free radius setup
I understand a bit more why people were bringing up plain text passwords now. My radius server is being presented with PEAP MS-CHAPv2 credentials and I want it to receive authentication from my OpenLDAP server. It seems that the credentials in this format cannot be digested by OpenLDAP and acknowledged. The passwords in my OpenLDAP are encrypted as SHA. Do I have this right? Is there an alternative? Maybe that FreeRADIUS 3.0.0 rc1 mentioned in one of the emails the other day?

Thanks for your attention

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: free radius setup
Yes, I already saw that and this is why I am stuck. I am using Aruba 3000 Wireless controllers running the 6.2.X.X code. As I understand it, when the laptop user selects the secure SSID they should be prompted for a username and password. This username and password will be presented to radius as PEAP MS-CHAPv2. Radius then needs to authenticate this against my OpenLDAP, where the passwords are encrypted as SHA, thus bad end. I could not find an encryption type in OpenLDAP that would satisfy the chart. If it did work then I could take the info from radius accounting and pass it to our NAC control (Impulse Safe Connect), which will let the students onto the network after they pass some computer hygiene checks. I have a population of 2000 college students who have little idea of what security really is. And of course I am trying to do this on the typical budget provided by a non-profit such as my college is.

Chris S.

-----Original Message-----
From: John Dennis [mailto:jden...@redhat.com]
Sent: Tuesday, September 10, 2013 6:09 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: free radius setup

On 09/10/2013 02:15 PM, Swenson, Chris wrote:
> I understand a bit more why people were bringing up plain text passwords now. My radius server is being presented with PEAP MS-CHAPv2 credentials and I want it to receive authentication from my OpenLDAP server. It seems that the credentials in this format cannot be digested by OpenLDAP and acknowledged. The passwords in my OpenLDAP are encrypted as SHA. Do I have this right? Is there an alternative? Maybe that FreeRADIUS 3.0.0 rc1 mentioned in one of the emails the other day?

Before you go any further you need to read and understand the material on this page:

http://deployingradius.com/documents/protocols/compatibility.html

--
John
RE: free radius setup
-----Original Message-----
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Tuesday, September 10, 2013 3:07 PM
To: FreeRadius users mailing list
Subject: Re: free radius setup

On 10 Sep 2013, at 19:15, Swenson, Chris cswen...@curry.edu wrote:

>> I understand a bit more why people were bringing up plain text passwords now. My radius server is being presented with PEAP MS-CHAPv2 credentials and I want it to receive authentication from my OpenLDAP server.
>
> What happened to that web gateway?

My vague understanding of what I was getting into led to a misstatement.

>> It seems that the credentials in this format cannot be digested by OpenLDAP and acknowledged. The passwords in my OpenLDAP are encrypted as SHA. Do I have this right? Is there an alternative?
>
> * Use a different EAP method, OR
> * Rehash all your credentials to NT-Password format, OR
> * Harvest passwords and store them in Plaintext
>
>> Maybe that FreeRADIUS 3.0.0 rc1 mentioned in one of the emails the other day?
>
> No. It's good but it's not magic. You need the plaintext password for comparison, there's no way to transform the MS-CHAPv2 responses into the cleartext password or to a SHA1 password.

Back to the drawing board for me. I may be back with more questions.

Thanks

> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team
RE: problem with initial setup
Thanks for the replies:

Ok, uninstalled #1 and updated to freeradius2. radiusd started without a hitch with

testing Cleartext-Password := password

in users file. When I ran

radtest testing password localhost 0 testing123

Received

-bash: /usr/bin/radtest: No such file or directory

For academics' sake here is the radius -X output. (definitely not my granddad's radius)

[root@ldap1 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 at 10:55:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
	user = radiusd
	group = radiusd
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = radiusd
	prefix = /usr
	localstatedir = /var
	sbindir = /usr/sbin
	logdir = /var/log/radius
	run_dir = /var/run/radiusd
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers proxy
RE: problem with initial setup
That did it. In version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested. I wonder why in the ticket I opened with Red Hat support they did not suggest the upgrade.

Thanks to all.

Chris S.

-----Original Message-----
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
>
> Ok, uninstalled #1 and updated to freeradius2. radiusd started without a hitch with
>
> testing Cleartext-Password := password
>
> in users file. When I ran
>
> radtest testing password localhost 0 testing123
>
> Received
>
> -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or read how to use the yum package manager.

--
John
problem with initial setup
Hi all,

I have not used radius in about 15 years and found a need recently. I have set up the rpm on a Red Hat 5.6 server and when I run radius -X the system starts fine with the expected info. When I enter the suggested line as the first line in the users file

testing Cleartext-Password := password

and then rerun the radius -X it bombs and does not start. See output below. Without this running I cannot do the radtest. Thanks for any guidance.

[root@ldap1 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
/etc/raddb/users[91]: Parse error (check) for entry testing: Unknown attribute Cleartext-Password
Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed.
radiusd.conf[1837] Unknown module files.
radiusd.conf[1773] Failed to parse authorize section.
[root@ldap1 raddb]#
RE: problem with initial setup solved
I guess I need to recycle my 2002 Shell O'Reilly book.

-----Original Message-----
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Swenson, Chris
Sent: Monday, September 09, 2013 1:27 PM
To: FreeRadius users mailing list
Subject: RE: problem with initial setup

> That did it. In version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested. I wonder why in the ticket I opened with Red Hat support they did not suggest the upgrade.
RE: my Radius goal radius and openldap.
No, they are encrypted in the ldap database in md5 hash. I might be too old to do bleeding edge stuff like 3.0 RC1. I will take a look and a poke at it though.

Thanks.

-----Original Message-----
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, September 09, 2013 6:54 PM
To: FreeRadius users mailing list
Subject: Re: my Radius goal radius and openldap.

On 9 Sep 2013, at 23:00, Swenson, Chris cswen...@curry.edu wrote:

>> I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap.
>
> You have plaintext passwords then?
>
>> I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don't feel like I am completely reinventing the wheel.
>
> Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better.
>
> For redundancy/resilience you can either just point the module at a round-robin FQDN, or set a comma delimited list of servers in the 'server' config item, libldap handles the failover.
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team
my Radius goal radius and openldap.
I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap. I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don't feel like I am completely reinventing the wheel.

Thanks
Chris S.
Re: my Radius goal radius and openldap.
Yeah, but the goal is that it is passed to the server via a secure web page. The end goal here is getting authenticated users the right to connect to the secure SSIDs. The Aruba wireless controllers are supposed to do that. If I am way over my head I have a consultant on contract. RHIP.

Sent from my Verizon Wireless 4GLTE smartphone

-------- Reply message --------
From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: my Radius goal radius and openldap.
Date: Mon, Sep 9, 2013 7:34 pm

On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:

>> No, they are encrypted in the ldap database in md5 hash.
>
> Right, but you have the plaintext version from the user?
>
>> I might be too old to do bleeding edge stuff like 3.0 RC1. I will take a look and a poke at it though.
>
> Fair enough.
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team
FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
All,

I could use some help in understanding my options for the following scenario:

In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client. In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real-time) so they can put them in their elasticsearch database and respond to incidents.

My question: What is the best way to make both the Ops and Security groups happy given the below limitations:

- The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.

The options we are exploring, in order of preference:

1. Robust Accounting - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations. Is this possible? Does anyone have a sample config they could share?

2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly. A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes obviously).

3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file AND send remotely to the Security group. The Ops group wants to avoid syslog if at all possible.

4. Re-configure FreeRADIUS to also log to MySQL. The Security group would then have to figure out a way to pull the data out in near-real time and insert it into their own database, which they would like to avoid.

Any comments or suggestions are welcome.

Thanks,
Chris
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Arran,

Thank you for taking the time to so clearly lay things out - it seems like rlm_replicate will do exactly what we want! I'm going to look into using redis, as it is supported by logstash out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'. What would happen to the FreeRADIUS processes should my client be unable to connect back to the redis 'server' (for whatever reason) for an extended period of time?

Also, should I be nervous about using the redis module in production given the 'Experimental' redis module description in the 2.1.1 changelog?

Thanks,
Chris

P.s. My apologies for replying via the digest - you replied before I had time to switch off of digests.

> Date: Thu, 5 Sep 2013 19:11:35 +0100
> From: Arran Cudbard-Bell a.cudba...@freeradius.org
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
> Message-ID: e1c61c30-b39e-4d42-9532-1b113dbc2...@freeradius.org
> Content-Type: text/plain; charset=us-ascii
>
> On 5 Sep 2013, at 18:29, Chris Decker csd...@psu.edu wrote:
>
>> All,
>>
>> I could use some help in understanding my options for the following scenario:
>>
>> In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client. In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real-time) so they can put them in their elasticsearch database and respond to incidents.
>
> Well you don't want the main log file from the daemon which makes it easier. That can only go to one place.
>
> There are four types of modules you could use for this:
>
> - linelog
> - detail
> - replicate
> - the db modules (ldap, sql, redis)
>
> Linelog can log to files or syslog, you construct the format lines using static text and attributes.
> Detail can only log to files, it just dumps the contents of an attribute list to a file.
> Replicate fires and forgets a copy of the Accounting-Request to a remote server.
> The DB modules just log to a table.
>
> You can list any combination of those modules in the accounting section of the server to write to multiple destinations.
>
> It's generally sensible to log one copy of the accounting packets to disk on the box it was received, most people use the detail module for this. For the other consumers, if they want off-box logging and don't want syslog, forward them a copy of the packet using rlm_replicate. This copies the incoming packet to another destination. It doesn't block, and doesn't wait for a response, meaning it will be affected by packet loss. But that shouldn't be an issue on a campus network if you set the QoS priorities correctly, and hey, at least no congestive failure.
>
> For consuming those packets at the other end, you can use another instance of FreeRADIUS (and configure it to not respond), or radsniff can be used to pick them off the wire with libpcap, and output them in something very similar to detail format.
>
> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is released (we're currently in feature freeze, so I needed something to hack on). So if you want additional features like outputting packet 'signatures' to syslog, and are willing to test the code then I'd be happy to add it in.
>
>> My question: What is the best way to make both the Ops and Security groups happy given the below limitations:
>>
>> - The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
>
> Yeah and who wants to manage SQL tables with millions of rows, eww.
>
>> - The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.
>
> Ok.
>
>> The options we are exploring, in order of preference:
>>
>> 1. Robust Accounting - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations. Is this possible? Does anyone have a sample config they could share?
>
> Um, that's a pretty basic feature of the server, just list multiple modules in the accounting section.
>
>> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly. A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes obviously).
>
> Sure. Unlike core logging, modules will re-open the file handle each time they write an entry, this is nice because you can just move the files out of the way at rotate time, and not so nice, because it's slow. Depends on load as to whether this is ok.
>
>> 3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file
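As an added example (not FreeRADIUS or radsniff code), this is the "other instance that doesn't respond" consumer from Arran's reply written as a small Python collector for the Security group's side: it verifies each replicated Accounting-Request against the home_server shared secret as RFC 2866 requires, decodes the attributes logstash would index, and emits one JSON line per packet without ever sending an Accounting-Response, so the production server's own reply to the NAS is the only one. The secret value, the attribute subset and the constructed test packet are assumptions.

```python
"""Silent RADIUS accounting collector (constructed example, not FreeRADIUS code).

rlm_replicate re-signs and forwards a copy of each Accounting-Request to the
home_server and never waits for a reply, so the consumer verifies with the
home_server secret and deliberately sends nothing back.
"""
import hashlib
import hmac
import json
import socket
import struct
from typing import Dict, Optional

ACCOUNTING_REQUEST = 4
SHARED_SECRET = b"REPLACE-WITH-HOME-SERVER-SECRET"  # placeholder, assumption

# Subset of the standard RADIUS dictionary: number -> (name, type).
ATTRS = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    8: ("Framed-IP-Address", "ipaddr"),
    31: ("Calling-Station-Id", "string"),
    40: ("Acct-Status-Type", "integer"),
    44: ("Acct-Session-Id", "string"),
    46: ("Acct-Session-Time", "integer"),
}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}


def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret).

    A packet that fails this was not signed with our secret (wrong source, corrupted,
    or forged) and must not reach the index."""
    if len(pkt) < 20 or pkt[0] != ACCOUNTING_REQUEST:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):          # octets past Length are padding
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def decode_attrs(pkt: bytes) -> Dict[str, object]:
    """Walk the TLV attribute list; reject bad lengths instead of looping or over-reading."""
    out: Dict[str, object] = {}
    length = struct.unpack("!H", pkt[2:4])[0]
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        val = pkt[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, ("Attr-%d" % atype, "octets"))
        if kind == "string":
            out[name] = val.decode("utf-8", "replace")
        elif kind == "integer" and len(val) == 4:
            num = struct.unpack("!I", val)[0]
            out[name] = ACCT_STATUS.get(num, num) if name == "Acct-Status-Type" else num
        elif kind == "ipaddr" and len(val) == 4:
            out[name] = socket.inet_ntoa(val)
        else:
            out[name] = val.hex()
        pos += alen
    return out


def to_logstash_line(pkt: bytes, secret: bytes, src: str) -> Optional[str]:
    """One JSON line per verified packet, or None if the authenticator check fails."""
    if not verify_acct_request(pkt, secret):
        return None
    rec = decode_attrs(pkt)
    rec["radius_src"] = src
    rec["radius_id"] = pkt[1]
    return json.dumps(rec, sort_keys=True)


def build_acct_request(attrs, secret: bytes, ident: int = 7) -> bytes:
    """Constructed test packet: encode the attrs, then fill in the Request Authenticator."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hdr + auth + body


def serve(bind=("0.0.0.0", 1813), secret: bytes = SHARED_SECRET) -> None:
    """Collector loop: print JSON lines for logstash; never send an Accounting-Response."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        pkt, (host, _port) = sock.recvfrom(4096)
        try:
            line = to_logstash_line(pkt, secret, host)
        except ValueError as exc:
            print(json.dumps({"radius_src": host, "error": str(exc)}), flush=True)
            continue
        if line:
            print(line, flush=True)


if __name__ == "__main__":
    serve()
```

Point the home_server entry used by rlm_replicate at this collector's address and port; because it is not a full RADIUS server, the replicating side will see no reply, which is exactly the fire-and-forget behaviour described above.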
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Arran - Ignore my 'What would happen to the FreeRADIUS processes…' question - I meant to delete that before sending my message.

On Sep 5, 2013, at 9:34 PM, Chris Decker csd...@psu.edu wrote:

> Arran,
>
> Thank you for taking the time to so clearly lay things out - it seems like rlm_replicate will do exactly what we want! I'm going to look into using redis, as it is supported by logstash out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'. What would happen to the FreeRADIUS processes should my client be unable to connect back to the redis 'server' (for whatever reason) for an extended period of time?
Re: ntlm_auth not respected
Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions.

When I run the ntlm_auth command manually, it works fine, as does running wbinfo -a:

root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
	User-Name = wyse1
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xe07a375bed09f1f7
	MS-CHAP-Response = 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} -> 
[mschap] 	... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] 	expand: %{User-Name:-None} -> wyse1
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
[mschap]  mschap1: e0
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 21/08/13 23:44, Chris Parker wrote:
>> Okay, pardon my confusion then. I had been following a howto online and it reported that the command when run manually will produce the key. Either way, I'm still having a failure in MSCHAP with radtest that I'm not quite grasping.
>
> Well, as I explained in my other email, mschap == challenge/response, modules/ntlm_auth != challenge/response.
>
> To reiterate, modules/ntlm_auth is almost certainly not what you want, and is not intended to be used as-is.
>
> I would unconfigure it and concentrate on getting modules/mschap working.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth not respected
Sorry for the individual emails, but I got things working with MSCHAP (w/ ntlm_auth) and WPA-EAP.

My issue was that when I got the two winbind errors, I did some more searching and there's the potential that the freerad user did not have access to the pipe named /var/run/samba/winbindd. That pipe is owned as follows:

drwxr-x--- 2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
	User-Name = wyse1
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
	MS-CHAP-Response = 0x0001941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
	MS-CHAP-MPPE-Keys = 0xd22b3a1df401aa61a721c8a31ba91082
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006

Now, is it safe to disable modules (by commenting them out of the sites-enabled files) that aren't related to the MSCHAP process? This is just in passing curiosity.

On Aug 22, 2013, at 10:14 AM, Chris Parker <cparke...@me.com> wrote:

> Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions.
Re: ntlm_auth not respected
Thank you Phil! That resolved my first steps, and I figured there was something like that. I have pored over deployingfreeradius.com, but for the life of me I could not find anything of assistance for my set up.

I have enabled the ntlm_auth line in modules/mschap but no password is sent to ntlm_auth to be checked. So the fact that it's failing makes sense, since there's no password being read in and thus it fails authorize. So this is just escaping me on how to get the password into ntlm_auth via MSCHAP.

On top of that, when my access point succeeds against the users file, I suspect it's doing EAP but the logs never say "I have detected EAP, setting EAP".

rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, length=113
	User-Name = wyse1
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0x9e2069a2b9faf93d
	MS-CHAP-Response = 0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 86 to 127.0.0.1 port 60203
Waking up in 4.9 seconds.
Cleaning up request 0 ID 86 with timestamp +6
Ready to process requests.

On Aug 21, 2013, at 3:25 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 08/21/2013 05:11 AM, Chris Parker wrote:
>> Log output:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
>> 	User-Name = wyse1
>> 	User-Password = K503D
>> 	NAS-IP-Address = 127.0.1.1
>> 	NAS-Port = 1812
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = wyse1, looking up realm NULL
>> [suffix] No such realm NULL
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=wyse1
>> [ntlm_auth] 	expand: --password=%{User-Password} -> --password=K503D
>> Exec-Program output: NT_STATUS_OK: Success (0x0)
>> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>> Exec-Program: returned: 0
>> ++[ntlm_auth] returns ok
>
> You're running ntlm_auth in the authorize section, and then:
>
>> [pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
>> ++[pap] returns noop
>> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
>
> ...nothing in the authenticate section.
>
> You either want:
>
> authorize {
>   ...
>   ntlm_auth
>   if (ok) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
>   ...
> }
>
> ...or:
>
> authorize {
>   ...
>   # don't run ntlm_auth here, and right at the bottom
>   if (User-Password) {
>     # PAP request, tell ntlm_auth to run in authenticate
>     update control {
>       Auth-Type = ntlm_auth
>     }
>   }
> }
>
> authenticate {
>   Auth-Type ntlm_auth {
>     ntlm_auth
>   }
> }
>
> HOWEVER - you should note that the (EXTREMELY unfortunately named) ntlm_auth module instance is usually not what you want for wireless. Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up the "ntlm_auth" configuration *item* of the mschap module.
>
> Read the extensive docs, wiki, and walkthrough on deployingradius.com for more info.
>
>> Failed to authenticate the user.
>> Login incorrect: [wyse1/K503D] (from client localhost port 1812)
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT
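The debug output above shows the whole problem in two expansions: the plaintext ntlm_auth module's `--password=%{User-Password}` expands to nothing for an MS-CHAP request, while the mschap module's challenge/response command line is fully populated. The following is an added example, not code from the thread or from FreeRADIUS: a small Python model of the FreeRADIUS 2.x `%{...}` expansion rules (nested expansions, the `:-` default operator the server warns is deprecated, and the `mschap:` helpers), fed with constructed requests whose attribute values are copied from the logs above. The two command templates follow the documented ntlm_auth command lines; the expansion logic itself is a model, not the server's implementation.

```python
"""Model of the FreeRADIUS 2.x %{...} (xlat) expansions seen in the ntlm_auth
thread.  Added example, not FreeRADIUS code: it reproduces the expansion
results from the debug output and shows why the plaintext "ntlm_auth" module
instance gets an empty --password= for an MS-CHAP request, while the mschap
module's challenge/response command line is fully populated."""
from typing import Dict, Optional, Tuple

Request = Dict[str, str]

# Constructed sample requests; attribute values taken from the debug logs above.
PAP_REQUEST: Request = {"User-Name": "wyse1", "User-Password": "K503D"}
MSCHAP_REQUEST: Request = {
    "User-Name": "wyse1",
    "MS-CHAP-Challenge": "0xe07a375bed09f1f7",
    "MS-CHAP-Response": "0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726",
}

# The mschap module's "ntlm_auth" configuration *item* (challenge/response, as on
# deployingradius.com) and the separate plaintext "ntlm_auth" module *instance*.
MSCHAP_NTLM_AUTH = (
    "ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
)
PLAINTEXT_NTLM_AUTH = (
    "ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
)


def _matching_brace(s: str, start: int) -> int:
    """Index of the '}' that closes the '%{' whose '{' sits just before start."""
    depth = 1
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in " + s)


def _split_default(inner: str) -> Tuple[str, Optional[str]]:
    """Split 'name:-default' at the first ':-' that is not inside nested braces."""
    depth = 0
    for i in range(len(inner) - 1):
        if inner[i] == "{":
            depth += 1
        elif inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner[i:i + 2] == ":-":
            return inner[:i], inner[i + 2:]
    return inner, None


def _mschap_xlat(field: str, req: Request) -> str:
    """Model of the %{mschap:...} helpers used in the templates."""
    if field == "Challenge":
        return req.get("MS-CHAP-Challenge", "")[2:]       # drop the 0x prefix
    if field == "NT-Response":
        # MS-CHAP-Response = ident, flags, [LM-Response], NT-Response (last 24 octets)
        return req.get("MS-CHAP-Response", "")[-48:]
    if field == "User-Name":
        # mschap strips a DOMAIN\ prefix so ntlm_auth gets the bare account name
        return req.get("User-Name", "").rsplit("\\", 1)[-1]
    return ""


def _lookup(name: str, req: Request) -> str:
    if name.startswith("mschap:"):
        return _mschap_xlat(name[len("mschap:"):], req)
    # An attribute that is not in the request expands to the empty string.
    return req.get(name, "")


def xlat(template: str, req: Request) -> str:
    """Expand every %{...} in template against req."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            name, default = _split_default(template[i + 2:end])
            # %{%{A}:-%{B}}: the "name" part is itself an expansion
            value = xlat(name, req) if name.startswith("%{") else _lookup(name, req)
            if not value and default is not None:
                value = xlat(default, req)
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def route(req: Request) -> str:
    """Phil's rule from the reply above: MS-CHAP attributes belong to the mschap
    module's challenge/response ntlm_auth; only a User-Password (PAP) request can
    use the plaintext ntlm_auth instance."""
    if "MS-CHAP-Response" in req:
        return xlat(MSCHAP_NTLM_AUTH, req)
    if "User-Password" in req:
        return xlat(PLAINTEXT_NTLM_AUTH, req)
    raise ValueError("no usable credential in request")
```

Running `xlat(PLAINTEXT_NTLM_AUTH, MSCHAP_REQUEST)` reproduces the `--password=` with nothing after it that precedes NT_STATUS_WRONG_PASSWORD in the log, while `route(MSCHAP_REQUEST)` yields the populated `--challenge=`/`--nt-response=` line the mschap module builds.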
Re: ntlm_auth not respected
When I poke around and try to deconstruct the issue, I find that ntlm_auth, when run manually to retrieve the NT key, does not do anything. It just says NT_STATUS_OK: Success (0x0)

If I run the --diagnostics flag this is what I get...

root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY --username=wyse1 --diagnostics
password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

So I doubt this issue is with FR, but more of that Samba is being cranky. I can never get ntlm_auth to give me that NT key, which I feel if I could resolve that, I could continue with FR.

On Aug 21, 2013, at 8:55 AM, Chris Parker <cparke...@me.com> wrote:

> Thank you Phil! That resolved my first steps, and I figured there was something like that. I have pored over deployingfreeradius.com, but for the life of me I could not find anything of assistance for my set up.
Re: ntlm_auth not respected
Okay, pardon my confusion then. I had been following a howto online and it reported that the command when run manually will produce the key. Either way, I'm still having a failure in MSCHAP with radtest that I'm not quite grasping.

On Aug 21, 2013, at 17:49, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 21/08/2013 19:28, Chris Parker wrote:
>> So I doubt this issue is with FR, but more of that Samba is being cranky. I can never get ntlm_auth to give me that NT key, which I feel if I could resolve that, I could continue with FR.
>
> No. NT_KEY is only generated by mschap, not by username/password auth. See my other email.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ntlm_auth not respected
It seems that I have ntlm_auth configured to talk to Samba correctly, as it positively works when run from the CLI and FR even shows a positive login, but that positive login never seems to be sent to the authentication stage.

More food for thought once I tackle this is that when I try to link all this together with a Netgear WAP, plain-text users in the users file work perfectly fine.

Log output:

rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
	User-Name = wyse1
	User-Password = K503D
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
acctsessiontime is always zero
Hi Mike,

Now, I've compared the MySQL tables and started FreeRADIUS in debugging mode. When Coova Chilli is used, acctsessiontime is filled in the MySQL table. When the NTRadPing Test Utility is used, acctstarttime and acctstoptime are set correctly, but acctsessiontime is always zero in MySQL.

I've found a detail log from a PortMaster [1]. I didn't know that the NAS has to send Acct-Session-Time with the stop request (newbie!). When I set Acct-Session-Time in the NTRadPing Test Utility, it works as expected.

Is it true that Acct-Session-Time has to be set by the NAS, or is it possible to calculate it as the difference between acctstarttime and acctstoptime (and write it to MySQL)? Some counters use acctstarttime and acctstoptime directly and calculate the difference in the SQL query when checking if time is left.

Chris

[1] http://www.stat.ufl.edu/system/man/portmaster/RADIUS/guide/7account.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
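Two threads on this page meet in the detail file: the logging thread's option 2 (a script that follows the detail log and streams records onward) and the question above about a NAS that sends Acct-Session-Time = 0. The following is an added example, not code from either thread or from FreeRADIUS: a Python reader for the record format rlm_detail writes (timestamp line, tab-indented attributes, blank line between records) that consumes records one at a time, so it can sit behind a tail -f style follower, and that, for a Stop record whose session time is missing or zero, derives the duration from the matching Start record's Timestamp, corrected by Acct-Delay-Time. The sample detail content is constructed, and the derivation is a fallback of my choosing; a NAS-supplied Acct-Session-Time is still taken as authoritative when present.

```python
"""Reader for FreeRADIUS "detail" accounting files.  Added example, not
FreeRADIUS code: consumes records incrementally (so it fits a tail -f style
follower) and, for Stop records whose NAS omitted Acct-Session-Time or sent
zero (the NTRadPing case above), derives the duration from the matching Start
record instead of storing zero."""
from typing import Dict, Iterable, Iterator, List, Optional

Record = Dict[str, str]

# Constructed sample content in the format rlm_detail writes: a timestamp line,
# tab-indented "Attribute = value" lines, and a blank line ending each record.
SAMPLE_DETAIL = """\
Thu Aug 22 11:15:02 2013
\tAcct-Status-Type = Start
\tAcct-Session-Id = "5215f3a6/00:11:22:33:44:55/1"
\tUser-Name = "wyse1"
\tNAS-IP-Address = 127.0.1.1
\tTimestamp = 1377170102

Thu Aug 22 11:20:10 2013
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "5215f3a6/00:11:22:33:44:55/1"
\tUser-Name = "wyse1"
\tNAS-IP-Address = 127.0.1.1
\tAcct-Session-Time = 0
\tAcct-Delay-Time = 3
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1377170410

Thu Aug 22 11:30:00 2013
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "5215f3a6/00:11:22:33:44:55/2"
\tUser-Name = "wyse2"
\tAcct-Session-Time = 600
\tTimestamp = 1377171000

"""


def iter_records(lines: Iterable[str]) -> Iterator[Record]:
    """Yield one record per blank-line-terminated block.  Nothing here needs to
    see end-of-file, so the same loop works on a live, growing detail file."""
    rec: Record = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            if rec:
                yield rec
                rec = {}
        elif line.startswith("\t") and " = " in line:
            key, value = line.strip().split(" = ", 1)
            rec[key] = value.strip('"')
        else:
            rec["_detail_time"] = line          # the human-readable header line
    if rec:
        yield rec


def derive_session_time(stop: Record, start: Optional[Record]) -> Optional[int]:
    """Session length for a Stop record.  The NAS-supplied Acct-Session-Time wins;
    if it is missing or zero and the Start record is known, fall back to the
    difference of the server's receive timestamps, minus the NAS's
    Acct-Delay-Time (time it spent retransmitting the Stop).  None = unknowable."""
    reported = int(stop.get("Acct-Session-Time", "0") or 0)
    if reported > 0:
        return reported
    if start is None or "Timestamp" not in start or "Timestamp" not in stop:
        return None
    delay = int(stop.get("Acct-Delay-Time", "0") or 0)
    return max(0, int(stop["Timestamp"]) - delay - int(start["Timestamp"]))


def process(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Stream records, remember Starts by Acct-Session-Id, and emit one row per
    Stop with the acctsessiontime it should be stored with.  The 'derived' flag
    marks rows where the NAS value was missing or zero, so they stay auditable."""
    starts: Dict[str, Record] = {}
    rows: List[Dict[str, object]] = []
    for rec in iter_records(lines):
        sid = rec.get("Acct-Session-Id", "")
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            rows.append({
                "session_id": sid,
                "user": rec.get("User-Name"),
                "acctsessiontime": derive_session_time(rec, starts.pop(sid, None)),
                "derived": int(rec.get("Acct-Session-Time", "0") or 0) == 0,
            })
    return rows
```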
RE: segfault error
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff84bfd000
Core was generated by `/usr/sbin/radiusd -d /etc/raddb'.
Program terminated with signal 11, Segmentation fault.
#0  0x003c6c07b5bb in memcpy () from /lib64/libc.so.6
###

Thanks,
Chris

-Original Message-
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Wednesday, May 01, 2013 6:30 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

hi,

..thats
RE: segfault error
I think I have what you are looking for now. I have copied the whole dump from when I start using gdb.

Chris

[root@on-radius01 raddb]# gdb /usr/sbin/radiusd /tmp/core-radiusd-11-95-95-11609-1367435209
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
This GDB was configured as x86_64-redhat-linux-gnu.
Reading symbols from /usr/sbin/radiusd...done.
[New Thread 11611]
[New Thread 11614]
[New Thread 11613]
[New Thread 11612]
[New Thread 11610]
[New Thread 11609]
Reading symbols from /usr/local/lib/libfreeradius-radius-2.2.0.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-radius-2.2.0.so
[Thread debugging using libthread_db enabled]
RE: segfault error
I forgot to include my OS and kernel type.

Linux on-radius01.eastlink.ca 2.6.18-308.16.1.el5
CentOS release 5.9 (Final)

-----Original Message-----
From: Chris Taylor
Sent: Thursday, May 02, 2013 1:31 PM
To: 'FreeRadius users mailing list'
Subject: RE: segfault error

I think I have what you are looking for now. I have copied the whole dump from when I start using gdb.

Chris

[root@on-radius01 raddb]# gdb /usr/sbin/radiusd /tmp/core-radiusd-11-95-95-11609-1367435209
RE: segfault error
I did some more debugging and I always seem to get a segfault at the same place. Is there something I should be looking at on the LDAP backend?

[files] users: Matched entry DEFAULT at line 214
++[files] returns ok
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/virtual.amtelecom.net
+- entering group PAP {...}
[pap] login attempt with password 45270
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
Segmentation fault

++[files] returns ok
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/virtual.amtelecom.net
+- entering group PAP {...}
[pap] login attempt with password bradly
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
Segmentation fault

Thanks,
Chris

Chris Taylor
System Administrator
Network Operations
Eastlink
chris.tay...@corp.eastlink.ca
T: 519.773.1287

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Chris Taylor
Sent: Friday, April 12, 2013 4:31 PM
To: FreeRadius users mailing list
Subject: RE: segfault error

Yeah this is the only version of freeradius on the box; the other was an rpm version that was removed before I compiled this one.

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, April 12, 2013 3:45 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able to see the same result. It crashed after a few minutes with the error below.
>
> on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 003c6c07b5bb rsp 73d83c08 error 4

Check that you're really running v2.2.0. Sometimes scripts point to old installations.

> I turned on core dumps to see if I could get any more details out of it, but I could not make it crash after that.

Did you follow the instructions in doc/bugs? That says how to find the bug.

> Any ideas as to what this could be? I can post my -X output but all it says at the bottom when it stops working is segfault.

doc/bugs has detailed instructions for just such an occasion.

Alan DeKok.
RE: segfault error
I have tried a few times but I can't get a core dump. After radius dies I run gdb /usr/sbin/radiusd /tmp/core_dump/test.dump but I get the following output.

#
[root@on-radius01 core_dump]# gdb /usr/sbin/radiusd /tmp/core_dump/test.dump
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Reading symbols from /usr/sbin/radiusd...done.
/tmp/core_dump/test.dump is not a core dump: File format not recognized
#

I have ulimit set to unlimited.

[root@on-radius01 core_dump]# ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited

What am I doing wrong on this?

Thanks,
Chris

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, May 01, 2013 12:14 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> I did some more debugging and I always seem to get a segfault at the same place. Is there something I should be looking at on the LDAP backend?

See doc/bugs

That should help.

Alan DeKok.
RE: segfault error
Thanks John,

I am actually using the compiled version rather than the RPM package. I was finally able to get a core dump (a few actually); this was the output. It was the same failure every time.

Thanks,
Chris

[root@on-radius01 tmp]# gdb /usr/sbin/radiusd /tmp/core-radiusd-11-95-95-11382-1367432610
RE: segfault error
Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able to see the same result. It crashed after a few minutes with the error below.

on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 003c6c07b5bb rsp 73d83c08 error 4

I turned on core dumps to see if I could get any more details out of it, but I could not make it crash after that.

Any ideas as to what this could be? I can post my -X output but all it says at the bottom when it stops working is segfault.

Thanks,
Chris

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, April 10, 2013 9:45 AM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 (Final). I was doing some testing on some new RADIUS servers that we want to put into production and I got the following error.

Well... upgrade to 2.2.0. There's no reason for us to debug issues in old versions. Those have already been debugged and fixed.

Alan DeKok.
RE: segfault error
Yeah this is the only version of freeradius on the box; the other was an rpm version that was removed before I compiled this one.

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, April 12, 2013 3:45 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able to see the same result. It crashed after a few minutes with the error below.
>
> on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 003c6c07b5bb rsp 73d83c08 error 4

Check that you're really running v2.2.0. Sometimes scripts point to old installations.

> I turned on core dumps to see if I could get any more details out of it, but I could not make it crash after that.

Did you follow the instructions in doc/bugs? That says how to find the bug.

> Any ideas as to what this could be? I can post my -X output but all it says at the bottom when it stops working is segfault.

doc/bugs has detailed instructions for just such an occasion.

Alan DeKok.
segfault error
I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 (Final). I was doing some testing on some new RADIUS servers that we want to put into production and I got the following error.

/var/log/messages
Apr 9 17:33:45 on-radius01 kernel: radiusd[8831]: segfault at 2aae660ae000 rip 2aae5b6215eb rsp 2aae660ab7c8 error 4

What should I be looking for? The RADIUS logs didn't turn up anything as it wasn't in debug mode.

Thanks,
Chris
compile with ldap support
What options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work; I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything.

Thanks,
Chris
RE: compile with ldap support
How do I check that I have them installed? I have the openldap rpm installed. I am trying to go from an rpm build to a source build to fix a problem.

Chris

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Wednesday, April 10, 2013 10:07 PM
To: FreeRadius users mailing list
Subject: Re: compile with ldap support

On 10 Apr 2013, at 21:12, Chris Taylor <chris.tay...@corp.eastlink.ca> wrote:

> What options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work; I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything.

It'll build it by default if you have the libldap headers installed. Check the output of configure to verify it's actually building rlm_ldap.

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team

Please contribute documentation: http://wiki.freeradius.org

Fruity Oaty Bars, make a man out of a mouse.
Fruity Oaty Bars, make you bust out of your blouse
Re: radius.log on DB
Perl File::Tail works very well for things like this...

On Mon, Mar 25, 2013 at 12:45 PM, AemNet <sysadmin-aem...@aemnet.it> wrote:

> On 25/03/2013 11:05, Olivier Beytrison wrote:
>> This is not possible directly from freeradius. What you can do is tell FreeRadius to log to your syslog daemon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.
>>
>> Those two links might help you:
>> http://wiki.freeradius.org/guide/Syslog-HOWTO
>> http://vermeer.org/docs/1
>>
>> But this is beyond the scope of the freeradius list
>>
>> Olivier
>
> Thank you for the answer and for the links Olivier, but I prefer not to use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash, anything else) after the request arrives and put it in a DB?

--
Regards,
Chris Knipe
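One way to do what the question asks, as an added Python example that is not File::Tail, FreeRADIUS or syslog-ng code: follow radius.log, parse each Auth line into fields, and insert it with a bound-parameter query so a username containing quotes cannot alter the SQL. The sample lines are constructed and are assumed to follow the radius.log layout "date : Auth: Login OK: [user] (from client X port N ...)".

```python
import re
import sqlite3
import time
from typing import Iterator, List, Optional, TextIO

# "Mon Mar 25 12:45:07 2013 : Auth: Login OK: [alice] (from client nas1 port 15)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : "
    r"(?P<facility>\w+): (?P<msg>.*)$")
# The bracket may hold "user" or "user/<via Auth-Type = PAP>"; only the user part is kept.
AUTH_RE = re.compile(
    r"^Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]*)[^\]]*\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an Auth line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("facility") != "Auth":
        return None
    a = AUTH_RE.match(m.group("msg"))
    if not a:
        return None
    return {"ts": m.group("ts"), "user": a.group("user"),
            "ok": a.group("result") == "OK",
            "client": a.group("client"), "port": int(a.group("port"))}


def follow(fh: TextIO, max_idle: int = 20, poll: float = 0.05) -> Iterator[str]:
    """Yield lines appended to an open log file, File::Tail style.

    Stops after max_idle consecutive empty polls so the example terminates;
    a production tailer would also reopen the file after logrotate.
    """
    idle = 0
    while idle < max_idle:
        line = fh.readline()
        if line:
            idle = 0
            yield line
        else:
            idle += 1
            time.sleep(poll)


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the real accounting database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radius_auth (ts TEXT, username TEXT, ok INTEGER,"
               " client TEXT, port INTEGER)")
    return db


def store(db: sqlite3.Connection, lines: Iterator[str]) -> int:
    """Insert every parsable Auth line; returns the number of rows written."""
    n = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Bound parameters: the username is NAS-supplied text, never spliced into SQL.
        db.execute("INSERT INTO radius_auth VALUES (?, ?, ?, ?, ?)",
                   (rec["ts"], rec["user"], int(rec["ok"]), rec["client"], rec["port"]))
        n += 1
    db.commit()
    return n


# Constructed sample lines in the assumed radius.log layout.
SAMPLE_LOG: List[str] = [
    "Mon Mar 25 12:45:01 2013 : Info: Ready to process requests.\n",
    "Mon Mar 25 12:45:07 2013 : Auth: Login OK: [alice] (from client nas-bras1 port 15 cli 5551234)\n",
    "Mon Mar 25 12:45:09 2013 : Auth: Login incorrect: [o'brien/<via Auth-Type = PAP>] (from client nas-bras1 port 16)\n",
]

if __name__ == "__main__":
    db = open_db()
    print(store(db, iter(SAMPLE_LOG)), "rows")
    print(db.execute("SELECT ts, username, ok, client, port FROM radius_auth").fetchall())
```

Pointing follow() at an open radius.log (`store(db, follow(open("/var/log/radius/radius.log")))`) turns it into the long-running script the question describes.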
rlm_ldap group search filter
I have profiles setup for all our users but I am having some trouble with setting the groupmembership_filter correctly. It will query LDAP successfully but only after it does a failed search first. I have tried using numerous filters including the default one but I can't seem to separate the username by itself, which is causing the initial search failure. I read through the rlm_ldap doc a few times but I didn't see anything that I thought would help.

Here is the output from radius -X. This is the part where it uses the search filter and fails.

[files] users: Matched entry DEFAULT at line 214
[domain1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=domain.on.ca,dc=placeholder,dc=ca -> ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
[files] expand: (&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn})) -> (&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca))
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, with filter (&(cn=residential_profile)(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca)))
[domain1] object not found

It starts a second search and succeeds.

[domain1] ldap_release_conn: Release Id: 0
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in uid=112boy,ou=radius,o=domain.on.ca,dc=palceholder,dc=ca, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
[domain1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok

My users file looks like this.

ldap domain1 {
        server = "ldap01.placeholder.ca"
        identity = "username"
        password = "xxx"
        basedn = "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_attribute = radiusGroupName
        groupmembership_filter = "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"
        #do_xlat = yes
        #compare_check_items = yes
        #access_attr_used_for_allow = yes
        ldap_connections_number = 5

My users file

DEFAULT Service-Type == Framed-User, Huntgroup-Name == bras, domain1-Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.0.16 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No

Any help is appreciated.

Thanks,
Chris
RE: LDAP groups and profiles
>> I added this to the users file
>>
>> DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile
>>
>> But I get this error when I fire up radius -X
>>
>> /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
>> Errors reading /etc/raddb/users
>
> Wild guess, but you might try a simpler module name e.g. ldap2 instead of ldap2.some.dots-and.hyphens.
>
> Phil

I gave that a try but ended up with the same result.

Chris

I was able to get this working by adding that ldap instance to the instantiate section of radius.conf. I can do a query successfully from LDAP now and pull the group info, but during the query I am seeing first a failed query then a successful query; how could I go about fixing this? I believe it's the groupmembership_filter settings but I left them at the default values, which seems to be the consensus on the mailing list.

radius -X output
#
[REALM1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=realm1.ca,dc=company,dc=ca -> ou=radius,o=realm1.ca,dc=company,dc=ca
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[REALM1] ldap_get_conn: Checking Id: 0
[REALM1] ldap_get_conn: Got Id: 0
[REALM1] performing search in ou=radius,o=realm1.ca,dc=company,dc=ca, with filter (&(cn=residential_profile)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
[REALM1] object not found
[REALM1] ldap_release_conn: Release Id: 0
[REALM1] ldap_get_conn: Checking Id: 0
[REALM1] ldap_get_conn: Got Id: 0
[REALM1] performing search in uid=112boy,ou=radius,o=realm1.ca,dc=company,dc=ca, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
[REALM1] ldap_release_conn: Release Id: 0
###

### Group section of LDAP module
#
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
#

#
# LDAP entry for an account I am querying against
##
dn: uid=112boy,ou=radius,o=realm1.ca,dc=company,dc=ca
uid: 112boy
userPassword:
objectClass: top
objectClass: posixAccount
objectClass: radiusProfile
uidNumber: 1100
gidNumber: 1100
radiusSimultaneousUse: 099
radiusAuthType: PAP
homeDirectory: //
radiusGroupName: residential_profile
cn: TRUE
###

I do get a successful query; I would just like to figure out how to get it to resolve on the first attempt.

Thanks,
Chris

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, February 05, 2013 11:23 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP groups and profiles

On 05/02/13 15:50, Chris Taylor wrote:
> I added this to the users file
>
> DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile
>
> But I get this error when I fire up radius -X
>
> /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
> Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of ldap2.some.dots-and.hyphens.
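The two debug traces above show the same group check going two ways: in the "rlm_ldap group search filter" message the user DN is expanded into the filter with its "=" and "," hex-escaped (\3d, \2c), while in this message the member value expands to nothing and the search returns "object not found". As an added Python example (not rlm_ldap code), this builds the ldap_groupcmp filter from a DN with RFC 4515 value escaping and refuses to build one from an empty DN; the group name and DN are the thread's own.

```python
from typing import Optional

# RFC 4515 requires escaping NUL, '(', ')', '*' and '\'. The thread's debug output
# also shows '=' and ',' escaped, which the RFC permits, so both are included so
# that the result matches the filter the server logged.
_ALWAYS_ESCAPE = frozenset("\x00()*\\=,")

# The thread's groupmembership_filter, with %s where %{control:Ldap-UserDn} goes.
GROUP_FILTER = "(&(objectClass=radiusProfile)(member=%s))"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    Each reserved or non-printable UTF-8 byte becomes \\xx (two hex digits),
    so a value containing '*' or ')' cannot change the filter's structure.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7E or ch in _ALWAYS_ESCAPE:
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def build_group_check(group_cn: str, user_dn: Optional[str],
                      membership_filter: str = GROUP_FILTER) -> Optional[str]:
    """Return the filter ldap_groupcmp issues: (&(cn=<group>)<membership filter>).

    Returns None when the user DN is missing: an empty value produces
    '(member=)', which matches no entry, so the caller should not search at all.
    """
    if not user_dn:
        return None
    membership = membership_filter.replace("%s", escape_filter_value(user_dn), 1)
    return "(&(cn=%s)%s)" % (escape_filter_value(group_cn), membership)


if __name__ == "__main__":
    dn = "uid=112boy,ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"  # DN from the thread
    print(build_group_check("residential_profile", dn))
    print(build_group_check("residential_profile", None))
```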
RE: LDAP groups and profiles
> I have RADIUS running with multiple realms and multiple LDAP back ends that stores all my user attributes. I am trying to apply different user profiles to different groups.
>
> What I did was setup the profile in the USERS file, add the group attributes to the ldap config file, and on the user's LDAP account I added the attribute radiusGroupName with the value "residential_profile", but I can't seem to get it to work correctly.

The debug output is pretty clear. It does an LDAP search, and the object isn't found. Make sure that (a) the object is in LDAP, and (b) you've configured FreeRADIUS to do the right LDAP search.

> It doesn't seem to query the correct backend.

For backend-specific queries, prefix the LDAP-Group with the backend name:

ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"

To query this backend, use ldap2.REALM-2.ca-LDAP-Group == ...

Alan DeKok.

Alan

I tried the setup that you suggested but it just threw an error at me.

I added this to the users file

DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

But I get this error when I fire up radius -X

/etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
Errors reading /etc/raddb/users

Thanks,
Chris

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, February 04, 2013 3:51 PM
To: FreeRadius users mailing list
Subject: Re: LDAP groups and profiles

Chris Taylor wrote:
> I have RADIUS running with multiple realms and multiple LDAP back ends that stores all my user attributes. I am trying to apply different user profiles to different groups.
>
> What I did was setup the profile in the USERS file, add the group attributes to the ldap config file, and on the user's LDAP account I added the attribute radiusGroupName with the value "residential_profile", but I can't seem to get it to work correctly.

The debug output is pretty clear. It does an LDAP search, and the object isn't found. Make sure that (a) the object is in LDAP, and (b) you've configured FreeRADIUS to do the right LDAP search.

> It doesn't seem to query the correct backend.

For backend-specific queries, prefix the LDAP-Group with the backend name:

ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"

To query this backend, use ldap2.REALM-2.ca-LDAP-Group == ...

Alan DeKok.
RE: LDAP groups and profiles
>> I added this to the users file
>>
>> DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile
>>
>> But I get this error when I fire up radius -X
>>
>> /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
>> Errors reading /etc/raddb/users
>
> Wild guess, but you might try a simpler module name e.g. ldap2 instead of ldap2.some.dots-and.hyphens.
>
> Phil

I gave that a try but ended up with the same result.

Chris

Chris Taylor
System Administrator
Network Operations
Eastlink
chris.tay...@corp.eastlink.ca
T: 519.773.1287

-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, February 05, 2013 11:23 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP groups and profiles

On 05/02/13 15:50, Chris Taylor wrote:
> I added this to the users file
>
> DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile
>
> But I get this error when I fire up radius -X
>
> /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
> Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of ldap2.some.dots-and.hyphens.
LDAP groups and profiles
I have RADIUS running with multiple realms and multiple LDAP back ends that stores all my user attributes. I am trying to apply different user profiles to different groups.

What I did was setup the profile in the USERS file, add the group attributes to the ldap config file, and on the user's LDAP account I added the attribute radiusGroupName with the value residential_profile, but I can't seem to get it to work correctly. It doesn't seem to query the correct backend.

I am sure that I have something wrong but I am not sure what. I looked at rlm_ldap and searched the archive list but haven't been able to find anything; any help would be appreciated.

This is what my configuration files look like;

USERS

DEFAULT Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.x.x 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No

ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"

ldap ldap1.REALM-1.ca {
        basedn = "ou=radius,o=REALM-1.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName

Output from radius -X

[files] users: Matched entry DEFAULT at line 214
[ldap2.REALM-2.ca] Entering ldap_groupcmp()
[files] expand: ou=radius,o=REALM-2.ca,dc=container,dc=ca -> ou=radius,o= REALM-2ca,dc= container,dc=ca
[files] expand: %{Stripped-User-Name} -> 112boy
[files] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true)) -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
[ldap2. REALM-2.ca] ldap_get_conn: Checking Id: 0
[ldap2. REALM-2.ca] ldap_get_conn: Got Id: 0
[ldap2. REALM-2.ca] attempting LDAP reconnection
[ldap2. REALM-2.ca] Bind was successful
[ldap2. REALM-2.ca] performing search in ou=radius,o= REALM-2.ca,dc= container,dc=ca, with filter (&(uid=112boy)(objectclass=posixAccount)(cn=true))
[ldap2. REALM-2.ca] object not found
rlm_ldap::ldap_groupcmp: search failed
[ldap2. REALM-2.ca] ldap_release_conn: Release Id: 0

Thanks,
Chris
Best way to apply default profile
This is the scenario that I have: freeradius with LDAP for authentication and authorization and SQL for accounting. I want to try and force every user to have a default profile that will allow them to only use our local SMTP server. I also have some businesses that I will need to exclude from this profile and allow them to send SMTP traffic anywhere.

What is the best way to go about this? Should I put the options in the users file and then create an entry for the select users in SQL and have it pull the separate profile from there?

These are the options and profiles that I would like to apply;

### Allow local SMTP only ###
acl_permit_local_smtp   Cisco-AVPair += "ip:inacl#100=permit tcp any 24.222.0.16 0.0.0.15 eq 25"
acl_permit_local_smtp   Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25"
acl_permit_local_smtp   Cisco-AVPair += "ip:inacl#300=permit ip any any"
acl_permit_local_smtp   Fall-Through = Yes

### Allow any SMTP ###
acl_permit_all_smtp     Cisco-AVPair += "ip:inacl#90=permit tcp any any eq 25"
acl_permit_all_smtp     Fall-Through = Yes

I am just looking for the best way to do this.

Thanks,
Chris
Setting up multiple NULL realms
I am trying to collapse multiple domains into one RADIUS server (version 2-2.1.12-4.el5_8) with an LDAP backend. I have everything that has a realm suffix working, i.e. username@domain-name: RADIUS will strip the username, query the LDAP server (each domain has its own OU) and life is good. The problem I am running into is this. Each of the domains that I am collapsing had multiple users that would just connect with username. I can set up the NULL realm but I have only been successful in getting it to work for one of my domains (domain-1.com); all others (i.e. domain-2.com, domain-3.com) will get a password reject error as it queries against that virtual server and subsequent OU. I have tried to set up multiple virtual servers in the realm NULL setup but that doesn't work. I have looked in the mailing list archives and searched the net but I have not been able to find anything related to this.

Proxy.conf setup:

realm NULL {
        virtual_server = virtual.domain-1.com
        virtual_server = virtual.domain-1.com
}

Users file setup:

DEFAULT Realm == NULL, Service-Type == Framed-User, Huntgroup-Name == bras
        Filter-Id = NoRealm,
        Fall-Through = Yes

What way should I be going about this?

Thanks,
Chris
Best way to capture RADIUS passwords
I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it, over to a RADIUS server with an LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR can't crack. I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode (radiusd -X)? Or try to use tcpdump and pick it up that way, or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it. I set up tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc), but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way?

Thanks,
Chris
Re: Re: += allowed in attrs ??
You shouldn't be using the attribute filter to add attributes, that's what the users file is there for?

Hmmm, I tried that but it didn't work, so I went over to try via attrs. Dumb question: How can I have the files directive being processed after having proxied an incoming auth request? I seem to be unable to find the answer on this -- so I'm glad for any pointers.

Aren't you looking for pre-proxy and post-proxy then?

--
Regards,
Chris Knipe
Re: rlm_sql Error
sql.conf:

# number of sql connections to make to server
num_sql_socks = 5

You prob need to up this.

On Mon, Aug 13, 2012 at 3:00 PM, Antonio Modesto mode...@isimples.com.br wrote:

Hi, Here in the ISP where I work we have a Freeradius 1.X in production, and a 2.X that we're testing to replace the old one. On both Radius servers we get the following error sometimes. What can be causing this? The SQL Database is on the same server as freeradius 1.X, but the load is low; we have about 2500 subscribers. I was thinking about increasing the number of sql connections, which is set to 4; would it make any difference?

Database server load: load averages: 1.10, 1.05, 1.03

Error: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

Thanks in advance.

--
Regards,
Chris Knipe
RedBack PPPoE Config
Could someone please share the radius reply items they are returning for the initial ATM PVC authentication from a Redback device that tells it to start up a PPPoE session on the PVC? Thanks much. I'm returning this but I'm never seeing the PPPoE authentication packet from the client router hit RADIUS.

Login OK: [rdbacks5p0.0.502] (from client 1928redback port 208496)
Sending Access-Accept of id 102 to 209.221.208.5 port 1812
        Service-Type = Framed-User
        PVC_Profile_Name = 1000-384
        Bind_Auth_Context = mycontext
        PVC_Encapsulation_Type = AAA-ENCAPS-ATM-PPPOE
        Bind_Type = AAA-AUTH-BIND

--
Chris
Re: Calling station ID
On Thu, Jul 12, 2012 at 12:29 PM, madal 30 mada...@hotmail.com wrote:

Calling-Station-Id = .031

How do I or where do I adjust this parameter so that the full IP address is logged in Calling-Station-Id? I looked at the detail file in modules/detail but could not find the parameter.

The radius server can only process what the NAS sends it. Look at the NAS and configure the NAS to send the correct/full Calling-Station-Id.

--
Regards,
Chris Knipe
Re: Freeradius dont't send VSA attribute
On Tue, Jun 5, 2012 at 1:49 PM, CHEBIHI Abdelhakim (EXT ALTEN - IGTL) ext.alten.abdelhakim.cheb...@sncf.fr wrote:

tom     Cleartext-Password := "tom123"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "readonly-users",

When I launch freeradius -X and I connect with tom from the router I see that the user logs in OK, but freeradius doesn't send the VSA attribute.

So put the VSA attributes in the reply details for user tom? Radius is returning precisely what you configured it to return.

--
Regards,
Chris Knipe
Re: freeradius service doest start
On Thu, May 17, 2012 at 1:21 PM, David Peterson dav...@wirelessconnections.net wrote:

If you installed Ubuntu with default options you likely don't have permission to access those files. Try sudo freeradius -X or sudo su before running that sort of daemon.

It's an Ubuntu thing... Try running freeradiusd -X instead of radiusd. Yes - they changed the name of the binary... Peeves me off too.

--
Regards,
Chris Knipe
setup question...
Greetings All! We have set up Radius on OS X 10.6 Server running OD for use with several devices, including a SonicWall and Ruckus WAPs. We have gotten everything working very nicely, but we would love to be able to include a small group of Windows users running on AD, so they can also use their network credentials to access the WAP etc. The main question is: is it possible for FreeRadius (the OS X 10.6 version) to authenticate against both OD and AD? And the second question is obviously... how? Thanks in advance for your time!! Please reply directly, as I am not subscribed to the list...

Chris Morris
Nashville, TN

--

Hi,

Thanks in advance for your time!! Please reply directly, as I am not subscribed to the list...

No answer then... and such answers from others should also be on this list to help others and the community.

alan

Alan, that is what CC is for. Turns out, however, that you have to be subscribed or your email will be rejected, so I am subscribed now if that is what you were worried about. So anyway, my original question is above if you're up for answering.

Thanks again,
-C
Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86
Alan, I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 s10x_u9wos_14a X86 owing to the following problem. I'm using the latest software from the 2.1.x git repository and gcc version 3.4.3. I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h file on my system, if this helps.

Thanks in advance,
Chris

gcc -m64 -O -g -I/opt/local/include -I/opt/webstack/mysql/include/mysql -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/export/home/ecl6ch/freeradius-server/src -I/export/home/ecl6ch/freeradius-server/libltdl -c rlm_detail.c -fPIC -DPIC -o .libs/rlm_detail.o
rlm_detail.c: In function `do_detail':
rlm_detail.c:276: warning: comparison between pointer and integer
rlm_detail.c:278: error: `FNM_FILE_NAME' undeclared (first use in this function)
rlm_detail.c:278: error: (Each undeclared identifier is reported only once
rlm_detail.c:278: error: for each function it appears in.)
gmake[6]: *** [rlm_detail.lo] Error 1
gmake[6]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules/rlm_detail'
gmake[5]: *** [rlm_detail] Error 2
gmake[5]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/export/home/ecl6ch/freeradius-server'
gmake: *** [all] Error 2
RE: unable to authenticate freeradius+AD
You have not configured ntlm_auth, see http://deployingradius.com/documents/configuration/active_directory.html

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Yao Konou
Sent: Tuesday, 12 April 2011 15:53
To: FreeRadius users mailing list
Subject: RE: unable to authenticate freeradius+AD

SOS - is somebody around to HELP ME

Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346 44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/

From: freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org [mailto:freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org] On Behalf Of Yao Konou
Sent: Monday, 11 April 2011 15:56
To: freeradius-users@lists.freeradius.org
Subject: unable to authenticate freeradius+AD

Hi all, I need your help to fix a problem in an AD configuration with Freeradius. My platform: Freeradius + samba + AD (Windows 2003). The problem: unable to authenticate AD users. This is the debug of the authentication of an AD user on the server.

Regards.

Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346 44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/
Riverbed console authentication, encrypted User-Password
Greetings all, I have been asked if our Riverbed console users can also be authenticated through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS, and a Radius Server can be configured, so I did. In freeRadius I added the Riverbed as client, but unfortunately it was not that easy (is it ever?).

rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
        User-Name = "username"
        User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
        NAS-Identifier = "webasd"
        NAS-Port = 8513
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only

That is not the password I entered; my conclusion is that Riverbed encrypts the password before the entire request is encrypted using the shared secret. I cannot find a way to change how Riverbed sends the request, though I am writing a ticket there as well. My question to you: can freeRadius work with encrypted passwords?

Thanks in advance,
Chris Schaatsbergen
RE: Riverbed console authentication, encrypted User-Password
Hi, Pretty weird. I set the Shared Secret again (in CLI) and had exactly the same results. So I tried setting the shared secret using the Riverbed web interface and now it works perfectly. Will write a new ticket for Riverbed support. Sorry to have bothered you, thanks for the help.

Chris Schaatsbergen

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Stefan Winter
Sent: Monday, 14 March 2011 11:12
To: freeradius-users@lists.freeradius.org
Subject: Re: Riverbed console authentication, encrypted User-Password

Hi,

I have been asked if our Riverbed console users can also be authenticated through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS, and a Radius Server can be configured, so I did. In freeRadius I added the Riverbed as client, but unfortunately it was not that easy (is it ever?).

rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
        User-Name = "username"
        User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
        NAS-Identifier = "webasd"
        NAS-Port = 8513
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only

That is not the password I entered; my conclusion is that Riverbed encrypts the password before the entire request is encrypted using the shared secret.

This looks like a typical case of shared secret mismatch. Are you *sure* that the shared secret is exactly the same on RiOS and FreeRADIUS?

I cannot find a way to change how Riverbed sends the request, though I am writing a ticket there as well. My question to you: can freeRadius work with encrypted passwords?

It can, in a multitude of ways. None of these ways is about en-/decrypting the password within the User-Password attribute though. That is very odd. My strong guess is a shared secret mismatch instead.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
RE: Free Radius Issues
Hi, I believe that I have set up the FR configs correctly for use with MySQL. I got it all working just fine when using a flat file and was able to authenticate etc. with no issues; since moving to SQL I am getting this.

rad_recv: Access-Request packet from host 10.5.5.55 port 57593, id=3, length=46
        User-Name = "chrisk"
        User-Password = "user-password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "chrisk", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
        expand: %{User-Name} -> chrisk
rlm_sql (sql): sql_set_user escaped user --> 'chrisk'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chrisk' ORDER BY id
        expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'chrisk' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User chrisk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chrisk/user-password] (from client seccom port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> chrisk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 10.5.5.55 port 57593

So it appears that it's using pap, right? The database is very minimal and I'm not sure if that's the issue. All I am needing to do is have users authenticate based on username and password; I'm not worried about anything other than that. It's for auth from a web server.

Thanks

-Original Message-
From: freeradius-users-bounces+chris.kilian=seccomglobal@lists.freeradius.org [mailto:freeradius-users-bounces+chris.kilian=seccomglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, 1 March 2011 9:03 PM
To: FreeRadius users mailing list
Subject: Re: Free Radius Issues

hi,

you haven't given the full debug... so it's pretty much guesswork here with what's going wrong.. have you added the sql to the authorize section of your server? (uncomment the entry that's commented by default) are you using EAP etc? in which case you will also need to uncomment it in the inner-tunnel server.

alan
Free Radius Issues
Hi Guys, I am new to Freeradius and have got it working with MySQL; however, I have run into an issue whereby I am seeing this for all requests:

rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chrisk/password] (from client seccom port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> chrisk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Can anyone help or let me know what other info may be required?

Thanks
RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD
OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" section is short compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/

(followed by

including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl)

This is all not in my freeradius -X logs and is in the logs of others. Now where do I enable/disable loading the modules folder?

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Schaatsbergen, Chris
Sent: Friday, 11 February 2011 19:32
To: FreeRadius users mailing list
Subject: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD

So far I have done everything there exactly as described with the same outcome.

No. If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.

This is, I believe, indeed the missing piece; the problem is I cannot find it in your web page.

It's the "exec ntlm_auth { ..." text. Add it, *and* the "ntlm_auth" entry in the "authenticate" section.

The ntlm_auth file with the "exec ntlm_auth" text has been in the module folder since I started working on this (actually I believe it was already there as it has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file
RE: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD
That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not to be recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be? The beginning part of our current radiusd.conf:

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $
##

######################################################################
#
#       Read "man radiusd" before editing this file.  See the section
#       titled DEBUGGING.  It outlines a method where you can quickly
#       obtain the configuration you want, without running into
#       trouble.
#
#       Run the server in debugging mode, and READ the output.
#
#               $ radiusd -X
#
#       We cannot emphasize this point strongly enough.  The vast
#       majority of problems can be solved by carefully reading the
#       debugging output, which includes warnings about common issues,
#       and suggestions for how they may be fixed.
#
#       There may be a lot of output, but look carefully for words like:
#       "warning", "error", "reject", or "failure".  The messages there
#       will usually be enough to guide you to a solution.
#
#       If you are going to ask a question on the mailing list, then
#       explain what you are trying to do, and include the output from
#       debugging mode (radiusd -X).  Failure to do so means that all
#       of the responses to your question will be people telling you
#       to "post the output of radiusd -X".

######################################################################
#
#       The location of other config files and logfiles are declared
#       in this file.
#
#       Also general configuration for modules can be done in this
#       file, it is exported through the API to modules that ask for
#       it.
#
#       See "man radiusd.conf" for documentation on the format of this
#       file.  Note that the individual configuration items are NOT
#       documented in that "man" page.  They are only documented here,
#       in the comments.
#
#       As of 2.0.0, FreeRADIUS supports a simple processing language
#       in the "authorize", "authenticate", "accounting", etc. sections.
#       See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 12:40
To: FreeRadius users mailing list
Subject: Re: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote:

OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" section is short compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/

...

Now where do I enable/disable loading the modules folder?

radiusd.conf?

Alan DeKok.
RE: RE: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD
I think freeradius is a great piece of software and I will certainly continue to use it. I am also very happy with the great documentation that can be found; both the wiki and Alan's website are an awesome source of very good information. The support community here is also very active, which is a great thing. But had someone with freeradius knowledge taken the time to look at the freeradius -X logs I (and David Dumortier) supplied with our questions, they would have seen the problem right away, I suppose, in both our cases. Probably there have been too many typical n00b users who asked questions after not following the (clear) documentation properly, but please understand we are not all like that. This has caused me an enormous load of stress and has cost me about 3 days (and one night's sleep), and I assume it has caused you a certain amount of stress as well, and it could have been so much more satisfying had it been checked just a little bit more. Of course, you are not responsible for every package being produced and I do not know yet how this all works as I did not install our freeradius server myself (unfortunately). But in our cases, the users were not to blame, other than for using an available and hopefully supported package. I will have a new lenny server installed with just the 2.1.10 debian backport package on it (no older versions) to see if that comes with a proper radiusd.conf file. If so then my problem is caused by an older package being installed earlier and new users will not be bothered by it. Again, I really think freeradius is a great piece of software, there is plenty of good documentation and it has an awesome support community here. So I will certainly continue to use freeradius as our authentication server. But please, if a user says he followed the instructions to the letter, give them the benefit of the doubt and see if something else is going wrong.

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 12:57
To: FreeRadius users mailing list
Subject: Re: RE: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote:

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not to be recognized as a module.

shrug. I don't run Lenny, so I can't say any more.

Where can I find a proper radiusd.conf?

Have you tried the 2.1.10 tar file on freeradius.org?

Alan DeKok.
RE: Freeradius on lenny doesn't permit mschap auth
Hi David,

In case you have not found it yet: in the lenny package somehow there is one line missing in the radiusd.conf file. In the modules section there should be:

$INCLUDE ${confdir}/modules/

I would suggest the top of the modules section. Then ntlm_auth should work.

Good luck,
Chris

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of David Dumortier
Sent: Friday, 14 January 2011 11:27
To: freeradius-users@lists.freeradius.org
Subject: Freeradius on lenny doesn't permit mschap auth

Hi all,

I had read and configured like http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I have tested ntlm_auth with success but radtest user passwd localhost 0 testing123 fails. I attach my debug output.

Thanks

--
David Dumortier
RE: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD
Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to do. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working as it points to the currently nonexistent http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf). I found the missing piece:

$INCLUDE ${confdir}/modules/

which should be in (the top of) the modules section. With that addition freeradius starts without error messages, so I can continue with Alan DeKok's (excellent) description of how to enable AD authentication.

-Original Message-
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, 14 February 2011 13:48
To: FreeRadius users mailing list
Subject: Re: RE: RE: RE: Authenticating SSH login on a Cisco IOS switch to AD

Hi,

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not to be recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

from the main source www.freeradius.org get the 2.1.10 tarball, extract it and look at what the config should be like. I wonder if lenny is requiring you to install other packages for purpose/facilities

alan
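The pieces these two threads (the "unable to authenticate freeradius+AD" reply pointing at the ntlm_auth configuration, and this one on the missing modules include) keep circling around, put together in one place as an added example that is not the page's own text: the $INCLUDE line in radiusd.conf that pulls in every file under modules/, the exec-style ntlm_auth module definition of the kind FreeRADIUS 2.1.x ships in modules/ntlm_auth, the matching entry in the authenticate section, and a users entry that forces the method for testing. The path of the Samba ntlm_auth binary and the domain name EXAMPLE are placeholders.

```conf
# radiusd.conf (excerpt): without this line the server never reads
# modules/ntlm_auth, and "Failed to link to module 'rlm_ntlm_auth'"
# follows because ntlm_auth is then an unknown name in authenticate.
modules {
        $INCLUDE ${confdir}/modules/
}

# modules/ntlm_auth: an exec module that asks winbind to verify the
# password. Binary path and domain are assumed placeholders.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-enabled/default (excerpt): expose the module as an Auth-Type
authenticate {
        ntlm_auth
}

# users: force every request through ntlm_auth while testing with
# radtest; tighten the check items once the AD path is confirmed working
DEFAULT Auth-Type := ntlm_auth
```

Start the server with radiusd -X after the change and confirm that "including configuration file .../modules/ntlm_auth" now appears in the startup output before retesting; that single debug line is the fastest way to tell the include problem apart from a winbind or domain-join problem.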
Support
A slightly different question: does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that?

I am missing a donate button on the freeradius website, and I hope/expect we do not need that much support once this server is up and running.
AW: Support
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 15:33
To: FreeRadius users mailing list
Subject: Re: Support

> Schaatsbergen, Chris wrote:
>> A slightly different question: does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that? I am missing a donate button on the freeradius website, and I hope/expect we do not need that much support once this server is up and running.
>
> Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free.
>
> I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets.

Well, I am not doing it to keep you off the streets (you should not be a freeradius prisoner), but to make sure FreeRadius continues to get developed and this active community stays active. As a former developer myself I can understand how annoying it can be if you have helped someone a great deal and then get absolutely nothing in return (quite often people even forget to thank you). I will try and convince the management to cough up.

> Alan DeKok.
AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
> Most of the howtos assume you're running a recent version of the server. Some systems have *old* versions of the server. We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere.
>
> Alan DeKok.

We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right. I hope to find out what is wrong exactly and post it here for future use.

After a short (and rather violent) discussion with our linux expert I believe originally version 2.0.4 had been installed, as that is the current stable version for lenny. But before I started working with it, it had already been upgraded to 2.1.8, and I requested the upgrade to 2.1.10 recently because of the lowercase function. All upgrades, no new installs; perhaps there lies the problem.
AW: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 16:00
To: FreeRadius users mailing list
Subject: Re: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

> Schaatsbergen, Chris wrote:
>> We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right.
>
> The radiusd.conf file isn't over-written when a new package is installed. You've customized it locally, and it *must* be left alone.

Crystal clear. So you should never upgrade the existing installation. And if you really do need a new version, then you should back up the old installation, perform a clean new installation and then redo all the configuration you had done before (and hope that it still works). Pity, but on the other hand a very good reason to keep your documentation up to date. Talking about work for the admins :p

I am glad when I have this server up and running; I just have to finish the documentation and can then 'throw it over the wall' to the system administrators ;)

There are actually other programs (Splunk, costs 12k a year) that use different config files for system config and user config. Maybe an idea for a future release of freeradius?
AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Johan Meiring
Sent: Monday, 14 February 2011 14:48
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

> On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
>> That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
>
> Looking at config below...
>
> /usr/local/etc/raddb/modules/
>
> Lenny package does NOT put stuff in /usr/local/
>
> Seems you have two versions of freeradius on your system.
>
> Cheers,

I took the other data from another 'ticket' here, which is clearly not running on lenny indeed. But the problem has been solved; thanks for your help to think of an answer though :)
AW: Authenticating SSH login on a Cisco IOS switch to AD
OK, so the current problem seems to be that I cannot get the ntlm_auth to work. I read http://freeradius.1045715.n5.nabble.com/Freeradius-with-Active-Directory-td2747221.html but that does not seem to apply to me, as the ntlm_auth file contains the exec.

Attached (if that works) is the radius -X output for the current working configuration (basic_configuration_run.txt). We are only doing mac-authentication now, and depending on the mac-address the device is placed in a certain VLAN. I unfortunately did not install the server myself, but as far as I know FR was originally installed from the Debian package 2.1.8 and we recently upgraded to 2.1.10. Until a year ago I never really worked with (free)radius, linux or cisco switches, and it still is just a small part of my daily work, so I probably make a lot of beginner mistakes.

# -*- text -*-
#
#  $Id$

#  NTLM module
#
#  To authenticate requests using AD.
#
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=ALEO.LOCAL --username=%{mschap:User-Name} --password=%{User-Password}"
}

If I add ntlm_auth to the beginning of the users file I get an error:

/etc/freeradius/users[157]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users

If I add ntlm_auth to the authenticate section of the default virtual server I get an error:

/etc/freeradius/sites-enabled/default[254]: Failed to load module ntlm_auth.
/etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.

If I add ntlm_auth to the modules section of radiusd.conf I get a 'warning':

/etc/freeradius/radiusd.conf[1840]: Failed to link to module 'rlm_ntlm_auth': file not found

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Greetings and thanks for the quick reply.

As stated in my original posting, http://deployingradius.com/documents/configuration/active_directory.html is what I have been working with from the beginning. So far I have done everything there exactly as described, with the same outcome.

> Why? Why not read the main web page that *correctly* describes how to get it to work?
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
>> If I add ntlm_auth to the authenticate section of the default virtual server I get an error
>> /etc/freeradius/sites-enabled/default[254]: Failed to load module ntlm_auth.
>> /etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.
>
> Because you didn't add the module definition as described in the web page.

This is, I believe, indeed the missing piece; the problem is I cannot find it in your web page.
AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
>> So far I have done everything there exactly as described with the same outcome.
>
> No. If you get the error Failed to link to module 'rlm_ntlm_auth':..., it means you did something *other* than what is on the web page.
>
>> This is I believe indeed the missing piece, problem is I cannot find it in your web page.
>
> It's the exec ntlm_auth { ... text. Add it, *and* the ntlm_auth entry in the authenticate section.

The ntlm_auth file with the exec ntlm_auth text has been in the module folder since I started working on this (actually I believe it was already there, as it has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file is there, and the exact contents of that file are in the repost I posted earlier today. Now if there is something wrong with that file I would love to hear it.

I tried various ways of adding ntlm_auth to the authentication section of the default virtual machine, but all with the same outcome: module not found. Unfortunately I do not see where the actual problem lies, otherwise I would not have bothered you with it. I have followed the instructions from your webpage to the letter, and when that did not work I tried some other suggestions, but they all proved without effect and are therefore removed again.

Now, if anyone is willing to actually look to see what is going wrong instead of immediately jumping to the easy conclusions, that help would be highly appreciated. I am pretty sure I made a mistake somewhere, but it has not been in following these instructions. More likely it is in the original configuration or how I changed it to fit our need (Mac authentication). The current running config works properly, but it is very well possible I disabled something that is needed for ntlm_auth.
AW: Authenticating SSH login on a Cisco IOS switch to AD
Gary,

Would you mind if I contacted you directly (I have your e-mail) about this? I have seen a very nice discussion, and reading this a second time has proven that what you describe here is exactly what we are looking for. But I would still really appreciate some help getting it to work.

Thanks,
Chris

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
To: 'FreeRadius users mailing list'
Subject: RE: Authenticating SSH login on a Cisco IOS switch to AD

> Authentication with ntlm-auth and require-membership-of works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is authorized locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well.
>
> On our dev FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...
>
> G
>
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Brett Littrell
> Sent: Wednesday, February 09, 2011 9:57 AM
> To: FreeRadius users mailing list
> Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD
>
>> Hi Chris,
>>
>> We use TACACS+ to administer our switches here, and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius, but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that you're going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible, but I do not think it will be too easy if you are only using AD as the back-end; you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants.
>>
>> Hope that helps.
>>
>> Brett Littrell
>> Network Manager MUSD
>> CISSP, CCSP, CCVP, MCNE
>>
>> On Wednesday, February 09, 2011 at 7:24 AM, in message 604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07, Schaatsbergen, Chris chris.schaatsber...@aleo-solar.de wrote:
>>
>>> Greetings all,
>>>
>>> We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured; the ntlm_auth returns an NT_STATUS_OK.
>>>
>>> First question: Would this at all be possible?
>>>
>>> And if so, my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X, I get an error that the ntlm_auth module could not be loaded, though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?
>>>
>>> Help would be highly appreciated.
>>>
>>> Chris Schaatsbergen
Authenticating SSH login on a Cisco IOS switch to AD
Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured; the ntlm_auth returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so, my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X, I get an error that the ntlm_auth module could not be loaded, though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?

Help would be highly appreciated.

Chris Schaatsbergen
AW: Authenticating SSH login on a Cisco IOS switch to AD
Greetings Gary,

Well, this does sound like what I would like to achieve. We only have 3 users to administer the Cisco switches, though all domain admins (7) could do it. We currently have one admin user account, and all domain admins know the password. To go to priv level (enable) we will continue to use one password; we only would like the SSH login to be authenticated against AD.

I am in no hurry (going home now anyway) but would love to hear your solution in a little more detail.

Chris

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
To: 'FreeRadius users mailing list'
Subject: RE: Authenticating SSH login on a Cisco IOS switch to AD

> Authentication with ntlm-auth and require-membership-of works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is authorized locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well.
>
> On our dev FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...
>
> G
[ SOLVED ] Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.
Hi Alan,

it works great, thx

Chris
Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.
Hi Alan,

thx for the response, and yes, I read the debug output and I also found the site you mentioned to get more information about the output, but, as you see in the number of my posting counts, I'm a newbie in using radius. And I didn't understand what these messages should tell me or how it can be fixed...

rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/] (from client dlink-private-network port 0 via TLS tunnel)
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x81bd288 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.

You gave me a hint, thx:

> You probably need to list sql in the inner-tunnel virtual server.
>
> In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file.

I will try and give an answer

thx
Chris
Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.
Hi Alan,

thx for the response, and yes, I read the debug output and I also found the site you mentioned to get more information about the output, but, as you see in the number of my posting counts, I'm a newbie in using radius. And I didn't understand what these messages should tell me or how it can be fixed...

rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 0 via TLS tunnel)
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x81bd288 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.

You gave me a hint, thx:

> You probably need to list sql in the inner-tunnel virtual server.
>
> In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file.

I will try and give an answer

thx
Chris
Freeradius SQL: PEAP: Tunneled authentication was rejected.
: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 0 via TLS tunnel)
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x81bd288 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.0.50 port 1037
        EAP-Message = 0x0109003b1900170301003034751d74d2db85e76a4a09990bc079aabf886c33adbae4de36aa4b998d1437564e312ceb4f3ef2e602a0ec1b74c34c8b
        Message-Authenticator = 0x
        State = 0xeff176eae7f86f7198f0e801bd7f42f1
Finished request 8.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=9, length=296
        Message-Authenticator = 0xcf9f988ac3da6a9784a700bd6e8bd235
        Service-Type = Framed-User
        User-Name = sqluser
        Framed-MTU = 1488
        State = 0xeff176eae7f86f7198f0e801bd7f42f1
        Called-Station-Id = F0-7D-68-17-D4-39:dlink
        Calling-Station-Id = 00-18-DE-E1-85-89
        NAS-Identifier = D-Link Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x0209006019001703010020b4f42681cb8004c329ba3e6eb3f20af6ab64a075776fd142c83e827add1a8e531703010030f9a9c64a35e6e5b5327b4c2e91499e1a3897f2202d67ff4db4b2e03510edaa39019a712075a32f6ef78368edcc2e3bb6
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = sqluser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 96
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 1 cli 00-18-DE-E1-85-89)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> sqluser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 192.168.0.50 port 1037
        EAP-Message = 0x04090004
        Message-Authenticator = 0x
Waking up in 3.4 seconds.
Cleaning up request 0 ID 0 with timestamp +24
Cleaning up request 1 ID 1 with timestamp +24
Waking up in 0.3 seconds.
Cleaning up request 2 ID 2 with timestamp +24
Cleaning up request 3 ID 3 with timestamp +24
Cleaning up request 4 ID 4 with timestamp +24
Waking up in 0.1 seconds.
Cleaning up request 5 ID 5 with timestamp +24
Cleaning up request 6 ID 6 with timestamp +24
Cleaning up request 7 ID 7 with timestamp +24
Cleaning up request 8 ID 8 with timestamp +24
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +24
Ready to process requests.

Tell me if you need more information

thx
Chris
tolower seems to result in unneeded reject of mac address, or I am using it wrong
Hi all,

I am not very used to working with freeradius unfortunately and I am using the Mac Auth solution http://wiki.freeradius.org/Mac-Auth as described on your website, and other than the case sensitivity it was working correctly. I was looking for a way to change the Calling station id to lowercase, or to make the comparison case insensitive, as some of our switches return mac addresses in uppercase, others in lowercase. Then I discovered a brand new function tolower had been added to the 2.1.10 version of freeradius and we were still at 2.1.8. So after an update I could run freeradius with the added function without errors. Unfortunately it seems not to work correctly. Now, if a known mac address is authorized, it is rejected:

[authorized_macs] expand: %{Calling-Station-ID} -> 00-17-42-1C-44-68
[authorized_macs] expand: %{tolower:%{Calling-Station-ID}} -> 00-17-42-1c-44-68
+[authorized_macs.authorize] returns noop

00-17-42-1c-44-68 does actually exist in the authorized_macs file. This used to return a match and ok when the calling station id was matched, case sensitive. Unfortunately I do not have permission from my superiors to utilize a MySQL database yet (which would solve all of this), so I am stuck with the files for now.

Can any of you see what I am doing wrong?

modules/files:

files authorized_macs {
	# The default key attribute to use for matches.  The content
	# of this attribute is used to match the name of the
	# entry.
	key = %{tolower:%{Calling-Station-ID}}

	usersfile = ${confdir}/authorized_macs

	# If you want to use the old Cistron 'users' file
	# with FreeRADIUS, you should change the next line
	# to 'compat = cistron'.  You can then copy your 'users'
	# file from Cistron.
	compat = no
}

sites-available/default:

post-auth {
	# output suppressed
	if (control:Auth-Type == 'CSID') {
		# Authorization happens here
		# %{Calling-Station-ID} = %{tolower:%{Calling-Station-ID}}
		# here the function does not work (like this)
		authorized_phones.authorize
		if (!ok) {
			authorized_printers.authorize
			if (!ok) {
				authorized_macs.authorize
				if (notfound) {
					# notfound construction used to overcome false rejects
					reject
				}
				else {
					update reply {
						Cisco-AVPair = tunnel-type=vlan
						Cisco-AVPair = tunnel-medium-type=802
						Cisco-AVPair = tunnel-private-group-id=4
					}
				}
			}
			else {
				update reply {
					Cisco-AVPair = tunnel-type=vlan
					Cisco-AVPair = tunnel-medium-type=802
					Cisco-AVPair = tunnel-private-group-id=1
				}
			}
		}
		else {
			update reply {
				Cisco-AVPair = device-traffic-class=voice
			}
		}
	}
}

Chris Schaatsbergen

--
aleo solar Deutschland GmbH
Chris Schaatsbergen
IT Projekte / IT Projects
Osterstr. 15, 26122 Oldenburg
T +49 441 21988-288
F +49 441 21988-150
M +49 162 2552288
chris.schaatsber...@aleo-solar.de
http://www.aleo-solar.de

Geschäftsführer/Management Board: York zu Putlitz, Dr. Jens Sabotke, Norbert Schlesiger
Sitz der Gesellschaft/Registered Office: Oldenburg (Oldb), Germany
Handelsregister/Companies' Register: Oldenburg, Germany, HRB 4947
AW: tolower seems to result in unneeded reject of mac address, or I am using it wrong
Hi again all,

Sorry, stupid me. Not

key = %{tolower:%{Calling-Station-ID}}

But

key = %{tolower:%{Calling-Station-ID}}

Now it works again properly.

Apologies,
Chris Schaatsbergen

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On behalf of Schaatsbergen, Chris
Sent: Tuesday, 21 December 2010 15:01
To: freeradius-users@lists.freeradius.org
Subject: tolower seems to result in unneeded reject of mac address, or I am using it wrong
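The normalization that the `tolower` expansion performs in the configuration above can be checked outside the server. The Python below is an added example, not code from this thread or from FreeRADIUS: it canonicalizes a Calling-Station-Id written in any of the common switch formats (dashes, colons, Cisco dotted, bare hex) to the lowercase dash-separated form the authorized_macs file uses, loads a constructed allowlist laid out like that file, and returns the same ok/notfound outcome the unlang above branches on. The allowlist contents and the `authorize` function name are assumptions made for this illustration.

```python
import re

# Constructed allowlist in the layout of a FreeRADIUS users-style file such as
# authorized_macs: the key (here a MAC) starts a line, reply items follow indented.
# Entries are deliberately mixed-case, as they would be if several admins added them.
AUTHORIZED_MACS_FILE = """\
# Lab printers and phones (constructed sample)
00-17-42-1c-44-68
\tReply-Message = "authorized"

00-1A-2B-3C-4D-5E
\tReply-Message = "authorized"
"""

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Canonical form: lowercase, dash-separated octets (the form authorized_macs uses).

    Accepts 00-17-42-1C-44-68, 00:17:42:1c:44:68, 0017.421c.4468 and 0017421C4468;
    anything that does not reduce to exactly 12 hex digits raises ValueError.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if not _TWELVE_HEX.match(digits):
        raise ValueError("not a MAC address: %r" % (value,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_authorized_macs(text):
    """Return the set of normalized keys from users-file formatted text."""
    keys = set()
    for line in text.splitlines():
        # Key lines start in column 0; indented lines are reply items; '#' is a comment.
        if line and not line[0].isspace() and not line.startswith("#"):
            keys.add(normalize_mac(line.split()[0]))
    return keys


def authorize(calling_station_id, allowlist):
    """Mirror the outcomes the unlang above branches on ('ok' or 'notfound'),
    plus 'invalid' for a Calling-Station-Id that is not a MAC address at all."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return "invalid"
    return "ok" if mac in allowlist else "notfound"


if __name__ == "__main__":
    allowed = load_authorized_macs(AUTHORIZED_MACS_FILE)
    for csid in ("00-17-42-1C-44-68", "00:1a:2b:3c:4d:5e", "0017.421c.4468",
                 "00-00-00-00-00-01", "not-a-mac"):
        print("%-20s -> %s" % (csid, authorize(csid, allowed)))
```

Normalizing both the lookup key and the file contents, rather than only one side, is what removes the dependency on how each switch happens to render the address.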
pam auth_radius and user database / session close error message
Hi,

I'm using the pam_auth_radius PAM module to authenticate against an RSA SecurID radius server. It works fine but I need to pre-create the users on the system. I was wondering if it's possible to use the LDAP directory for the valid user accounts. I'm under Linux Debian/Lenny.

I tried to define pam_ldap in /etc/pam.d/common-account:

account sufficient pam_ldap.so

and leave the common-auth use radius (also session):

auth sufficient pam_radius_auth.so debug

but it does not seem to work. I may miss something. Theoretically I think it's possible, isn't it?

Other little problem with the pam_auth_radius module: when restricting permissions on the /etc/pam_auth_radius.conf file (shared secret for RADIUS server), I get this message when closing the session:

pam_close_session: Cannot make/remove an entry for the specified session

Details:

Aug 20 14:57:09 debian su[11840]: pam_unix(su:session): session opened for user chris by root(uid=1001)
Aug 20 14:57:10 debian su[11840]: pam_radius_auth: Could not open configuration file /etc/pam_radius_auth.conf: Permission denied
Aug 20 14:57:10 debian su[11840]: pam_unix(su:session): session closed for user chris
Aug 20 14:57:10 debian su[11840]: pam_close_session: Cannot make/remove an entry for the specified session

I think it's needed to contact the radius server for accounting, but it is not a secure configuration, even if using one time passwords.

Thanks for your help,
Chris
expiration linked to both huntgroup and user
Hi,

So here's my hurdle. I have multiple groups and use hunt-groups plus expiration time on the users for authentication. Assuming I have groups 1 and 2, how is it possible to link the expiration time to a group and the user and not just for the user? The expiration time is set on a per user level (not per group), which means a given user will either have access or not have access. A user can not have access to hunt-group 1 with an expiration in 10 days as well as an access expiring in 2 hours on hunt-group B.

I only want to have one user over the whole domain, so I do not want to create multiple users and then append to the name on the incoming request and authenticate against multiple users who are in fact the same.

Is there any other way round this problem?

Many thanks,
Chris
Re: framedipaddress
What are you authenticating? Where are the radius debug logs? Chances are you are more than likely authenticating a Wireless Association to the Access Point, not a PPP type of service where IP addresses are involved. Debug your radius logs a bit and perhaps post a bit more detail.

2010/5/12 Paweł Pogorzelski ppogorzel...@gmail.com

Listen, we've already bought a complete Meru system for the eduroam project and there is no turning back. There are many great features which only Meru has. Right now I must find a solution for this system.

--
Pozdrawiam/Best regards
Paweł Pogorzelski
e-mail: ppogorzel...@gmail.com

--
Regards,
Chris Knipe
Re: freeradius + PHP script
Use the exec module?

On Thu, Apr 29, 2010 at 11:26 AM, bslee (HKBU) bs...@hkbu.edu.hk wrote:

Hi,

How can I configure freeradius to invoke a PHP script when an authentication request comes? The PHP script will access a MySQL database and then return a reply to freeradius.

Thanks

Regards,
BS

--
Regards,
Chris Knipe
Re: How to convert User-Name to lower case
On Feb 15, 2010, at 12:26 PM, Bob Brandt wrote:

I have spent the day searching the internet for a solution, but nothing. I refuse to believe I am the first human being ever to run into this problem... Please tell me someone has an idea.

Thanks
Bob

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-June/msg00335.html
Re: Allowing user from one realm but not another
On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

Your idea is best. I think I will modify, but for a work around till I get a chance to get everything turned around, I will use Alan's example. My question is this: can his example contain more than one realm to reject between the quotes?

bob Realm != foo.net, Auth-Type := Reject

That's not the realm you're rejecting, but the one you're accepting, rejecting access if the username is bob and the realm is not equal to foo.net.
Re: Re: Simultaneous-Use problem with Mikrotik NAS clients
Yes, Simultaneous-Use is a check item, not a reply.

2010/2/12 Fojtán Balázs István bal...@fojtan.hu

Hello Fajar,

mysql> select * from radgroupreply;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | HZ        | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

Shouldn't this be on radgroupcheck? My radgroupcheck table is empty. Does it cause the problem?

Regards,
fbi

--
Regards,
Chris Knipe
Re: WPA Certificate Question
On Jan 30, 2010, at 6:39 PM, Peter Lambrechtsen wrote:

On 31/01/2010, at 11:59 AM, Mike Diggins mike.digg...@mcmaster.ca wrote:

I was able to get freeradius 2.1.3 and wireless WPA working, likely due to the fact that FreeRadius was mostly configured for me (thanks ;) ). I'm a little confused about the certificate that is required in the process, and what the relationship is with the client, the Wireless Controller and the FreeRadius server. The README file states: "In general, you should use self-signed certificates for 802.1x (EAP) authentication." Why self signed versus CA signed? Ideally I would like my clients to not be questioned about the certificate at all. Is that even possible with WPA? If I purchase a CA signed cert, would that eliminate the requirement on the client to acknowledge the certificate or import it?

It would also mean that anyone could go to the same CA, get a client certificate and would be able to login to your wireless network. Not really ideal IMHO ;)

Hence why controlling your own CA, and managing the CRL or OCSP, is the only way to go if you want to properly maintain control over your wireless or 802.1x wired network. Minting certificates is pretty trivial depending on the CA software you are using, and importing a CA into every workstation is also easy using the numerous tools available. My preference is to use the rootsupd package and extract that out and update the p7b with your own CA. Then get everyone to run that, or use software distribution to get it out enterprise wide.

Except that asking users to use one certificate is hard enough. Expecting them to use one for WPA, one for email, etc. just makes things worse.

It'd be nice to filter acceptable certificates by, say, regexp on the rfc822Name. Accept certificate if:

It is signed by our chosen CA and the rfc822Name =~ /@ourdomain.com$/

StartCOM Class 2 puts the organizer's full name in the CN attribute.

That's already built into the eap filtering capabilities, if I understand things correctly.
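The acceptance rule sketched above (issued by our chosen CA, and an rfc822Name in our domain) is easy to get subtly wrong as a regular expression: an unescaped dot matches any character, and nothing anchors the local part. The Python below is an added example, not code from this thread and not FreeRADIUS' own EAP-TLS checks. It takes the issuer CN and the subjectAltName rfc822Name entries as already-extracted strings (constructed inputs standing in for what an X.509 parser returns; the CA name is an assumption) and applies the rule with an escaped, anchored pattern beside the naive one from the post.

```python
import re

# Constructed inputs standing in for what an X.509 parser would hand back:
# the issuer's CN and the rfc822Name entries from the subjectAltName extension.
OUR_CA_CN = "Example Campus Wireless CA"   # assumed name of the CA we control
OUR_DOMAIN = "ourdomain.com"               # the domain used in the thread above

# The pattern as written in the thread: unescaped dot, nothing anchoring the local part.
NAIVE_PATTERN = re.compile(r"@ourdomain.com$")


def domain_pattern(domain):
    """Anchored, escaped pattern: exactly one local part, '@', exactly this domain.

    Mail domains are case-insensitive, so compare them that way; the dot is escaped
    so '@ourdomainXcom' cannot satisfy it, and '^[^@\\s]+' rejects names with a second '@'.
    """
    return re.compile(r"^[^@\s]+@" + re.escape(domain) + r"$", re.IGNORECASE)


def accept_client_cert(issuer_cn, rfc822_names, ca_cn=OUR_CA_CN, pattern=None):
    """Return (accepted, reason).

    Only the pinned issuer and a matching rfc822Name count; the CN is ignored because,
    as noted above, public CAs put arbitrary text (the organizer's full name) there.
    """
    if pattern is None:
        pattern = domain_pattern(OUR_DOMAIN)
    if issuer_cn != ca_cn:
        return (False, "issuer is not our CA: %r" % (issuer_cn,))
    for name in rfc822_names:
        # search() is used so the naive, unanchored pattern is tested on equal terms
        if pattern.search(name):
            return (True, "rfc822Name %r matches" % (name,))
    return (False, "no rfc822Name in %s (got %r)" % (OUR_DOMAIN, rfc822_names))


if __name__ == "__main__":
    cases = [
        (OUR_CA_CN, ["alice@ourdomain.com"]),
        (OUR_CA_CN, ["Alice@OurDomain.COM"]),
        ("Some Public CA", ["alice@ourdomain.com"]),
        (OUR_CA_CN, ["eve@evil.example"]),
        (OUR_CA_CN, []),
    ]
    for issuer, names in cases:
        print(issuer, names, "->", accept_client_cert(issuer, names))
    # The one the naive pattern gets wrong: the dot matches the 'X'.
    odd = ["mallory@ourdomainXcom"]
    print("naive  :", accept_client_cert(OUR_CA_CN, odd, pattern=NAIVE_PATTERN))
    print("escaped:", accept_client_cert(OUR_CA_CN, odd))
```

Pinning the issuer first means a certificate from any other CA is refused before its names are even looked at, which is the property the reply above wants from running one's own CA.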
Pam radius client and binding to multiple IPs
Hi everyone,

I realise that this may be somewhat a limitation of the PAM Radius Plugin for OpenVPN, but I have searched around for a week now to find a solution.

The problem I am having is that I have an OpenVPN proxy hub that has 3 external IP addresses. I am using huntgroups to distinguish if a user can authenticate against an IP address and, if so, they receive an IP default GW to a front end proxy (each front end proxy is located in a separate country). The idea is that a user of a specific group can only connect to an interface that he is a group member of. The authentication uses the pam radius plugin against a backend SQL / radius server.

If I connect to int1 then the requests sent by the Radius plugin to the backend radius server have a source IP of int1. This works well and the user is authenticated and is provided a default GW to the front end proxy. However, if the user connects to INT2 the NAS request still has the source IP address of INT1 and therefore the user is rejected because he is not a member of the INT1 grouping.

Is it possible to have multiple instances of the radius plugin each binding to a different interface so that the request seen by the Radius server via the PAM plugin has the correct source address? Is it possible to get the NAS to distinguish between the interfaces?

Cheers to all in advance (,)

Cj
Seeking FreeRADIUS Consultant
Hello,

I apologize in advance to those who might consider this a form of advertising, but I've searched high and low in many other places and I'm quickly running out of time and options.

My company needs to expand its FreeRADIUS deployment in a way that will allow us to have multiple geographical locations reporting their accounting information to a single RADIUS server. I am more than willing to pay someone here by the hour to give me advice by phone.

If you're interested, please contact me off-list via email or by phone at +1 205-401-4081.

Best regards,
Chris Brunner
Re: Accounting help please
On Jun 30, 2009, at 10:43 PM, David Hobley wrote:

Chris,

When you put it like that, it does make rather a large amount of sense. Sorry about that. Login details attached.

Cheers,
David

Still don't see any accounting packets. Did you configure a RADIUS accounting server in your NAS? You usually have to set both authentication and accounting servers. RADIUS servers (including FreeRADIUS) do not generate accounting records based on authentication attempts. They act on accounting packets sent by the NAS.
Re: Accounting help please
On Jun 30, 2009, at 3:29 PM, David Hobley wrote:

Hello,

I have freeradius2 configured and authenticating properly. I would like to be able to get radwho and radlast working properly, but for some reason the files do not get created (permissions are correct in that directory). I thought I had set up accounting correctly, but obviously haven't. I have attached the output from radiusd -X; any pointers anyone could give me, I would appreciate.

The output I get from radwho and radlast is:

[r...@samba raddb]# radwho
radwho: Error reading /var/log/radius/radutmp: No such file or directory
[r...@samba raddb]# radlast
last: /var/log/radius/radwtmp: No such file or directory

Might help if you included debug output which included processing of an accounting packet. Preferably a start and a stop.
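Because the server only records what the NAS actually sends (the point made in the two replies above), the accounting detail file is the place to check whether Starts and Stops are arriving at all. The Python below is an added example, not part of this thread and not FreeRADIUS code: it parses the record layout the `detail` module writes (a timestamp header line, one indented attribute per line, a blank line between records), pairs Start and Stop records by NAS-IP-Address and Acct-Session-Id, and reports sessions that never closed and Stops with no matching Start, which is what a lost or never-sent accounting packet looks like from the server side. The sample records are constructed here, using values of the same shape as the proxy-accounting debug output elsewhere in this archive; the "ghost" session is invented to show the orphan-Stop case.

```python
import re

# Constructed sample in the layout the FreeRADIUS detail module writes: a timestamp
# header line, one indented "Attribute = value" per line, and a blank line ending each
# record. Values mirror the shape of the debug output in this archive; the "ghost"
# session is constructed to show a Stop that has no Start.
SAMPLE_DETAIL = """\
Mon Jun 15 12:00:24 2009
\tAcct-Status-Type = Start
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
\tFramed-IP-Address = 129.11.1.138
\tTimestamp = 1245063624

Mon Jun 15 12:45:10 2009
\tAcct-Status-Type = Stop
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
\tAcct-Session-Time = 2686
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 5242880
\tTimestamp = 1245066310

Mon Jun 15 13:02:51 2009
\tAcct-Status-Type = Start
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/54"
\tFramed-IP-Address = 129.11.1.139
\tTimestamp = 1245067371

Mon Jun 15 13:05:00 2009
\tAcct-Status-Type = Stop
\tUser-Name = "ghost"
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "deadbeef/00:00:00:00:00:00/1"
\tAcct-Session-Time = 30
\tTimestamp = 1245067500
"""

_ATTR = re.compile(r"^\s+([\w\-:]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Return a list of dicts, one per record; the header line is kept under '_header'.
    Quoted string values lose their quotes; everything else stays a string."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes the record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = _ATTR.match(line)
        if m is not None and current is not None:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
        elif not line[0].isspace():          # unindented line starts a new record
            current = {"_header": line.strip()}
    if current is not None:
        records.append(current)
    return records


def audit_sessions(records):
    """Pair Start and Stop by (NAS-IP-Address, Acct-Session-Id), two of the fields
    acct_unique hashes in the debug output. Anything left unpaired is what a lost or
    never-sent accounting packet looks like from the server side."""
    open_sessions, completed, orphan_stops = {}, [], []
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[key] = rec
        elif status == "Stop":
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_stops.append(rec)
            else:
                completed.append((start, rec))
        # Interim-Update and Accounting-On/Off records are ignored for this pairing.
    return {"completed": completed,
            "still_open": list(open_sessions.values()),
            "stop_without_start": orphan_stops}


def octets_per_user(completed):
    """Sum Acct-Input-Octets + Acct-Output-Octets from each Stop, keyed by User-Name."""
    totals = {}
    for _start, stop in completed:
        user = stop.get("User-Name", "?")
        octets = int(stop.get("Acct-Input-Octets", 0)) + int(stop.get("Acct-Output-Octets", 0))
        totals[user] = totals.get(user, 0) + octets
    return totals


if __name__ == "__main__":
    report = audit_sessions(parse_detail(SAMPLE_DETAIL))
    print("completed sessions:", len(report["completed"]))
    for rec in report["still_open"]:
        print("still open:", rec["User-Name"], rec["Acct-Session-Id"], "since", rec["_header"])
    for rec in report["stop_without_start"]:
        print("stop without start:", rec["User-Name"], rec["Acct-Session-Id"])
    print("octets per user:", octets_per_user(report["completed"]))
```

Run against a real detail file, a steady stream of Starts with no Stops usually means the NAS has only an authentication server configured, while Stops with no Start point at packets lost before they reached this server.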
Robust proxy accounting
Alan, Ivan,

I can confirm that the change made to the event.c file fixed the problem with the robust proxy accounting.

Many thanks for your help.

Chris
Re: Free Radius users record samples for SmartEdge router subscriber authentication.
On Jun 16, 2009, at 1:37 PM, Elias Abou Zeid wrote:

Ok, I have removed encrypted-key in the Redback router which was causing the issue about shared secrets. Now the subscriber config on Radius is as follows:

a...@radius Cleartext-Password := test
	Service-Type = Framed-User,
	Framed-Protocol = PPP

From radius debug:

rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
rlm_realm: No such realm RADIUS

I think you need to either define a DEFAULT realm or define the RADIUS realm in proxy.conf. Either:

RADIUS {
}

Or:

DEFAULT {
}
Robust proxy accounting
Alan,

This is the debug output using the latest release of 2.1.7 from http://git.freeradius.org/pre.

Thanks for your help in advance.

Chris

-----Original Message-----
From: Chris Howley [mailto:ecl...@netserv3.leeds.ac.uk]
Sent: 15 June 2009 12:07
To: Chris Howley
Subject: radius.debug4

Sending Access-Accept of id 138 to 10.12.80.109 port 32769
	User-Name = isschug
	MS-MPPE-Recv-Key = 0x7c4e32b6485bed39ef623ae3c45738d54144c1492d00df705cb1902ed60d5578
	MS-MPPE-Send-Key = 0x707c6949db85e4ebb023aaa8016fb3027bfaaf613fb82b92568ba62965235648
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3021,
	Reply-Message = Welcome isschug - student
Finished request 9.
Going to the next request
Waking up in 0.2 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=146, length=156
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a3629c8/00:13:02:8d:f3:1f/53
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 4a3629c8/00:13:02:8d:f3:1f/53,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 04fae10ff02490f4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand: /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 -> /usr/local/var/log/radius/radacct/2009-06-15/accounting-detail-12:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 expands to /usr/local/var/log/radius/radacct/2009-06-15/accounting-detail-12:00
[detail] 	expand: %{Packet-Src-IP-Address} - %t -> 10.12.80.109 - Mon Jun 15 12:00:24 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
	expand: %{Client-IP-Address} -> 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp] 	expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> isschug
++[radutmp] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
server home.example.com {
}
Sending Accounting-Request of id 159 to 129.11.162.17 port 1813
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a3629c8/00:13:02:8d:f3:1f/53
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
	Proxy-State = 0x313436
Proxying request 10 to home server 129.11.162.17 port 1813
Sending Accounting-Request of id 159 to 129.11.162.17 port 1813
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address
Robust proxy accounting
Ivan,

I doubled the value of cleanup delay in radiusd.conf. This change didn't fix the problem (see below).

Thanks for your help,

Chris

++[exec] returns noop
Sending Access-Accept of id 88 to 10.12.80.109 port 32769
	User-Name = isschug
	MS-MPPE-Recv-Key = 0x529e91a0004dce6a6ba2d81c79eeeb98aa3bc7c08880c37d95236064ef786280
	MS-MPPE-Send-Key = 0x59005da107574a481d3a7d580821be64872d65153f9767789e79a51f84880994
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3021,
	Reply-Message = Welcome isschug - student
Finished request 9.
Going to the next request
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=137, length=156
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 829905a4bf02a129.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand: /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 -> /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-11:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 expands to /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-11:00
[detail] 	expand: %{Packet-Src-IP-Address} - %t -> 10.12.80.109 - Fri Jun 12 11:51:48 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
	expand: %{Client-IP-Address} -> 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp] 	expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> isschug
++[radutmp] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
server home.example.com {
}
Sending Accounting-Request of id 167 to 129.11.162.17 port 1813
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
	Proxy-State = 0x313337
Proxying request 10 to home server 129.11.162.17 port 1813
Sending Accounting-Request of id 167 to 129.11.162.17 port 1813
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
	Proxy-State = 0x313337
Going
Robust proxy accounting
Alan,

Here's the output from FR2.1.7.

Thanks for your help in advance,

Chris

++[exec] returns noop
Sending Access-Accept of id 128 to 10.12.80.109 port 32769
	User-Name = isschug
	MS-MPPE-Recv-Key = 0x3019b4c8f9f76bb2fc4d69edbc20e98377351a661c0b412c760cd773e3b4c5f5
	MS-MPPE-Send-Key = 0x5c7923cd941d8d7bd673b823632371b01435f0590105a5c38211b89b04fdea1b
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3021,
	Reply-Message = Welcome isschug - student
Finished request 20.
Going to the next request
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Cleaning up request 11 ID 119 with timestamp +601
Cleaning up request 12 ID 120 with timestamp +601
Cleaning up request 13 ID 121 with timestamp +601
Cleaning up request 14 ID 122 with timestamp +601
Cleaning up request 15 ID 123 with timestamp +601
Cleaning up request 16 ID 124 with timestamp +601
Cleaning up request 17 ID 125 with timestamp +601
Cleaning up request 18 ID 126 with timestamp +601
Cleaning up request 19 ID 127 with timestamp +601
Cleaning up request 20 ID 128 with timestamp +601
Waking up in 0.5 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=144, length=156
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a327dde/00:13:02:8d:f3:1f/52
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 3022
	Acct-Status-Type = Start
	Calling-Station-Id = 129.11.1.138
	Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 4a327dde/00:13:02:8d:f3:1f/52,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 5b58953f85bf5074.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand: /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 -> /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-17:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 expands to /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-17:00
[detail] 	expand: %{Packet-Src-IP-Address} - %t -> 10.12.80.109 - Fri Jun 12 17:10:06 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
	expand: %{Client-IP-Address} -> 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) -> TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp] 	expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> isschug
++[radutmp] returns ok
[attr_filter.accounting_response] 	expand: %{User-Name} -> isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
server home.example.com {
}
Sending Accounting-Request of id 253 to 129.11.162.17 port 1813
	User-Name = isschug
	NAS-Port = 29
	NAS-IP-Address = 10.12.80.109
	Framed-IP-Address = 129.11.1.138
	NAS-Identifier = WM07-1
	Airespace-Wlan-Id = 1
	Acct-Session-Id = 4a327dde/00:13:02:8d:f3:1f/52
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
Robust proxy accounting
Ivan,

When both RADIUS servers are operational robust proxying works. When one of the servers is unreachable the other server (that's attempting to proxy an accounting request) will delete the detail.work file from the listener's sub-directory after failing to get a response from the other server.

Thanks for your help.

Chris

++[exec] returns noop
Sending Access-Accept of id 67 to 10.12.80.109 port 32769
        User-Name = isschrpg
        MS-MPPE-Recv-Key = 0x240dd3ada2d5904bf049fc2bd7afdfc8b1a2b589b4eb3974235cf04143f138d1
        MS-MPPE-Send-Key = 0x638979dd5d59705051793c16de1509508e39fd9722d56198d52da2286bb69879
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3021,
        Reply-Message = Welcome isschrpg - student
Finished request 9.
Going to the next request
Waking up in 0.3 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=123, length=157
        User-Name = isschrpg
        NAS-Port = 29
        NAS-IP-Address = 10.12.80.109
        Framed-IP-Address = 129.11.1.138
        NAS-Identifier = WM07-1
        Airespace-Wlan-Id = 1
        Acct-Session-Id = 4a30b4a8/00:13:02:8d:f3:1f/44
        Acct-Authentic = RADIUS
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3022
        Acct-Status-Type = Start
        Calling-Station-Id = 129.11.1.138
        Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 4a30b4a8/00:13:02:8d:f3:1f/44,User-Name = isschrpg'
[acct_unique] Acct-Unique-Session-ID = aeb3d50af9d33fb8.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschrpg, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 - /usr/local/var/log/radius/radacct/2009-06-11/accounting-detail-08:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 expands to /usr/local/var/log/radius/radacct/2009-06-11/accounting-detail-08:00
[detail]expand: %{Packet-Src-IP-Address} - %t - 10.12.80.109 - Thu Jun 11 08:39:20 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
expand: %{Client-IP-Address} - 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) - TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) - TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/var/log/radius/radutmp - /usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} - isschrpg
++[radutmp] returns ok
[sql] expand: %{Stripped-User-Name} -
[sql] expand: %{User-Name} - isschrpg
[sql] expand: %{%{User-Name}:-DEFAULT} - isschrpg
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - isschrpg
[sql] sql_set_user escaped user -- 'isschrpg'
[sql] expand: %{Acct-Delay-Time} -
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasidentifier, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, tunneltype, tunnelmedium, tunnelgroupid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-Identifier}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '-00-00 00:00:00', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', ! '%{Calling-Station-Id}
[sql] expand: /usr/local/var/log/radius/sqltrace.sql - /usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query
Robust proxy accounting
Alan,

I used the example configuration and got the same result.

Sending proxied request internally to virtual server.
server acct_detail.example.com {
+- entering group accounting {...}
[detail.example.com] Suppressing writes to detail file as the request was just read from a detail file.
++[detail.example.com] returns noop
} # server acct_detail.example.com
Going to the next request
Received proxied response from internal virtual server.
server home.example.com {
}

1) The following is in the robust-proxy-accounting file.

# (5) Define the virtual server to write the packets to the detail file
# This will be called when ALL home servers are down, because of the
# fallback configuration in the home server pool.
server acct_detail.example.com {
        accounting {
                detail.example.com
        }
}

# (6) Define a virtual server to handle pre/post-proxy re-writing
server home.example.com {
        pre-proxy {
                # Insert pre-proxy rules here
        }

        post-proxy {
                # Insert post-proxy rules here

                # This will be called when the CURRENT packet failed
                # to be proxied. This may happen when one home server
                # suddenly goes down, even though another home server
                # may be alive.
                #
                # i.e. the current request has run out of time, so it
                # cannot fail over to another (possibly) alive server.
                #
                # We want to respond to the NAS, so that it can stop
                # re-sending the packet. We write the packet to the
                # detail file, where it will be read, and sent to
                # another home server.
                #
                Post-Proxy-Type Fail {
                        detail.example.com
                }
        }

        # Read accounting packets from the detail file(s) for
        # the home server.
        #
        # Note that you can have only ONE listen section reading
        # detail files from a particular directory. That is why the
        # destination host name is used as part of the directory name
        # below. Having two listen sections reading detail files
        # from the same directory WILL cause problems. The packets
        # may be read by one, the other, or both listen sections.
        listen {
                type = detail
                filename = ${radacctdir}/detail.example.com/detail-*:*
                load_factor = 10
        }

        # All packets read from the detail file are proxied back to
        # the home servers.
        #
        # The normal pre/post-proxy rules are applied to them, too.
        #
        # If the home servers are STILL down, then the server stops
        # reading the detail file, and queues the packets for a later
        # retransmission. The Post-Proxy-Type Fail handler is NOT
        # called.
        #
        # When the home servers come back up, the packets are forwarded,
        # and the detail file processed as normal.
        accounting {
                # You may want accounting policies here...
                update control {
                        Proxy-To-Realm := acct_realm.example.com
                }
        }
}

2) I moved the following from the robust-proxy-accounting file to the proxy.conf file.

# (1) Define two home servers.
home_server home1.example.com {
        type = acct
        ipaddr = 129.11.162.17
        port = 1813
        secret = removed

        # Mark this home server alive ONLY when it starts being responsive
        status_check = status-server
        #status_check = request
        #username = test_user_status_check

        # Set the response timeout aggressively low.
        # You MAY have to increase this, depending on tests with
        # your local installation.
        response_window = 6
}

# (2) Define a virtual server to be used when both of the
# home servers are down.
home_server acct_detail.example.com {
        virtual_server = acct_detail.example.com
}

# Put all of the servers into a pool.
home_server_pool acct_pool.example.com {
        type = load-balance     # other types are OK, too.

        home_server = home1.example.com
        # add more home_server's here.

        # If all home servers are down, try a home server that
        # is a local virtual server.
        fallback = acct_detail.example.com

        # for pre/post-proxy policies
        virtual_server = home.example.com
}

# (3) Define a realm for these home servers.
# It should NOT be used as part of normal proxying decisions!
realm acct_realm.example.com {
        acct_pool = acct_pool.example.com
}

Chris Howley
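The detail listener in the configuration above replays whatever records sit in the detail files, so an operator who is worried about losing accounting data when a home server is down (the failure this thread is about) can audit those files directly. The following Python is an added example, not code from this thread or from the FreeRADIUS project. It assumes the rlm_detail on-disk layout (a ctime header line per record, tab-indented "Attribute = value" lines, a blank line after each record, string values in double quotes), parses the records, and reports sessions whose Start has no Stop or whose Stop has no Start, plus per-user octet totals from the Stop records. The sample file content is constructed: the user names, NAS address and session ids are borrowed from the debug output in this thread, while the Stop record and its counters are invented.

```python
"""Parse FreeRADIUS detail files and reconcile accounting sessions.

Added example, not part of the mailing-list thread or of FreeRADIUS.
It assumes the rlm_detail on-disk layout: a ctime header line per
record, tab-indented "Attribute = value" lines, a blank line after
each record, and double quotes around string values.
"""
import re
from collections import defaultdict

# Constructed sample. User names, NAS address and session ids mirror the
# debug output in the thread; the Stop record and its counters are invented.
SAMPLE_DETAIL = """\
Fri Jun 12 17:10:06 2009
\tUser-Name = "isschug"
\tNAS-Port = 29
\tNAS-IP-Address = 10.12.80.109
\tFramed-IP-Address = 129.11.1.138
\tAcct-Session-Id = "4a327dde/00:13:02:8d:f3:1f/52"
\tAcct-Status-Type = Start
\tTunnel-Private-Group-Id:0 = "3022"
\tTimestamp = 1244823006

Fri Jun 12 17:25:06 2009
\tUser-Name = "isschug"
\tNAS-Port = 29
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "4a327dde/00:13:02:8d:f3:1f/52"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 900
\tAcct-Input-Octets = 10240
\tAcct-Output-Octets = 204800
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1244823906

Fri Jun 12 17:30:00 2009
\tUser-Name = "isschrpg"
\tNAS-IP-Address = 10.12.80.109
\tAcct-Session-Id = "4a30b4a8/00:13:02:8d:f3:1f/44"
\tAcct-Status-Type = Start
\tTimestamp = 1244824200

"""

# Attribute names may contain a tag suffix such as Tunnel-Type:0.
_ATTR_RE = re.compile(r"^\s+([\w\-:]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Return one dict per record: {"_header": ctime, attribute: value, ...}.

    Surrounding double quotes are stripped from values; everything stays a
    string, because attribute types are not known without the dictionary.
    """
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if current is not None:
                records.append(current)
                current = None
            continue
        match = _ATTR_RE.match(line)
        if match and current is not None:         # indented attribute line
            name, value = match.group(1), match.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
        elif not line[0].isspace():               # header line starts a record
            if current is not None:
                records.append(current)
            current = {"_header": line.strip()}
    if current is not None:
        records.append(current)
    return records


def reconcile_sessions(records):
    """Group records by Acct-Session-Id and return two sorted lists:
    sessions with a Start but no Stop (still open, or whose Stop never
    reached this file) and sessions with a Stop but no Start."""
    status_by_session = defaultdict(set)
    for rec in records:
        status_by_session[rec.get("Acct-Session-Id", "")].add(rec.get("Acct-Status-Type"))
    open_sessions = sorted(s for s, st in status_by_session.items()
                           if "Start" in st and "Stop" not in st)
    orphan_stops = sorted(s for s, st in status_by_session.items()
                          if "Stop" in st and "Start" not in st)
    return open_sessions, orphan_stops


def session_octets(records):
    """Sum input/output octets over Stop records, keyed by User-Name, as a
    quick figure to compare against what the home server recorded."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        totals[rec.get("User-Name", "")][0] += int(rec.get("Acct-Input-Octets", 0))
        totals[rec.get("User-Name", "")][1] += int(rec.get("Acct-Output-Octets", 0))
    return {user: tuple(v) for user, v in totals.items()}


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    still_open, orphans = reconcile_sessions(recs)
    print(f"{len(recs)} records, open sessions: {still_open}, orphan stops: {orphans}")
    print("octets per user (Stop records):", session_octets(recs))
```

Run against a real detail file by reading it into parse_detail; a session that appears as open here but closed on the home server is one whose Stop never made it into the file, which is exactly what a lost detail.work would look like.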
Robust proxy accounting
Alan,

Thank you for your help. I've removed the configuration from the proxy.conf and I'm now using the original robust-proxy-accounting file. However, the problem persists - the detail.work file is being erased.

Chris

-----Original Message-----
From: a.l.m.bu...@lboro.ac.uk
Sent: Wed, 10 Jun 2009 10:18:04 +0100
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Robust proxy accounting

Hi,

> I used the example configuration and got the same result.
> .
> 2. I moved the following from the robust-proxy-accounting file to the proxy.conf file.

why? the robust-accounting stuff is a self-contained virtual server. by putting this into proxy.conf you have introduced (or reintroduced) a loop mechanism. I can think of no reason to have moved this configuration from the virtual server...this isn't plain config. the virtual server is a virtual instance. by putting this code into the main proxy.conf it may/will get triggered by other instances.

alan
Robust proxy accounting
Alan,

I'm hoping you can help me. We're currently testing FR2.1.6 and robust proxy accounting. We have two servers running FR2.1.6. When both servers are operational the relaying of accounting packets works. However, when one of the servers is down the other operational server fails to retain the accounting data. The software deletes the detail.work file and any other detail files stored in the listener's sub-directory.

Looking at the debug output the only thing that's different after the last time that the detail.work file is accessed is shown below. A copy of the debug output is available at: http://netgrp-pc052.leeds.ac.uk/radiusd.debug.txt

Thanks,

Chris Howley

Sending proxied request internally to virtual server.
server acct_detail.leeds.ac.uk {
+- entering group accounting {...}
[detail.leeds.ac.uk] Suppressing writes to detail file as the request was just read from a detail file.
++[detail.leeds.ac.uk] returns noop
} # server acct_detail.leeds.ac.uk
Going to the next request
Received proxied response from internal virtual server.
PEAP EAP-TLS not replying with Access-Accept message
I've been debugging this for a while and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern:

Active Directory - MS-CHAP - Freeradius - Cisco Switch - Windows XP SP3

I seem to be getting the error that is described here: http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine

I've run through and created the SSL certificates as described with the Windows OIDs and I still seem to be getting the same issues. I have the actual AD authentication set up as described here: http://deployingradius.com/documents/configuration/active_directory.html

I've turned off certificate validation on the Windows XP host and still no dice. I ran the EAP debugging as shown here: http://deployingradius.com/documents/configuration/eap-problems.html and I have posted the results here: http://www.mythdragon.com/freeradius-debug/

The output of freeradius -X when I attempt a connection is like this:

rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=76, length=150
        User-Name = chris
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-XX-XX-XX-XX-XX
        Calling-Station-Id = 00-YY-YY-YY-YY-YY
        EAP-Message = 0x0201000b01637374756474
        Message-Authenticator = 0x8ffd4ec097ed474d2acfdbd06ce668ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = GigabitEthernet1/0/10
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 76 to 10.10.10.15 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x99671c6699650575d57e32307d8902b7
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=77, length=237
        User-Name = chris
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-XX-XX-XX-XX-XX
        Calling-Station-Id = 00-YY-YY-YY-YY-YY
        EAP-Message = 0x02020050198000461603010041013d03014a16f9f81d590cd2812aba8c635f832ec313fc9cd6070f2bcdb13efd9f9c854310
        Message-Authenticator = 0x852be4c5dbca1b2f6653ddaef5525a62
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = GigabitEthernet1/0/10
        State = 0x99671c6699650575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 77 to 10.10.10.15 port 1645
        EAP-Message = 0x0103040019c0089b160301002a022603014a16f9f822ffc89286e662e0256b43e66215ad341c85a29e778755224a23e68709
        EAP-Message = 0x301e170d3039303532323138353235395a170d3130303532323138353235395a307c310b3009060355040613024652310f300d060355040e
        EAP-Message = 0x16e1a3903966209e8ab8733cc6c04e80a7b972a847ad3b172844cfe65eb4080ce9170bc842dfb0a6c747fda85e5890ba53ccf0b16757e60b
        EAP-Message = 0x4e837b84ca468c64275107fe93f5470153c858eb12e74f02ab7bd52ccf54add01488f9987b9a49a8ba1e8e2208c8ade2a727261a596bb4c4
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x
        State = 0x99671c6698640575d57e32307d8902b7
Finished request 37.
Going to the next request
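Reading the EAP-Message values in a trace like the one above tells you which stage the EAP conversation had reached when the client stopped answering. The following Python is an added example, not code from this thread or from FreeRADIUS: it decodes the EAP header, the EAP-TLS/PEAP flag byte, the optional 4-byte TLS message length and the header of the first TLS record, and it also builds such a packet so the decoder can be exercised on a complete one. The short values (the Identity response, the PEAP start request and the EAP Success) are copied from the traces in this thread; the ClientHello-carrying response is constructed, because the longer EAP-Message values as archived here are shorter than their own length field says, a condition the decoder reports through its truncated flag rather than guessing at the missing bytes.

```python
"""Decode EAP-Message attribute values as printed by radiusd -X.

Added example, not part of the mailing-list thread or of FreeRADIUS.
Covers the EAP header (RFC 3748), the EAP-TLS flag byte and optional
TLS message length (RFC 5216, also used by PEAP), and the first TLS
record header inside the payload.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
TLS_TUNNEL_TYPES = (13, 21, 25)   # EAP methods whose payload is TLS records


def decode_eap_message(value):
    """Decode one EAP-Message value ("0x..." hex string) into a dict.

    'truncated' is True when the EAP length field claims more bytes than
    were supplied, which is what a cut-off debug line produces; parsing
    then stops at whatever bytes are present.
    """
    hexstr = value[2:] if value.lower().startswith("0x") else value
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "truncated": length > len(data)}
    if code in (3, 4) or len(data) < 5:   # Success/Failure carry no Type byte
        return out
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = data[5:length].decode("ascii", "replace")
    elif eap_type in TLS_TUNNEL_TYPES and len(data) >= 6:
        flags = data[5]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        pos = 6
        if flags & 0x80 and len(data) >= 10:   # L flag: 4-byte total TLS length
            out["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
            pos = 10
        if len(data) >= pos + 5:               # TLS record header: type, version, length
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
            rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
                   "version": (vmaj, vmin), "length": rlen}
            if ctype == 22 and len(data) > pos + 5:
                rec["handshake"] = TLS_HANDSHAKE.get(data[pos + 5], data[pos + 5])
            out["tls_record"] = rec
    return out


def build_eap_tls(code, ident, eap_type, tls_payload, more=False, start=False):
    """Build an EAP-TLS/PEAP packet; sets L and the 4-byte length when a
    payload is present. Returns the "0x..." form used in the trace."""
    flags = (0x40 if more else 0) | (0x20 if start else 0)
    body = b""
    if tls_payload:
        flags |= 0x80
        body = struct.pack("!I", len(tls_payload)) + tls_payload
    length = 4 + 1 + 1 + len(body)
    return "0x" + (struct.pack("!BBHBB", code, ident, length, eap_type, flags) + body).hex()


def tls_handshake_record(handshake_type, body):
    """Wrap one handshake message in a TLS 1.0 record (content type 22)."""
    msg = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([22, 3, 1]) + struct.pack("!H", len(msg)) + msg


# Copied from the radiusd -X traces in this thread (intact, short values).
IDENTITY_RESPONSE = "0x0201000b01637374756474"
PEAP_START = "0x010200061920"
EAP_SUCCESS = "0x030b0004"
# As archived in the thread: the length field says 80 bytes, fewer are present.
TRACE_CLIENT_HELLO = ("0x02020050198000461603010041013d03014a16f9f81d590cd2812aba8c635f83"
                      "2ec313fc9cd6070f2bcdb13efd9f9c854310")
# Constructed: a PEAP response carrying a ClientHello with a 61-byte dummy
# body, matching the sizes in the trace (TLS Length 70, ClientHello 0041).
CLIENT_HELLO_RESPONSE = build_eap_tls(2, 2, 25, tls_handshake_record(1, b"\x03\x01" + b"\x00" * 59))

if __name__ == "__main__":
    for v in (IDENTITY_RESPONSE, PEAP_START, CLIENT_HELLO_RESPONSE, TRACE_CLIENT_HELLO, EAP_SUCCESS):
        print(decode_eap_message(v))
```

The PEAP start request and the Identity response are the only two packets that precede the TLS handshake, so once you see Handshake records and then ApplicationData records (the inner MS-CHAPv2 exchange) in the EAP-Message values, a stall means the client has a problem with what it received at that stage, not with the outer EAP framing.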
Re: PEAP EAP-TLS not replying with Access-Accept message
Chris Studt wrote:
> I've been debugging this for a while and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern:
>
> Active Directory - MS-CHAP - Freeradius - Cisco Switch - Windows XP SP3

And Samba. Don't forget Samba.

And it's not that the server doesn't reply with Access-Accept. It replies with a challenge, and the client never sends the next packet.

> The output of freeradius -X when I attempt a connection is like this:
...
> [mschapv2] +- entering group MS-CHAP {...}
...
> expand: --challenge=%{mschap:Challenge:-00} - --challenge=4e97ec9325450dea
> expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
> Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
> Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
> Exec-Program: returned: 0
> ++[mschap] returns ok
> MSCHAP Success
...
> Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
>         EAP-Message = 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
>         Message-Authenticator = 0x
>         State = 0x99671c669e6e0575d57e32307d8902b7
> Finished request 43.
> Going to the next request
> Waking up in 4.8 seconds.
> Cleaning up request 36 ID 76 with timestamp +422

OK. That problem is becoming more common.

> Any help you guys can give me would be very appreciated. I know this issue has been posted here before, but it seems like the results I'm getting from all the solutions I've seen aren't fixing my problem.

Please post:

1) OS you're using to run RADIUS.
2) version of Active Directory
3) version of Samba

Then, try *downgrading* samba to an earlier version. Keep going backwards until it works. Then, post the version of Samba where it starts working.

I've asked the Samba people if they know anything more about this, but have seen no response. If this is common, I'll open a bug with them, and see if it can get larger attention.

Alan DeKok.
Thanks for the help, yes I am using Samba between AD and Freeradius.

The OS I'm running on the Freeradius server is Ubuntu 8.10. I'm running an OpenSSL-patched package of Freeradius 2.1.0+dfsg-0ubuntu2. The Active Directory server is Windows Server 2003. The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.

I will begin downgrading my Samba and see if that changes anything.

Chris Studt
Re: PEAP EAP-TLS not replying with Access-Accept message
> > Please post:
> >
> > 1) OS you're using to run RADIUS.
> > 2) version of Active Directory
> > 3) version of Samba
> >
> > Then, try *downgrading* samba to an earlier version. Keep going backwards until it works. Then, post the version of Samba where it starts working.
> >
> > I've asked the Samba people if they know anything more about this, but have seen no response. If this is common, I'll open a bug with them, and see if it can get larger attention.
>
> Thanks for the help, yes I am using Samba between AD and Freeradius.
>
> The OS I'm running on the Freeradius server is Ubuntu 8.10. I'm running an OpenSSL-patched package of Freeradius 2.1.0+dfsg-0ubuntu2. The Active Directory server is Windows Server 2003. The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.
>
> I will begin downgrading my Samba and see if that changes anything.

Samba was exactly the issue. I downgraded from the ubuntu intrepid version of Samba (3.2.3-1ubuntu3.4) to the ubuntu hardy version of Samba (3.0.28a-1ubuntu4.7) and my Windows XP clients started authenticating right away.

Thanks guys, you saved me quite a bit of headache.

Chris Studt