Re: Workload in freeradius? platform

2011-10-14 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 If you keep this up, I'll unsubscribe nabble.com, too.  Very little 
 of anything worthwhile comes from there.
 
 Really though. The majority of the posts from nabble are just idiotic. 
 There's something about actually taking the time to subscribe to the 
 mailing list which seems to filter out a lot of the time wasters.
 
GMANE is what I use, so do not think about nuking that.  If you just 
move this to USENET, that probably will fix a huge chunk of the noise 
problem and then you also can use killfiles...*hint* :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Take your Senator to lunch this week.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fast session resumption memory leak?

2011-10-13 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 We recently upgraded to 2.1.12 and I have at the same time enabled SSL 
 fast session resumption; in the last 6 days, FreeRADIUS on the server 
 that is currently handling most of our auth has consumed 27% of the RAM.
 
 Is anyone else running fast session resumption and seeing these 
 symptoms, or not?
 
 well, due to the way the log files and logrotate clash, our servers 
 have a daily restart right now so this masks any such issue so 
 cant say :-|
 
I probably asked this already but why not syslog-ng and mmdd.log as 
an output?

Cheers

-- 
Alexander Clouter
.sigmonster says: Postage will be paid by addressee.



Re: Mac access mixed ldap access same NAS

2011-10-06 Thread Alexander Clouter
Alejandro Gandara agand...@optaresolutions.com wrote:
 
 Does someone know if it's possible to mix MAC auth with LDAP auth in the 
 same NAS?

Depends on the NAS:

http://www.digriz.org.uk/lanwarden

Cisco supports MAC-auth and *fallback* to 802.1X; for this to work 
reliably you must attempt MAC-auth first, and if that fails force the 
client to do 802.1X...otherwise you run into a nightmare of race 
conditions.

For us, we do both our MAC-auth and 802.1X authentications and 
authorizations with LDAP so yes...it does work, rather well too.

If people keep poking me, I'll put up more documentation...

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having fun HITCHHIKING to CINCINNATI or FAR ROCKAWAY!!



Re: avoiding ldap access in authorize

2011-09-30 Thread Alexander Clouter
Fred fred.mai...@gmail.com wrote:

 If I want to test those values, I used to do something like:
 if ( Ldap-Group == "AdminRW" ) { do something }
 
 This makes the server do a new LDAP access for an array attribute which
 has already been retrieved by the server.
 Is there any other way to check those (already retrieved) values
 without making a new LDAP call because of the Ldap-Group == xxx
 conditional?

You might be able to make use of either foreach:

http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

...or without patching, %{radiusGroupName[*]}:

http://freeradius.1045715.n5.nabble.com/foreach-attribute-array-td2787874.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Guillotine, n.:
A French chopping center.



Re: FreeRADIUS Beginner's Guide

2011-09-29 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:
 
 The content is generally rather good, and aside from a few typos, the 
 book is let down only on some relatively *minor* points:

 [snipped]

 * unfortunately short EAP section, ignoring session resumption and why 
particular EAP methods meet particular needs
 * EAP tests done with JRadius and not eapol_test

Okay, I had only gotten to page 200 of 300, a smidgen before the EAP 
section.  The details regarding the particulars of the EAP methods are 
covered (although session resumption unfortunately is not) and a 
footnote exists for eapol_test...but I do think a configuration example 
for eapol_test is far better (especially as it is just wpa_supplicant 
along with all its documentation; trivial to then use the same config 
in wpa_supplicant).

One thing that is a shame is the EAP/(T)TLS/PEAP bits make no mention of 
certificate *subject* validation...only CA pinning which is a shame.  
One without the other is generally pointless, you might as well not 
bother at all :(

 The price is reasonable, and if you are a complete newbie, it will get 
 you on your feet.  The book definitely does what it says on the tin and 
 I would give it a 7 out of 10...

I'll bump it up to an 8, as the proxying section is rather nice and 
clear... :)
 
Cheers

-- 
Alexander Clouter
.sigmonster says: buzzword, n:
The fly in the ointment of computer literacy.



Re: rlm_perl

2011-09-29 Thread Alexander Clouter
Alex rsm alex-...@hotmail.com wrote:
 
 And added the following in src/modules/rlm_perl/example.pl
 
 sub authorize {
     print "This is a TEST\n";
     ...
 }

 However, when I send a simple test request I don't see my debug line. 
 I also don't see the message "perl loaded" when I start FreeRADIUS in 
 debug mode (radiusd -X).
 
I am pretty sure stdout is not plumbed up for rlm_perl, and neither is 
stderr so you will not see anything.

Of course reading the documentation brings enlightenment in the form of 
'radiusd::radlog(1, ...);'... :-/

Searching for 'debug' on the wiki page says many useful things:

http://wiki.freeradius.org/Rlm_perl

...and even less surprisingly it's the same as what's in 
src/modules/rlm_perl/example.pl.

*sigh*

Cheers

-- 
Alexander Clouter
.sigmonster says: Mongoose knghtbrd: and the meek shall inherit k-mart



Re: FreeRADIUS Beginner's Guide

2011-09-28 Thread Alexander Clouter
Ian Pilcher arequip...@gmail.com wrote:

 I'm a complete newbie to RADIUS, looking to make use of the features of
 my new smart switches and wireless access point to secure my home
 network, so the title certainly sounds right.
 
 Has anyone had a look at this book yet?  If so, what are your thoughts?
 
I am currently reviewing it and hopefully in the next few days will put 
up my thoughts on it:

http://www.digriz.org.uk/review-book-freeradius-beginners-guide

The author (Dirk van der Walt) lurks on this mailing list.

The content is generally rather good, and aside from a few typos, the 
book is let down only on some relatively *minor* points:
 * use of vendor specifics (Mikrotik/Coova focus); this is probably 
   related to the author's day-job :)
 * unfortunately short EAP section, ignoring session resumption and why 
   particular EAP methods meet particular needs
 * EAP tests done with JRadius and not eapol_test
 * rlm_filter coverage is a bit short (less than one page)
 * debugging/diagnosis is covered *far* too late in the book and then 
   generally not at all.  Missing are hints on how to make your 
   life easier as a sysadmin (liberal use of screen+tee, rlm_detail, 
   and a network monitoring probe thing would not have gone amiss)

All trivially fixed in a revision two if such a thing comes about.  
Arguably though, and no doubt quite rightly, my points above probably 
would be better addressed by a FreeRADIUS *reference* book rather than a 
beginner's guide...so I probably am being mean :)

The price is reasonable, and if you are a complete newbie, it will get 
you on your feet.  The book definitely does what it says on the tin and 
I would give it a 7 out of 10...

Cheers

-- 
Alexander Clouter
.amongst says: Dibble's First Law of Sociology:
Some do, some don't.



Re: MySQL and FreeRADIUS environment.

2011-09-27 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 Master/slave, or replication and remote accounting, if you want one 
 true source let radius deal with the sql rather than trying anything 
 with sql. Final advice would be to use postgresql rather than mysql, 
 our performance increase was a magnitude better when we ditched mysql
 
Our experience has been that using MySQL pretty much guarantees you 
*will* be burnt...especially with the replication.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having a MID-WEEK CRISIS!



Re: Need a little regex help

2011-09-17 Thread Alexander Clouter
Commonn Systems ad...@commonn.com wrote:

 I guess all the regex gurus will laugh at my request 
 
Only if you had not figured it out ;)

 I figured it out, for others, looks like this works: .*:SSID_ABC !
 
Typically regex is complicated to newcomers as there are three 
(important) types (online documentation typically does not differentiate 
between what is being documented):
 * basic (obsolete)
 * extended (POSIX.2)
 * perl

The first two are handled by 'man 7 regex' whilst the last is 'man 
perlre'.  Sadly, for now, FreeRADIUS only supports the first two, but 
you would have to be crazy to use just basic regex.

Cheers

-- 
Alexander Clouter
.sigmonster says: Tact, n.:
The unsaid part of what you're thinking.



Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Priming up my end for a burn in...
 
24 hours later, still churning happily.  Running 2.1.12 (bfe2c025).

Cheers

-- 
Alexander Clouter
.sigmonster says: The only constant is change.



Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Please let me know if there are any problems.  If not, this can become 
 2.1.12.
 
Something handy to add if it is not too late.

We suffered a power failure today which caused our 802.1X/MAC-auth 
clients to surge their accounting traffic.  All due to the following in 
post-auth:

# defaults
update reply {
        [snipped]

        Acct-Interim-Interval := 3600
}


Would be handy to change Acct-Interim-Interval to something like:

update reply {
        Acct-Interim-Interval := 3000 + %{rand:1200}
}


This would give me Acct-Interim-Interval set to 1hr +/- 10mins.

As it is set now, I just got 1MB of journal recorded to file accounting 
data landing on my systems :)

Cheers

-- 
Alexander Clouter
.sigmonster says: The chief cause of problems is solutions.
-- Eric Sevareid

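An added simulation, not part of the original post, that puts numbers on the surge described above: 2000 sessions that all (re)authenticated in the same second after a power failure, given either the fixed 3600 s from the defaults or the proposed 3000 + %{rand:1200}. It assumes %{rand:1200} yields an integer in 0..1199 (so 50 to 70 minutes) and that each NAS honours the interval it was handed for the life of the session.

```python
import random
from collections import Counter


def interim_update_load(intervals, horizon):
    """Count Interim-Update packets per second for sessions that all started
    at t=0 (the post-power-failure surge); each session sends an interim
    update every `interval` seconds for as long as the horizon lasts."""
    hits = Counter()
    for interval in intervals:
        t = interval
        while t < horizon:
            hits[t] += 1
            t += interval
    return hits


def fixed_intervals(n_clients):
    # what "Acct-Interim-Interval := 3600" hands every client
    return [3600] * n_clients


def jittered_intervals(n_clients, rng):
    # what "Acct-Interim-Interval := 3000 + %{rand:1200}" hands each client;
    # assumption: %{rand:1200} yields an integer in 0..1199, i.e. 50..70 minutes
    return [3000 + rng.randrange(1200) for _ in range(n_clients)]


def peak_per_second(hits):
    """Worst single second of accounting load."""
    return max(hits.values()) if hits else 0


def jitter_bounds(n_clients=10000, seed=7):
    """Smallest and largest interval the jittered rule handed out in a sample."""
    xs = jittered_intervals(n_clients, random.Random(seed))
    return min(xs), max(xs)


def compare_peaks(n_clients=2000, horizon=24 * 3600, seed=1):
    """Peak Interim-Updates per second over one day, fixed vs jittered.

    With the fixed interval every session fires in the same second each hour,
    so the peak equals the number of sessions; with the jitter the first round
    is spread over 1200 seconds and later rounds drift apart further."""
    rng = random.Random(seed)
    fixed = peak_per_second(interim_update_load(fixed_intervals(n_clients), horizon))
    jitter = peak_per_second(interim_update_load(jittered_intervals(n_clients, rng), horizon))
    return fixed, jitter


if __name__ == "__main__":
    fixed, jitter = compare_peaks()
    print(f"peak Interim-Updates per second: fixed={fixed} jittered={jitter}")
```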


Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the 
 foreach unlang construct or perl.

Last time I checked[1] it seemed trivial to backport to 2.1.x.

Cheers

[1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

-- 
Alexander Clouter
.sigmonster says: An algorithm must be seen to be believed.
-- D. E. Knuth



Re: Pre release of 2.1.12

2011-09-01 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
Priming up my end for a burn in...

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.



Re: Authentication probation for VLAN

2011-08-26 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 * Tunnel-Private-Group-Id:0 = 5*
 
 string != integer
 
 Tunnel-Private-Group-Id is a string.
 
 Eww gross. Ok I thought unlang did the conversions automagically 
 But obviously not
 
Apparently it does work, the OP seems to have neglected to mention that one 
chunk of the debug was for the outer layer, the other the inner auth :-/

Cheers

-- 
Alexander Clouter
.sigmonster says: Misfortunes arrive on wings and leave on foot.



Re: Authentication probation for VLAN

2011-08-25 Thread Alexander Clouter
joao...@gmail.com joao...@gmail.com wrote:
 
 This model works, however it has a (very serious) problem: RADIUS does
 not know from which SSID the client is trying to authenticate, or whether it
 decides solely on the basis of the realm of the client's authentication. I need
 to make RADIUS check the VLAN that is associated with the request for
 user authentication. Checking through the RADIUS debug, an Access-Request
 packet has the following information:
 
 ...
 rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204,
 length=184
 User-Name = joao@fpti
 Calling-Station-Id = 68-a3-c4-85-c5-89
 Called-Station-Id = 00-26-cb-94-65-60:FPTI
 NAS-Port = 29
 NAS-IP-Address = 192.168.254.48
 NAS-Identifier = WLC-PTI
 Airespace-Wlan-Id = 1
 Service-Type = Framed-User
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 * Tunnel-Private-Group-Id:0 = 5*

string != integer

Tunnel-Private-Group-Id is a string.

I have to do a similar thing to map a silly attribute coughed up by 
Cisco's useless WLC:
policy.conf:
rewrite.quirk.wlc {
        if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
                switch "%{Airespace-Wlan-Id}" {
                        case 1 {
                                update request {
                                        NAS-Port-Id := "eduroam"
                                }
                        }
                        case 5 {
                                update request {
                                        NAS-Port-Id := "UTILICOM"
                                }
                        }
                        case 6 {
                                update request {
                                        NAS-Port-Id := "BTOpenzone"
                                }
                        }
                        case 7 {
                                update request {
                                        NAS-Port-Id := "soas-wpa-psk"
                                }
                        }
                        case {
                                update request {
                                        NAS-Port-Id := "UNKNOWN"
                                }
                        }
                }

                ...
        }


You should use (I am almost certain you should not be looking at tagged 
attributes, so drop the ':0' too):
# notice the "" around the value
if (Tunnel-Private-Group-Id == "5") {
        [stuff]
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Do not apply to broken skin.



Re: Realm parsing and \r = =0D

2011-08-24 Thread Alexander Clouter
        }) {
                update reply {
                        Reply-Message := "Realm Blackholed"
                }
                reject
        }

        # [snipped local MAC-Auth hooks]

        # workaround crappy load-balancing
        if (Realm == DEFAULT) {
                update control {
                        Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}"
                }
                handled
        }

        Autz-Type Status-Server {
                ok
        }
}

post-auth {
        Post-Auth-Type Reject {
                redundant {
                        sql.dot1x
                        ok
                }

                attr_filter.access_reject

                eap-has-no-reply-message

#               detail
        }

        # defaults
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "unauthorised"

                Termination-Action := RADIUS-Request
                Session-Timeout := 300

                Acct-Interim-Interval := 3600
        }

        if ((EAP-Message) && !(Ldap-UserDn)) {
                cache_ldap-userdn
        }

        if (Realm == DEFAULT) {
                update reply {
                        Tunnel-Private-Group-Id := "eduroam"
                }
        }
        # to be removed once we register personal workstations
        elsif (Realm == "%{config:local.MY.realm}") {
                update reply {
                        Tunnel-Private-Group-Id := "users-unmanaged"
                }
        }

        if (reply:Tunnel-Private-Group-Id != "unauthorised") {
                update reply {
                        # Cisco only support a max of 65535
                        Session-Timeout := 64800
                }
        }

        redundant {
                sql.dot1x
                ok
        }

        attr_filter.soas-auth

        eap-has-no-reply-message
}


If enough people pester me I might get around to 'generalising' this.  
There is already some effort in this space, Arran 
Cudbard-Bell(@freeradius.net) used to work in Academentia over in 
Rightpondia and put together a slightly different approach (without a 
focus around proxy.conf that I use, it's pretty much what the rest of 
the .ac.uk sector use I think, I of course have to be different):

http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf

FreeRADIUS v2.0.2 Implementation to support eduroam at the University 
of Sussex.

It's all good stuff though.  Pick the approach that makes the most sense 
to you and more naturally fits your needs.  I like priming FreeRADIUS 
with the realm-proxy mapping and leaving it to its own devices, others 
prefer to explicitly use unlang in authorize{}.

Do contact me off list if you want some help and think this could be 
getting off topic; although there are a *lot* of eduroam'ers here on the 
list.

Cheers

-- 
Alexander Clouter
.sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?



Re: Want to silently discard the request if authentication module as web service client connecting to the web service server is down.

2011-08-10 Thread Alexander Clouter
Ankur G anku...@globallogic.com wrote:
 
 We have a little different scenario. We have two different instances of web
 server connecting to two different RADIUS servers, such that if one of the
 RADIUS servers is not able to connect to its web server, the RADIUS client can
 fail over to another RADIUS server which has a different web server connected.
 Below is the scenario:
 
  /--W1--\  <-->  /--- R1 ---\
                               <--- C
  /--W2--\  <-->  /--- R2 ---\
 
Why can't R1 talk to W1 *and* W2?  Your module should be able to try 
using both surely (if W1 fails, it should try W2)?

I suspect it would be a strange network failure if W1 and W2 are 
unreachable to R1 but R2 could still speak to W2 (misconfiguration 
rather than node/router failure)?

Well, you should still use FAIL in your module rather than REJECT if 
something internal to the module has failed.  Combine this with what 
Alan already has pointed you to, do_not_respond in policy.conf, and you 
should be able to get to where you want to be.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you sow your wild oats, hope for a crop failure.



Re: SSH to use CHAP

2011-08-10 Thread Alexander Clouter
chesschi chess...@gmail.com wrote:
 
 I am trying to authenticate SSH users via PAM using FreeRADIUS. Is it 
 possible to use CHAP for the authentication between the RADIUS server and 
 RADIUS client?
 
 SSH client -> SSH server -> PAM -> RADIUS client -> CHAP -> RADIUS server

As far as I am aware, this cannot be done; unless you can find a PAM 
RADIUS plugin that supports CHAP.
 
You should use SSH public keys.  If you want that centrally managed have 
a look at putting your users' SSH keys into LDAP:

http://freshmeat.net/projects/lpkfuse

Cheers

-- 
Alexander Clouter
.sigmonster says: List at least two alternate dates.



Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-09 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
  3) How much/what options do I need to configure in the ldap module 
 config? I've configured server, basedn, filter, groupname_attribute, 
 groupmembership_filter and groupmembership_attribute, but all I get 
 is Operations error.  If I add identity and secret, I get a 
 Referral failure. I've also tried the chase_referrals and rebind 
 options, both with and without
  the identity/secret options, but they don't seem to change anything.
 
 What does the following give you from the command line:
 
 ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name
 sAMAccountName=username
 
 
 Operations error (1)
 Additional information: : LdapErr: DSID-0C090627, comment: In order
 to perform this operation a successful bind must be completed on the
 connection., data 0, vece
 
 However, if I take out the -x, I got an error saying my Kerberos ticket
 had expired.  I did a kdestroy and kinit again, with the -x, it still gave
 the error above.  Without the -x, I get what looks like a listing of all
 the account attributes.  However, at the bottom, it says:
 
 # search reference
 ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name
 
 # search result
 search: 5
 result: 0 Success
 
 # numResponses: 3
 # numEntries: 1
 # numReferences: 1
 
 So something still isn't right.
 
To use kerberos with ldapsearch you need to be looking at the SASL 
options in the manpage; probably just -Q would be needed.

 Until you can get 'ldapsearch' to work, you are unlikely to get
 FreeRADIUS to work.  From the debug output and your description, it
 sounds more like a "how you are using LDAP" rather than a "how FreeRADIUS
 is using LDAP" problem.
 
 If you can get ldapsearch to display the attributes you are after, then
 you can start to tinker with FreeRADIUS.
 
 Yeah, I kinda figured it was a "I'm not sure how to configure LDAP properly
 to talk to my AD".  Thanks for the assistance.  I'll have a play around with
 ldapsearch for a while and see if I can't figure this out.

Found some useful bits at (eugh, Gentoo):

http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP#OpenLDAP_configuration_files

 And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can
 connect to the same host, bind using the same credentials, use the same
 basedn and search using the same filter, and I get results.  So I'm not sure
 what I'm doing wrong.

It might be worth putting wireshark on the windows workstation running 
ldp.exe if you get desperate.  It might give you some hints.
 
(although I see you have already figured things out in your next posting)

 OT and perhaps reply off list, but I'm curious why you say e to 
 PHP, and what you would use instead?

Flamebait!  I nearly fell for it. :)

You have permission to Google-stalk me if you really want to know
what I use.

Cheers

-- 
Alexander Clouter
.sigmonster says: What soon grows old?  Gratitude.
-- Aristotle



Re: Want to silently discard the request if authentication module as web service client connecting to the web service server is down.

2011-08-09 Thread Alexander Clouter
Ankur G anku...@globallogic.com wrote:
 
 But if the exposed web service is down, the RADIUS server simply rejects the
 authentication request with the response message Access-Reject.

 We want the RADIUS server, instead of rejecting, to simply discard the
 authentication request, which will allow the RADIUS *client* to fail over to
 another RADIUS server.

...surely the other RADIUS server the client has listed will also be 
unable to process the request as the web service is down?

If you have multiple web-service instances about, then your 
perl/python/exec code should failover to using other instances.

I find it hard to see how this situation would help you in practice (W = web, 
R = RADIUS server, C = RADIUS client), as surely if R1 is unable to 
talk to W, having C fail over to R2 is not going to help?

      /--- R1 ---\
 W --+            +--- C
      \--- R2 ---/
 
If you have W1 and W2, then R1 and R2 should be able to talk to both.

 So while going through the FreeRADIUS configuration I came across the section
 in the sites-available/default file, under the post-auth section, which states
 that Access-Reject packets are sent through the REJECT sub-section of the
 post-auth section, and is as follows:
 
 Post-Auth-Type REJECT {
         # log failed authentications in SQL, too.
         #sql
         attr_filter.access_reject
 }
 
 If you think this is the right approach, could you please provide me with
 sample code with which I could check the rlm status code and silently
 discard the responses other than RLM_MODULE_OK and
 RLM_MODULE_REJECTED.
 
http://wiki.freeradius.org/Modules2#Module+Return+Codes

RLM_MODULE_FAIL looks like a better option to use, although it will not 
give you what you want; but it would enable you to use unlang to perform 
other tasks.

Cheers

-- 
Alexander Clouter
.sigmonster says: You fill a much-needed gap.

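An added illustration of the point made in this reply and in the one above about W1/W2 (not FreeRADIUS's code, nor the poster's): a plain-Python stand-in for the module's own logic, which tries each web-service instance itself and returns REJECT only when a reachable instance refused the credentials, FAIL when no instance could be reached at all. Only the return-code names come from the module return codes page linked above; the backends, `WebServiceDown`, the user table and the response mapping are constructed for this example, and the mapping of FAIL to "no reply" is what the thread proposes achieving with do_not_respond.

```python
from enum import Enum


class ModuleRC(Enum):
    # names follow FreeRADIUS's module return codes; the values are for this example only
    RLM_MODULE_OK = "ok"          # credentials accepted by a working backend
    RLM_MODULE_REJECT = "reject"  # credentials refused by a working backend
    RLM_MODULE_FAIL = "fail"      # the module itself could not do its job


class WebServiceDown(Exception):
    """Raised by a backend that could not be reached (refused, timed out)."""


def authenticate(backends, username, password):
    """Try each web-service instance in order (W1, then W2, ...).

    A transport failure moves on to the next instance; only an answer from a
    reachable instance decides OK vs REJECT.  If nothing answered, that is an
    internal failure and not a bad password, so return FAIL rather than REJECT.
    Conflating the two is what makes the RADIUS client unable to tell "your
    password is wrong" from "this server cannot check passwords right now"."""
    for name, call in backends:
        try:
            accepted = call(username, password)
        except WebServiceDown:
            continue  # W1 unreachable: try W2 before giving up
        return ModuleRC.RLM_MODULE_OK if accepted else ModuleRC.RLM_MODULE_REJECT
    return ModuleRC.RLM_MODULE_FAIL


def response_for(rc):
    """Emulate the wire effect the thread is after: FAIL becomes no reply at all
    (the do_not_respond policy), so the NAS times out and fails over to R2.
    REJECT stays an Access-Reject: a wrong password must not trigger failover."""
    return {
        ModuleRC.RLM_MODULE_OK: "Access-Accept",
        ModuleRC.RLM_MODULE_REJECT: "Access-Reject",
        ModuleRC.RLM_MODULE_FAIL: None,
    }[rc]


def make_backend(reachable, users):
    """Constructed stand-in for one web-service instance holding a user table."""
    def call(username, password):
        if not reachable:
            raise WebServiceDown()
        return users.get(username) == password
    return call


# constructed sample instances: W1 is down, W2 is up
USERS = {"alice": "correct horse battery staple"}
W1 = ("W1", make_backend(False, USERS))
W2 = ("W2", make_backend(True, USERS))


def demo():
    """Outcome of the three cases the thread discusses."""
    return {
        "w1 down, w2 accepts": authenticate([W1, W2], "alice", USERS["alice"]),
        "w1 down, w2 refuses": authenticate([W1, W2], "alice", "wrong"),
        "both down": authenticate([W1, W1], "alice", USERS["alice"]),
    }


if __name__ == "__main__":
    for case, rc in demo().items():
        print(f"{case}: {rc.name} -> {response_for(rc)}")
```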


Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-09 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
 So I've gone back to FR's LDAP module and thought I'd give ldap_debug a 
 try, 
 despite the warning.  Surprisingly, it spat out one extra line in my debug:
 
 rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter 
 (sAMAccountName=username)
 Unable to chase referral ldap://my.domain.name/dc=my,dc=domain,dc=name; (-1: 
 Can't contact LDAP server)
 rlm_ldap: ldap_search() failed: Referral
 
 If I copy and paste that url ldap://my.domain.name/dc=my,dc=domain,dc=name; 
 into my Windows box, it opens LDAP Browser and connects just fine to my 
 domain, so I assume the syntax of that is right.  And if I use just 
 my.domain.name in ldapsearch as the host, it works there as well.  Any idea 
 why this wouldn't work?
 
Looks like[2] if you do not make an anonymous bind to AD your problems 
might go away, or alternatively change your base to not be the root of 
your directory.

 Out of curiosity, do I need to configure OpenLDAP on the server at all?  Or 
 does this module's conf take care of that for me, for this purpose?
 
No need in theory, I personally do just to fix up certificate 
validation[1] when using ldapsearch and whatnot though.

Cheers

[1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt
[2] 
http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.html 
and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad

-- 
Alexander Clouter
.sigmonster says: You are magnetic in your bearing.



Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-08 Thread Alexander Clouter
Moe, John j...@hatch.com.au wrote:
 
 Oh goodie, I'm getting somewhere.  :-)

...except on the top posting front <email-nazi/>. ;P
 
 1) So, I don't need to uncomment ldap in the authenticate section, as it's 
 not going to do the password validation, right?

Sounds right.
 
 2) Do I just configure the module, put ldap in the authorize section of 
 sites-enabled/default, and put Ldap-Group in the check-items?
 
Indeed.

 3) How much/what options do I need to configure in the ldap module config? 
 I've configured server, basedn, filter, groupname_attribute, 
 groupmembership_filter and groupmembership_attribute, but all I get is 
 Operations error.  If I add identity and secret, I get a Referral 
 failure. 
 I've also tried the chase_referrals and rebind options, both with and without 
 the identity/secret options, but they don't seem to change anything.
 
What does the following give you from the command line:

ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username


Until you can get 'ldapsearch' to work, you are unlikely to get 
FreeRADIUS to work.  From the debug output and your description, it 
sounds more like a "how you are using LDAP" rather than a "how FreeRADIUS 
is using LDAP" problem.

If you can get ldapsearch to display the attributes you are after, then 
you can start to tinker with FreeRADIUS.

 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
        server = "mygc.my.domain.name"
        port = 389
        password = ""
        identity = ""
        net_timeout = 1
        timeout = 4
        timelimit = 3
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"   <-- remember to make this 'require'
   tls {
        start_tls = no
        require_cert = "allow"   <-- remember to make this 'require'
   }
        basedn = "dc=my,dc=domain,dc=name"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        auto_header = no
        access_attr_used_for_allow = yes
        chase_referrals = yes
        rebind = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        dictionary_mapping = "/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = no
  }

 [snipped]

 rlm_ldap: Entering ldap_groupcmp()
 [files] expand: dc=my,dc=domain,dc=name -> dc=my,dc=domain,dc=name
 [files] expand: %{Stripped-User-Name} ->
 [files] expand: %{User-Name} -> username
 [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to mygc.my.domain.name:389, authentication 0
 rlm_ldap: bind as / to mygc.my.domain.name:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter 
 (sAMAccountName=username)
 rlm_ldap: ldap_search() failed: Operations error
 rlm_ldap::ldap_groupcmp: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0

If you have the stomach, a quick Google search takes you to the PHP 
website[1] (e) but there is a posting that you should find useful.  
Looks like with Win2k3 you must have referrer following turned off and 
you cannot search the *whole* base of your directory, you can only 
search a sub-branch.  I suspect the fix is nothing more than setting 
'basedn' to ou=lusers,dc=my,dc=domain,dc=name.

Cheers

[1] http://www.php.net/manual/en/function.ldap-search.php#45388

-- 
Alexander Clouter
.sigmonster says: Without fools there would be no wisdom.



Re: Freeradius closes

2011-08-08 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 The radiusd keeps closing and i have to restart it.  I am running 2.1.11
 on this server but i have recently upgraded to this and it was happening
 before.

 The program uses up all the memory on the computer which is 4GB and I
 have enclosed a picture of this.  I can send what ever config files you
 need to help me discover this problem.  We are using a MySql database to
 keep track of customer accounts and usage.
 
  Try the v2.1.x branch from http://git.freeradius.org
 
  That will become 2.1.12 soon.
 
Well...been running v2.1.x (8e71524f) for a while now and not seen any 
problems.

I was running 2.1.11 on the other node and that still died with 'unable 
to insert event', interestingly again just after a Status-Server message 
was received.  RAM, CPU, IO usage at the time and for the whole time 
since FreeRADIUS was started was all normal (from my torrus[1] graphs).

Will keep you posted if anything crops up...touch wood it seems okay.

Cheers

[1] http://torrus.org/ is amazing, especially combined with snmpd on 
hosts too

-- 
Alexander Clouter
.sigmonster says: HOST SYSTEM RESPONDING, PROBABLY UP...



Re: Cleanup Stale Sessions - needed?

2011-08-08 Thread Alexander Clouter
Paolo Di Francesco paolo.difrance...@level7.it wrote:

 we searched before asking, but we did not find any reference. If you
 have references of previous conversations, please send me the pointers
 privately.
 
http://lmgtfy.com/?q=site%3Ahttp%3A%2F%2Flists.cistron.nl%2Fpipermail%2Ffreeradius-users%2F+sql+session+clean

Cheers

-- 
Alexander Clouter
.sigmonster says: Got a dictionary?  I want to know the meaning of life.



Re: Freeradius closes

2011-08-08 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
 
 [1] http://torrus.org/ is amazing, especially combined with snmpd on 
   hosts too
 
 It looks very nice.
 
The nice bit is that it is trivial to configure.  All you do is load up 
a command with the IP addresses you want to poke along with the SNMP 
communities and you quickly have five-minutely graphs for *every* port 
on your network, and for the various servers with snmpd running.

Simples

-- 
Alexander Clouter
.sigmonster says: Apathy is not the problem, it's the solution



Re: Using multiple authentication modules.

2011-08-04 Thread Alexander Clouter
Mrinal K sinha.mri...@gmail.com wrote:
 
> I am trying to authenticate users using client certificates and when
> that is verified I intend to use perl module for checking other
> attributes and verify that from database. Till now I was trying to
> configure freeradius to do EAP-TLS and then execute the perl
> module(rlm_perl). Both of them work perfectly fine independently but I
> do not know if we can put them together. I believe I can do something
> similar(checking certificate using EAP and then execute a script)
> using exec-program-wait but considering its depricability and per
> thread overhead will like the rlm_perl.
>
Without including your FreeRADIUS configuration there is very little 
anyone here can do to help you other than ask have you just tried using 
both modules?

authorize {
  ...

  eap

  perl

  ...
}

authenticate {
  eap
  perl
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Yow!  Is my fallout shelter termite proof?



Re: num_answers_to_alive

2011-08-04 Thread Alexander Clouter
Stefan Winter stefan.win...@restena.lu wrote:
 
> The documentation says that 3..10 are *useful* ranges, but doesn't
> mention that everything else is forbidden. In particular, I would like
> to use 1, not 3. The idea is: the server was dead before, but now it
> managed to send a reply back - so it must have been fixed. I would like
> to mark it alive immediately. Is that unreasonable?

Similar to 'link flapping' (think OSPF/BGP), you should use heuristics 
as things are not just black and white.  If a service simply had two 
states up and down then that probably would be okay, but we also 
have 'unstable'.  Imagine this state coming from:
 * overloaded RADIUS server (or backend DB)
 * link congestion between RADIUS servers

Having a value of three, says not just alive but also alive and has 
been for a while; this could be further interpreted that the service is 
stable as well as alive.  If the system briefly came back and died then 
on attempt two or three you would have likely seen a failure.

Hope I am explaining myself well :)

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #256:
  You need to install an RTFM interface.

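Added illustration, not part of the thread above and not FreeRADIUS code: a deliberately simplified Python model of the "dead until N consecutive Status-Server replies" behaviour the post argues for. The state machine (a miss while alive goes straight back to dead, a miss while dead resets the streak, no zombie period) is an assumption for illustration only, not the server's actual logic; the probe history is constructed.

```python
# Added example: why num_answers_to_alive = 1 flaps with an unstable
# backend while 3 waits for the backend to be stable.  This is a toy model
# (assumption: real FreeRADIUS also has a zombie period and other details
# that are omitted here).
from dataclasses import dataclass, field
from typing import List


@dataclass
class HomeServer:
    num_answers_to_alive: int
    alive: bool = False          # start in the "dead" state
    good_answers: int = 0        # consecutive Status-Server replies seen
    transitions: List[str] = field(default_factory=list)

    def status_check(self, replied: bool) -> None:
        """Feed one Status-Server probe result into the model."""
        if self.alive:
            if not replied:
                # a missed reply while alive sends us back to dead
                self.alive = False
                self.good_answers = 0
                self.transitions.append("dead")
            return
        if replied:
            self.good_answers += 1
            if self.good_answers >= self.num_answers_to_alive:
                self.alive = True
                self.transitions.append("alive")
        else:
            # a miss resets the streak: the backend is not stable yet
            self.good_answers = 0


def simulate(num_answers_to_alive: int, probes: List[bool]) -> List[str]:
    """Return the list of state transitions produced by a probe history."""
    server = HomeServer(num_answers_to_alive)
    for replied in probes:
        server.status_check(replied)
    return server.transitions


# Constructed probe history: an overloaded backend that answers once,
# drops twice, and only then becomes stable.
FLAPPING_BACKEND = [True, False, True, False, True, True, True, True]

if __name__ == "__main__":
    for n in (1, 3):
        print(f"num_answers_to_alive={n}: {simulate(n, FLAPPING_BACKEND)}")
```

With the threshold at 1 the server is marked alive and dead five times over the same probe history for which a threshold of 3 produces a single transition to alive, which is the "stable as well as alive" distinction the post describes.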


Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:
 
> I am though currently trying to pin down a bug where FreeRADIUS just
> closes itself down for no reason at all.  I have run tcpdump during
> the clean shutdown, and see it is not malformed traffic causing the
> problem, RAM usage is normal, open FD's is sane, etc etc.  Caught the
> event many times with gdb, but it's not a SIG, just a regular exit().
>
> Currently now running FreeRADIUS in production with -X to see if there
> is anything in the full debug logs...
>
Caught it!

[snipped]
rlm_sql (sql.dot1x): Reserving sql socket id: 1
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql.dot1x): Released sql socket id: 1
++[sql.dot1x] returns ok
++? if (invalid)
? Evaluating (invalid) -> FALSE
++? if (invalid) -> FALSE
++? if (failed)
? Evaluating (failed) -> TRUE
++? if (failed) -> TRUE
++- entering if (failed) {...}
+++? if (Acct-Status-Type == "Stop" && (!(Acct-Session-Time) || Acct-Session-Time == 0) && Packet-Transmit-Counter > 5)
? Evaluating (Acct-Status-Type == "Stop" ) -> FALSE
??? Skipping (Acct-Session-Time)
?? Skipping (Acct-Session-Time == 0)
? Skipping (Packet-Transmit-Counter > 5)
+++? if (Acct-Status-Type == "Stop" && (!(Acct-Session-Time) || Acct-Session-Time == 0) && Packet-Transmit-Counter > 5) -> FALSE
++- if (failed) returns ok
} # server dot1x.decoupled-accounting
Finished request 10642.
Cleaning up request 10642 ID 25817 with timestamp +5748
Going to the next request
Detail listener /var/log/freeradius/radacct/journal/dot1x/detail.acct.* state replied signalled 0 waiting 0.214551 sec
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
[event.c:3002] Failed to insert event


There seem to be a bunch of malloc()'s where it could fail lurking 
behind INSERT_EVENT().  I am pretty sure that the system is not running 
out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to 
track this over time.

Any ideas?

Cheers

-- 
Alexander Clouter
.sigmonster says: The faster we go, the rounder we get.
-- The Grateful Dead



Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Jul 28, 2011 at 4:42 PM, Alexander Clouter a...@digriz.org.uk wrote:
>> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38,
>> length=38
>> [event.c:3002] Failed to insert event
>>
>>
>> There seem to be a bunch of malloc()'s where it could fail lurking
>> behind INSERT_EVENT().  I am pretty sure that the system is not running
>> out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to
>> track this over time.
>>
>> Any ideas?
>
> What happens when you send Status-Server packet manually (see man
> radclient for example)? Does the failure happen?
>
Status-Server is sent from localhost once a second as part of the 
failover system I use:

http://www.digriz.org.uk/ha-ospf-anycast

The script used is:

http://www.digriz.org.uk/ha-ospf-anycast?action=AttachFile&do=get&target=radius-probe

I do not think it is related to it as sometimes days can pass between 
the daemon exiting and on this occasion it was only an hour or two.  If 
it was related to the cumulative number of requests being processed, I 
would expect a roughly regular 'death' interval.

I do not think it is load related either as we have had the system die 
at all hours of the day.

Cheers

-- 
Alexander Clouter
.sigmonster says: Unix soit qui mal y pense
[Unix to him who evil thinks?]



Re: Freeradius closes

2011-07-28 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
> Alexander Clouter wrote:
>
>> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38,
>> length=38
>> [event.c:3002] Failed to insert event
>
>   Ouch.

Indeed.  It did only start to happen once I upgraded to 2.1.11 from 
2.1.10.  Of course I was originally plagued by the OP's problem of the 
memory leak when using git v2.1.x between these releases; which might 
have hidden this particular problem.
 
Before 2.1.11, FreeRADIUS ran fine for weeks.

>> There seem to be a bunch of malloc()'s where it could fail lurking
>> behind INSERT_EVENT().  I am pretty sure that the system is not running
>> out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to
>> track this over time.
>>
>> Any ideas?
>
>   Hmm... 512MB isn't a lot for a modern system.  And on Linux, malloc()
> never fails.
>
...plenty though.  Over nearly 12 hours of use, RAM usage for
FreeRADIUS is still at 15MB for one of my nodes and the other is 17MB.
Linux is using the 280MB for filesystem cache and still has 180MB free!

> The other alternative is some kind of internal API problem.  But those
> should all be fixed in git head.
>
If you think there is something relevant in v2.1.x since 2.1.11 then
I'll give it a go sooner rather than later.

Can you think of something that might not be system RAM related but 
maybe caused by another possible RAM limit, heap, stack whatever it is 
(not quite my forte)?

Cheers

-- 
Alexander Clouter
.sigmonster says: Money may buy friendship but money cannot buy love.



Re: LDAP Groups and Dynamic VLAN assignment

2011-07-27 Thread Alexander Clouter
stich86 stic...@gmail.com wrote:
 
> there is a possibility to get Tunnel-Private-Group-ID and others from the
> LDAP groups and not users file?
>
> i've read many times docs/rlm_ldap but cant get out of this problem :(

Next time, try the freeradius-users@ archive too (true of *any* mailing 
list)?
 
> Is it possible to do this configuration in conjunction with redundant ldap
> configuration??
>
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71133.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Is there life before breakfast?



Re: Freeradius closes

2011-07-27 Thread Alexander Clouter
john j...@rcsaccess.net wrote:
 
> The radiusd keeps closing and i have to restart it.  I am running
> 2.1.11 on this server but i have recently upgraded to this and it was
> happening before.
>
> The program uses up all the memory on the computer which is 4GB and I
> have enclosed a picture of this.  I can send what ever config files
> you need to help me discover this problem.  We are using a MySql
> database to keep track of customer accounts and usage.
>
IIRC the fix you need is:

https://github.com/alandekok/freeradius-server/commit/731e733b

I recommend, if possible, to just use the v2.1.x tree which is 'stable' 
just not a marked official release.

http://git.freeradius.org/

I am though currently trying to pin down a bug where FreeRADIUS just
closes itself down for no reason at all.  I have run tcpdump during
the clean shutdown, and see it is not malformed traffic causing the 
problem, RAM usage is normal, open FD's is sane, etc etc.  Caught the 
event many times with gdb, but it's not a SIG, just a regular exit().

Currently now running FreeRADIUS in production with -X to see if there 
is anything in the full debug logs...

Just a warning, but I would imagine there would be other grumblings on 
the list (or I have missed them and it's already fixed...).

Cheers

-- 
Alexander Clouter
.sigmonster says: I can't stand squealers; hit that guy.
-- Albert Anastasia



Re: TTLS use_tunneled_reply and Mac OSX

2011-07-20 Thread Alexander Clouter
Scott Armitage s.p.armit...@lboro.ac.uk wrote:
 
> I have noticed that when authenticating using TTLS/MSCHAPv2 that the
> outer-identity is used in the RADIUS reply packet even if the
> use_tunneled_reply is set to yes for TTLS in eap.conf
>
> Does anyone know the reason for this?
>
TLS session resumption?  Also TTLS/MSCHAPv2 is possibly for you actually 
TTLS/EAP-MSCHAPv2 which means you get in effect an inner-inner tunnel if 
I remember correctly.

Have a nosey at:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71026.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Rubber bands have snappy endings!



Re: General wiki rules

2011-07-15 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
> There is no better alternative. You need to indent code blocks for
> them to be easily legible, as it breaks them out of the normal flow of
> the document.

I think that's Phil's point.  The code he is cutting and pasting in is
no doubt already indented.  However, what it probably has is either:
 * no initial indentation (start tab or space)
 * that indentation probably is a tab rather than <space><space>

I love dokuwiki for documentation, but it is a right ballache to find
that when you cut and paste in your configuration snippet I *then* have
to go through <space><space><home><down-cursor><goto 10> before it is
usable.

Sure it seems not a biggy, but it is a right turnoff and makes us all
less inclined to put in the effort.

> If it's going to be a huge issue I could probably add something to
> gollum which converts <pre> tags into the appropriate white space
> scheme before committing the text to the repository. Would you still
> have an issue with this?
>
That would be pretty schweet.  I would not 'pre-process' the text, I
would make sure those <pre>/{{{/whatever remains intact so you do not
suffer indentation pain when editing existing content.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having a MID-WEEK CRISIS!



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
> In our situation the user is bound to a VLAN, so on every workstation
> in the building the user authenticates and the switchport becomes a
> member of the correct VLAN.

I *strongly* recommend not mixing host and user authentication, it's
just too much of a brain expletive.  What happens on a computer you
can SSH, terminal services into...user or host authentication?  Sure you
can generalise, but you might as well just ignore the problem
altogether.  Another example, user A walks in and authenticates
themselves to the network and goes into VLAN x, that user then goes to
lunch and evil user B starts to use the machine...

Obviously we all have our own policies and needs, but I recommend you 
push the 'user authentication' (authorisation too) into a higher level 
such as the application/server and not try to do it at the network 
layer.

This does not mean you cannot use user authentication to bootstrap host
authentication.  For example our mindset here at work is that the user
is stating "I am responsible for this MAC address during this
session"...they might also be authorised to register that workstation
into a particular VLAN to create some workstation credentials.
'un-registered' (user bootstrapped) workstations go into VLAN
'users-unmanaged' whilst our equipment goes into 'users-staff'.

Hope that makes sense...? :)
 
> Correct me if I'm wrong but then we have to administer a separate
> database for hosts ( and in our case users ) Now we have 2 auth-types
> and autz-types.
>
> 1 connects with cn=x,dc=example,dc=com (VLANid x)
> 1 connects with cn=y,dc=example,dc=com (VLANid y)
>
> Depending on the realm the user indicates when logging in
> (user@realm), authenticates and puts the Tunnel-Private-Group-Id in
> the reply with the correct VLAN id.
>
Well, you could just have users members of network groups instead (do
*not* repurpose an existing group).  I would suggest, if you have the
time, create an enrollment page.  Unknown MAC addresses (even with a
valid *user* 802.1X session) are redirected to a webpage to register the
machine into a network (typically only one, maybe your helpdesk members
would be permitted to register the equipment into a number of groups).
This does not mean that you use MAC-auth for that machine, but the
enrollment session could generate workstation credentials (EAP-TLS) to
use or you could still enforce that user 802.1X credentials (not
necessarily the original registrant's) need to be used to gain
access.

This means you can permit users to register up to five devices for 
example.

> The problem: When using 'Login Window' based 802.1x.
> So when user puts in its user/pass at the login window, it does its 802.1x
> magic.
>
> But with user@realm, LDAP doesn't understand this of course, so the
> @realm needs to be stripped when authenticating to LDAP.
>
> So:
>
> user@realm --- radius reads the realm, strips the @realm so LDAP
> understands, makes its auth/autz-type.
>
> I hope you catch my drift. :)
>
This is covered in the FreeRADIUS documentation (and numerous 'eduroam' 
examples, it looks like you are aiming for this type of thing).  
'suffix' is what you want in your authorize section, you then pass to 
the ldap module 'Stripped-User-Name'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Massachusetts has the best politicians money can buy.



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
>> 'un-registered' (user bootstrapped) workstations go into VLAN
>> 'users-unmanaged' whilst our equipment goes into 'users-staff'.
>> Hope that makes sense...? :)
>
> Do you mean: unauthorized, user be put in default (jailed) vlan?
>
I work for a university so we have a lot of equipment that we do not 
maintain but is owned by the students/staff that needs to connect.  So, 
we have three main workstation VLANs:
 * unauthorised
 * users-unmanaged
 * users-staff

Unknown MAC addresses go into 'unauthorised' which is a sandpit network 
which does nothing more than redirect the web browser to our 
'unauthorised workstation' webpage[1].  There they are permitted to get 
to a few websites (microsoft.com, etc) and to the instructions/tools 
they need to configure their computer for 802.1X.

When they are 802.1Xing, they get put into 'users-unmanaged' which gives 
them all the access they could want, and that I am willing to give them.  
One day, when I find the time, I will have a 'pre-registration' VLAN (or 
more likely dual-purpose 'unauthorised') for unrecognised MAC addresses 
that have gotten past 'unauthorised' by doing 802.1X with some user 
credentials.

'users-staff' is currently MAC-auth workstations that we maintain, the 
helpdesk would not love me if I forced them to configure each 
workstation for 802.1X (we are condemned with Novell and not AD...but 
apparently not for much longer).  :)

One day, to get into 'users-staff', you will need to do EAP-TLS, but for 
now it is just MAC-auth.

There is no different level of access between 'users-staff' and
'users-unmanaged' here, we just wanted to keep equipment that we
maintain and equipment we do not in different subnets.  Mainly to keep
the subnets small :)

Cheers

[1] 
http://www.soas.ac.uk/itsupport/personal-equipment/unauthorised-workstation.html

-- 
Alexander Clouter
.sigmonster says: Where do you think you're going today?



Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

2011-07-15 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:

>> Unfortunately, when you set nostrip in the config, it doesn't add a
>> Stripped-User-Name attribute to the request, but when you unset it,
>> rlm_realms adds a Stripped-User-Name attribute and also updates the
>> User-Name attribute to the same value.
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process
> realms now, but I am certain we used it with nostrip and it left the
> original User-Name intact and populated Stripped-User-Name.

You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and
making its way out into outer.reply.  When you use 'User-Name' in
post-auth{} you will get reply:User-Name rather than request:User-Name
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.



Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
> I accomplished to strip the username, it authenticates successfully against
> LDAP.
> But eventually it fails on EAP I think, because the username isn't the
> original from the request.
>
> [snipped]
> users: Matched entry DEFAULT at line 7
>   modcall[authorize]: module files returns ok for request 3

What does this do?

You must not change User-Name at all...I suspect somewhere in your 
configuration you are doing so to try to fix another problem.  If you 
want the User-Name to be realmless then use Stripped-User-Name or use 
unlang to populate something like Tmp-String-0.

> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for userA
> radius_xlat:  '(uid=userA)'
> radius_xlat:  'ou=y,ou=people,dc=example,dc=com'

What are you xlat'ing?  Can we see your configuration?  Are you using 
ldap xlat to set User-Name?  If so, don't!

Cheers

-- 
Alexander Clouter
.sigmonster says: fortune: not found



Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name

2011-07-14 Thread Alexander Clouter
In article 795d5ee4-7536-431e-926a-98e70efa1...@vt.edu you wrote:

> So, one of my last things here is making sure I can get at the
> stripped usernames for my domain users, as they're authorized by their
> stripped name, not the name w/ which they're authenticating.  Forex,
> if I'm using my AD credentials to log in, User-Name = hokies\dawson,
> but I'm authorized for WLAN access as 'dawson,' not 'hokies\dawson.'

Although to prevent down the road severe levels of pain when enabling
eduroam you should be using something like 'daw...@hokies.vt.edu', could
you not just use 'ntdomain' (a built in module that will do this for
you)?  'ntdomain' should create Realm and Stripped-User-Name in the
manner you want.

> That's all well and good, as I should just be able to use
> Stripped-User-Name in my queries and it'll be fine (assuming it
> exists, using the :- operator and doing a little logic there, which I
> have working fine).  However, I haven't found a way, or maybe just the
> right way, to get the realms module to create that stripped user name
> at the right time, and when I use the perl module to create it and add
> it to the list, it doesn't seem to come out the other side, like so:
>
> [snipped]
>
> I _tried_ getting this working in unlang, but that got messy pretty
> fast, and started complaining about unmatched parens:

I was going to ask why you were not doing the perl stuff in unlang. :)

> (1)? elsif (%{User-Name} =~ /^(.*\\)(.*)$/)
> (1) expand: %{User-Name} -> hokies\dawson
> ERROR: Failed compiling regular expression: Unmatched ( or \(
> (1)   - if (%{User-Name} !~ /^.*\/.*$/) returns updated
>
> where the relevant part of sites-enabled/default authorize section
> looks thus:
>
> elsif(%{User-Name} =~ /^(.*\\)(.*)$/){
>   update request{
>     Stripped-User-Name := "%{$`}"
>   }
> }

$' and $` are perlisms.  You want something like (look at policy.conf
rewrite.calling_station_id and rewrite.called_station_id as an example):

# group 1 is the optional "domain\" prefix, group 2 the bare username;
# the optional group means a realm-less User-Name still matches
if (User-Name =~ /^([^\\]+\\)?(.*)$/) {
  update request {
    Stripped-User-Name := "%{2}"
  }
}


Untested, but hopefully you get the idea.  :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Sauron is alive in Argentina!

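Added illustration, not part of the thread and not rlm_realm's own code: a Python version of the two splits discussed above, the 'ntdomain' style (DOMAIN\user) and the 'suffix' style (user@realm) that produce Realm and Stripped-User-Name, plus the optional-prefix regex shape from the unlang reply so the capture-group behaviour can be checked outside the server. The sample usernames are the ones from the post; the regexes are assumptions written for this example, not the module's.

```python
# Added example: realm splitting as the ntdomain and suffix realm formats
# do it, and the optional "domain\" prefix regex from the unlang above.
import re
from typing import Optional, Tuple

# "DOMAIN\user": the domain part contains no backslash, the rest is the user.
NTDOMAIN_RE = re.compile(r"^([^\\]+)\\(.*)$")
# "user@realm": the realm is everything after the last '@'.
SUFFIX_RE = re.compile(r"^(.*)@([^@]+)$")
# Same shape as the unlang condition: the "domain\" group is *optional*,
# so a realm-less name still matches and the bare username is group 2.
OPTIONAL_NTDOMAIN_RE = re.compile(r"^([^\\]+\\)?(.*)$")


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (Stripped-User-Name, Realm); Realm is None when absent.

    ntdomain-style names are checked first, then suffix-style ones,
    which is the order you would list the two realm instances in
    authorize {} (assumption made for this example)."""
    m = NTDOMAIN_RE.match(user_name)
    if m:
        return m.group(2), m.group(1)
    m = SUFFIX_RE.match(user_name)
    if m:
        return m.group(1), m.group(2)
    return user_name, None


def strip_ntdomain(user_name: str) -> str:
    """What the unlang 'update request' above sets Stripped-User-Name to."""
    m = OPTIONAL_NTDOMAIN_RE.match(user_name)
    assert m is not None  # the pattern matches every string
    return m.group(2)


if __name__ == "__main__":
    for name in (r"hokies\dawson", "dawson@hokies.vt.edu", "dawson"):
        print(name, "->", split_realm(name), strip_ntdomain(name))
```

The point of the optional group is visible on the last sample: a name with no domain prefix still matches, so the same condition can be used for every request instead of needing a separate branch for realm-less users.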


Re: vlan ldap radiusd

2011-07-14 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
> I'm working on a proof-of-concept for 802.1x and dynamic vlan's on
> switches.
>
> All this works perfectly with user@realm, but now I want to read the
> vlan ID from a ldap attribute and then send the radius request with
> that value in Tunnel-Private-Group-ID.

Reading an attribute for this is arguably silly in the context of LDAP.
Better to test for a group membership otherwise you might as well shovel
everything in a relational database like SQL.

For us we create host LDAP objects, and then those objects are members 
of a LDAP group which has details regarding the VLAN in it (and 
subnetting, etc etc).

I am slowly cobbling bits together on my website[1].  My post-auth looks 
like:

post-auth {
    # defaults
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "unauthorised"

        Termination-Action := RADIUS-Request
        Session-Timeout := 300

        Acct-Interim-Interval := 3600
    }

    if ((EAP-Message) && !(Ldap-UserDn)) {
        cache_ldap-userdn
    }

    lanwarden_vlan
    if (!(control:Tunnel-Private-Group-Id) || control:Tunnel-Private-Group-Id == "") {
        if (Realm == "DEFAULT") {
            update reply {
                Tunnel-Private-Group-Id := "eduroam"
            }
        }
        # to be removed once we register personal workstations
        elsif (Realm == "%{config:local.MY.realm}") {
            update reply {
                Tunnel-Private-Group-Id := "users-unmanaged"
            }
        }
    }
    else {
        update reply {
            Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
        }
    }
    if (reply:Tunnel-Private-Group-Id != "unauthorised") {
        update reply {
            # Cisco only support a max of 65535
            Session-Timeout := 64800
        }
    }
}


'cache_ldap-userdn' you can find in the archives and the reasoning for 
it, meanwhile lanwarden_vlan lurks in policy.conf and looks like:

lanwarden_vlan {
    if ((control:Ldap-UserDn)) {
        if (%{md5:%{client:secret}%{Calling-Station-Id}%l} =~ /[0-7]$/) {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
        else {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
    }
}


It looks horrible as xlat does *not* support failover. :(

Cheers

[1] http://www.digriz.org.uk/lanwarden

-- 
Alexander Clouter
.sigmonster says: You are so boring that when I see you my feet go to sleep.

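Added illustration, not part of the thread and not LanWarden code: the replica-selection pattern the lanwarden_vlan policy above implements in unlang, written out in Python so the two halves are visible separately. An md5 of client secret, Calling-Station-Id and request timestamp (%l) spreads lookups across two LDAP servers, and an empty result from the chosen server triggers one lookup against the other. The replica contents, DNs and secret are constructed for this example; the hash is load-spreading only and carries no security property.

```python
# Added example: hash-selected LDAP replica with manual failover, the
# logic the lanwarden_vlan policy spells out twice because xlat cannot
# fail over on its own.
import hashlib
from typing import Dict, List, Optional

# Constructed stand-ins for two LDAP replicas: each maps a host DN to the
# cn of the lanwardenNetwork group it is a member of.  REPLICA_LAGGING has
# no entry yet (replication lag or an outage) to exercise the fallback.
HOST_DN = "cn=ws-0123,ou=Hosts,ou=LanWarden,o=example"
REPLICA_OK: Dict[str, str] = {HOST_DN: "users-staff"}
REPLICA_LAGGING: Dict[str, str] = {}


def primary_index(client_secret: str, calling_station_id: str, timestamp: int) -> int:
    """The post's %{md5:%{client:secret}%{Calling-Station-Id}%l} =~ /[0-7]$/
    test: the last hex digit of the digest picks replica 0 (digit 0-7) or
    replica 1 (digit 8-f).  md5 is used only to spread load evenly."""
    material = f"{client_secret}{calling_station_id}{timestamp}".encode()
    last_nibble = hashlib.md5(material).hexdigest()[-1]
    return 0 if last_nibble in "01234567" else 1


def lookup_vlan(replicas: List[Dict[str, str]], user_dn: str,
                client_secret: str, calling_station_id: str,
                timestamp: int) -> Optional[str]:
    """Query the hash-selected replica first and the other one only when
    the first answer is empty (the control:Tunnel-Private-Group-Id == ""
    test in the unlang).  None means neither replica knows the host, so
    the caller keeps its default VLAN."""
    first = primary_index(client_secret, calling_station_id, timestamp)
    for idx in (first, 1 - first):
        vlan = replicas[idx].get(user_dn, "")
        if vlan != "":
            return vlan
    return None


if __name__ == "__main__":
    args = (HOST_DN, "testing123", "00-11-22-33-44-55", 1310601600)
    print(lookup_vlan([REPLICA_OK, REPLICA_LAGGING], *args))
    print(lookup_vlan([REPLICA_LAGGING, REPLICA_OK], *args))
```

Because the request timestamp is part of the hash, a retransmitted request from the same station a second later may land on the other replica, which is what keeps the split roughly even; the cost is that every lookup that misses on its first replica is a second round trip, exactly the case the unlang's nested if (control:Tunnel-Private-Group-Id == "") handles.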


Re: Yet another multiple SSID setup question

2011-07-13 Thread Alexander Clouter
Nick Kartsioukas lists.freerad...@change.nightwind.net wrote:
 
> Thanks for the hints!  I think I've got my eap.conf set up as I need it.
> After some errors from freeradius and further document exploration, it
> looks like what I need for the authorize section is this:
> rewrite_called_station_id
>
> if(Called-Station-Ssid == "staff") {
>     mschap_staff
> }
> if(Called-Station-Ssid == "lab") {
>     mschap_lab
> }
> if(Called-Station-Ssid == "student_wpa") {
>     ldap
> }
> if(Called-Station-Ssid == "student") {
>     ldap
> }

I would *strongly* recommend you run just one SSID and use VLAN 
assignment in post-auth to 

post-auth {
  ...

  # defaults
  update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"

    Termination-Action := RADIUS-Request
    Session-Timeout := 300

    Acct-Interim-Interval := 3600
  }

  if (Ldap-Group == "foobar") {
    update reply {
      Tunnel-Private-Group-Id := "staff"
    }
  }
  else {
    ...
  }
}


The huge advantage is that *every* user at your organisation can follow 
the same instructions to connect to the wireless (and wired) network.  
It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
day one (*strongly* recommended to avoid pain down the road). 

Cheers

-- 
Alexander Clouter
.sigmonster says: Youth is the trustee of posterity.



Re: Yet another multiple SSID setup question

2011-07-12 Thread Alexander Clouter
Nick Kartsioukas lists.freerad...@change.nightwind.net wrote:
 
> Okay...let's say I have an SSID for students and an SSID for staff.
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes.  Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that.  My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID?
> Are these configured as different virtual servers?  Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := student
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := staff
>
Just duplicate what you see in eap.conf to look something like:

eap EAP_student {
# set this to peap for staff
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
max_sessions = 4096

tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs

private_key_password = ${local.cert.password}
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem

dh_file = ${certdir}/dh
random_file = /dev/urandom

cipher_list = AES:HIGH:!aNULL:!eNULL:@STRENGTH
}

ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = auth
}

# comment 'ttls' and uncomment following for staff
#peap {
#default_eap_type = mschapv2
#copy_request_to_tunnel = no
#use_tunneled_reply = yes
#virtual_server = auth
#}
#
#mschapv2 {
#send_error = yes
#}
}

eap EAP_staff {
  
}



authorize {
  ...

  if (Airespace-Wlan-Id == student_ssid) {
EAP_student
  }
  else {
EAP_staff
  }

  ...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Remember to say hello to your bank teller.



Re: Wiki - Once upon a time there was documentation

2011-07-12 Thread Alexander Clouter
Gary Gatten ggat...@waddell.com wrote:

> RADIUS - Half the complexity of Diameter
>
Don't encourage him...

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is NP-hard, and then you die.
-- Dave Cock



Re: Tunneled-User-Name

2011-07-11 Thread Alexander Clouter
d.thembiliyag...@lancaster.ac.uk wrote:
 
> I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius
> server. How can I get the tunnelled User-Name (User-Name used in inner
> authentication phase) using unlang in FreeRADIUS server? Now I can only
> get the User-Name used for the outer authentication (ex: anonymous).
>
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a 
double-inner in play.  The best suggestion I have (after years of 
tweaking it to be just right) is in your inner authorize use:

authorize {
  update outer.request {
    User-Name := "%{request:User-Name}"
  }
  update reply {
    User-Name := "%{request:User-Name}"
  }

  [snipped]

  update reply {
    Auth-Type := "%{control:Auth-Type}"
  }
}


On the outer layer, you then use
'%{%{reply:User-Name}:-%{request:User-Name}}' to get the username.  This
means you get the inner username for:
 * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications
 * when your inner server rejects the request (ie. bad password) (this
   is why you stuff the inner username into outer.request)
 * TTLS/PEAP has the option of TLS cached sessions which is *good*,
   doing things this way means you still get the inner name for
   resumed sessions

As a bonus, the Auth-Type is extractable...if you use TLS cached
sessions, then this will be EAP.

Cheers

-- 
Alexander Clouter
.sigmonster says: It was Penguin lust... at its ugliest.



Re: Running external programs

2011-07-07 Thread Alexander Clouter
rihad ri...@mail.ru wrote:

> Hi, all. We have some legacy software that ran under XTradius
> (xtradius.sourceforge.net). The important thing was to execute an
> external program for every auth & accounting request. Now I need to
> recreate all that on another server, and I must use the same legacy
> billing software. Unfortunately one can no longer build the old XTradius
> on modern FreeBSDs, apparently it has some variable linkage problems.
> Can that simple task be done in FreeRADIUS instead? Can it be configured
> to call an external program (Auth-Type External in XTradius)?
>
http://lmgtfy.com/?q=freeradius+exec

Cheers

-- 
Alexander Clouter
.sigmonster says: Have no friends not equal to yourself.
-- Confucius

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Running external programs

2011-07-07 Thread Alexander Clouter
* rihad ri...@mail.ru [2011-07-07 15:09:22+0500]:

 On 07/07/2011 12:28 PM, Alexander Clouter wrote:
 rihadri...@mail.ru  wrote:
 Hi, all. We have some legacy software that ran under XTradius
 (xtradius.sourceforge.net). The important thing was to execute an
 external program for every auth & accounting request. Now I need to
 recreate all that on another server, and I must use the same legacy
 billing software. Unfortunately one can no longer build the old XTradius
 on modern FreeBSDs, apparently it has some variable linkage problems.
 Can that simple task be done in FreeRADIUS instead? Can it be configured
 to call an external program (Auth-Type External in XTradius)?
 
 http://lmgtfy.com/?q=freeradius+exec
 
 Cheers
 
 I forgot to mention that the authentication program is meant to deny
 or grant user access. Will rlm_exec do that?

It will require a desire on the part of the user to read the 
documentation in order to utilise that functionality...

Regards

-- 
Alexander Clouter
.sigmonster says: Noncombatant:  A dead Quaker.
-- Ambrose Bierce
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Mac-Auth

2011-07-07 Thread Alexander Clouter
Paulo Maia phc.m...@gmail.com wrote:

 Here is the thing , im trying to use Mac-Auth , I managed to get 
 working using authorized-macs files , although i need to use a mysql 
 table which i already have with the ssid and mac-address fields and i 
 need to add an operator to expired macs , coz i work at a college 
 campus and students mac-addresses need to expire according to their 
 course period.

A far better way is to use 802.1X and get the user to use their username 
and password to connect.  Once their course ends, the account is expired 
and the student no longer can connect.

If you do go down this route, I strongly recommend you hook up locally 
with the local http://www.eduroam.org/ outfit if that is an option for 
you.

802.1X (using PEAP) can be now pre-primed on Windows laptops 
for free so you can just pass out an installer to the students to get 
themselves connected:

https://su1x.swan.ac.uk/

Believe me, collecting and managing MAC addresses is not something I 
would wish on anyone.

Cheers

-- 
Alexander Clouter
.sigmonster says: Ninety percent of baseball is half mental.
-- Yogi Berra

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.1.10: authentication (uid and password) or (macaddress)?in LDAP

2011-07-07 Thread Alexander Clouter
Maciej Łukasz Wojszkun maciej.wojsz...@blstream.com wrote:
 
 somebody can tell me how I should configure freeradius to authenticate 
 in order (all is in openldap):
 
 check mac-address in ldap
if exist
authenticate computer
else
authenticate with uid/password
 
 or
 
 try authenticate using macaddress
 if rejected - try authenticate via uid/password
 
The complication comes in as the initial authentication can be an EAP 
(802.1X) or a MAC-auth request.  You cannot do MAC-auth on an EAP 
request and pass back Access-Accept immediately... the client will get 
confused and probably just keep hammering your RADIUS server to 
authenticate.

On a wired socket, with Cisco kit at least, you do get the option to try 
a MAC-auth first, and if the RADIUS server comes back with Access-Reject 
then the switch will move into 802.1X which works *very* well.

You have not stated if you want to do this on a wired or wireless 
connection.  You have not actually stated if 802.1X is even involved and 
that this could just be a web portal.

At my workplace (a medium sized university) we store all our MAC 
addresses in LDAP and it works well for us.  If the MAC address is not 
'registered' then the client has to use an 802.1X authentication.

Cheers

-- 
Alexander Clouter
.sigmonster says: When you don't know what to do, walk fast and look worried.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pre-check OTP token

2011-07-04 Thread Alexander Clouter
Cor Bosman c...@xs4all.nl wrote:
 
 Would there be some way, in either the PAM stage, or in the FreeRadius 
 stage before Exec to pre-validate if ive got a token-response? They're 
 always 10 digit numbers.

unlang is your friend:

http://freeradius.org/radiusd/man/unlang.html

Something like the following should probably help you:

authorize {
preprocess

...

if (User-Password !~ /^[0-9]{10}$/) {
update reply {
            Reply-Message := "ZOMG, TEH WORLD IS ENDINGS!"
}
reject
}

otp-exec-thingy

...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Good day for overcoming obstacles.  Try a steeplechase.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and IdenticalClients

2011-06-30 Thread Alexander Clouter
Fajar A. Nugraha l...@fajar.net wrote:

 # TEST
 Client 10.1.131.1
    # Specifies a list of other clients that have an identical setup.
    # You can use this parameter to avoid having to create separate
    # Client clauses for lots of otherwise identical clients
    IdenticalClients X.X.X.X Y.Y.Y.Y Z.Z.Z.Z
 
 FR allows you to specify something like this on clients.conf
 
 X.X.X.0/24 using ipaddr and netmask

I suspect you can use 'templates {}' too, we use it in proxy.conf, I 
cannot see why it could not be used in clients.conf too.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are deeply attached to your friends and acquaintances.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: patch files for pam_radius - adding an 'Always Prompt' option for?one-time passcodes

2011-06-30 Thread Alexander Clouter
Nick Owen no...@wikidsystems.com wrote:
 
 We recently had a customer that wanted to check a password against AD
 via kerberos and then an one-time passcode against a WiKID Strong
 Authentication server via radius.  We found that PAM passed the AD
 password to our OTP server, which failed.  We have added a pam option
 "always prompt" in the attached code.  This will force a "WiKID
 passcode:" prompt regardless of any previous password entry. This can
 be changed, of course.

Better to lead with the OTP as then you fend off brute force and 
dictionary attacks.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP redundant with LDAP-Group within users file

2011-06-29 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Not as easy as it sounds ;-) 12 radius pairs (single server with the 
 same config) at 10 locations, 3 ldap server at 3 different locations 
 To countervail loss of one or two locations, loadbalancing will be 
 very complex.
 
If the three sites have an IGP running between them (OSPF, EIGRP, iBGP, 
ISIS, whatever) then you can anycast the ldap servers.  No single point 
of failure and cheap to do.

<self-promo>
http://www.digriz.org.uk/ha-ospf-anycast
</self-promo>

It does not have a LDAP example, but you can trivially take the RADIUS 
or DNS probe and modify it to use ldapsearch.

 Sure.
 
 People are looking into better LDAP failover in redundant {} stanzas. 
 LDAP-Group is a bit harder though.

A quick hack would be to use rlm_exec if you do not have a high 
RADIUS packet rate, the alternative would be rlm_perl/rlm_python.  I'm 
happy to put something like this together as we could benefit from it.

I envision it working by in the users file you fill up an attribute 
(say, 'Foobar-Ldap-Group') with the group checks you want to make and an 
Accept[1].  The module would check for the presence of the attribute, 
and Ldap-User-Dn (if not, be a noop) and flip the Accept to Reject if 
things do not work out.

Another way would be to pass an LDAP filter from the users file/unlang in a 
similar manner (multi-valued attribute that's concatenated).

It would at least take the pressure off needing LDAP-Group to be 
redundant today.

Cheers

[1] for us, we typically use the following type of thing (or its 
inverse with a follow-through clause):
Huntgroup == foo, Ldap-Group == cheesy, Auth-Type := Accept
Huntgroup == foo, Ldap-Group == chips, Auth-Type := Accept
Huntgroup == foo, Auth-Type := Reject

-- 
Alexander Clouter
.sigmonster says: Don't compare floating point numbers solely for equality.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP redundant with LDAP-Group within users file

2011-06-28 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Unfortunately, when you supply more than one LDAP server, this is handled 
 internally by libldap, and libldap tries the LDAP servers in series, not 
 in parallel. So there will always be some outage.
 
 FreeRADIUS does not currently have connection pools, and they're a bit 
 hard with LDAP because libldap doesn't have a great API.

The API is good enough.

I keep meaning to do this for the sql module (well, postgresql) but it 
can be done for libldap too.  Open the socket directly in freeradius, 
using SOCK_NONBLOCK -> connect() -> SO_RCVTIMEO/SO_SNDTIMEO and then 
pass that all to ldap_init_fd().  connect() can now catch timeouts with 
select() and it means we also catch networking errors rather than just 
server/client errors.
 
I await Alan's show me the money^Wpatch...well maybe I'll find some 
time next week. Cannot have Imperial stealing the whole show :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You will have many recoverable tape errors.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failed creating handler

2011-06-25 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:
 Stefan Winter wrote:
 Would this behaviour fit to this problem cause?
 
 Worth trying the usec fix in GIT?
 
   The fix for rlm_detail <sigh>
 
Just so you know, that was the bug causing my poor ARM boxen to OOM kill 
FreeRADIUS.

At least I now do not need to install an experimental armel valgrind :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Expect the worst, it's the least you can do.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-21 Thread Alexander Clouter
Jason Antman jant...@oit.rutgers.edu wrote:
 
 I don't really know anything about it, and haven't seen mention of it 
 outside of the modules list, but perhaps I could use rlm_perl or 
 rlm_python? Does anyone know about the efficiency of these? I know I'm 
 approaching this from the standpoint of a traditional programming 
 language, but the way I see it, I just need to loop over the values of 
 the employeeType[] attribute, and have some sort of variable to store 
 state...
 
I thought I remembered this popping up recently, I would have mentioned 
it earlier but my Google-Fu at the time was weak and I thought I was 
imagining things.

If you checkout v2.1.x[1] and then type:

$ git checkout -b foreach
$ git cherry-pick a3221304
$ git cherry-pick 11aa4442
$ git cherry-pick ba18f024
$ git cherry-pick de60e732
$ mumble, compile, mumble, install, mumble


It will either:
 * give you foreach[2] ('man 5 unlang')
 * make your pants explode[3]

Cheers

[1] http://git.freeradius.org/
[2] 
http://freeradius.1045715.n5.nabble.com/regex-matching-can-be-convinced-to-be-TRUE-if-you-re-insistive-enough-td4422200.html
[3] http://www.youtube.com/watch?v=Ysw4Xv6JI_w (0:00 - 0:30 seconds)

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #138:
  BNC (brain not connected)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Migrating to threaded rlm_perl

2011-06-20 Thread Alexander Clouter
Energ po...@ponch.ru wrote:
 
 Please, help me with understanding of concept how to rewrite my perl 
 module to work with threaded perl.
 
 Now it looks like this:
 
 [snipped thread unsafe code]
 
 While non-threaded perl it works as expected. But threading breaks creation
 of Shared memory (cuz it want to do it for every thread). 
 I also wonder, do i need to post fetch_url inside CLONE sub or not.
 So, the main question: is there any part of code in rlm, that suppose to run
 only once ( create shared memory in my situation) or how to correctly solve
 problem with IPC within the confines of freeradius.
 
You should have a read of:

http://perldoc.perl.org/perlmod.html#BEGIN,-UNITCHECK,-CHECK,-INIT-and-END

I would recommend you do not use IPC::Shareable and instead look to use 
BerkeleyDB[1] with locks... it also means whatever is in your hash is 
remembered across FreeRADIUS restarts.

Cheers

[1] http://search.cpan.org/dist/BerkeleyDB/BerkeleyDB.pod

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #192:
  runaway cat on system.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Migrating to threaded rlm_perl

2011-06-20 Thread Alexander Clouter
Energ po...@ponch.ru wrote:
 
 But, would it make any difference by using BEGIN{} block for creating shared
 memory segment? Wont threaded rlm_perl process this section in every thread
 it starts?
 
Threaded to FreeRADIUS means those methods you define are reentrant.  
IIRC BEGIN{} is called only when rlm_perl fires up, afterwards your 
methods are called whenever required, pre-emptively.

Cheers

-- 
Alexander Clouter
.sigmonster says: You mean you don't want to watch WRESTLING from ATLANTA?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: chain two authentication modules together

2011-06-20 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 Alexander, one thing I'm still confused here is why we put otp and 
 ldap all in authorization block in freeradius not the authentication?

As I'm an idiot.  They should also be present in the authenticate 
section.
 
In authorise, your OTP python method checks to see if it is a valid 
authentication syntax (creating a challenge if necessary) returning 
reject if it is invalid.  It validates and rewrites User-Password to 
contain just the bare password, whilst you can create a custom 
dictionary attribute (for example User-OTP) that is separately processed 
in authenticate.

So, for example:

authorize {
  ...
 
  # User-Password is 'foo bar'

  python-otp

  # User-Password is 'foo'
  # User-OTP is 'bar'

  ldap

  ...
}

authenticate {
  ...

  Auth-Type python-otp {
otp
ldap
  }

  ...
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Price does not include taxes.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: chain two authentication modules together

2011-06-18 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 Thanks a lot Alexander. I'm familiar with python. So rlm_python might 
 a good choice for me. The main thing I want to do is to give remote 
 vpn client a two-factor authentication.

Depending on how your VPN works and what the clients can support, you 
could use the OTP to create the tunnel, and then EAP on the inside to 
authenticate (and VLAN assign) the user.  It would complement any 
wireless/wired 802.1X solution you have on site perfectly too.

Although a good plan, as the OTP being the first hop means your user 
credentials cannot be brute forced, you might find it complicated to 
pull off; at a first glance I am not sure how something like IPsec could 
be OTPised...maybe you will get more luck with OpenVPN.

 Since freeradius, pam and all opensource otp solution are available, I 
 think free two-factor authentication is doable instead the expensive 
 RSA solution. 

Always bear in mind, as long as the man hours you put in are less or 
roughly equal to the RSA solution (over a three year period), then 
that's a worthwhile approach.  Also gives you something to present as a 
talk to other organisations. :)

 So the first authentication is against our AD. If successful, the 
 system should generate one time password and send it to user through 
 SMS or the other ways. The user then put otp into the 2nd challenge 
 prompt. Freeradius authenticate this otp against otp server.
 
 I already tried using pam to authenticate against AD or OTP. I was 
 trying to use PAM stack to make this happen. But it's hard to put some 
 scripts to send password to user between the two PAM modules. So I 
 turned to FreeRadius to see if it can have some ways to do this.
 
For your initial version, I recommend when the user is prompted for a 
password, you get them to type "otp password" (RSA style).  Check 
the OTP *first* and then validate the password.  Your RADIUS 
configuration will look like:

authorize {


your_python_otp_script

ldap


}


'your_python_otp_script' will *rewrite* User-Password so that when it 
gets to the ldap module it's as if the user just sent their password 
without the OTP.  Of course if the OTP is incorrect, 
your_python_otp_script can instantly return reject, giving you your two 
factor authentication.

 So if I use rlm_python, I can utilize some existing executable files 
 (like ldapsearch, ldapcompare, otp_auth) to directly authenticate 
 against LDAP and OTP. To send OTP to user is much easier to do in 
 python too. Am I correct?
 
rlm_python will let you change how your OTP system functions quickly, 
which is helpful as:
 * newer technologies come along that you want to use
 * users find the initial approach too complicated.  As the brains are 
really all in a python script, you should find it trivial to 
change to meet their needs

One word of warning, do *not* use system()/exec() or whatever python 
uses.  Use a native LDAP module.  Same with the OTP/SMS approach if 
possible.  Calling OS commands like that, especially when there are 
native libraries, is generally a Bad Idea(tm) and the coding gods *will* 
smite you for your crimes.

Cheers

-- 
Alexander Clouter
.sigmonster says: Time as he grows old teaches all things.
-- Aeschylus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
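Added example for the two "chain two authentication modules" replies above and the earlier "pre-check OTP token" reply: an rlm_python-style OTP gate that validates the one-time password *before* the static password is let through to the ldap module, and rejects outright on a bad OTP. This is illustration code, not code from the list posts or from FreeRADIUS. Assumptions: HOTP (RFC 4226) stands in for whatever OTP system is really in use (the posts do not say); `SECRETS`/`COUNTERS` stand in for a user store; `User-OTP` and the `python-otp` Auth-Type are the names used in the posts; the rlm_python return codes are the FreeRADIUS 2.x values, and how the rewritten `User-Password` is written back into the request list is left to the module glue of your version.

```python
"""Added example (not from the list posts or FreeRADIUS): OTP-first gate
in the shape of an rlm_python authorize() function."""
import hashlib
import hmac
import re
import struct

try:                      # inside the server: the rlm_python return codes
    import radiusd
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:       # stand-alone: FreeRADIUS 2.x values (assumption)
    RLM_MODULE_REJECT, RLM_MODULE_UPDATED = 0, 8

# Constructed test user; RFC 4226's own test secret so the codes are checkable.
SECRETS = {"alice": b"12345678901234567890"}
COUNTERS = {"alice": 0}
OTP_RE = re.compile(r"^[0-9]{6}$")   # cheap syntax pre-check before any crypto
WINDOW = 3                           # counters ahead of the stored one we accept


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(user, otp):
    """Accept only a code for one of the next WINDOW counters, then advance
    the counter past it so the same code cannot be replayed."""
    secret = SECRETS.get(user)
    if secret is None or not OTP_RE.match(otp):
        return False
    base = COUNTERS[user]
    for c in range(base, base + WINDOW):
        if hmac.compare_digest(hotp(secret, c), otp):
            COUNTERS[user] = c + 1
            return True
    return False


def split_password(user_password):
    """'<static password> <otp>' -> (static, otp).  The OTP is the last
    whitespace-separated token, so the static password may contain spaces."""
    parts = user_password.rsplit(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else None


def otp_gate(attrs):
    """Module-independent core.  attrs is {'User-Name': ..., 'User-Password': ...}.
    Returns (accepted, request_updates, reply_message)."""
    user = attrs.get("User-Name", "")
    split = split_password(attrs.get("User-Password", ""))
    if split is None:
        return False, {}, "password and OTP required"
    static, otp = split
    # OTP first: on a wrong OTP the request is rejected here and the static
    # password never reaches LDAP, so it cannot be guessed through this path.
    if not verify_otp(user, otp):
        return False, {}, "bad OTP"
    return True, {"User-Password": static, "User-OTP": otp}, ""


def authorize(p):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs and
    the return value is (rc, reply_items, config_items).  Assumption: the
    glue for your FreeRADIUS version writes request_updates into the request
    list before 'ldap' runs; the (rc, reply, config) tuple does not carry it,
    and the static password must never be put in the reply or control lists."""
    ok, request_updates, msg = otp_gate(dict(p))
    if not ok:
        return (RLM_MODULE_REJECT, (("Reply-Message", msg),), ())
    return (RLM_MODULE_UPDATED, (), (("Auth-Type", "python-otp"),))
```

The counter is advanced past an accepted code on purpose: without that, a captured "password otp" pair can be replayed for as long as the window allows, which defeats the point of putting the OTP first.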


Re: chain two authentication modules together

2011-06-17 Thread Alexander Clouter
madmatrix hailum...@gmail.com wrote:
 
 What I'm wanting to do is integrate LDAP and OTP. The OTP I want to 
 use doesn't have interface to radius. So I'm planning to get that OTP 
 source code into a new FR module. For LDAP part, I just want to 
 include the existing module to the new one. Is this doable? I guess I 
 may need implant the LDAP module code into the new module too.

I *strongly* recommend you use rlm_perl/rlm_python.  I found it very 
straight forward to quickly implement rfc2289 with eap-gtc.

 The whole authentication process is: 1. LDAP authentication. 2. If
 successful, do something and request 2nd OTP authencation. If not, reject
 the authentication.

I think you might find yourself having to either:
 * combined password of the form "ldap-password otp-response"
 * two separate RADIUS authentications, say use PAM to first do a 
regular RADIUS password check and also require a second check to 
another RADIUS server (a FreeRADIUS virtual server for example) 
that then does the OTP

As you have not described what the problem is (EAP for 802.1X, web 
portal, PAM backed authentication, etc?) it is hard to give you advice.

 From what I read here, the new module must be the way to do this. But 
 is there any easy way to integrate existing module like LDAP into the 
 new module?
 
If you use rlm_perl/rlm_python, you will find the job much easier, fast 
on the prototyping front and maintenance will be a lot less trouble (ie, 
no need to recompile things as an example).

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't feed the bats tonight.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-16 Thread Alexander Clouter
Peter Lambrechtsen plambrecht...@gmail.com wrote:
 
 I find the easiest way to do it is to use a custom users file to allow /
 prevent access based on exact matches of LDAP attributes.
 
 then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
 reject.
 
 This is how we do it here:
 
 http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
 
Depending on how you have things set up locally and how you are trying 
to skin this particular cat, but you could just use an LDAP filter to 
get all this done and keep the logic out of FreeRADIUS (although I 
probably would *not* recommend it):

filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"


Means you get the effect as if the user did not even exist.

Just throwing another option out there...although I would recommend the 
users file with a bunch of fall throughs personally.

Cheers

-- 
Alexander Clouter
.sigmonster says: All phone calls are obscene.
-- Karen Elizabeth Gordon

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
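Added example for the LDAP filter reply above: a small evaluator for the subset of RFC 4515 the filter uses (and, or, not, equality, presence, trailing-wildcard prefix), run over a constructed directory so you can see which entries the filter makes "not exist", including the multi-valued employeeType case the thread is about. It also shows the RFC 4515 escaping of the substituted username, which is what rlm_ldap's own filter expansion does and why a username like `alice)(cn=*` cannot rewrite the filter. This is illustration code, not from the list posts or FreeRADIUS; the attribute names come from the posted filter, the entries are made up.

```python
"""Added example (not from the list posts or FreeRADIUS): evaluate the
staff filter from the post against constructed directory entries."""
import re


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


STAFF_FILTER = ("(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))"
                "(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%s))")


def staff_filter(username):
    """The post's filter with %{Stripped-User-Name} substituted and escaped."""
    return STAFF_FILTER % ldap_escape(username)


def unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def parse(s, i=0):
    """Recursive-descent parser for the filter subset used above.  Returns
    (node, next_index); nodes are ('and'|'or', [kids]), ('not', node),
    ('present', attr), ('prefix', attr, value) or ('eq', attr, value)."""
    assert s[i] == "(", "expected '(' at %d" % i
    i += 1
    if s[i] in "&|":
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        assert s[i] == ")"
        return ("not", node), i + 1
    end = s.index(")", i)            # escaped ')' is '\29', so this is the real end
    attr, value = s[i:end].split("=", 1)
    i = end + 1
    if value == "*":
        return ("present", attr), i
    if value.endswith("*") and "*" not in value[:-1]:
        return ("prefix", attr, unescape(value[:-1])), i
    return ("eq", attr, unescape(value)), i


def values(entry, attr):
    """Multi-valued attributes are lists; compare case-insensitively."""
    v = entry.get(attr, [])
    return [str(x).lower() for x in (v if isinstance(v, list) else [v])]


def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(values(entry, node[1]))
    if kind == "prefix":
        return any(v.startswith(node[2].lower()) for v in values(entry, node[1]))
    return node[2].lower() in values(entry, node[1])


def ldap_search(entries, filt):
    """Return the cn of every entry the filter selects, in directory order."""
    node, end = parse(filt)
    assert end == len(filt), "trailing garbage in filter"
    return [e["cn"] for e in entries if matches(node, e)]


# Constructed directory: attribute names follow the filter in the post.
ENTRIES = [
    {"cn": "alice", "objectClass": ["top", "Person"], "employeeType": ["staff"]},
    {"cn": "bob",   "objectClass": ["Person"], "employeeType": ["staff retired"]},
    {"cn": "carol", "objectClass": ["Person"], "employeeType": ["staff", "staff retired"]},
    {"cn": "dave",  "objectClass": ["Person"], "employeeType": ["staff"], "loginDisabled": "TRUE"},
    {"cn": "erin",  "objectClass": ["Person"], "employeeType": ["staff"], "loginDisabled": "FALSE"},
    {"cn": "frank", "objectClass": ["Person"], "employeeType": ["student"]},
]
```

Note carol: `(employeeType=staff*)` is true because one of her values starts with "staff", but `(!(employeeType=staff retired))` is false because another value equals it, so she is excluded. That is the multi-valued behaviour to keep in mind when you push this logic into the filter rather than into unlang.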


Re: If in post-auth

2011-06-15 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have a problem in my post-auth configuration. I have write this with the
 help of my other topic in this forum:
 
 update reply {
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
 Tunnel-Private-Group-Id := unauthorised
 Termination-Action := RADIUS-Request
 Session-Timeout := 300
 Acct-Interim-Interval := 3600
 }
 
 if (%{Aruba-Essid-Name} == ssid_student) {
   if (%{reply:MailUtilisateur} =~ /^[a-z0-9._-]+@students.XXX.ch/) {
   update reply {
   Tunnel-Private-Group-Id := std
   Aruba-User-Role := std
   }
   } else {
   update reply {
   Tunnel-Private-Group-Id := std_false
   Aruba-User-Role := std_false
   }
   }
 }
 elsif (%{Aruba-Essid-Name} == ssid_staff) {
   if (%{reply:MailUtilisateur} =~ /^[a-z0-9._-]+@XXX.ch/) {
   update reply {
   Tunnel-Private-Group-Id := staff
   Aruba-User-Role := staff
   }
   } else {
   update reply {
   Tunnel-Private-Group-Id := staff_false
   Aruba-User-Role := staff_false
   }
 }
 
 And this is the result of radiusd -X :
 
 Just like it say, Aruba-Essid-Name is : expand: %{Aruba-Essid-Name} -
 ssid_staff, but it doesn't work with my if. Why is it not going to the
 elsif ?

I suspect it is your use of '} else {', if you use the following 
instead I would not be surprised if it started working:

}
else {


IIRC FreeRADIUS does not parse that well, after all unlang is not a 
language :)

FYI, I probably would do the above with:

if (reply:MailUtilisateur !~ /^[a-z0-9._-]+@(students\.)?XXX\.ch$/) {
    update reply {
        Reply-Message := "Invalid MailUtilisateur Format"
    }
    reject
}

if (Aruba-Essid-Name == "ssid_student") {
    # %{1} is the first capture of the last regex match: "students." or empty
    if ("%{1}" == "students.") {
        update reply {
            Tunnel-Private-Group-Id := "std"
            Aruba-User-Role := "std"
        }
    }
    else {
        update reply {
            Tunnel-Private-Group-Id := "std_false"
            Aruba-User-Role := "std_false"
        }
    }
}
else {
    ...
}


The regex should extract a usable value when present.

Cheers

-- 
Alexander Clouter
.sigmonster says: wok, n.:
Something to thwow at a wabbit.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy based on User-Name with regex

2011-06-11 Thread Alexander Clouter
ivaylosp ivayl...@gmail.com wrote:
 User-Name = 1234abcdefg
 12341234567

 if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/)

This matches four numbers and then *six* alphanumerics; anywhere in your 
string (substr-esque)...might not be what you want?

Did you mean to include a '/^$/'?

Cheers

-- 
Alexander Clouter
.sigmonster says: Old programmers never die, they just become managers.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
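Added example for the two regex replies above ("If in post-auth" and "Proxy based on User-Name with regex"): Python's `re` used as a stand-in for the POSIX extended regexes unlang runs, to show why an unanchored pattern matches a substring of both posted usernames, what the `^`/`$` anchors change, how the optional `(students\.)?` group drives the role decision, and that the reversed range `9-0` in the posted character class is a compile error rather than a silent no-match. This is illustration code, not from the list posts or FreeRADIUS; the sample names and addresses are made up, `XXX.ch` is kept from the post.

```python
"""Added example (not from the list posts or FreeRADIUS): anchored versus
unanchored User-Name regexes and the mail-domain capture."""
import re

# The pattern as posted (no anchors) and with the anchors the reply asks about.
UNANCHORED = re.compile(r"[1-4]{4}[A-Za-z0-9]{6}")
ANCHORED = re.compile(r"^[1-4]{4}[A-Za-z0-9]{6}$")

# The corrected mail regex from the post-auth reply: the class is 0-9, since
# "9-0" is a reversed range and fails to compile (also under POSIX regcomp).
MAIL = re.compile(r"^[a-z0-9._-]+@(students\.)?XXX\.ch$")


def proxy_match(user_name, anchored=True):
    """True if User-Name satisfies the pattern.  search() is what an unanchored
    unlang regex does: it matches anywhere in the string, substr-style."""
    pat = ANCHORED if anchored else UNANCHORED
    return pat.search(user_name) is not None


def role_for(mail):
    """Mirror of the unlang post-auth logic: None on bad format (reject),
    'std' when the students subdomain was captured, 'staff' otherwise."""
    m = MAIL.match(mail)
    if m is None:
        return None
    return "std" if m.group(1) == "students." else "staff"


def reversed_range_is_error():
    """The typo from the original post, as a check you can run yourself."""
    try:
        re.compile(r"^[a-z9-0._-]+$")
    except re.error:
        return True
    return False
```

The same regexes are case-sensitive in unlang by default, so `Jean.Dupont@XXX.ch` is rejected by `role_for` exactly as it would be by the posted `!~` check; lower-case the attribute first (or widen the class) if your directory is not consistent about case.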


Re: Segmetation fault: [eap] Passing reply from proxy back into the tunnel

2011-06-01 Thread Alexander Clouter
Simon L. fantasn...@ki.tng.de wrote:
 
 I hope anyone got this before and can give a solution.
 
 Please have a look in my debug log attached.

Going to need some GDB lovin' too.

http://freeradius.org/radiusd/doc/bugs

If you are compiling from source, I recommend you go with the git 
version which might already have a fix:

http://git.freeradius.org/

Cheers

-- 
Alexander Clouter
.sigmonster says: He's just like Capistrano, always ready for a few swallows.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: One client, multiple NAS-Port-Types

2011-06-01 Thread Alexander Clouter
DaveA daldw...@uwaterloo.ca wrote:
 
 I am looking for some guidance on configuring clients that will send
 requests with different NAS-Port-Types.
 
 Devices: HP Procurve, Cisco, Aruba wireless controllers
 Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async
 
 Ex., for an HP procurve switch, the possibilities will be:
 1.  CLI access (admin) - NAS-Port-Type = Virtual
 2.  802.1X (users) - Nas-Port-Type = Ethernet
 
 In this case, I would like to send CLI and 802.1x requests to different
 virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets
 more complicated with ads and eduroam in the mix.
 
The switch (NAS) will support sending those different requests to 
different RADIUS servers.  Assign two different IPs to your RADIUS 
servers and send the relevant request to the relevant FreeRADIUS virtual 
server.

The solution is in the NAS, not FreeRADIUS :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Them as has, gets.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Server Sertificate

2011-06-01 Thread Alexander Clouter
Lubenski, Zeev [GCS] zlube...@lgsinnovations.com wrote:
 
 This leads to believe that certificate is not mandatory ?
 
...which leads us to wonder why you want to use EAP-TLS?

Probably best to answer:
 * what is it you are trying to do
 * how are you trying to accomplish it
 * what are you expecting to happen
 * what is actually happening

Cheers

-- 
Alexander Clouter
.sigmonster says: You enjoy the company of other people.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to change ++[files] returns noop into ++[files] returns?reject

2011-05-24 Thread Alexander Clouter
thomas.d...@24-7-it-services.de wrote:
 
 in the section authorize I include the module file.
 (/etc/raddb/users)
 At the moment I get an noop if a user is not found in the file.
 How can I change it to return a reject, if a user is not found?
 
 Now: 
 ++[files] returns noop
 Destination:
 ++[files] returns reject
 
Depending on how your 'brain' logic flows, you can prime a default 
reject and then use matching rules later to turn that to an accept like 
so:

DEFAULT Auth-Type := Reject
Fall-Through = Yes

[your existing config here]


Alternatively, you can bolt the following to the end:

DEFAULT Auth-Type := Reject


I prefer to 'deny, allow' (in Apache speak), but you might prefer 
'allow, deny'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Have a taco.
-- P. S. Beagle

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius redundancy

2011-05-24 Thread Alexander Clouter
Student University studen...@gmail.com wrote:
 
 my testing lab like this :
 
 Node1 (FreeRadius+MySQL)
 Node2 (FreeRadius+MySQL)
 
 i am setting Master-Master MySQL Replication between this two node ,
 initially it seems OK ,
 
 now i am going to deploy this in production environment 

You have not said anything about how you are using the SQL servers so I 
have no idea whether what you are doing is good or bad or overkill.

 i asked if any one have further investigation (issues , recommendations ) ,
 or any advice 
 
MySQL *will* burn you.  Be sensible and use PostgreSQL.

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #350:
  paradigm shift...without a clutch

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sidenote: WPA Enterprise configuration and troubleshooting guides

2011-05-24 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 go on, join eduroam.
 
I got a @illinois.edu lurker this week here at soas.ac.uk :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Wagner's music is better than it sounds.
-- Mark Twain

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius redundancy

2011-05-23 Thread Alexander Clouter
Student University studen...@gmail.com wrote:
 
 i need to deploy two redundant Freeradius servers ,
 
 anyone have like experience to share ,,,
 
If your network topology can support it (speak to your network sysadmin) 
then you can get the ether to do the failover/high-availability 
without having to buy an expensive and/or complicated load-balancer:

http://www.digriz.org.uk/ha-ospf-anycast

Cheers

-- 
Alexander Clouter
.sigmonster says: If you knew what to say next, would you say it?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multuple ldap freeradius ssid

2011-05-18 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have test your solution like that : 
 
 # defaults
 update reply {
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := unauthorised
 
  Termination-Action := RADIUS-Request
  Session-Timeout := 300
 
  Acct-Interim-Interval := 3600
 }
 
 if (request:User-Name =~ /^.{3,4}$/) {
  update reply {
Tunnel-Private-Group-Id := staff
  }
 }
 elsif (request:User-Name =~ /^.{7,8}$/) {
  update reply {
Tunnel-Private-Group-Id := student
  }
 }
 
 if (reply:Tunnel-Private-Group-Id != unauthorised) {
  update reply {
     # Cisco only supports a max of 65535
Session-Timeout := 64800
  }
 } 
 
 But, if I test with this account : aaa (7 letters), I have a response
 like that : Tunnel-Private-Group-Id:0 = staff. This is not correct
 
 And I have place this code in this file /site-enabled/default in the section
 post-auth. Is that correct ?
 
Without the output from 'radiusd -X', I cannot help you.

Regards

-- 
Alexander Clouter
.sigmonster says: Am I accompanied by a PARENT or GUARDIAN?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multuple ldap freeradius ssid

2011-05-16 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
 I have a question. I already read how to make this, but I'm not sure if 
 it works !
 
 So, what do I want ? I have 2 SSID : students and an other staff. I 
 want to have two ldap instances for authenticating my users.
 
You really do *not* want to do this.  Have both the staff and students 
connect to the same SSID (for example 'eduroam') and use your RADIUS 
server to use an LDAP group check (or username style) to find out how to 
treat them.  For example, place them into a different VLAN.

 In the /module/ldap, I have set ldap students { some stuff } and ldap 
 staff { some stuff}. But now, what i need to do ?
 
 My access point is Aruba. I can use this value Aruba-Essid-Name for 
 choosing which instance i need to use. In the 
 /site-avaible/inner-tunel, what i need to do ?
 
 Something like that ?
 
FreeRADIUS is (was?) a bit picky about how the if/else layout is, so you 
need:

if (Aruba-Essid-Name == "students") {
  ...students...
}
else {
  ...staff...
}


I *strongly* recommend you go with the single SSID and use RADIUS in the 
background; getting everyone at a later date to move to a different 
SSID is a real pain.

 Thanks for your reply, and sorry for my english, I'm French ;)

We forgive you... ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: A modem is a baudy house.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multuple ldap freeradius ssid

2011-05-16 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:

 I will do what you say! I will make one SSID and check the group of my
 user with the OU of the user.
 
 My user is for example: user.group.locality.tree
 
 How can I retrieve the number of letters in my login name?
 And this verification, do I need to make it in this file /site-avaible/inner-tunel
 with something like that? But how can I retrieve the length of the
 username with this code? Use a regex?
 
 modules/ldap:
 
 ldap {
   basedn = "ou=%{Tmp-String-0},o=XXX"
   ...
 }
 
 sites-available/...
 
 authorize {
   if (username have 3 letters) {
     update request {
       Tmp-String-0 = "ou=xx,ou=xx"
     }
   }
   elsif (username have 8 letters) {
     update request {
       Tmp-String-0 = "ou=xx,ou=xx"
     }
   }
 }
 
That's not going to work too great, it's also horrible :)

If you do not have the option to use 'Ldap-Group' (you should be able to 
use LDAP groups, otherwise, why are you using LDAP?) to test group 
membership, then you will need to use something like what's below.

 In finally, I want to put my students in the VLAN students, and the staff in
 the VLAN staff
 
The 'RFC' way to do it is add something like the following to your 
post-auth{} section ('authorize'/'authenticate' will Reject invalid 
users):

# defaults
update reply {
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := "unauthorised"

  Termination-Action := RADIUS-Request
  Session-Timeout := 300

  Acct-Interim-Interval := 3600
}

if (request:User-Name =~ /^.{3}$/) {
  update reply {
    Tunnel-Private-Group-Id := "staff"
  }
}
elsif (request:User-Name =~ /^.{8}$/) {
  update reply {
    Tunnel-Private-Group-Id := "student"
  }
}

if (reply:Tunnel-Private-Group-Id != "unauthorised") {
  update reply {
    # Cisco only support a max of 65535
    Session-Timeout := 64800
  }
}


Aruba might expect something different, so you should check with *them* 
(remember, this is a FreeRADIUS support mailing list, *not* an Aruba 
one).

Cheers

-- 
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.



Re: Free Radius 2.1.8 + Mikrotik

2011-05-10 Thread Alexander Clouter
Ahmed Syed zerocoo...@gmail.com wrote:
 
 Can someone give me a hint how to solve following:
 
 We are using a PPPoE server with FreeRadius authentication and we are using
 Simultaneous Use Checking. We are limiting the number of simultaneous
 connections to 1.
 
 The problem is in nonstandard situation when PPPoE server is nonstandardly
 restarted and there will stay open sessions on the radius. New connections
 are unauthorized because of simultaneous checking. We must manually delete
 open sessions.
 
 All users are Reject/authentication failed at that time...
 
Set your Acct-Interim-Interval to something low (say 300 seconds) and 
amend your SQL check for Simultaneous-Use so that it ignores stale data 
that has not been updated in more than 900 seconds (a value three times 
larger than Acct-Interim-Interval).

You need to have serious words with your NAS vendor about why you are not 
seeing accounting on/off packets (your NAS will send a 'reset' 
accounting packet to your RADIUS server that you can use to trigger an 
early session stop for all the users).

Cheers

-- 
Alexander Clouter
.sigmonster says: Accordion, n.:
A bagpipe with pleats.

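What the advice in the post above amounts to on the SQL side, as an added example in Python (this is not FreeRADIUS or Mikrotik code): an in-memory sqlite3 copy of a radacct-style table, the plain Simultaneous-Use count next to one that ignores sessions the NAS has not updated within 3 x Acct-Interim-Interval, and the bulk close that an Accounting-On/Off packet from the NAS should trigger. Column names follow the stock FreeRADIUS SQL schema naming; the rows and the fixed 'now' timestamp are constructed.

```python
import sqlite3

# Values from the thread: interim updates every 300 s, and an open session whose
# last update is older than three intervals is treated as dead.
ACCT_INTERIM_INTERVAL = 300
STALE_AFTER = 3 * ACCT_INTERIM_INTERVAL  # 900 s

# Fixed "now" so the constructed data below is reproducible offline.
NOW = 1_300_000_000

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      INTEGER NOT NULL,  -- unix time of the Start record
    acctupdatetime     INTEGER NOT NULL,  -- unix time of the last Start/Interim-Update
    acctstoptime       INTEGER,           -- NULL while the session is open
    acctterminatecause TEXT
);
"""

# Constructed sample sessions: (session id, user, NAS, start, last update, stop).
SAMPLE_ROWS = [
    ("s1", "alice", "10.0.0.1", NOW - 7200, NOW - 6000, None),      # NAS crashed: no update for 100 min
    ("s2", "bob",   "10.0.0.1", NOW - 600,  NOW - 120,  None),      # live, same NAS
    ("s3", "carol", "10.0.0.2", NOW - 900,  NOW - 60,   None),      # live, other NAS
    ("s4", "alice", "10.0.0.2", NOW - 400,  NOW - 400,  NOW - 10),  # cleanly stopped
]


def open_db():
    """Create the in-memory radacct table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress,"
        " acctstarttime, acctupdatetime, acctstoptime) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return db


def naive_session_count(db, username):
    """The default simul_count_query: every row without a stop time counts,
    so a session orphaned by a NAS restart blocks the user until someone
    deletes it by hand."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()[0]


def live_session_count(db, username, now=NOW, stale_after=STALE_AFTER):
    """Same count with the staleness guard from the thread: an open session only
    counts if the NAS has updated it within the last 3 x Acct-Interim-Interval."""
    return db.execute(
        """SELECT COUNT(*) FROM radacct
           WHERE username = ? AND acctstoptime IS NULL
             AND acctupdatetime > ? - ?""",
        (username, now, stale_after),
    ).fetchone()[0]


def simultaneous_use_ok(db, username, max_sessions=1, now=NOW):
    """True when the user is below their Simultaneous-Use limit."""
    return live_session_count(db, username, now) < max_sessions


def close_sessions_on_nas_reset(db, nas_ip, now=NOW):
    """Handle the NAS's Accounting-On/Off packet (Acct-Status-Type 7 or 8):
    every session it had reported is gone, so stop them all in one go.
    Returns the number of sessions closed."""
    cur = db.execute(
        """UPDATE radacct
           SET acctstoptime = ?, acctterminatecause = 'NAS-Reboot'
           WHERE nasipaddress = ? AND acctstoptime IS NULL""",
        (now, nas_ip),
    )
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob"):
        print(user, "naive:", naive_session_count(db, user),
              "live:", live_session_count(db, user),
              "accept:", simultaneous_use_ok(db, user))
    print("closed on 10.0.0.1 reset:", close_sessions_on_nas_reset(db, "10.0.0.1"))
```

With the sample data alice is rejected by the naive count (her orphaned session s1 is still "open") but accepted once the staleness guard is applied, while bob, whose session really is live, is still held to the limit; the reset handler then closes both sessions that the crashed NAS had reported.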


acct segfault in git v2.1.x

2011-05-09 Thread Alexander Clouter
Updating to git's v2.1.x to go on a post-Easter bughunt and found the 
following accounting packet[1] seems to segfault freeradius:

tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:30:34.398885 IP6 (hlim 51, next-header UDP (17) payload length: 258) 2001:630:1:128::185.42390 > 2001:630:1b:6003:90c0:802a:d873:c284.1813: [bad udp cksum 51b1!] RADIUS, length: 250
Accounting Request (4), id: 0x1b, Authenticator: 44b81fb81af404cb48816ad0c2afc497
  NAS IP Address Attribute (4), length: 6, Value: 128.86.129.105
  Accounting Status Attribute (40), length: 6, Value: Stop
  Username Attribute (1), length: 19, Value: 223...@soas.ac.uk
  NAS Port Attribute (5), length: 6, Value: 0
  NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
  Accounting Session ID Attribute (44), length: 27, Value: 223313@s7CC5376FE7E3-C189
  Accounting Input Octets Attribute (42), length: 6, Value: 42426
  Accounting Output Octets Attribute (43), length: 6, Value: 351596
  Accounting Input Packets Attribute (47), length: 6, Value: 301
  Accounting Output Packets Attribute (48), length: 6, Value: 379
  Accounting Termination Cause Attribute (49), length: 6, Value: Idle Timeout
  Framed IP Address Attribute (8), length: 6, Value: 128.86.184.37
  Calling Station Attribute (31), length: 14, Value: 7CC5376FE7E3
  Called Station Attribute (30), length: 14, Value: 000B860E5100
  Accounting Session Time Attribute (46), length: 6, Value: 06:40 min
  Accounting Delay Attribute (41), length: 6, Value: 00 secs
  Vendor Specific Attribute (26), length: 15, Value: Vendor: Unknown (14823)
    Vendor Attribute: 5, Length: 7, Value: eduroam
  Vendor Specific Attribute (26), length: 11, Value: Vendor: Unknown (14823)
    Vendor Attribute: 6, Length: 3, Value: N/A
  Vendor Specific Attribute (26), length: 20, Value: Vendor: Unknown (14823)
    Vendor Attribute: 1, Length: 12, Value: pre-employee
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
    Vendor Attribute: 2, Length: 4, Value: 
  Unknown Attribute (103), length: 6, Value:
  Proxy State Attribute (33), length: 20, Value: OSC-Extended-Id=27


The gdb backtrace is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x42b7b470 (LWP 9963)]
0x402dc2bc in strnlen () from /lib/libc.so.6
(gdb) where
#0  0x402dc2bc in strnlen () from /lib/libc.so.6
#1  0x403075d8 in fnmatch () from /lib/libc.so.6
#2  0x409da598 in do_detail (instance=0x114e50, request=0x43443240, packet=0x43446dd8, compat=<value optimized out>) at rlm_detail.c:301
#3  0x00022110 in call_modsingle (component=3, c=<value optimized out>, request=0x43443240) at modcall.c:297
#4  modcall (component=3, c=<value optimized out>, request=0x43443240) at modcall.c:670
#5  0x0001ec94 in indexed_modcall (comp=3, idx=0, request=0x43443240) at modules.c:737
#6  0xeefc in rad_accounting (request=0x43443240) at acct.c:93
#7  0x0002f16c in radius_handle_request (request=0x43443240, fun=0xee60 <rad_accounting>) at event.c:3780
#8  0x00026a4c in request_handler_thread (arg=<value optimized out>) at threads.c:525
#9  0x400818cc in start_thread () from /lib/libpthread.so.0
#10 0x40330bdc in clone () from /lib/libc.so.6
#11 0x40330bdc in clone () from /lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)


If you need the FreeRADIUS -X malarkey, then do ask; it is just trickier 
to get on a production box... :)

Cheers

[1] http://stuff.digriz.org.uk/freeradius-acct-segfault.pcap

-- 
Alexander Clouter
.sigmonster says: Preserve the old, but know the new.



Re: acct segfault in git v2.1.x

2011-05-09 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
   NAS Port Attribute (5), length: 6, Value: 0
 
 NAS-Port 0 
 
 are you serious?  ;-)

Hey, *you* are the one proxying it ;P
 
   Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown 
 (14823)
 Vendor Attribute: 2, Length: 4, Value: 
 
 ..thats an interesting one.
 
   Unknown Attribute (103), length: 6, Value:
 
 as is that. unpopulated/corrupt attributes.

Just unprintable, check the pcap file linked to in the original email 
for ahem and giggles.
 
 what are you doing with this accounting packet when it arrives? 'detail' 
 module? SQL ?
 
Journalled accounting; it's picked up by a decoupled accounting virtual 
server.

Cheers

-- 
Alexander Clouter
.sigmonster says: Generic Fortune.



Re: NAS-Port ID

2011-05-06 Thread Alexander Clouter
Lars Witter eagl...@gmx.de wrote:
 
 I've a question about the database fields NASPortId and 
 NASPortType for radius in radacct.
 
 What's the meaning of those fields?
 
 NASPortType is always filled with Async ...
 NASPortId is filled with different Integers.
 
 I've read the sources of ppp, but I didn't find out anything. :-(
 
The best place to look is in the actual RFCs, to be honest:

http://tools.ietf.org/html/rfc2865#section-5.41 - NAS-Port-Type
http://tools.ietf.org/html/rfc2869#section-5.17 - NAS-Port-Id

For a list of valid types either grep the dictionaries or look at:

http://www.iana.org/assignments/radius-types/radius-types.txt

Cheers

-- 
Alexander Clouter
.sigmonster says: You auto buy now.



Re: Radius Database

2011-05-06 Thread Alexander Clouter
SC@ sca1...@hotmail.com wrote:
 
 I know this website but I didn't find it... maybe it is in there but where? I 
 think I have asked kindly...

 This is a forum; when someone has difficulties we help him...

The people who occupy a forum though are generally not paid to help out 
and do so in their free time.  Saying "I have a problem, tell me what 
to do" without showing *any* effort at all at your end, or how far your 
attempts have got you so far, is not the way to encourage people to help 
you out.

Maybe if you actually did the following we would be more eager:
 1. clearly state what you want to do
 2. say "I have been reading x, y and z..."
 3. show us the debug and configuration you are using
 4. explain what you think is wrong and why you are unable to fix it

So, you can ask as politely as you want but it's not going to actually 
get you anywhere.  You have to see it from our point of view, so far it 
seems to us, the problem is not important enough to you to detail here 
its specifics or for you to actually read the documentation, so 
obviously is not important enough for us all to burn our *free* and 
*volunteered* time on?

Cheers

-- 
Alexander Clouter
.sigmonster says: You will be misunderstood by everyone.



Re: about FreeRadius+radiusmanager+mikrotik

2011-05-04 Thread Alexander Clouter
Tanjil Ahmed tan...@tanjil.net wrote:
 
 after a few mins he is able to login.. pls help me to solve this 
 problem!
 
...only if you help us to help you.

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#But_it_worked_with_another_RADIUS_server.21

You so far have not:
 * shown any signs of reading the documentation
 * shown any signs of reading the FAQ
 * shown any signs of doing any research into your problem
 * produced any *useful* debug after being asked

What might be handy for us is:
 * what your NAS sends in an Access-Request
 * what you are expecting to send back as a reply
 * the debug output for a successful request
 * your config file(s)

You are so far doing the same as a regular end user shouting "DOES NOT 
WORK FIX IT NOW!!?!?" and refusing to provide any information at all 
about:
 1. what are you trying to do (Access-Accept looks like?)
 2. how are you trying to do it (config/debug)
 3. what are you expecting to happen (where you think the debug goes 
wrong, SQL, LDAP, files queries)
 4. what is actually happening (RADIUS response, if any)

Please, throw us a freaking bone here...try starting with the 
documentation, Google and the FreeRADIUS mailing list archives.

Regards

-- 
Alexander Clouter
.sigmonster says: What this country needs is a good five cent microcomputer.



Re: ldap server connection timeout

2011-05-03 Thread Alexander Clouter
Daniel Davidson dani...@igb.uiuc.edu wrote:

 My new wireless network tested great, but now that I have rolled it out 
 to the entire building, I get error messages like:
 
 Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed 
 out while waiting for server to respond. Please increase the timeout.
 
 And when these trigger, nearly everyone gets disconnected for about 5 
 seconds.  Possible relevant code from ldap module:
 
 ldap {
   #private stuff -- BUT CRUCIAL!
 ldap_connections_number = 15
 timeout = 10
 timelimit = 10
 net_timeout = 5
 }
 
 The only existing firewalls are on the machines themselves and the ip 
 range of the servers are open with each other.  Any ideas?
 
I am guessing your LDAP server is *way* too slow when processing the 
queries you are making it munch through.  A typical 'first-timer' mistake is 
not indexing the important attributes.  For example our 
filter looks like:

filter = "(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"

This takes ~0.02s to respond for us, how long does it take to process 
the query at your end (test with the following and remember to test 
the server when it is under load, which is probably why it worked 
before you widely deployed it):

time ldapsearch -h ldap-server.example.com -x -LLL 'query'


Where query is what you see FreeRADIUS make in the output of 'radiusd 
-X'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Out of register space (ugh)
-- vi



Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Alexander Clouter
Gary T. Giesen gie...@snickers.org wrote:
 
 In this configuration, freeradius will always respond from 
 192.168.1.250, even if the initial request was sent to 1.2.3.4. This 
 is obviously breaking things for me, as I'd rather not have freeradius 
 listen on every interface on the server (and there are a number of 
 them).

 Am I doing something wrong? Am I expecting the wrong behaviour? Or is 
 this a bug?
 
What's the:
 * OS
 * output of 'ip route' and 'ip route get src-ip-of-request'

If you are multihomed (can get to the same IP via more than one 
interface/gateway) then it should work.  If you have misconfigured the 
server so that it does not know how to route to src-ip-of-request via the 
interface it saw the packet come in on, then you will have a problem 
(although I would have expected no reply at all).

Cheers

-- 
Alexander Clouter
.sigmonster says: Vax Vobiscum



Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-03 Thread Alexander Clouter
Daniele Albrizio albri...@univ.trieste.it wrote:

 I suspect the cacertfile attribute is not correctly re-instantiated
 and only the value of the first request is used to check against when
 instantiating a new ldaps connection.
 
Without a doubt the chaining is not working on your LDAP servers.  What 
is the full output of:

openssl s_client -connect myAD.ds.units.it:636 -showcerts
openssl s_client -connect myopenldap.units.it:636 -showcerts

You can pipe the server cert (cut'n'paste on stdin) through the 
following to see the useful parts of the certs:

openssl x509 -noout -text

You will probably find that if you change those tls 'demands' to 'never' 
things work, but then it is kinda self-defeating :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You can't break eggs without making an omelet.



Re: Freeradius, bind addresses, and multihoming

2011-05-03 Thread Alexander Clouter
Tanjil Ahmed tan...@tanjil.net wrote:
 
 why does radius not auto-bind the MAC from the user on first use? like the mikrotik
 user manager has this option...
 
...dear user, why do people keep hijacking mailing list threads and use 
the *Reply-To* button rather than *Compose* in their email clients?

 is there any way?
 
Indeed.

Regards

-- 
Alexander Clouter
.sigmonster says: Talk is cheap because supply always exceeds demand.



Re: IPs will not be assigned

2011-04-29 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:

 My goal is a hotspot for a coffee. My freeRadius is on Debian and the Access
 Point is a Vodafone WLAN Router. All functions of the Vodafone Router are
 disabled. Only Network Security   WPA/WPA2 and Authentication: 802.1X, Server
 IP: 192.168.2.1,  Server Port: 1812, Secret Key: testing123

 If I try to authenticate with an Apple Mac, I get the access but no 
 IP, so I don't have Internet. What am I doing wrong??
 
 VLAN assignment on wireless networks is with DHCP, not Radius. The 
 radius Framed-IP-Address attribute is not useful.

*ahem*

s/VLAN/IP/

IP assignment on
 
 You need to run a DHCP server.

Indeed, though do not mention that FreeRADIUS can do DHCP ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: If you're not careful, you're going to catch something.



Re: Running FreeRadius daemon in debug mode

2011-04-17 Thread Alexander Clouter
Mike Hale eyeronic.des...@gmail.com wrote:
 
 I'm running the latest yum version of freeradius2 on a 32bit CentOS 
 5.5 install.
 
Although not relevant, please next time take a moment to actually find 
out the FreeRADIUS version, as this is a *FreeRADIUS* mailing list and 
not a CentOS mailing list...

To additionally make things complicated, we actually do not know if you 
are actually running the latest CentOS release (unlikely but 'stale' 
mirror?) or if you have added additional RPM sources.

 I'm using service radius start to launch the daemon.  I'm trying to 
 figure out how to use the service method to launch the process in 
 debug mode.  I can start it in debug mode when calling it from the 
 command line just fine.
 
 I thought it might be as simple as modifying the radiusd script file 
 in /init.d with the -x switch, but that causes errors.  Does anyone 
 have a working copy of the init.d script I could look at?
 
That's a Bad Idea(tm).  Learn to use 'screen'[1], 'tee' and call 
freeradius with 'radiusd -X | tee /tmp/debug' manually.

Cheers

[1] http://www.kuro5hin.org/story/2004/3/9/16838/14935

-- 
Alexander Clouter
.sigmonster says: An adequate bootstrap is a contradiction in terms.



Re: Freeradius proxy caching users

2011-04-11 Thread Alexander Clouter
Ivan Luska lu...@ics.muni.cz wrote:

 Hello, I use Freeradius as proxy server. Is it possible to cache 
 authenticated users on the proxy and resend access-accept to these 
 users, if home server fails?
 
If you look through the archives and find out how to failover to a 
virtual server to proxy through instead it is possible.  You would need 
to script up something with rlm_perl/rlm_python to build up a cache, and 
the virtual failover system would then have to query that cache.

Cheers

-- 
Alexander Clouter
.sigmonster says: Manoj I *like* the chicken

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
GreenUA green_...@mail.ru wrote:

 I reviewed the RFC and FAQ, but I can't find sane info about 
 configuration of the freeRADIUS server (on Windows) to send an 
 access-challenge message on access-request.

...because running FreeRADIUS is not a sane thing to do.
 
 My configuration is (users.conf):

 [snipped AWOL radiusd.conf file]
 
 Guys pls help me with the answer or, if it's possible, give me some link 
 or manual in which I can find the answer.

The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

-- 
Alexander Clouter
.sigmonster says: Check your local listings.



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@gmail.com wrote:

 On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
 
 GreenUA green_...@mail.ru wrote:
 
 I reviewed the RFC and FAQ, but I can't find sane info about 
 configuration of the freeRADIUS server (on Windows) to send an 
 access-challenge message on access-request.
 
 ...because running FreeRADIUS is not a sane thing to do.
 
 Shouldn't that be running Windows is not a sane thing to do? :P
 
Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.

ta da

Cheers

-- 
Alexander Clouter
.sigmonster says: Some restrictions may apply.



Re: LDAP-group filter search is failing

2011-04-10 Thread Alexander Clouter
joezamosc joezam...@yahoo.com wrote:
 
 Alexander - you have a point - WANN is under an OU - I've made an adjustment in
 modules/ldap and changed groupname_attribute to ou:
 groupname_attribute = ou

'groupname_attribute' should be 'cn', unless your LDAP directory is very 
broken ;)

 And after running "ldapsearch -h server -x -b dc=corp,dc=development,dc=com ou=wann dn member"
 I get...
 
 # extended LDIF
 #
 # LDAPv3
 # base <DC=corp,DC=development,DC=com> with scope subtree
 # filter: ou=wann
 # requesting: ALL
 #
 
 # WANN, Departments, corp.development.com
 dn: OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
 objectClass: top
 objectClass: organizationalUnit
 ou: WANN
 distinguishedName: OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
 instanceType: 4
 whenCreated: 20110405164142.0Z
 whenChanged: 20110405164142.0Z
 uSNCreated: 10913685
 uSNChanged: 10913685
 name: WANN
 objectGUID:: Eqi2LbFChke1MJ1VS9a4GA==
 objectCategory: 
 CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=development,DC=com
 
'ou' is more akin to a 'directory' in a filesystem rather than something 
that records any useful information.

What do ldapsearch's give you for 'cn=wann' and
'member=CN=RobertTest1,ou=WANN,ou=Departments,dc=corp,dc=development,dc=com'?

Cheers

-- 
Alexander Clouter
.sigmonster says: You have a truly strong individuality.



Re: LDAP-group filter search is failing

2011-04-08 Thread Alexander Clouter
joezamosc joezam...@yahoo.com wrote:
 
 The 10th line from the bottom of the snippet returns with the following...
 
 rlm_ldap::ldap_groupcmp: ldap_get_values() failed
 
 I'm waiting for a subsequent [ldap] performing search in my DN and to
 match with filter (cn=WANN)
 But it's not happening.

It is happening, you have to read the debug ;)

[ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom


 Any insight?
 
You are hunting for the group under 
'ou=Departments,dc=corp,dc=development,dc=com', effectively doing:

ldapsearch -h server -x -b ou=Departments,dc=corp,dc=development,dc=com '(&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN...'


I'm guessing that's not where 'cn=WANN' lives? What does the following 
give you?

ldapsearch -h server -x -b dc=corp,dc=development,dc=com cn=wann dn member


Cheers

-- 
Alexander Clouter
.sigmonster says: Creditor, n.:
A man who has a better memory than a debtor.



Re: Per Vendor NAS-Port documentation

2011-04-08 Thread Alexander Clouter
Olivier Bilodeau obilod...@inverse.ca wrote:

 If there's nothing yet, maybe they can create a wiki page for it? I'd be
 willing to edit the entries, either on the wiki if I can get an account,
 or offline and batch up the responses into wiki markup.

 
 As suggested, I created a Wiki page: http://wiki.freeradius.org/NAS-Port
 
 I added what we have so far. I'll try to remember to maintain it.
 
NAS-Port-Id not useful or am I missing something?

I get 'FastEthernet1/0/2' and what not which is good enough for me.  
Obviously that is just what our Cisco 3750's knock out, and I guess 
other vendors might vary.

Cheers

-- 
Alexander Clouter
.sigmonster says: He don't know me vewy well, DO he?   -- Bugs Bunny



Re: Ldap Authentication question

2011-03-30 Thread Alexander Clouter
Ramon Escriba escr...@cells.es wrote:
 
 Has any one a clue of what I did wrong?
 
attempts to read Ramon's mind

attempts to use remote viewing to see output of debugging

Actually, forget it...

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Regards

-- 
Alexander Clouter
.sigmonster says: Conscience is what hurts when everything else feels so good.



Re: rlm_linelog and syslog over UDP

2011-03-26 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 are there any plans to add logging to *remote* syslog servers to the
 rlm_linelog module? Would be kinda cute; we want to log authentication
 results to a central statistics collection host - and going through
 re-send on the local syslog instance is a superfluous extra step.
 
  I see what you mean, but that involves writing a module which opens a
 UDP socket to a remote syslog server, and then creates syslog-formatted
 messages.  That's probably not hard (~500 lines?), but not a priority
 right now.

I am unsure why something like syslog-ng could not just be installed to 
do the syslog'ing instead, today?  You can use either the file or pipe 
source drivers to do what's needed.
 
  RFC 5424 also says that TCP/TLS should be preferred to UDP for sending
 to remote machines.

...queuing, message drop, tail/head drop; it's not trivial.

Cheers

-- 
Alexander Clouter
.sigmonster says: Better late than never.
-- Titus Livius (Livy)



Re: Load Balancing EAP with freeradius...

2011-03-24 Thread Alexander Clouter
Robert Roll robert.r...@utah.edu wrote:
 
 I'd like to try load balancing EAP/PEAP/MSCHAPV2 using freeradius. I 
 looked at the proxy.conf and it seems that there are two options, 
 because you have to ensure the same end client talks to the same 
 radius server. There seems to be client-balance that uses IP source 
 addresses and there is Load-Balance-Key, something like
 
  update control {
    Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
  }
 
 Currently, we have a Radiator server that uses client mac-addresses for this 
 purpose. If I do want to use the Load-Balance-Key, I'm honestly not sure 
 where to put the update of the Load-Balance-Key.. Does it go in the 
 proxy.conf?
 
Straight into your 'authorize' section, as close to the top as you 
like/can.  The following is roughly what we use; we only do it for 
'Realm == DEFAULT' as that is for our 'eduroam'ing userbase:

authorize {
  preprocess

  suffix

  [unlang/policy that is used for *all* packets]

  eap {
    ok = return
  }

  # done after eap so we can record what guests are using
  if (Realm == "DEFAULT") {
    update control {
      Load-Balance-Key := "%{NAS-IPv6-Address} %{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-Id}"
    }
    # break out of 'authorize' early to spare CPU cycles
    handled
  }

  [unlang/policy that is used for all *non-proxied* packets]
}


Cheers

-- 
Alexander Clouter
.sigmonster says: People who push both buttons should get their wish.

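To see why the key has to be built from attributes that repeat unchanged across the whole EAP conversation, here is an added example in Python that is not FreeRADIUS code: it assembles the Load-Balance-Key from the post above, hashes it with FNV-1a (this example's own choice of hash; FreeRADIUS's internal hash is not assumed to match) to pick one of three constructed home servers, and checks that every round trip of a constructed PEAP exchange lands on the same server, whereas a key that also includes State changes on every packet.

```python
# FNV-1a, 64-bit: a small, well-known non-cryptographic hash, used here only
# to turn the key into a stable pool index.
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3

# Constructed home server pool (assumed names, not real hosts).
HOME_SERVERS = ["radius-a.example.org", "radius-b.example.org", "radius-c.example.org"]


def fnv1a_64(data: bytes) -> int:
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def xlat(packet: dict, attr: str) -> str:
    """Mimic %{Attr} expansion: an absent attribute expands to the empty string."""
    return str(packet.get(attr, ""))


def load_balance_key(packet: dict) -> str:
    """The key from the post: NAS address(es), NAS-Port, User-Name and
    Calling-Station-Id, all of which the NAS repeats on every round trip."""
    return " ".join(xlat(packet, a) for a in (
        "NAS-IPv6-Address", "NAS-IP-Address", "NAS-Port",
        "User-Name", "Calling-Station-Id"))


def bad_key(packet: dict) -> str:
    """A key that also includes State, which the server rotates on every
    Access-Challenge, so it differs from one round trip to the next."""
    return load_balance_key(packet) + " " + xlat(packet, "State")


def choose_home_server(key: str, pool=HOME_SERVERS) -> str:
    """keyed-balance style selection: hash of the key modulo pool size."""
    return pool[fnv1a_64(key.encode()) % len(pool)]


def eap_round(n: int) -> dict:
    """Constructed outer Access-Request number n of one PEAP conversation:
    the client-identifying attributes never change, State appears from the
    second packet onwards and differs each time."""
    p = {"NAS-IP-Address": "192.0.2.10", "NAS-Port": 5,
         "User-Name": "anonymous@example.org",
         "Calling-Station-Id": "00-11-22-33-44-55"}
    if n > 0:
        p["State"] = f"0x{n:04x}"   # echoed back from the previous Access-Challenge
    return p


def servers_used(packets, key_fn, pool=HOME_SERVERS):
    """Set of home servers a conversation would be spread over."""
    return {choose_home_server(key_fn(p), pool) for p in packets}


def conversation_pinned(packets, key_fn, pool=HOME_SERVERS) -> bool:
    """True when every packet of the conversation reaches the same server,
    which is what an EAP exchange needs to succeed."""
    return len(servers_used(packets, key_fn, pool)) == 1


if __name__ == "__main__":
    conv = [eap_round(i) for i in range(4)]
    print("good key pinned:", conversation_pinned(conv, load_balance_key),
          servers_used(conv, load_balance_key))
    print("distinct bad keys:", len({bad_key(p) for p in conv}))
```

The first key is identical for all four packets, so the hash and hence the chosen home server are too; the second produces four different keys, and whether the EAP exchange survives then depends on luck with the modulo.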


Re: Access Accept vs Tunneled reply

2011-03-11 Thread Alexander Clouter
David Peterson dav...@wirelessconnections.net wrote:

 These values are unique per user.  Is there an elegant way to copy this to
 the post-auth section?

The following might help?

http://lists.freeradius.org/mailman/htdig/freeradius-users/2011-January/msg00353.html

Cheers

-- 
Alexander Clouter
.sigmonster says: What garlic is to food, insanity is to art.



Re: Access Accept vs Tunneled reply

2011-03-11 Thread Alexander Clouter
David Peterson dav...@wirelessconnections.net wrote:

 I am wondering if it's a misconfiguration of a group reply.  I have 
 those attributes listed as a group-reply.  Would putting the 
 attributes in the normal vs the group reply put them in a different 
 portion of the response?
 
As you now have the User-Name/whatever-wimax utilises movable from the 
inner layer to the outer, you can just do your policy on the outer layer 
instead.  Do authentication in the inner-tunnel, whilst keeping 
authorisation on the outer layer...

Cheers

-- 
Alexander Clouter
.sigmonster says: Stay the curse.



Re: Status of 2.1.11/OSCP Implementation

2011-03-09 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 But let me rephrase my initial question: Would you consider this feature
 stable?
 
 Try it and see.  This isn't commercial software with dozens of people 
 in the QA department.  *You* are the QA department.
 
I was under the general impression that QA is no longer done for 
commercial software either...

Sorry, couldn't resist.

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #189:
  SCSI's too wide.



Re: freeRadius/LDAP per NAS access

2011-03-07 Thread Alexander Clouter
Guy g...@britewhite.net wrote:
 
 I now have FreeRadius granting access and using LDAP for username and 
 password information.
 
 My next challenge, using the same Radius and LDAP server I would like 
 to grant different users access via different NAS clients.
 
 eg in LDAP I would have:
 
 uid=guy
 services: VPN
 services: WiFi
 
 If I have the services: VPN then I would be allowed to connect to 
 the VPN server and if I don't have that entry in my LDIF then it would 
 not be allowed to access.
 
 Any ideas on how to do this, simply?

...Dear Lazyweb eh?  You should really *attempt* to try, or show you 
have attempted something, 
 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Now use %{client:keyword} in your LDAP xlat search query...

To be honest though, your approach *abuses* LDAP, you should be adding 
them to a *group*, not bloating-up and overloading the user object; 
otherwise you might as well use something horrible like SQL...

Cheers

-- 
Alexander Clouter
.sigmonster says: A woman can never be too rich or too thin.



decoupled accounting cron check

2011-03-06 Thread Alexander Clouter
Hi,

For those out there using decoupled accounting, especially in an 
'eduroam' environment, the following might be helpful.

I receive a lot of random rubbish from the various NAS's deployed 
internationally sent to my FreeRADIUS installation.  Such moments of fun 
are accounting stop packets with a zero session length 
(CISCO_ACCOUNTING_HACK) resulting in a DoS when received in the 
decoupled accounting case...plus the other usual things that trigger 
corner cases my custom (bad?) SQL statements do not catch when logging 
this information to our database.

The unfortunate outcome means after a bad accounting packet, the 
mountpoint I use for recording my journal fills up until FreeRADIUS 
hangs with no warning (meanwhile FreeRADIUS works fine so it is not 
something trivially monitored by NAGIOS or such).

The solution I slapped together is a quick minutely run script by cron 
that notifies me by email when a problem occurs.

My preference is to place my detail journal files on a separate tmpfs 
mountpoint (as I use low powered ARM boxes, OpenRD's if you are curious, 
that only have a NAND):

tmpfs /var/log/freeradius/radacct/journal tmpfs nosuid,nodev,noexec,size=32M,mode=700,uid=freerad,gid=freerad 0 0


Then the following script is used.

#!/bin/sh

MOUNT=/var/log/freeradius/radacct/journal
TRIGGER=1024
RCPT="j...@example.com b...@example.com"
MESSAGE="FreeRADIUS is on the road to implosion...yer might want to look into it.

Cheers"

SELF=$(basename "$0")

# kB currently used on the journal mountpoint (third column of df)
USED=$(df "$MOUNT" | tail -n1 | awk '{ print $3 }')

if [ -e "/var/lock/$SELF" ]; then
	# a notification has already gone out; only re-arm once usage
	# has dropped below half the trigger mark
	if [ "$USED" -lt $((TRIGGER/2)) ]; then
		rm "/var/lock/$SELF"
	else
		exit 1
	fi
fi

[ "$USED" -lt "$TRIGGER" ] && exit 0

DATE=$(date -R)
TO=$(echo "$RCPT" | sed 's/ /, /g')

# $RCPT is deliberately unquoted so each address becomes its own argument
cat <<EOF | /usr/sbin/sendmail -i $RCPT
To: $TO
Date: $DATE
Subject: $MOUNT exceeds ${TRIGGER}kB

$MESSAGE
EOF

[ $? -eq 0 ] && touch "/var/lock/$SELF"

exit 1


That's it.  The above script will email you only a single time when more 
than 1024kB of journal is sitting around waiting to be processed and 
will re-enable notifications once it drops to half the trigger mark 
(512kB).

Cheers

-- 
Alexander Clouter
.sigmonster says: T-shirt:
Life is *not* a Cabaret, and stop calling me chum!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
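The post above monitors the symptom (a journal that stops draining); the
following is an added example, not part of the post or of FreeRADIUS, that
screens a detail journal for the cause the post names, Stop packets with a
zero (or missing) Acct-Session-Time, so they can be set aside before the
detail reader gets stuck retrying them. It assumes the standard detail-file
layout (a timestamp line, tab-indented `Attribute = value` lines, a blank
line between records); the sample journal embedded in the block is
constructed for the example.

```python
"""Screen a FreeRADIUS 'detail' journal for zero-length Stop records.

Added example (not from the mailing-list post or the FreeRADIUS project).
Assumes the standard detail-file layout: one record per block, a timestamp
header line, tab-indented 'Attribute = value' lines, blank line between records.
"""

import re

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Split detail-file text into a list of records.

    Each record is a dict of attribute -> value (surrounding quotes stripped),
    plus '_timestamp' (the header line) and '_raw' (the record's original
    lines, kept so good records can be re-emitted unchanged)."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        if not line[0].isspace():       # unindented line = timestamp header
            if current:
                records.append(current)
            current = {'_timestamp': line.strip(), '_raw': [line]}
            continue
        if current is None:             # indented line with no header: skip
            continue
        current['_raw'].append(line)
        m = ATTR_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
    if current:
        records.append(current)
    return records


def is_bad_stop(rec):
    """True for an Accounting Stop whose session time is zero, missing or junk."""
    if rec.get('Acct-Status-Type') != 'Stop':
        return False
    try:
        return int(rec.get('Acct-Session-Time', '0')) <= 0
    except ValueError:
        return True


def screen(text):
    """Return (clean_text, rejected).

    clean_text is the journal with bad Stop records removed and every other
    record re-emitted byte-for-byte; rejected is the list of removed records."""
    good, bad = [], []
    for rec in parse_detail(text):
        (bad if is_bad_stop(rec) else good).append(rec)
    clean = ''.join('\n'.join(r['_raw']) + '\n\n' for r in good)
    return clean, bad


# Constructed sample journal: a Start, a zero-length Stop, and a normal Stop.
SAMPLE = (
    "Sun Mar  6 10:00:00 2011\n"
    "\tAcct-Session-Id = \"0000abcd\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tUser-Name = \"alice@example.ac.uk\"\n"
    "\tNAS-IP-Address = 192.0.2.1\n"
    "\tTimestamp = 1299405600\n"
    "\n"
    "Sun Mar  6 10:00:05 2011\n"
    "\tAcct-Session-Id = \"0000beef\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Time = 0\n"
    "\tUser-Name = \"bob@example.ac.uk\"\n"
    "\tNAS-IP-Address = 192.0.2.2\n"
    "\tTimestamp = 1299405605\n"
    "\n"
    "Sun Mar  6 10:30:00 2011\n"
    "\tAcct-Session-Id = \"0000abcd\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Time = 1800\n"
    "\tUser-Name = \"alice@example.ac.uk\"\n"
    "\tNAS-IP-Address = 192.0.2.1\n"
    "\tTimestamp = 1299407400\n"
    "\n"
)

if __name__ == '__main__':
    clean, rejected = screen(SAMPLE)
    for rec in rejected:
        print('rejected %s session %s from %s' % (
            rec['_timestamp'], rec.get('Acct-Session-Id'), rec.get('NAS-IP-Address')))
    print('%d record(s) kept' % len(parse_detail(clean)))
```

Run it against a copy of the journal (never the file the detail reader is
currently working on) and feed the cleaned output back through the detail
listener; the rejected records are still worth keeping somewhere, since a
NAS that sends them is usually misconfigured rather than malicious.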


Re: decoupled accounting cron check

2011-03-06 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@gmail.com wrote:

 So does the detail reader read the packet, find that its invalid and 
 then retry the same packet?

Yes...after waiting 30 seconds then retrying.

For 'valid' packets, it is handy, as I get to fix my SQL, but there will 
come a point where it is safe[1] and I will probably look to rely more on 
the approach Alan just posted...but maybe it is more interesting not to.

Bah, it's only accounting packets, I have ~99%+ of them, who really 
cares in the 'eduroam' world if I get the final 10^-$BIGNUM :)

Cheers

[1] I thought I actually had it covered this week, but it imploded 
twice and I added a few more CASE's and %{%{...}:-0}'s

-- 
Alexander Clouter
.sigmonster says: To teach is to learn twice.
-- Joseph Joubert

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

