the bare password, whilst you can create a custom 
dictionary attribute (for example User-OTP) that is separately processed 
in authenticate.

So, for example:

authorize {
  ...
 
  # User-Password is 'foo bar'

  python-otp

  # User-Password is 'foo'
  # User-OTP is 'bar'

  ldap

  ...
}

authenticate {
  ...

  Auth-Type python-otp {
    otp
    ldap
  }

  ...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Price does not include taxes.



Re: chain two authentication modules together

2011-06-18 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 Thanks a lot Alexander. I'm familiar with python. So rlm_python might 
 be a good choice for me. The main thing I want to do is to give remote 
 vpn clients two-factor authentication.

Depending on how your VPN works and what the clients can support, you 
could use the OTP to create the tunnel, and then EAP on the inside to 
authenticate (and VLAN assign) the user.  It would complement any 
wireless/wired 802.1X solution you have on site perfectly too.

Although a good plan, as the OTP being the first hop means your user 
credentials cannot be brute forced, you might find it complicated to 
pull off; at a first glance I am not sure how something like IPsec could 
be OTPised...maybe you will get more luck with OpenVPN.

 Since freeradius, pam and all the opensource otp solutions are available, I 
 think free two-factor authentication is doable instead of the expensive 
 RSA solution. 

Always bear in mind, as long as the man hours you put in are less or 
roughly equal to the RSA solution (over a three year period), then 
that's a worthwhile approach.  Also gives you something to present as a 
talk to other organisations. :)

 So the first authentication is against our AD. If successful, the 
 system should generate a one-time password and send it to the user through 
 SMS or other ways. The user then puts the otp into the 2nd challenge 
 prompt. FreeRADIUS authenticates this otp against the otp server.
 
 I already tried using pam to authenticate against AD or OTP. I was 
 trying to use the PAM stack to make this happen. But it's hard to put some 
 scripts to send the password to the user between the two PAM modules. So I 
 turned to FreeRadius to see if it has some way to do this.
 
For your initial version, I recommend when the user is prompted for a 
password, you get them to type <otp><password> (RSA style).  Check 
the OTP *first* and then validate the password.  Your RADIUS 
configuration will look like:

authorize {

  your_python_otp_script

  ldap

}


'your_python_otp_script' will *rewrite* User-Password so that when it 
gets to the ldap module it's as if the user just sent their password 
without the OTP.  Of course if the OTP is incorrect, 
your_python_otp_script can instantly return reject, giving you your two 
factor authentication.

 So if I use rlm_python, I can utilize some existing executable files 
 (like ldapsearch, ldapcompare, otp_auth) to directly authenticate 
 against LDAP and OTP. To send OTP to user is much easier to do in 
 python too. Am I correct?
 
rlm_python will let you change how your OTP system functions quickly, 
which is helpful as:
 * newer, more flexible technologies come along that you want to use
 * users find the initial approach too complicated.  As the brains are 
really all in a python script, you should find it trivial to 
change to meet their needs

One word of warning, do *not* use system()/exec() or whatever python 
uses.  Use a native LDAP module.  Same with the OTP/SMS approach if 
possible.  Calling OS commands like that, especially when there are 
native libraries, is generally a Bad Idea(tm) and the coding gods *will* 
smite you for your crimes.

Cheers

-- 
Alexander Clouter
.sigmonster says: Time as he grows old teaches all things.
-- Aeschylus

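What the authorize step described above does, as an added example that is not the thread's code: the credential is split as <otp><password>, the OTP is checked before anything reaches the directory, and only the bare password is passed on. HOTP (RFC 4226) is used here as a stand-in for whatever OTP server is deployed, and verify_ldap_password is a constructed stub for the ldap module; the user, secret and counter are made up.

```python
"""OTP-first two-factor check in the shape of an authorize/authenticate pair.
Added example: HOTP (RFC 4226) stands in for the OTP server, and the LDAP
password check is a constructed stub.  The user record below is made up."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

OTP_DIGITS = 6
LOOKAHEAD = 3   # how far the token's counter may have drifted ahead of ours


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user database: shared HOTP secret (the RFC 4226 test secret),
# the last accepted counter, and the directory password the stub compares.
USERS = {
    "alice": {"secret": b"12345678901234567890", "counter": 0,
              "password": "correct horse"},
}


def split_credential(user_password: str) -> Optional[Tuple[str, str]]:
    """Peel the fixed-length OTP off the front of User-Password.
    Returns (otp, bare_password), or None when the syntax is impossible."""
    if len(user_password) <= OTP_DIGITS or not user_password[:OTP_DIGITS].isdigit():
        return None
    return user_password[:OTP_DIGITS], user_password[OTP_DIGITS:]


def verify_otp(user: str, otp: str) -> bool:
    """Accept the OTP if it matches one of the next LOOKAHEAD counters and
    advance the counter, so the same value can never be replayed."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for c in range(rec["counter"] + 1, rec["counter"] + 1 + LOOKAHEAD):
        if hmac.compare_digest(hotp(rec["secret"], c), otp):
            rec["counter"] = c
            return True
    return False


def verify_ldap_password(user: str, password: str) -> bool:
    """Constructed stub for the ldap module's password check."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def authorize(user_name: str, user_password: str) -> Tuple[str, Optional[str]]:
    """Return ('reject', None) or ('ok', bare_password).  The bare password is
    what the ldap module sees afterwards: User-Password with the OTP removed."""
    parts = split_credential(user_password)
    if parts is None:
        return "reject", None
    otp, bare = parts
    if not verify_otp(user_name, otp):
        # OTP first: a wrong OTP never causes a directory lookup, so the
        # static password cannot be guessed through this path.
        return "reject", None
    return "ok", bare


def authenticate(user_name: str, user_password: str) -> bool:
    """The whole chain: OTP in authorize, then the directory password."""
    rc, bare = authorize(user_name, user_password)
    return rc == "ok" and verify_ldap_password(user_name, bare)


if __name__ == "__main__":
    # Constructed login: counter 1 of the RFC 4226 test secret, then the password.
    print(authenticate("alice", hotp(USERS["alice"]["secret"], 1) + "correct horse"))
```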


Re: chain two authentication modules together

2011-06-17 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 What I'm wanting to do is integrate LDAP and OTP. The OTP I want to 
 use doesn't have an interface to RADIUS. So I'm planning to get that OTP 
 source code into a new FR module. For the LDAP part, I just want to 
 include the existing module in the new one. Is this doable? I guess I 
 may need to implant the LDAP module code into the new module too.

I *strongly* recommend you use rlm_perl/rlm_python.  I found it very 
straightforward to quickly implement rfc2289 with eap-gtc.

 The whole authentication process is: 1. LDAP authentication. 2. If
 successful, do something and request 2nd OTP authentication. If not, reject
 the authentication.

I think you might find yourself having to either:
 * combined password of the form <ldap password><otp challenge response>
 * two separate RADIUS authentications, say use PAM to first do a 
regular RADIUS password check and also require a second check to 
another RADIUS server (a FreeRADIUS virtual server for example) 
that then does the OTP

As you have not described what the problem is (EAP for 802.1X, web 
portal, PAM backed authentication, etc?) it is hard to give you advice.

 From what I read here, the new module must be the way to do this. But 
 is there any easy way to integrate existing module like LDAP into the 
 new module?
 
If you use rlm_perl/rlm_python, you will find the job much easier, fast 
on the prototyping front and maintenance will be a lot less trouble (ie, 
no need to recompile things as an example).

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't feed the bats tonight.



Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-16 Thread Alexander Clouter
Peter Lambrechtsen plambrecht...@gmail.com wrote:
 
 I find the easiest way to do it is to use a custom users file to allow /
 prevent access based on exact matches of LDAP attributes.
 
 then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
 reject.
 
 This is how we do it here:
 
 http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
 
Depending on how you have things set up locally and how you are trying 
to skin this particular cat, you could just use an LDAP filter to 
get all this done and keep the logic out of FreeRADIUS (although I 
probably would *not* recommend it):

filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"


Means you get the effect as if the user did not even exist.

Just throwing another option out there...although I would recommend the 
users file with a bunch of fall throughs personally.

Cheers

-- 
Alexander Clouter
.sigmonster says: All phone calls are obscene.
-- Karen Elizabeth Gordon



Re: If in post-auth

2011-06-15 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have a problem in my post-auth configuration. I have written this with the
 help of my other topic in this forum:
 
 update reply {
   Tunnel-Type := VLAN
   Tunnel-Medium-Type := IEEE-802
   Tunnel-Private-Group-Id := "unauthorised"
   Termination-Action := RADIUS-Request
   Session-Timeout := 300
   Acct-Interim-Interval := 3600
 }
 
 if (%{Aruba-Essid-Name} == "ssid_student") {
   if (%{reply:MailUtilisateur} =~ /^[a-z0-9._-]+@students.XXX.ch/) {
     update reply {
       Tunnel-Private-Group-Id := "std"
       Aruba-User-Role := "std"
     }
   } else {
     update reply {
       Tunnel-Private-Group-Id := "std_false"
       Aruba-User-Role := "std_false"
     }
   }
 }
 elsif (%{Aruba-Essid-Name} == "ssid_staff") {
   if (%{reply:MailUtilisateur} =~ /^[a-z0-9._-]+@XXX.ch/) {
     update reply {
       Tunnel-Private-Group-Id := "staff"
       Aruba-User-Role := "staff"
     }
   } else {
     update reply {
       Tunnel-Private-Group-Id := "staff_false"
       Aruba-User-Role := "staff_false"
     }
   }
 }
 
 And this is the result of radiusd -X :
 
 Just like it says, Aruba-Essid-Name is: expand: %{Aruba-Essid-Name} -> ssid_staff,
 but it doesn't work with my if. Why is it not going to the
 elsif?

I suspect it is your use of '} else {', if you use the following 
instead I would not be surprised if it started working:

}
else {


IIRC FreeRADIUS does not parse that well, after all unlang is not a 
language :)

FYI, I probably would do the above with:

if (reply:MailUtilisateur !~ /^[a-z0-9._-]+@(students\.)?XXX\.ch$/) {
  update reply {
    Reply-Message := "Invalid MailUtilisateur Format"
  }
  reject
}

if (Aruba-Essid-Name == "ssid_student") {
  if (("%{1}") && ("%{1}" == "students.")) {
    update reply {
      Tunnel-Private-Group-Id := "std"
      Aruba-User-Role := "std"
    }
  }
  else {
    update reply {
      Tunnel-Private-Group-Id := "std_false"
      Aruba-User-Role := "std_false"
    }
  }
}
else {
  ...
}


The regex should extract a usable value when present.

Cheers

-- 
Alexander Clouter
.sigmonster says: wok, n.:
Something to thwow at a wabbit.



Re: Proxy based on User-Name with regex

2011-06-11 Thread Alexander Clouter
ivaylosp ivayl...@gmail.com wrote:
 User-Name = 1234abcdefg
 12341234567

 if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/)

This matches four numbers and then *six* alphanumerics; anywhere in your 
string (substr-esque)...might not be what you want?

Did you mean to include a '/^$/'?

Cheers

-- 
Alexander Clouter
.sigmonster says: Old programmers never die, they just become managers.

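Both regexes discussed above (the MailUtilisateur check in the post-auth thread and the User-Name check in this one) behave differently once anchored. This added example, not from either thread, runs the posted and the anchored forms side by side in Python and carries the capture-based role decision through; XXX.ch and the SSID names are the threads' placeholders, the sample addresses and user names are constructed.

```python
"""Anchored vs. unanchored regex checks from the two threads, plus the
capture-based role decision.  Added example; XXX.ch and the SSID names are
the threads' placeholders, the sample values are constructed."""
import re
from typing import Optional

# The post-auth question's pattern (dots escaped): a start anchor only, so
# anything may follow the domain, e.g. a longer host name.
MAIL_LOOSE = re.compile(r"^[a-z0-9._-]+@(students\.)?XXX\.ch")
# Anchored at both ends: the whole value must be one address at XXX.ch or
# students.XXX.ch.  The optional group captures "students." when present.
MAIL_STRICT = re.compile(r"^[a-z0-9._-]+@(students\.)?XXX\.ch$")

# As posted in the proxy thread: four digits 1-4 then six alphanumerics,
# found anywhere in User-Name, so both of the poster's examples match.
USER_LOOSE = re.compile(r"[1-4]{4}[A-Za-z0-9]{6}")
# With ^ and $ the User-Name has to be exactly that ten-character shape.
USER_STRICT = re.compile(r"^[1-4]{4}[A-Za-z0-9]{6}$")


def mail_role(essid: str, mail: str) -> Optional[str]:
    """Decide the role for (Aruba-Essid-Name, reply:MailUtilisateur).
    None means the format check failed and the request should be rejected.
    The character class is lower-case only, as posted, so a mixed-case
    address is rejected rather than matched."""
    m = MAIL_STRICT.fullmatch(mail)
    if m is None:
        return None
    is_student = m.group(1) is not None   # the "students." capture (%{1} in unlang)
    if essid == "ssid_student":
        return "std" if is_student else "std_false"
    if essid == "ssid_staff":
        return "staff_false" if is_student else "staff"
    return None                            # unknown SSID: no role, reject


def user_name_matches(name: str, strict: bool = True) -> bool:
    """Evaluate the User-Name regex with or without the ^ and $ anchors."""
    rx = USER_STRICT if strict else USER_LOOSE
    return rx.search(name) is not None


if __name__ == "__main__":
    # Constructed values: the loose form accepts the over-long host name,
    # the strict form does not.
    crafted = "bob@students.XXX.ch.evil.example"
    print(MAIL_LOOSE.match(crafted) is not None, mail_role("ssid_student", crafted))
    for name in ("1234abcdefg", "12341234567"):   # the poster's two User-Names
        print(name, user_name_matches(name, strict=False), user_name_matches(name))
```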


Re: Segmetation fault: [eap] Passing reply from proxy back into the tunnel

2011-06-01 Thread Alexander Clouter
Simon L. fantasn...@ki.tng.de wrote:
 
 I hope anyone got this before and can give a solution.
 
 Please have a look in my debug log attached.

Going to need some GDB lovin' too.

http://freeradius.org/radiusd/doc/bugs

If you are compiling from source, I recommend you go with the git 
version which might already have a fix:

http://git.freeradius.org/

Cheers

-- 
Alexander Clouter
.sigmonster says: He's just like Capistrano, always ready for a few swallows.



Re: One client, multiple NAS-Port-Types

2011-06-01 Thread Alexander Clouter
DaveA daldw...@uwaterloo.ca wrote:
 
 I am looking for some guidance on configuring clients that will send
 requests with different NAS-Port-Types.
 
 Devices: HP Procurve, Cisco, Aruba wireless controllers
 Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async
 
 Ex., for an HP Procurve switch, the possibilities will be:
 1.  CLI access (admin) -> NAS-Port-Type = Virtual
 2.  802.1X (users) -> NAS-Port-Type = Ethernet
 
 In this case, I would like to send CLI and 802.1X requests to different
 virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets
 more complicated with ads and eduroam in the mix.
 
The switch (NAS) will support sending those different requests to 
different RADIUS servers.  Assign two different IPs to your RADIUS 
servers and send the relevant request to the relevant FreeRADIUS virtual 
server.

The solution is in the NAS, not FreeRADIUS :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Them as has, gets.



Re: Server Certificate

2011-06-01 Thread Alexander Clouter
Lubenski, Zeev [GCS] zlube...@lgsinnovations.com wrote:
 
 This leads me to believe that the certificate is not mandatory?
 
...which leads us to wonder why you want to use EAP-TLS?

Probably best to answer:
 * what is it you are trying to do
 * how are you trying to accomplish it
 * what are you expecting to happen
 * what is actually happening

Cheers

-- 
Alexander Clouter
.sigmonster says: You enjoy the company of other people.



Re: How to change ++[files] returns noop into ++[files] returns reject

2011-05-24 Thread Alexander Clouter
thomas.d...@24-7-it-services.de wrote:
 
 in the section authorize I include the files module.
 (/etc/raddb/users)
 At the moment I get a noop if a user is not found in the file.
 How can I change it to return a reject if a user is not found?
 
 Now: 
 ++[files] returns noop
 Destination:
 ++[files] returns reject
 
Depending on how your 'brain' logic flows, you can prime a default 
reject and then use matching rules later to turn that to an accept like 
so:

DEFAULT Auth-Type := Reject
        Fall-Through = Yes

[your existing config here]


Alternatively, you can bolt the following to the end:

DEFAULT Auth-Type := Reject


I prefer to 'deny, allow' (in Apache speak), but you might prefer 
'allow, deny'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Have a taco.
-- P. S. Beagle



Re: freeradius redundancy

2011-05-24 Thread Alexander Clouter
Student University studen...@gmail.com wrote:
 
 my testing lab is like this:
 
 Node1 (FreeRadius+MySQL)
 Node2 (FreeRadius+MySQL)
 
 I am setting up Master-Master MySQL Replication between these two nodes;
 initially it seems OK.
 
 Now I am going to deploy this in a production environment. 

You have not said anything about how you are using the SQL servers so I 
have no idea whether what you are doing is good or bad or overkill.

 I asked if anyone has done any further investigation (issues, recommendations),
 or has any advice. 
 
MySQL *will* burn you.  Be sensible and use PostgreSQL.

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #350:
  paradigm shift...without a clutch



Re: Sidenote: WPA Enterprise configuration and troubleshooting guides

2011-05-24 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 go on, join eduroam.
 
I got a @illinois.edu lurker this week here at soas.ac.uk :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Wagner's music is better than it sounds.
-- Mark Twain



Re: freeradius redundancy

2011-05-23 Thread Alexander Clouter
Student University studen...@gmail.com wrote:
 
 I need to deploy two redundant FreeRADIUS servers.
 
 Does anyone have experience to share?
 
If your network topology can support it (speak to your network sysadmin) 
then you can get the ether to do the failover/high-availability 
without having to buy an expensive and/or complicated load-balancer:

http://www.digriz.org.uk/ha-ospf-anycast

Cheers

-- 
Alexander Clouter
.sigmonster says: If you knew what to say next, would you say it?



Re: multuple ldap freeradius ssid

2011-05-18 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have tested your solution like this: 
 
 # defaults
 update reply {
   Tunnel-Type := VLAN
   Tunnel-Medium-Type := IEEE-802
   Tunnel-Private-Group-Id := "unauthorised"
 
   Termination-Action := RADIUS-Request
   Session-Timeout := 300
 
   Acct-Interim-Interval := 3600
 }
 
 if (request:User-Name =~ /^.{3,4}$/) {
   update reply {
     Tunnel-Private-Group-Id := "staff"
   }
 }
 elsif (request:User-Name =~ /^.{7,8}$/) {
   update reply {
     Tunnel-Private-Group-Id := "student"
   }
 }
 
 if (reply:Tunnel-Private-Group-Id != "unauthorised") {
   update reply {
     # Cisco only support a max of 65535
     Session-Timeout := 64800
   }
 } 
 
 But, if I test with this account: aaa (7 letters), I have a response
 like this: Tunnel-Private-Group-Id:0 = staff. This is not correct.
 
 And I have placed this code in the file /site-enabled/default in the section
 post-auth. Is that correct?
 
Without the output from 'radiusd -X', I cannot help you.

Regards

-- 
Alexander Clouter
.sigmonster says: Am I accompanied by a PARENT or GUARDIAN?



Re: multuple ldap freeradius ssid

2011-05-16 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have a question. I already read how to make this, but I'm not sure if 
 it works!
 
 So, what do I want? I have 2 SSIDs: students and another, staff. I 
 want to have two ldap instances for authenticating my users.
 
You really do *not* want to do this.  Have both the staff and students 
connect to the same SSID (for example 'eduroam') and use your RADIUS 
server to use an LDAP group check (or username style) to find out how to 
treat them.  For example, place them into a different VLAN.

 In /module/ldap, I have set ldap students { some stuff } and ldap 
 staff { some stuff }. But now, what do I need to do?
 
 My access point is Aruba. I can use the value Aruba-Essid-Name to 
 choose which instance I need to use. In 
 /site-avaible/inner-tunel, what do I need to do?
 
 Something like that ?
 
FreeRADIUS is (was?) a bit picky about how the if/else layout is, so you 
need:

if (Aruba-Essid-Name == "students") {
  ...students...
}
else {
  ...staff...
}


I *strongly* recommend you go with the single SSID and use RADIUS in the 
background; getting everyone at a later date to move to a different 
SSID is a real pain.

 Thanks for your reply, and sorry for my english, I'm French ;)

We forgive you... ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: A modem is a baudy house.


