free radius setup

2013-09-10 Thread Swenson, Chris
I understand a bit more why people were bringing up plain text passwords now.

My radius server is being presented with peap ms-chapV2 credentials and I want 
it to receive authentication from my openldap server.
It seems that the credentials in this format cannot be digested by openldap and 
acknowledged.
The passwords in my openldap are encrypted as SHA

Do I have this right?
Is there an alternative?
Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

Thanks for your attention
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: free radius setup

2013-09-10 Thread Swenson, Chris
Yes, I already saw that and this is why I am stuck.
I am using Aruba 3000 Wireless controllers running the 6.2.X.X code.
As I understand it when the laptop user selects the secure SSID they should be 
prompted for a username and password.
This username and password will be presented to radius as peap MS-CHAPV2.
Radius then needs to authenticate this against my Openldap where the passwords 
are encrypted as SHA,  thus bad end.
I could not find an encryption type in open ldap that would satisfy the chart.  

If it did work then I could take the info from radius accounting and pass it to 
our NAC control (Impulse Safe Connect) which will let 
the students onto the network after they pass some computer hygiene checks.

I have a population of 2000 college students who have little idea of what 
security really is.
And of course I am trying to do this on the typical budget provided by a 
non-profit such as my college is.

Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Tuesday, September 10, 2013 6:09 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: free radius setup

On 09/10/2013 02:15 PM, Swenson, Chris wrote:
 I understand a bit more why people were bringing up plain text passwords now.
 
  
 
 My radius server is being presented with peap ms-chapV2 credentials 
 and I want it to receive authentication from my openldap server.
 
 It seems that the credentials in this format cannot be digested by 
 openldap and acknowledged.
 
 The passwords in my openldap are encrypted as SHA
 
  
 
 Do I have this right?
 
 Is there an alternative?
 
 Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the 
 other day?

Before you go any further you need to read and understand the material on this 
page:

http://deployingradius.com/documents/protocols/compatibility.html

--
John


RE: free radius setup

2013-09-10 Thread Swenson, Chris


-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Tuesday, September 10, 2013 3:07 PM
To: FreeRadius users mailing list
Subject: Re: free radius setup


On 10 Sep 2013, at 19:15, Swenson, Chris cswen...@curry.edu wrote:

 I understand a bit more why people were bringing up plain text passwords now.
  
 My radius server is being presented with peap ms-chapV2 credentials and I 
 want it to receive authentication from my openldap server.


What happened to that web gateway?
 My vague understanding of what I was getting into led to a misstatement.



 It seems that the credentials in this format cannot be digested by openldap 
 and acknowledged.
 The passwords in my openldap are encrypted as SHA
  
 Do I have this right?
 Is there an alternative?

* Use a different EAP method, OR
* Rehash all your credentials to NT-Password format, OR
* Harvest passwords and store them in Plaintext

 Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

No. It's good but it's not magic. You need the plaintext password for 
comparison, there's no way to transform the MSCHAPv2 responses into the cleartext 
password or to a SHA1 password.
 Back to the drawing board for me. I may be back with more questions. Thanks

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team



RE: problem with initial setup

2013-09-09 Thread Swenson, Chris
Thanks for the replies:
Ok, uninstalled #1 and updated to freeradius2

radiusd started without a hitch with testing Cleartext-Password := 
password in the users file.

When I ran  radtest testing password localhost 0 testing123

Received  -bash: /usr/bin/radtest: No such file or directory

For academics sake here is the radius -X output.  (definitely not my granddads 
radius )

[root@ldap1 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 
at 10:55:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /var/run/radiusd
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy 

RE: problem with initial setup

2013-09-09 Thread Swenson, Chris
That did it, 
In version 1, radtest must have been installed with the radius package, not as a 
separate package.

I have now also successfully tested.
I wonder why in the ticket I opened with Red Hat support they did not 
suggest the upgrade.

Thanks to all.
Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
 Thanks for the replies:
 Ok, uninstalled #1 and updated to freeradius2
 
 radiusd started without a hitch with  testing Cleartext-Password := 
 password in users file.
 
 When I ran  radtest testing password localhost 0 testing123
 
 Received  -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or

read how to use the yum package manager.


-- 
John


problem with initial setup

2013-09-09 Thread Swenson, Chris
Hi all, I have not used radius in about 15 years and found a need recently.  
I have set up the rpm on a red hat 5.6 server and when I run radius -X the 
system starts fine with the expected info.

When I enter the suggested as the first line in the users file  testing 
Cleartext-Password := password
And then rerun the radius -X it bombs and does not start.
See output below. Without this running I cannot do the radtest.
Thanks for any guidance.

[root@ldap1 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
/etc/raddb/users[91]: Parse error (check) for entry testing: Unknown attribute 
Cleartext-Password
Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed. 
radiusd.conf[1837] Unknown module files.
radiusd.conf[1773] Failed to parse authorize section. 
[root@ldap1 raddb]#


RE: problem with initial setup solved

2013-09-09 Thread Swenson, Chris
I guess I need to recycle my 2002 Shell O'Reilly book.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Swenson, Chris
Sent: Monday, September 09, 2013 1:27 PM
To: FreeRadius users mailing list
Subject: RE: problem with initial setup

That did it, 
In version 1, radtest must have been installed with the radius package, not as a 
separate package.

I have now also successfully tested.
I wonder why in the ticket I opened with Red Hat support they did not 
suggest the upgrade.

Thanks to all.
Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
 Thanks for the replies:
 Ok, uninstalled #1 and updated to freeradius2
 
 radiusd started without a hitch with  testing Cleartext-Password := 
 password in users file.
 
 When I ran  radtest testing password localhost 0 testing123
 
 Received  -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or

read how to use the yum package manager.


-- 
John


RE: my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
No, they are encrypted in the ldap database in md5 hash.
I might be too old to do bleeding edge stuff like 3.0 RC1
I will take a look and a poke at it though.
Thanks.


-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Monday, September 09, 2013 6:54 PM
To: FreeRadius users mailing list
Subject: Re: my Radius goal radius and openldap.


On 9 Sep 2013, at 23:00, Swenson, Chris cswen...@curry.edu wrote:

 I already have functioning openldap with SSL. (actually a neat little 
 multi master setup.) I would like to get this radius to authenticate against 
 the openldap.

You have plaintext passwords then?

 I have dug around Google and found some useful looking pages, but I wonder if 
 anybody has any hot tips on this so I don't feel like I am completely 
 reinventing the wheel.

Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better.

For redundancy/resilience you can either just point the module at a round-robin 
FQDN, or set a comma delimited list of servers in the 'server' config item, 
libldap handles the failover.

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team



my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
I already have functioning openldap with SSL. (actually a neat little multi 
master setup.)
I would like to get this radius to authenticate against the openldap.

I have dug around Google and found some useful looking pages, but I wonder if 
anybody has any hot tips on this so I don't feel like I am completely 
reinventing the wheel.

Thanks
Chris s.

Re: my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
Yeah, but the goal is that it is passed to the server via a secure web page. 
The end goal here is getting authenticated users the right to connect to the 
secure ssid's. The Aruba wireless controllers are supposed to do that. If I am 
way over my head I have a consultant on contract. RHIP.

Sent from my Verizon Wireless 4GLTE smartphone

- Reply message -
From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: my Radius goal radius and openldap.
Date: Mon, Sep 9, 2013 7:34 pm




On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:

 No, they are encrypted in the ldap database in md5 hash.

Right, but you have the plaintext version from the user?

 I might be too old to do bleeding edge stuff like 3.0 RC1
 I will take a look and a poke at it though.

Fair enough.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
All,

I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the 
local drive - one file per authorized client.  In addition to the local 
logging, the Security group wants the Accounting logs sent to their logging 
cluster (in real-time) so they can put them in their elasticsearch database and 
respond to incidents.

My question: What is the best way to make both the Ops and Security groups 
happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to 
use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, 
causing their production FreeRADIUS servers to eventually stop responding to 
requests.

--

The options we are exploring, in order of preference:
1. Robust Accounting - the Ops team believes there is a way to have the logs 
written to two locations simultaneously - locally and remotely, and if the 
remote connection is lost it does not impact operations.  Is this possible?  
Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  A 
script would then essentially 'tail -f' the log file and stream the logs to the 
Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local 
file AND send remotely to the Security group.  The Ops group wants to avoid 
syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL.  The Security group would then 
have to figure out a way to pull the data out in near-real time and insert it 
into their own database, which they would like to avoid.



Any comments or suggestions are welcome.




Thanks,
Chris


Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran,

Thank you for taking the time to so clearly lay things out - it seems like 
rlm_replicate will do exactly what we want!

I'm going to look into using redis, as it is supported by logstash 
out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'.  
What would happen to the FreeRADIUS processes should my client be unable to 
connect back to the redis 'server' (for whatever reason) for an extended period 
of time?  Also, should I be nervous about using the redis module in production 
given the 'Experimental' redis module description in the 2.1.1 changelog?




Thanks,
Chris


P.s. My apologies for replying via the digest - you replied before I had time 
to switch off of digests.



 Date: Thu, 5 Sep 2013 19:11:35 +0100
 From: Arran Cudbard-Bell a.cudba...@freeradius.org
 To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
 Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
   Simultaneously
 Message-ID: e1c61c30-b39e-4d42-9532-1b113dbc2...@freeradius.org
 Content-Type: text/plain; charset=us-ascii
 
 
 On 5 Sep 2013, at 18:29, Chris Decker csd...@psu.edu wrote:
 
 All,
 
 I could use some help in understanding my options for the following scenario:
 In our environment, FreeRADIUS currently writes its Accounting logs to the 
 local drive - one file per authorized client.  In addition to the local 
 logging, the Security group wants the Accounting logs sent to their logging 
 cluster (in real-time) so they can put them in their elasticsearch database 
 and respond to incidents.
 
 Well you don't want the main log file from the daemon which makes it easier.  
 That can only go to one place.
 
 There are four types of modules you could use for this:
   - linelog
   - detail
   - replicate
   - the db modules (ldap, sql, redis)
 
 Linelog can log to files or syslog, you construct the format lines using 
 static text and attributes.
 Detail can only log to files, it just dumps the contents of an attribute list 
 to a file.
 Replicate fires and forgets a copy of the Accounting-Request to a remote 
 server.
 The DB modules just log to a table.
 
 You can list any combination of those modules in the accounting section of 
 the server to write to multiple destinations.
 
 It's generally sensible to log one copy of the accounting packets to disk on 
 the box it was received, most people use the detail module for this.
 
 For the other consumers, if they want off-box logging and don't want syslog, 
 forward them a copy of the packet using rlm_replicate.  This copies the 
 incoming packet to another destination.  It doesn't block, and doesn't wait 
 for a response, meaning it will be affected by packet loss.  But that 
 shouldn't be an issue on a campus network if you set the QoS priorities 
 correctly, and hey, at least no congestive failure.
 
 For consuming those packets at the other end, you can use another instance of 
 FreeRADIUS (and configure it to not respond), or radsniff can be used to 
 pick them off the wire with libpcap, and output them in something very 
 similar to detail format.
 
 I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
 released (we're currently in feature freeze, so I needed something to hack 
 on).  So if you want additional features like outputting packet 'signatures' 
 to syslog, and are willing to test the code then I'd be happy to add it in.
 
 My question: What is the best way to make both the Ops and Security groups 
 happy given the below limitations:
 - The Security group does not want to pull the logs from MySQL, as they want 
 to use logstash/elasticsearch and this would just complicate things.
 
 Yeah and who wants to manage SQL tables with millions of rows, eww.
 
 - The Ops group wants to avoid syslog because they fear syslog could block, 
 causing their production FreeRADIUS servers to eventually stop responding to 
 requests.
 
 
 Ok.
 
 The options we are exploring, in order of preference:
 1. Robust Accounting - the Ops team believes there is a way to have the 
 logs written to two locations simultaneously - locally and remotely, and if 
 the remote connection is lost it does not impact operations.  Is this 
 possible?  Does anyone have a sample config they could share?
 
 Um, that's a pretty basic feature of the server, just list multiple modules 
 in the accounting section.
 
 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  
 A script would then essentially 'tail -f' the log file and stream the logs 
 to the Security group (and would handle the hourly filename changes 
 obviously).
 
 Sure. Unlike core logging, modules will re-open the file handle each time 
 they write an entry, this is nice because you can just move the files out of 
 the way at rotate time, and not so nice, because it's slow.  Depends on load 
 as to whether this is ok.
 
 3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a 
 local file

Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran - Ignore my 'What would happen to the FreeRADIUS processes… question - I 
meant to delete that before sending my message.


On Sep 5, 2013, at 9:34 PM, Chris Decker csd...@psu.edu wrote:

 Arran,
 
 Thank you for taking the time to so clearly lay things out - it seems like 
 rlm_replicate will do exactly what we want!
 
 I'm going to look into using redis, as it is supported by logstash 
 out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed 
 delivery'.  What would happen to the FreeRADIUS processes should my client be 
 unable to connect back to the redis 'server' (for whatever reason) for an 
 extended period of time?  Also, should I be nervous about using the redis 
 module in production given the 'Experimental' redis module description in the 
 2.1.1 changelog?
 
 
 
 
 Thanks,
 Chris
 
 
 P.s. My apologies for replying via the digest - you replied before I had time 
 to switch off of digests.
 
 
 
 Date: Thu, 5 Sep 2013 19:11:35 +0100
 From: Arran Cudbard-Bell a.cudba...@freeradius.org
 To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
 Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
  Simultaneously
 Message-ID: e1c61c30-b39e-4d42-9532-1b113dbc2...@freeradius.org
 Content-Type: text/plain; charset=us-ascii
 
 
 On 5 Sep 2013, at 18:29, Chris Decker csd...@psu.edu wrote:
 
 All,
 
 I could use some help in understanding my options for the following 
 scenario:
 In our environment, FreeRADIUS currently writes its Accounting logs to the 
 local drive - one file per authorized client.  In addition to the local 
 logging, the Security group wants the Accounting logs sent to their logging 
 cluster (in real-time) so they can put them in their elasticsearch database 
 and respond to incidents.
 
 Well you don't want the main log file from the daemon which makes it easier. 
  That can only go to one place.
 
 There are four types of modules you could use for this:
  - linelog
  - detail
  - replicate
  - the db modules (ldap, sql, redis)
 
 Linelog can log to files or syslog, you construct the format lines using 
 static text and attributes.
 Detail can only log to files, it just dumps the contents of an attribute 
 list to a file.
 Replicate fires and forgets a copy of the Accounting-Request to a remote 
 server.
 The DB modules just log to a table.
 
 You can list any combination of those modules in the accounting section of 
 the server to write to multiple destinations.
 
 It's generally sensible to log one copy of the accounting packets to disk on 
 the box it was received, most people use the detail module for this.
 
 For the other consumers, if they want off-box logging and don't want syslog, 
 forward them a copy of the packet using rlm_replicate.  This copies the 
 incoming packet to another destination.  It doesn't block, and doesn't wait 
 for a response, meaning it will be affected by packet loss.  But that 
 shouldn't be an issue on a campus network if you set the QoS priorities 
 correctly, and hey, at least no congestive failure.
 
 For consuming those packets at the other end, you can use another instance 
 of FreeRADIUS (and configure it to not respond), or radsniff can be used to 
 pick them off the wire with libpcap, and output them in something very 
 similar to detail format.
 
 I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
 released (we're currently in feature freeze, so I needed something to hack 
 on).  So if you want additional features like outputting packet 'signatures' 
 to syslog, and are willing to test the code then I'd be happy to add it in.
 
 My question: What is the best way to make both the Ops and Security groups 
 happy given the below limitations:
 - The Security group does not want to pull the logs from MySQL, as they 
 want to use logstash/elasticsearch and this would just complicate things.
 
 Yeah and who wants to manage SQL tables with millions of rows, eww.
 
 - The Ops group wants to avoid syslog because they fear syslog could block, 
 causing their production FreeRADIUS servers to eventually stop responding 
 to requests.
 
 
 Ok.
 
 The options we are exploring, in order of preference:
 1. Robust Accounting - the Ops team believes there is a way to have the 
 logs written to two locations simultaneously - locally and remotely, and if 
 the remote connection is lost it does not impact operations.  Is this 
 possible?  Does anyone have a sample config they could share?
 
 Um, that's a pretty basic feature of the server, just list multiple modules 
 in the accounting section.
 
 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  
 A script would then essentially 'tail -f' the log file and stream the logs 
 to the Security group (and would handle the hourly filename changes 
 obviously).
 
 Sure. Unlike core logging, modules will re-open the file handle each time 
 they write an entry, this is nice because you can just move

Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Thank you for setting me on the right track; I have followed the directions on 
http://deployingradius.com/documents/configuration/active_directory.html (the 
bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per 
those directions.
When I run the ntlm_auth command manually, it works fine, as does running 
wbinfo -a

root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
length=113
User-Name = wyse1
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xe07a375bed09f1f7
MS-CHAP-Response = 
0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand: %{Stripped-User-Name} - 
[mschap]... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for 
details
[mschap]expand: %{User-Name:-None} - wyse1
[mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
- --username=wyse1
[mschap]  mschap1: e0
[mschap]expand: --challenge=%{mschap:Challenge:-00} - 
--challenge=e07a375bed09f1f7
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} - 
--nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc001) 
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! 
(0xc001)): [wyse1/via Auth-Type = mschap] (from client localhost port 
1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 21/08/13 23:44, Chris Parker wrote:
 Okay, pardon my confusion then. I had been following a howto online
 and it reported that the command when run manually will produce the
 key.
 
 Either way, I'm still having a failure in MSCHAP with radtest that
 I'm not quite grasping.
 
 Well, as I explained in my other email, mschap == challenge/response, 
 modules/ntlm_auth != challenge/response.
 
 To reiterate, modules/ntlm_auth is almost certainly not what you want, and 
 is not intended to be used as-is. I would unconfigure it and concentrate on 
 getting modules/mschap working.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


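To make the "mschap == challenge/response, modules/ntlm_auth != challenge/response" point concrete, here is an added Go example (not code from this thread, FreeRADIUS or Samba): it builds the NT hash (MD4 over the UTF-16LE password, hand-rolled because the Go standard library has no MD4), derives the MS-CHAPv1 NT-Response from the MS-CHAP-Challenge as RFC 2433 specifies, and verifies it the way a server that holds the NT hash does. The challenge bytes and the password K503D are the values from the debug log above; every function name is the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"math/bits"
	"unicode/utf16"
)

// RFC 1320 round functions, message-word order and rotation amounts.
var md4Rounds = []struct {
	fn    func(x, y, z uint32) uint32
	order [16]int
	shift [4]int
	add   uint32
}{
	{func(x, y, z uint32) uint32 { return (x & y) | (^x & z) },
		[16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]int{3, 7, 11, 19}, 0},
	{func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) },
		[16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]int{3, 5, 9, 13}, 0x5a827999},
	{func(x, y, z uint32) uint32 { return x ^ y ^ z },
		[16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]int{3, 9, 11, 15}, 0x6ed9eba1},
}

// MD4 is a minimal RFC 1320 implementation. Each step updates a and then rotates
// the registers, which reproduces the RFC's [A B C D], [D A B C], ... step table.
func MD4(msg []byte) [16]byte {
	m := append(append([]byte{}, msg...), 0x80)
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], uint64(len(msg))*8)
	m = append(m, lenb[:]...)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for _, r := range md4Rounds {
			for i := 0; i < 16; i++ {
				a = bits.RotateLeft32(a+r.fn(b, c, d)+x[r.order[i]]+r.add, r.shift[i%4])
				a, b, c, d = d, a, b, c
			}
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is MD4 over the UTF-16LE password: the NT-Password the mschap module wants.
// It cannot be derived from an {SHA} hash, so a SHA-only directory cannot serve MS-CHAP.
func NTHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return MD4(buf)
}

// desKey turns 7 key bytes into the 8-byte DES key: 7 bits per byte plus an odd parity bit.
func desKey(k7 []byte) []byte {
	var n uint64
	for _, v := range k7 {
		n = n<<8 | uint64(v)
	}
	k := make([]byte, 8)
	for i := range k {
		b := byte(n>>(49-7*i)) & 0x7f
		k[i] = b<<1 | byte(1-bits.OnesCount8(b)%2)
	}
	return k
}

// NTResponse is the MS-CHAPv1 NT-Response of RFC 2433: the NT hash, zero-padded to 21
// bytes, yields three 7-byte DES keys that each encrypt the 8-byte challenge. Because the
// result is bound to the challenge, a plaintext --password check (what the unfortunately
// named ntlm_auth module does) cannot validate it; only the mschap module's ntlm_auth
// item, which hands --challenge and --nt-response to winbind, can.
func NTResponse(challenge [8]byte, ntHash [16]byte) [24]byte {
	var key21 [21]byte
	copy(key21[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey(key21[7*i : 7*i+7])) // key is always 8 bytes
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// VerifyNTResponse is the server side: recompute from the stored NT hash, compare in constant time.
func VerifyNTResponse(challenge [8]byte, ntHash [16]byte, response [24]byte) bool {
	want := NTResponse(challenge, ntHash)
	return subtle.ConstantTimeCompare(want[:], response[:]) == 1
}
```

Calling NTResponse with the log's challenge (e0 7a 37 5b ed 09 f1 f7) and NTHash("K503D") gives the value the server has to compare the --nt-response against, which is exactly what a --password call with no challenge cannot do.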

Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Sorry for the individual emails, but I got things working with MSCHAP (w/ 
ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching 
and there's the potential that the freerad user did not have access to the pipe 
named: /var/run/samba/winbindd
That pipe is owned as follows:

drwxr-x---  2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can 
execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
User-Name = wyse1
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
MS-CHAP-Response = 
0x0001941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
MS-CHAP-MPPE-Keys = 
0xd22b3a1df401aa61a721c8a31ba91082
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Now, is it safe to disable modules (by commenting them out of the sites-enabled 
files) that aren't related to the MSCHAP process? This is just in passing 
curiosity.


On Aug 22, 2013, at 10:14 AM, Chris Parker cparke...@me.com wrote:

 Thank you for setting me on the right track; I have followed the directions 
 on http://deployingradius.com/documents/configuration/active_directory.html 
 (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as 
 per those directions.
 When I run the ntlm_auth command manually, it works fine, as does running 
 wbinfo -a
 
 root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
 plaintext password authentication succeeded
 challenge/response password authentication succeeded
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
 length=113
   User-Name = wyse1
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 1812
   MS-CHAP-Challenge = 0xe07a375bed09f1f7
   MS-CHAP-Response = 
 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 ++[digest] returns noop
 [suffix] No '@' in User-Name = wyse1, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 Found Auth-Type = MSCHAP
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group MS-CHAP {...}
 [mschap] Told to do MS-CHAPv1 with NT-Password
 [mschap]  expand: %{Stripped-User-Name} - 
 [mschap]  ... expanding second conditional
 [mschap] WARNING: Deprecated conditional expansion :-.  See man unlang 
 for details
 [mschap]  expand: %{User-Name:-None} - wyse1
 [mschap]  expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
 - --username=wyse1
 [mschap]  mschap1: e0
 [mschap]  expand: --challenge=%{mschap:Challenge:-00} - 
 --challenge=e07a375bed09f1f7
 [mschap]  expand: --nt-response=%{mschap:NT-Response:-00} - 
 --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
 Exec-Program output: Reading winbind reply failed! (0xc001) 
 Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] MS-CHAP-Response is incorrect.
 ++[mschap] returns reject
 Failed to authenticate the user.
 Login incorrect (mschap: External script says Reading winbind reply failed! 
 (0xc001)): [wyse1/via Auth-Type = mschap] (from client localhost port 
 1812)
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 111 to 127.0.0.1 port 60046
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 111 with timestamp +15
 Ready to process requests.
 
 On Aug 22, 2013, at 5:50 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 21/08/13 23:44, Chris Parker wrote:
 Okay, pardon my confusion then. I had been following a howto online
 and it reported that the command when run manually will produce the
 key.
 
 Either way, I'm still having a failure in MSCHAP with radtest

Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
Thank you Phil!
That resolved my first steps, and I figured there was something like that. I 
have pored over deployingfreeradius.com, but for the life of me I could not 
find anything of assistance for my set up.

I have enabled the ntlm_auth line in modules/mschap but no password is sent to 
ntlm_auth to be checked.
So the fact that it's failing makes sense, since there's no password being read 
in and thus it fails authorize. So this is just escaping me on how to get the 
password into ntlm_auth via MSCHAP.
On top of that, when my access point succeeds against the users file, I suspect 
it's doing EAP but the logs never say I have detected EAP, setting EAP

rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, 
length=113
User-Name = wyse1
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0x9e2069a2b9faf93d
MS-CHAP-Response = 
0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a) 
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc06a) 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [wyse1/via Auth-Type = mschap] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 86 to 127.0.0.1 port 60203
Waking up in 4.9 seconds.
Cleaning up request 0 ID 86 with timestamp +6
Ready to process requests.

On Aug 21, 2013, at 3:25 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 08/21/2013 05:11 AM, Chris Parker wrote:
 
 Log output:
 rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
 length=57
  User-Name = wyse1
  User-Password = K503D
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 1812
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[digest] returns noop
 [suffix] No '@' in User-Name = wyse1, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [ntlm_auth]  expand: --username=%{mschap:User-Name} - --username=wyse1
 [ntlm_auth]  expand: --password=%{User-Password} - --password=K503D
 Exec-Program output: NT_STATUS_OK: Success (0x0)
 Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
 Exec-Program: returned: 0
 ++[ntlm_auth] returns ok
 
 You're running ntlm_auth in the authorize section, and then:
 
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
 the user
 
 ...nothing in the authenticate section.
 
 You either want:
 
 authorize {
  ...
  ntlm_auth
  if (ok) {
update control {
  Auth-Type := Accept
}
  }
  ...
 }
 
 ...or:
 
 authorize {
  ...
  # don't run ntlm_auth here, and right at the bottom
  if (User-Password) {
# PAP request, tell ntlm_auth to run in authenticate
update control {
  Auth-Type = ntlm_auth
}
  }
 }
 authenticate {
  Auth-Type ntlm_auth {
ntlm_auth
  }
 }
 
 HOWEVER - you should note that the (EXTREMELY unfortunately named) 
 ntlm_auth module instance is usually not what you want for wireless. 
 Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up 
 the ntlm_auth configuration *item* of the mschap module.
 
 Read the extensive docs, wiki, and walkthrough on deployingradius.com for 
 more info.
 
 Failed to authenticate the user.
 Login incorrect: [wyse1/K503D] (from client localhost port 1812)
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT

Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
When I poke around and try to deconstruct the issue, I find that when ntlm_auth 
is run manually to retrieve the NT key, it does not do anything. It just says 
NT_STATUS_OK: Success (0x0)
If I run the --diagnostics flag this is what I get...
root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY --username=wyse1 
--diagnostics
password: 
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)

So I doubt this issue is with FR, but more that Samba is being cranky. I can 
never get ntlm_auth to give me that NT key, which I feel if I could resolve 
that, I could continue with FR.


On Aug 21, 2013, at 8:55 AM, Chris Parker cparke...@me.com wrote:

 Thank you Phil!
 That resolved my first steps, and I figured there was something like that. I 
 have pored over deployingfreeradius.com, but for the life of me I could not 
 find anything of assistance for my set up.
 
 I have enabled the ntlm_auth line in modules/mschap but no password is sent 
 to ntlm_auth to be checked.
 So the fact that it's failing makes sense, since there's no password being 
 read in and thus it fails authorize. So this is just escaping me on how to 
 get the password into ntlm_auth via MSCHAP.
 On top of that, when my access point succeeds against the users file, I 
 suspect it's doing EAP but the logs never say I have detected EAP, setting 
 EAP
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, 
 length=113
   User-Name = wyse1
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 1812
   MS-CHAP-Challenge = 0x9e2069a2b9faf93d
   MS-CHAP-Response = 
 0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 ++[digest] returns noop
 [suffix] No '@' in User-Name = wyse1, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [ntlm_auth]   expand: --username=%{mschap:User-Name} - --username=wyse1
 [ntlm_auth]   expand: --password=%{User-Password} - --password=
 Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a) 
 Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
 (0xc06a) 
 Exec-Program: returned: 1
 ++[ntlm_auth] returns reject
 Invalid user: [wyse1/via Auth-Type = mschap] (from client localhost port 
 1812)
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 86 to 127.0.0.1 port 60203
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 86 with timestamp +6
 Ready to process requests.
 
 On Aug 21, 2013, at 3:25 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 08/21/2013 05:11 AM, Chris Parker wrote:
 
 Log output:
 rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
 length=57
 User-Name = wyse1
 User-Password = K503D
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 1812
 # Executing section authorize from file 
 /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[digest] returns noop
 [suffix] No '@' in User-Name = wyse1, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [ntlm_auth] expand: --username=%{mschap:User-Name} - 
 --username=wyse1
 [ntlm_auth] expand: --password=%{User-Password} - --password=K503D
 Exec-Program output: NT_STATUS_OK: Success (0x0)
 Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
 Exec-Program: returned: 0
 ++[ntlm_auth] returns ok
 
 You're running ntlm_auth in the authorize section, and then:
 
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
 the user
 
 ...nothing in the authenticate section.
 
 You either want:
 
 authorize {
 ...
 ntlm_auth
 if (ok) {
   update control {
 Auth-Type := Accept
   }
 }
 ...
 }
 
 ...or:
 
 authorize {
 ...
 # don't run ntlm_auth here, and right

Re: ntlm_auth not respected

2013-08-21 Thread Chris Parker
Okay, pardon my confusion then. I had been following a howto online and it 
reported that the command when run manually will produce the key.

Either way, I'm still having a failure in MSCHAP with radtest that I'm not 
quite grasping.



On Aug 21, 2013, at 17:49, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 21/08/2013 19:28, Chris Parker wrote:
 
 So I doubt this issue is with FR, but more that Samba is being
 cranky. I can never get ntlm_auth to give me that NT key, which I
 feel if I could resolve that, I could continue with FR.
 
 No. NT_KEY is only generated by mschap, not by username/password auth. See my 
 other email.


ntlm_auth not respected

2013-08-20 Thread Chris Parker
It seems that I have ntlm_auth configured to talk to Samba correctly. It works 
when run from the CLI, and FR even shows a positive login, but that positive 
login never seems to be carried through to the authentication stage.
More food for thought once I tackle this, is that when I try to link all this 
together with a Netgear WAP, plain-text users in the users file works perfectly 
fine.

Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} - --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.


acctsessiontime is always zero

2013-05-09 Thread Chris
Hi Mike,

Now, I've compared the mySQL tables and started freeradius in debugging
mode.

When Coova Chilli is used, acctsessiontime is filled in the mySQL table.

When NTRadping Test Utility is used, acctstarttime and acctstoptime are
set correctly, but acctsessiontime is always zero in mySQL.

I've found a detail-log from a portmaster [1]. I didn't know that the
NAS has to send the Acct-Session-Time with the stop-request (Newbie!).
When I set Acct-Session-Time in NTRadping Test Utility it's working as
expected.

Is it true that Acct-Session-Time has to be set by the NAS, or is it
possible to calculate it from the difference between acctstarttime and
acctstoptime (and write it to mySQL)? Some counters are using
acctstarttime and acctstoptime directly and calculate the difference in
the SQL-query when checking if time is left.

Chris



[1] http://www.stat.ufl.edu/system/man/portmaster/RADIUS/guide/7account.html




RE: segfault error

2013-05-02 Thread Chris Taylor
)...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_ldap.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_ldap.so.2
Reading symbols from /usr/local/lib/rlm_exec.so...done.
Loaded symbols for /usr/local/lib/rlm_exec.so
Reading symbols from /usr/local/lib/rlm_expr.so...done.
Loaded symbols for /usr/local/lib/rlm_expr.so
Reading symbols from /usr/local/lib/rlm_expiration.so...done.
Loaded symbols for /usr/local/lib/rlm_expiration.so
Reading symbols from /usr/local/lib/rlm_logintime.so...done.
Loaded symbols for /usr/local/lib/rlm_logintime.so
Reading symbols from /usr/local/lib/rlm_pap.so...done.
Loaded symbols for /usr/local/lib/rlm_pap.so
Reading symbols from /usr/local/lib/rlm_chap.so...done.
Loaded symbols for /usr/local/lib/rlm_chap.so
Reading symbols from /usr/local/lib/rlm_preprocess.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess.so
Reading symbols from /usr/local/lib/rlm_digest.so...done.
Loaded symbols for /usr/local/lib/rlm_digest.so
Reading symbols from /usr/local/lib/rlm_realm.so...done.
Loaded symbols for /usr/local/lib/rlm_realm.so
Reading symbols from /usr/local/lib/rlm_acct_unique.so...done.
Loaded symbols for /usr/local/lib/rlm_acct_unique.so
Reading symbols from /usr/local/lib/rlm_files.so...done.
Loaded symbols for /usr/local/lib/rlm_files.so
Reading symbols from /usr/local/lib/rlm_detail.so...done.
Loaded symbols for /usr/local/lib/rlm_detail.so
Reading symbols from /usr/local/lib/rlm_unix.so...done.
Loaded symbols for /usr/local/lib/rlm_unix.so
Reading symbols from /usr/local/lib/rlm_radutmp.so...done.
Loaded symbols for /usr/local/lib/rlm_radutmp.so
Reading symbols from /usr/local/lib/rlm_attr_filter.so...done.
Loaded symbols for /usr/local/lib/rlm_attr_filter.so
Reading symbols from /usr/local/lib/rlm_ldap.so...done.
Loaded symbols for /usr/local/lib/rlm_ldap.so
Reading symbols from /usr/lib64/libldap_r-2.3.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libldap_r-2.3.so.0
Reading symbols from /usr/lib64/liblber-2.3.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/liblber-2.3.so.0
Reading symbols from /usr/lib64/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsasl2.so.2
Reading symbols from /usr/local/lib/rlm_sql.so...done.
Loaded symbols for /usr/local/lib/rlm_sql.so
Reading symbols from /usr/local/lib/rlm_sql_mysql.so...done.
Loaded symbols for /usr/local/lib/rlm_sql_mysql.so
Reading symbols from /usr/lib64/mysql/libmysqlclient_r.so.15...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/mysql/libmysqlclient_r.so.15
Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgcc_s.so.1
Reading symbols from /lib64/libnss_dns.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_dns.so.2
Reading symbols from /usr/local/lib/rlm_eap.so...done.
Loaded symbols for /usr/local/lib/rlm_eap.so
Reading symbols from /usr/local/lib/libfreeradius-eap-2.2.0.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-eap-2.2.0.so
Reading symbols from /usr/local/lib/rlm_eap_md5.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_md5.so
Reading symbols from /usr/local/lib/rlm_eap_leap.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_leap.so
Reading symbols from /usr/local/lib/rlm_eap_gtc.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_gtc.so
Reading symbols from /usr/local/lib/rlm_eap_tls.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_tls.so
Reading symbols from /usr/local/lib/rlm_eap_ttls.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_ttls.so
Reading symbols from /usr/local/lib/rlm_eap_peap.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_peap.so
Reading symbols from /usr/local/lib/rlm_eap_mschapv2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_mschapv2.so
Reading symbols from /usr/local/lib/rlm_always.so...done.
Loaded symbols for /usr/local/lib/rlm_always.so

warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff84bfd000
Core was generated by `/usr/sbin/radiusd -d /etc/raddb'.
Program terminated with signal 11, Segmentation fault.
#0  0x003c6c07b5bb in memcpy () from /lib64/libc.so.6

###
Thanks,

Chris

-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Wednesday, May 01, 2013 6:30 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

hi,

..thats

RE: segfault error

2013-05-02 Thread Chris Taylor
I think I have what you are looking for now. I have copied the whole dump from 
when I start using gdb.

Chris




[root@on-radius01 raddb]# gdb /usr/sbin/radiusd 
/tmp/core-radiusd-11-95-95-11609-1367435209
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/radiusd...done.
[New Thread 11611]
[New Thread 11614]
[New Thread 11613]
[New Thread 11612]
[New Thread 11610]
[New Thread 11609]
Reading symbols from /usr/local/lib/libfreeradius-radius-2.2.0.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-radius-2.2.0.so
Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols 
found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_ldap.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_ldap.so.2
Reading symbols from /usr/local/lib/rlm_exec-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-2.2.0.so
Reading symbols from /usr/local/lib/rlm_expr-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-2.2.0.so
Reading symbols from /usr/local/lib/rlm_expiration-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_expiration-2.2.0.so
Reading symbols from /usr/local/lib/rlm_logintime-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_logintime-2.2.0.so
Reading symbols from /usr/local/lib/rlm_pap-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_pap-2.2.0.so
Reading symbols from /usr/local/lib/rlm_chap-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_chap-2.2.0.so
Reading symbols from /usr/local/lib/rlm_preprocess-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess-2.2.0.so
Reading symbols from /usr/local/lib/rlm_digest-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_digest-2.2.0.so
Reading symbols from /usr/local/lib/rlm_realm-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_realm-2.2.0.so
Reading symbols from /usr/local/lib/rlm_acct_unique-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_acct_unique-2.2.0.so
Reading symbols from /usr/local/lib/rlm_files-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_files-2.2.0.so
Reading symbols from /usr/local/lib

RE: segfault error

2013-05-02 Thread Chris Taylor
I forgot to include my OS and kernel type.

Linux on-radius01.eastlink.ca 2.6.18-308.16.1.el5

CentOS release 5.9 (Final)


-Original Message-
From: Chris Taylor
Sent: Thursday, May 02, 2013 1:31 PM
To: 'FreeRadius users mailing list'
Subject: RE: segfault error

I think I have what you are looking for now. I have copied the whole dump from 
when I start using gdb.

Chris




[root@on-radius01 raddb]# gdb /usr/sbin/radiusd 
/tmp/core-radiusd-11-95-95-11609-1367435209
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/radiusd...done.
[New Thread 11611]
[New Thread 11614]
[New Thread 11613]
[New Thread 11612]
[New Thread 11610]
[New Thread 11609]
Reading symbols from /usr/local/lib/libfreeradius-radius-2.2.0.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-radius-2.2.0.so
Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_ldap.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_ldap.so.2
Reading symbols from /usr/local/lib/rlm_exec-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-2.2.0.so
Reading symbols from /usr/local/lib/rlm_expr-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-2.2.0.so
Reading symbols from /usr/local/lib/rlm_expiration-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_expiration-2.2.0.so
Reading symbols from /usr/local/lib/rlm_logintime-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_logintime-2.2.0.so
Reading symbols from /usr/local/lib/rlm_pap-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_pap-2.2.0.so
Reading symbols from /usr/local/lib/rlm_chap-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_chap-2.2.0.so
Reading symbols from /usr/local/lib/rlm_preprocess-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess-2.2.0.so
Reading symbols from /usr/local/lib/rlm_digest-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_digest-2.2.0.so
Reading symbols from /usr/local/lib/rlm_realm-2.2.0.so...done.
Loaded symbols for /usr/local/lib/rlm_realm-2.2.0.so

RE: segfault error

2013-05-01 Thread Chris Taylor
I did some more debugging and I always seem to get a segfault at the same 
place. Is there something I should be looking at on the LDAP backend?


[files] users: Matched entry DEFAULT at line 214
++[files] returns ok
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/virtual.amtelecom.net
+- entering group PAP {...}
[pap] login attempt with password 45270
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
Segmentation fault

++[files] returns ok
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/virtual.amtelecom.net
+- entering group PAP {...}
[pap] login attempt with password bradly
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
Segmentation fault


Thanks,

Chris

Chris Taylor
System Administrator
Network Operations
Eastlink
chris.tay...@corp.eastlink.ca  T: 519.773.1287


-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Chris Taylor
Sent: Friday, April 12, 2013 4:31 PM
To: FreeRadius users mailing list
Subject: RE: segfault error

Yeah this is the only version of freeradius on the box the other was an rpm 
version that was removed before I compiled this one.




-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Friday, April 12, 2013 3:45 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
 Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able 
 to see the same result. It crashed after a few minutes with the error below.
 
 on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
 003c6c07b5bb rsp 73d83c08 error 4

  Check that you're really running v2.2.0.  Sometimes scripts point to old 
installations.

 I turned on core dumps to see if I could get any more details out of it, but 
 I could not make it crash after that.

  Did you follow the instructions in doc/bugs?  That says how to find the bug.

 Any ideas as to what this could be I can post my -X output but all it says at 
 the bottom when it stops working is segfault.

  doc/bugs has detailed instructions for just such an occasion.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
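The -X output in this post shows rlm_pap decoding an SSHA1-Password from base64 ("Using SSHA encryption") immediately before the segfault. The thread does not establish the cause of the crash, so nothing below claims to; what it shows is the layout of an OpenLDAP-style {SSHA} value and the checks a PAP verifier has to make before it can compare anything. This is an added example and not FreeRADIUS or rlm_pap code; the password and salt are constructed values.

```python
"""Verifying OpenLDAP-style {SSHA} password values, as a PAP check does.

Added example (not FreeRADIUS or rlm_pap code). {SSHA} is base64 over
sha1(password + salt) followed by the salt itself, so the decoded blob must
be at least 20 bytes before the digest and salt can be split apart.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20          # length of a SHA-1 digest; everything after it is salt
SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way an LDAP server stores it."""
    if salt is None:
        salt = os.urandom(4)   # OpenLDAP commonly uses a 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Strip the scheme, base64-decode, and split into (digest, salt).

    Raises ValueError on malformed input instead of slicing past the end of
    a too-short buffer: fewer than 20 decoded bytes means there is no
    complete digest to compare against.
    """
    if stored.startswith(SCHEME):
        stored = stored[len(SCHEME):]
    # validate=True makes non-base64 characters an error rather than
    # silently skipped; binascii.Error is a ValueError subclass
    raw = base64.b64decode(stored, validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError(
            f"decoded SSHA value is {len(raw)} bytes, need at least {SHA1_LEN}")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """True if password matches the stored {SSHA} value."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def check_outcome(password: str, stored: str) -> str:
    """Classify a PAP check as 'accept', 'reject' or 'malformed'.

    The third outcome is the one an authentication module must turn into a
    reject (or a logged error) rather than undefined behaviour.
    """
    try:
        return "accept" if verify_ssha(password, stored) else "reject"
    except ValueError:
        return "malformed"


if __name__ == "__main__":
    # constructed sample: fixed salt so the output is reproducible
    stored = make_ssha("s3cret", salt=b"\x01\x02\x03\x04")
    print(stored)
    for pw, value in [("s3cret", stored), ("wrong", stored),
                      ("s3cret", "{SSHA}AAAA"), ("s3cret", "{SSHA}not base64!")]:
        print(f"{pw!r} vs {value!r}: {check_outcome(pw, value)}")
```

`verify_ssha` accepts the value with or without the `{SSHA}` prefix, since a server that has already split the scheme off (the log's "SSHA1-Password" attribute) hands over only the base64 part. The two malformed cases, a blob that decodes to three bytes and a string that is not base64 at all, are exactly the inputs a verifier must reject cleanly; a stored value like that can come from a broken migration script or a hand-edited LDIF.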


RE: segfault error

2013-05-01 Thread Chris Taylor
I have tried a few times but I can't get a core dump. After radius dies I run 
gdb /usr/sbin/radiusd /tmp/core_dump/test.dump but I get the following output.


#
[root@on-radius01 core_dump]# gdb /usr/sbin/radiusd /tmp/core_dump/test.dump
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/radiusd...done.
/tmp/core_dump/test.dump is not a core dump: File format not recognized
#

I have ulimit set to unlimited.

[root@on-radius01 core_dump]# ulimit -a
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited

What am I doing wrong on this?

Thanks,

Chris


-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Wednesday, May 01, 2013 12:14 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
 I did some more debugging and I always seem to get a segfault at the same 
 place. Is there something I should be looking at on the LDAP backend?

  See doc/bugs

  That should help.

  Alan DeKok.


RE: segfault error

2013-05-01 Thread Chris Taylor
Thanks John, I am actually using the compiled version rather than the RPM 
package. I was finally able to get a core dump (a few actually); this was the 
output.

It was the same failure every time.

Thanks,

Chris

[root@on-radius01 tmp]# gdb /usr/sbin/radiusd 
/tmp/core-radiusd-11-95-95-11382-1367432610
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/radiusd...done.
[New Thread 11387]
[New Thread 11386]
[New Thread 11385]
[New Thread 11384]
[New Thread 11383]
[New Thread 11382]
Reading symbols from /usr/local/lib/libfreeradius-radius-2.2.0.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-radius-2.2.0.so
Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols 
found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_ldap.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib64/libnss_ldap.so.2
Reading symbols from /usr/local/lib/rlm_exec.so...done.
Loaded symbols for /usr/local/lib/rlm_exec.so
Reading symbols from /usr/local/lib/rlm_expr.so...done.
Loaded symbols for /usr/local/lib/rlm_expr.so
Reading symbols from /usr/local/lib/rlm_expiration.so...done.
Loaded symbols for /usr/local/lib/rlm_expiration.so
Reading symbols from /usr/local/lib/rlm_logintime.so...done.
Loaded symbols for /usr/local/lib/rlm_logintime.so
Reading symbols from /usr/local/lib/rlm_pap.so...done.
Loaded symbols for /usr/local/lib/rlm_pap.so
Reading symbols from /usr/local/lib/rlm_chap.so...done.
Loaded symbols for /usr/local/lib/rlm_chap.so
Reading symbols from /usr/local/lib/rlm_preprocess.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess.so
Reading symbols from /usr/local/lib/rlm_digest.so...done.
Loaded symbols for /usr/local/lib/rlm_digest.so
Reading symbols from /usr/local/lib/rlm_realm.so...done.
Loaded symbols for /usr/local/lib/rlm_realm.so
Reading symbols from /usr/local/lib/rlm_acct_unique.so...done.
Loaded symbols for /usr/local/lib/rlm_acct_unique.so
Reading symbols from /usr/local/lib/rlm_files.so...done.
Loaded symbols for /usr/local/lib/rlm_files.so
Reading symbols from /usr/local/lib/rlm_detail.so...done.
Loaded symbols

RE: segfault error

2013-04-12 Thread Chris Taylor
Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able to 
see the same result. It crashed after a few minutes with the error below.

on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
003c6c07b5bb rsp 73d83c08 error 4

I turned on core dumps to see if I could get any more details out of it, but I 
could not make it crash after that.

Any ideas as to what this could be I can post my -X output but all it says at 
the bottom when it stops working is segfault.

Thanks,

Chris

-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Wednesday, April 10, 2013 9:45 AM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
 I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 
 (Final). I was doing some testing on some new RADIUS servers that we 
 want to put into production and I got the following error.

  Well... upgrade to 2.2.0.  There's no reason for us to debug issues in old 
versions.  Those have already been debugged and fixed.

  Alan DeKok.


RE: segfault error

2013-04-12 Thread Chris Taylor
Yeah this is the only version of freeradius on the box the other was an rpm 
version that was removed before I compiled this one.




-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Friday, April 12, 2013 3:45 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
 Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able 
 to see the same result. It crashed after a few minutes with the error below.
 
 on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
 003c6c07b5bb rsp 73d83c08 error 4

  Check that you're really running v2.2.0.  Sometimes scripts point to old 
installations.

 I turned on core dumps to see if I could get any more details out of it, but 
 I could not make it crash after that.

  Did you follow the instructions in doc/bugs?  That says how to find the bug.

 Any ideas as to what this could be I can post my -X output but all it says at 
 the bottom when it stops working is segfault.

  doc/bugs has detailed instructions for just such an occasion.

  Alan DeKok.


segfault error

2013-04-10 Thread Chris Taylor
I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 (Final). I 
was doing some testing on some new RADIUS servers that we want to put into 
production and I got the following error.

/var/log/messages
Apr  9 17:33:45 on-radius01 kernel: radiusd[8831]: segfault at 2aae660ae000 
rip 2aae5b6215eb rsp 2aae660ab7c8 error 4

What should I be looking for the RADIUS logs didn't turn up anything as it 
wasn't in debug mode.

Thanks,

Chris



compile with ldap support

2013-04-10 Thread Chris Taylor
What options do I have to use to compile freeradius with ldap support 
turned on? I tried ./configure -with-ldap but that didn't seem to work; I still 
get an error about not being able to find rlm_ldap. I checked the mail archives 
but I couldn't find anything.

Thanks,

Chris


RE: compile with ldap support

2013-04-10 Thread Chris Taylor
How do I check that I have them installed? I have the openldap rpm installed. I 
am trying to go from an rpm build to a source build to fix a problem.

Chris


-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Arran Cudbard-Bell
Sent: Wednesday, April 10, 2013 10:07 PM
To: FreeRadius users mailing list
Subject: Re: compile with ldap support



On 10 Apr 2013, at 21:12, Chris Taylor chris.tay...@corp.eastlink.ca wrote:

 What options do I have to use to compile freeradius with ldap support 
 turned on? I tried ./configure -with-ldap but that didn't seem to work; I 
 still get an error about not being able to find rlm_ldap. I checked the mail 
 archives but I couldn't find anything.

It'll build it by default if you have the libldap headers installed. Check the 
output of configure to verify it's actually building rlm_ldap.

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team

Please contribute documentation:
http://wiki.freeradius.org

Fruity Oaty Bars, make a man out of a mouse. Fruity Oaty Bars, make you bust 
out of your blouse



Re: radius.log on DB

2013-03-25 Thread Chris Knipe
Perl  File::Tail works very well for things like this...



On Mon, Mar 25, 2013 at 12:45 PM, AemNet sysadmin-aem...@aemnet.it wrote:

 On 25/03/2013 11:05, Olivier Beytrison wrote:


 This is not possible directly from freeradius.

 What you can do, is tell FreeRadius to log to your syslog daemon (like
 syslog-ng) and then tell syslog-ng to write the log within an INSERT
 statement for your database. Then you can send this to your database.

 Those two links might help you :
 http://wiki.freeradius.org/guide/Syslog-HOWTO
 http://vermeer.org/docs/1

 But this is beyond the scope of the freeradius list

 Olivier


 Thank you for the answer and for the links Olivier, but I prefer not to use
 the syslog system if it's possible.
 Do you think it's possible instead to use a script (perl/bash or anything
 else) after the request arrives and put it in a DB?





-- 

Regards,
Chris Knipe

rlm_ldap group search filter

2013-02-27 Thread Chris Taylor
I have profiles set up for all our users but I am having some trouble with 
setting the groupmembership_filter correctly. It will query LDAP 
successfully but only after it does a failed search first.

I have tried using numerous filters including the default one but I can't seem 
to separate the username by itself, which is causing the initial search failure. 
I read through the rlm_ldap doc a few times but I didn't see anything that I 
thought would help.


Here is the output from radius -X

This is the part where it uses the search filter and fails.


[files] users: Matched entry DEFAULT at line 214
  [domain1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=domain.on.ca,dc=placeholder,dc=ca -> 
ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
[files] expand: 
(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn})) -> 
(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca))
  [domain1] ldap_get_conn: Checking Id: 0
  [domain1] ldap_get_conn: Got Id: 0
  [domain1] performing search in ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, 
with filter 
(&(cn=residential_profile)(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca)))
  [domain1] object not found

It starts a second search and succeeds.

  [domain1] ldap_release_conn: Release Id: 0
  [domain1] ldap_get_conn: Checking Id: 0
  [domain1] ldap_get_conn: Got Id: 0
  [domain1] performing search in 
uid=112boy,ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, with filter 
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
  [domain1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok


My users file looks like this.

ldap domain1 {
	server = ldap01.placeholder.ca
	identity = username xxx
	password = 
	basedn = ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
	filter = (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))
	groupname_attribute = cn
	groupmembership_attribute = radiusGroupName
	groupmembership_filter = (&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))
	#do_xlat = yes
	#compare_check_items = yes
	#access_attr_used_for_allow = yes
	ldap_connections_number = 5


My users file

DEFAULT Service-Type == Framed-User, Huntgroup-Name == bras, domain1-Ldap-Group == residential_profile
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.0.16 0.0.0.15 eq 25",
	Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
	Cisco-AVPair += "ip:inacl#300=permit ip any any",
	Fall-Through = No

Any help is appreciated.
Thanks,

Chris


RE: LDAP groups and profiles

2013-02-07 Thread Chris Taylor


 I added this to the users file

 DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

 But I get this error when I fire up radius -X


 /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: 
 expecting operator Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of 
ldap2.some.dots-and.hyphens.


Phil I gave that a try but ended up with the same result.

Chris

I was able to get this working by adding that ldap instance to the instantiate 
section of radius.conf. I can do a query successfully from LDAP now and pull 
the group info, but during the query I am seeing first a failed query then a 
successful query how could I go about fixing this? I believe it's the 
groupmembership_filter settings but I left them to the default values which 
seems to be the consensus on the mailing list.


 radius -X output  #

  [REALM1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=realm1.ca,dc=company,dc=ca -> 
ou=radius,o=realm1.ca,dc=company,dc=ca
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 -> 
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [REALM1] ldap_get_conn: Checking Id: 0
  [REALM1] ldap_get_conn: Got Id: 0
  [REALM1] performing search in ou=radius,o=realm1.ca,dc=company,dc=ca, with 
filter 
(&(cn=residential_profile)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
  [REALM1] object not found
  [REALM1] ldap_release_conn: Release Id: 0
  [REALM1] ldap_get_conn: Checking Id: 0
  [REALM1] ldap_get_conn: Got Id: 0
  [REALM1] performing search in 
uid=112boy,ou=radius,o=realm1.ca,dc=company,dc=ca, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
  [REALM1] ldap_release_conn: Release Id: 0

###

### Group section of LDAP module  #

groupname_attribute = cn
groupmembership_filter = 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
groupmembership_attribute = radiusGroupName

#

# LDAP entry for an account I am querying against ##
dn: uid=112boy,ou=radius,o=realm1.ca,dc=company,dc=ca
uid: 112boy
userPassword: 
objectClass:top
objectClass: posixAccount
objectClass: radiusProfile
uidNumber: 1100
gidNumber:1100
radiusSimultaneousUse: 099
radiusAuthType: PAP
homeDirectory: //
radiusGroupName: residential_profile
cn: TRUE

###

I do get a successful query I would just like to figure out how to get it to 
resolve on the first attempt.

Thanks,

Chris


-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: Tuesday, February 05, 2013 11:23 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP groups and profiles

On 05/02/13 15:50, Chris Taylor wrote:

 I added this to the users file

 DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

 But I get this error when I fire up radius -X


 /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: 
 expecting operator Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of 
ldap2.some.dots-and.hyphens.
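Both this thread and the "rlm_ldap group search filter" post above turn on how rlm_ldap builds the group search: the attribute reference in groupmembership_filter is expanded, the expanded value is hex-escaped (which is why the DN appears as uid\3d112boy\2cou\3dradius... in the -X output), and (cn=<group>) is AND-ed onto the front before the search in basedn. When the reference does not resolve, as %{Ldap-UserDn} did not here, the value expands to nothing and the search can only fail, which is the (member=) seen in the log. The following is an added example, not FreeRADIUS code: the set of escaped characters is my assumption chosen to reproduce the log (RFC 4515 itself only requires \ * ( ) and NUL), the template expander handles plain %{list:Attr} references and not the %{%{A}:-%{B}} default syntax, and all DNs and names are taken from the thread.

```python
"""Building rlm_ldap-style search filters from xlat templates.

Added example (not FreeRADIUS code). Reproduces what the -X output shows:
expand the attribute reference, hex-escape the expanded value, and AND the
group name onto the membership filter. ESCAPED_CHARS is an assumption that
matches the debug output, not a copy of the rlm_ldap source.
"""
import re
from typing import Dict

# RFC 4515 requires escaping \ * ( ) and NUL inside an assertion value.
# The DN separators = , + " < > ; are added so that a DN inserted as a
# value comes out exactly as the debug output shows it ('.' and '-' stay).
ESCAPED_CHARS = set('\\*()' + ',+"<>;=' + '\x00')

# simple %{Attr} or %{list:Attr} reference; no nested/default syntax
XLAT_REF = re.compile(r"%\{([A-Za-z0-9:_-]+)\}")


def escape_filter_value(value: str) -> str:
    """Hex-escape a value for use inside an LDAP search filter."""
    return "".join(
        f"\\{ord(ch):02x}" if ch in ESCAPED_CHARS else ch for ch in value)


def expand_filter(template: str, attrs: Dict[str, str]) -> str:
    """Expand %{...} references from attrs, escaping each expanded value.

    A reference that is not present expands to the empty string, which is
    how an unset Ldap-UserDn turns (member=%{Ldap-UserDn}) into (member=).
    """
    def repl(match: "re.Match[str]") -> str:
        return escape_filter_value(attrs.get(match.group(1), ""))
    return XLAT_REF.sub(repl, template)


def group_search_filter(group: str, membership_template: str,
                        attrs: Dict[str, str]) -> str:
    """The filter the group check runs in basedn: (&(cn=<group>)<membership>)."""
    return (f"(&(cn={escape_filter_value(group)})"
            f"{expand_filter(membership_template, attrs)})")


if __name__ == "__main__":
    # values from the thread; the DN is what Ldap-UserDn holds after the
    # user's own entry has been found
    user_dn = "uid=112boy,ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
    template = "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"

    print(group_search_filter("residential_profile", template,
                              {"control:Ldap-UserDn": user_dn}))
    # the earlier thread's case: the reference does not resolve
    print(expand_filter("(member=%{Ldap-UserDn})", {}))
```

The filter this builds searches for a group object whose member attribute holds the user's DN; the entries in the thread carry the group name on the user entry itself (radiusGroupName), which is why the first search in basedn finds nothing and only the second search, (objectclass=*) against the user's DN followed by a read of groupmembership_attribute, succeeds. The escaping matters beyond cosmetics: a value that contains * ( ) or \ is inserted as data rather than as filter syntax, so a username cannot alter the structure of the query.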


RE: LDAP groups and profiles

2013-02-05 Thread Chris Taylor
  
 
 I have RADIUS running with multiple realms and multiple LDAP back ends 
 that stores all my user attributes. I am trying to apply different 
 user profiles to different groups. What I did was setup the profile in 
 the USERS file, add the group attributes to the ldap config file, and 
 on the user’s LDAP account I added the attribute radiusGroupName with 
 the value “residential_profile”,  but I can’t seem to get it to work 
 correctly.

  The debug output is pretty clear.  It does an LDAP search, and the object 
isn't found.

  Make sure that (a) the object is in LDAP, and (b) you've configured 
FreeRADIUS to do the right LDAP search.

 It
 doesn’t seem to query the correct backend.

  For backend-specific queries, prefix the LDAP-Group with the backend name:

 ldap ldap2.REALM-2.ca { 
 basedn = ou=radius,o=REALM-2.ca,dc=container,dc=ca

  To query this backend, use ldap2.REALM-2.ca-LDAP-Group == ...

  Alan DeKok.


Alan I tried the setup that you suggested but it just threw an error at me.

I added this to the users file

DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

But I get this error when I fire up radius -X


/etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
Errors reading /etc/raddb/users


Thanks,

Chris
-Original Message-
From: 
freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Monday, February 04, 2013 3:51 PM
To: FreeRadius users mailing list
Subject: Re: LDAP groups and profiles

Chris Taylor wrote:
  
 
 I have RADIUS running with multiple realms and multiple LDAP back ends 
 that stores all my user attributes. I am trying to apply different 
 user profiles to different groups. What I did was setup the profile in 
 the USERS file, add the group attributes to the ldap config file, and 
 on the user’s LDAP account I added the attribute radiusGroupName with 
 the value “residential_profile”,  but I can’t seem to get it to work 
 correctly.

  The debug output is pretty clear.  It does an LDAP search, and the object 
isn't found.

  Make sure that (a) the object is in LDAP, and (b) you've configured 
FreeRADIUS to do the right LDAP search.

 It
 doesn’t seem to query the correct backend.

  For backend-specific queries, prefix the LDAP-Group with the backend name:

 ldap ldap2.REALM-2.ca { 
 basedn = ou=radius,o=REALM-2.ca,dc=container,dc=ca

  To query this backend, use ldap2.REALM-2.ca-LDAP-Group == ...

  Alan DeKok.

RE: LDAP groups and profiles

2013-02-05 Thread Chris Taylor
 I added this to the users file

 DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

 But I get this error when I fire up radius -X


 /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: 
 expecting operator Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of 
ldap2.some.dots-and.hyphens.


Phil I gave that a try but ended up with the same result.

Chris


Chris Taylor
System Administrator
Network Operations
Eastlink
chris.tay...@corp.eastlink.ca  T: 519.773.1287


-Original Message-
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, February 05, 2013 11:23 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP groups and profiles

On 05/02/13 15:50, Chris Taylor wrote:

 I added this to the users file

 DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

 But I get this error when I fire up radius -X


 /etc/raddb/users[222]: Parse error (check) for entry DEFAULT: 
 expecting operator Errors reading /etc/raddb/users

Wild guess, but you might try a simpler module name e.g. ldap2 instead of 
ldap2.some.dots-and.hyphens.


LDAP groups and profiles

2013-02-04 Thread Chris Taylor

I have RADIUS running with multiple realms and multiple LDAP back ends that 
store all my user attributes. I am trying to apply different user profiles to 
different groups. What I did was set up the profile in the USERS file, add the 
group attributes to the ldap config file, and on the user's LDAP account I 
added the attribute radiusGroupName with the value residential_profile, but 
I can't seem to get it to work correctly. It doesn't seem to query the correct 
backend. I am sure that I have something wrong, but I am not sure what. I looked 
at rlm_ldap and searched the list archive but haven't been able to find 
anything; any help would be appreciated.

This is what my configuration files look like;

USERS

DEFAULT Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.x.x 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No


ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"

ldap ldap1.REALM-1.ca {
        basedn = "ou=radius,o=REALM-1.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName



Output from radius -X

[files] users: Matched entry DEFAULT at line 214
  [ldap2.REALM-2.ca] Entering ldap_groupcmp()
[files] expand: ou=radius,o=REALM-2.ca,dc=container,dc=ca -> ou=radius,o= REALM-2ca,dc= container,dc=ca
[files] expand: %{Stripped-User-Name} -> 112boy
[files] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true)) -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2. REALM-2.ca] ldap_get_conn: Checking Id: 0
  [ldap2. REALM-2.ca] ldap_get_conn: Got Id: 0
  [ldap2. REALM-2.ca] attempting LDAP reconnection
  [ldap2. REALM-2.ca] Bind was successful
  [ldap2. REALM-2.ca] performing search in ou=radius,o= REALM-2.ca,dc= container,dc=ca, with filter (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2. REALM-2.ca] object not found
rlm_ldap::ldap_groupcmp: search failed
  [ldap2. REALM-2.ca] ldap_release_conn: Release Id: 0


Thanks,

Chris


Best way to apply default profile

2013-01-30 Thread Chris Taylor
This is the scenario that I have freeradius with LDAP for authentication and 
authorization and SQL for accounting. I want to try and force every user to 
have a default profile that will allow them to only use our local SMTP server. 
I also have some businesses that I will need to exclude from this profile and 
allow to them send SMTP traffic anywhere.

What is the best way to go about this? Should I put the options in the users 
file and then create an entry for the select users in SQL and have it pull the 
separate profile from there?

These are the options and profiles that I would like to apply;

### Allow local SMTP only ###
acl_permit_local_smtp   Cisco-AVPair  +=  "ip:inacl#100=permit tcp any 24.222.0.16 0.0.0.15 eq 25"
acl_permit_local_smtp   Cisco-AVPair  +=  "ip:inacl#200=deny tcp any any eq 25"
acl_permit_local_smtp   Cisco-AVPair  +=  "ip:inacl#300=permit ip any any"
acl_permit_local_smtp   Fall-Through   =  Yes


### Allow any SMTP ###
acl_permit_all_smtp     Cisco-AVPair  +=  "ip:inacl#90=permit tcp any any eq 25"
acl_permit_all_smtp     Fall-Through   =  Yes

I am just looking for the best way to do this.

Thanks,

Chris


Setting up multiple NULL realms

2012-12-10 Thread Chris Taylor
I am trying to collapse multiple domains into one RADIUS server (version 
2-2.1.12-4.el5_8) with an LDAP backend.

I have everything that has a realm suffix working, i.e. username@domain-name: 
RADIUS will strip the username, query the LDAP server (each domain has its own 
OU) and life is good.

The problem I am running into is this. Each of the domains that I am collapsing 
had multiple users that would just connect with username. I can set up the 
NULL realm, but I have only been successful in getting it to work for one of my 
domains (domain-1.com); all others (i.e. domain-2.com, domain-3.com) will get a 
password reject error as it queries against that virtual server and subsequent 
OU. I have tried to set up multiple virtual servers in the realm NULL setup, but 
that doesn't work. I have looked in the mailing list archives and searched the 
net but I have not been able to find anything related to this.


Proxy.conf setup

realm NULL {
virtual_server  = virtual.domain-1.com
virtual_server  = virtual.domain-1.com
}

Users file setup

DEFAULT Realm == NULL, Service-Type == Framed-User, Huntgroup-Name == bras
Filter-Id = NoRealm,
Fall-Through = Yes

What way should I be going about this?
Thanks,

Chris



Best way to capture RADIUS passwords

2012-11-09 Thread Chris Taylor
I am migrating from one RADIUS setup that checks against a flat file with 
usernames and passwords inside it over to a RADIUS server with an LDAP 
backend. I have used JTR to crack most of the passwords but I still have some 
left over that JTR can't crack.

I was thinking of trying to run a packet capture to get the remaining usernames 
and passwords. What would be the best way to do this? Run RADIUS in debug mode 
Radius -X? Or try to use tcpdump and pick it up that way or is it even possible 
to do? I have been trolling the internet for a few days and have not come up 
with a good way to do it.

I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w 
rad-capture.lpc) , but when I check it out with wireshark I am unable to see 
the password (just the username). Am I going about this the wrong way?

Thanks,

Chris



Re: Re: += allowed in attrs ??

2012-08-23 Thread Chris Knipe
 You shouldn't be using the attribute filter to add attributes, that's what
 the
 users file is there for?

 Hmmm I tried that but it didn't work so I went over to try via attrs

 Dumb question: How can I have the files directive being processed after
 having proxied an incoming auth request?
 I seem to be unable to find the answer on this -- so I'm glad for any
 pointers.

Aren't you looking for pre-proxy and post-proxy then ?

-- 

Regards,
Chris Knipe


Re: rlm_sql Error

2012-08-13 Thread Chris Knipe
sql.conf:
# number of sql connections to make to server
num_sql_socks = 5

You prob need to up this.


On Mon, Aug 13, 2012 at 3:00 PM, Antonio Modesto
mode...@isimples.com.br wrote:

 Hi,


 Here in the ISP where I work we have a Freeradius 1.X in production, and a
 2.X that we're testing to replace the old one. On both RADIUS servers we get the
 following error sometimes. What can be causing this? The SQL database is on
 the same server as freeradius 1.X, but the load is low; we have about 2500
 subscribers. I was thinking about increasing the number of SQL connections,
 which is set to 4; would it make any difference?

 Database server load:
 load averages:  1.10,  1.05,  1.03


 Error: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
 connect 0


 Thanks in advance.




-- 

Regards,
Chris Knipe


RedBack PPPoE Config

2012-08-02 Thread Chris L
Could someone please share the radius reply items they are returning for the 
initial ATM PVC authentication from a Redback device that tells it to start up 
a PPPoE session on the PVC?

Thanks much.

I'm returning this but I'm never seeing the PPPoE authentication packet from 
the client router hit RADIUS.

Login OK: [rdbacks5p0.0.502] (from client 1928redback port 208496)
Sending Access-Accept of id 102 to 209.221.208.5 port 1812
Service-Type = Framed-User
PVC_Profile_Name = 1000-384
Bind_Auth_Context = mycontext
PVC_Encapsulation_Type = AAA-ENCAPS-ATM-PPPOE
Bind_Type = AAA-AUTH-BIND

--
Chris


Re: Calling station ID

2012-07-12 Thread Chris Knipe
On Thu, Jul 12, 2012 at 12:29 PM, madal 30 mada...@hotmail.com wrote:

 Calling-Station-Id = .031

 How do I or where do I adjust this parameter so that the full IP address is
 logged in Calling-Station-Id? I looked at the detail file in modules/detail
 but could not find the parameter

The radius server can only process on what the NAS sends it.  Look at
the NAS and configure the NAS to send the correct/full
Calling-Station-Id.


-- 

Regards,
Chris Knipe


Re: Freeradius doesn't send VSA attribute

2012-06-05 Thread Chris Knipe
On Tue, Jun 5, 2012 at 1:49 PM, CHEBIHI Abdelhakim (EXT ALTEN - IGTL)
ext.alten.abdelhakim.cheb...@sncf.fr wrote:

 tom Cleartext-Password := tom123
 Service-Type = Login-User,
 Juniper-Local-User-Name := readonly-users,

 when I launch freeradius -X, and I connect with tom from the router I see
 that the user logs OK, but freeradius doesn't send the VSA attribute:

So put the VSA attributes in the reply details for user tom?  Radius
is returning precisely what you configured it to return.


-- 

Regards,
Chris Knipe


Re: freeradius service doesn't start

2012-05-17 Thread Chris Knipe
On Thu, May 17, 2012 at 1:21 PM, David Peterson
dav...@wirelessconnections.net wrote:
 If you installed Ubuntu with default options you likely don't have
 permission to access those files.   Try sudo freeradius -X or sudo su before
 running that sort of daemon.

It's an ubuntu thing...

Try running freeradiusd -X instead of radiusd.

Yes - they changed the name of the binary... Peeves me off too.

-- 

Regards,
Chris Knipe


setup question...

2012-04-27 Thread Chris Morris
 Greetings All!
 
 We have set up Radius on OS X 10.6 Server running OD  for use with several 
 devices, including a Sonic Wall, and Ruckus WAPs. We have gotten everything 
 working very nicely, but we would love to be able to include a small group of 
 Windows users running on AD, so they can also use their network Credentials 
 to access the WAP etc. 
 
 The main question is - Is it possible for FreeRadius (the OS X 10.6 version) 
 to authenticate against both OD and AD? 
 And the second question is obviously... how?
 
 Thanks in advance for your time!! Please reply directly, as I am not 
 subscribed to the list...
 
 Chris Morris
 Nashville, TN
 
 
 --
 
 Hi,
 
 Thanks in advance for your time!! Please reply directly, as I am not 
 subscribed to the list...
 
 no answer then...and such answers from others should also be on this list to 
 help
 others and the community.
 
 alan

Alan, that is what CC is for. Turns out, however, that you have to be subscribed 
or your email will be rejected, so I am subscribed now, if that is what you were 
worried about.  So anyway, my original question is above if you're up for 
answering. 

Thanks again,

-C


setup question...

2012-04-26 Thread Chris Morris
Greetings All!

We have set up Radius on OS X 10.6 Server running OD  for use with several 
devices, including a Sonic Wall, and Ruckus WAPs. We have gotten everything 
working very nicely, but we would love to be able to include a small group of 
Windows users running on AD, so they can also use their network Credentials to 
access the WAP etc. 

The main question is - Is it possible for FreeRadius (the OS X 10.6 version) to 
authenticate against both OD and AD? 
And the second question is obviously... how?

Thanks in advance for your time!! Please reply directly, as I am not subscribed 
to the list...

Chris Morris
Nashville, TN


Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86

2011-05-16 Thread Chris Howley
Alan,

I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 
s10x_u9wos_14a X86 owing to the following
problem. I'm using the latest software from the 2.1.x git repository and gcc 
version 3.4.3.

I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h 
file on my system if this helps.

Thanks in advance,

Chris



gcc -m64 -O -g -I/opt/local/include -I/opt/webstack/mysql/include/mysql -Wall 
-D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -g -Wshadow 
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W 
-Wredundant-decls -Wundef -I/export/home/ecl6ch/freeradius-server/src 
-I/export/home/ecl6ch/freeradius-server/libltdl -c rlm_detail.c  -fPIC -DPIC -o 
.libs/rlm_detail.o
rlm_detail.c: In function `do_detail':
rlm_detail.c:276: warning: comparison between pointer and integer
rlm_detail.c:278: error: `FNM_FILE_NAME' undeclared (first use in this function)
rlm_detail.c:278: error: (Each undeclared identifier is reported only once
rlm_detail.c:278: error: for each function it appears in.)
gmake[6]: *** [rlm_detail.lo] Error 1
gmake[6]: Leaving directory 
`/export/home/ecl6ch/freeradius-server/src/modules/rlm_detail'
gmake[5]: *** [rlm_detail] Error 2
gmake[5]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/export/home/ecl6ch/freeradius-server'
gmake: *** [all] Error 2



Re: unable to authenticate freeradius+AD

2011-04-12 Thread Schaatsbergen, Chris
You have not configured ntlm_auth, see 
http://deployingradius.com/documents/configuration/active_directory.html

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Yao Konou
Sent: Tuesday, 12 April 2011 15:53
To: FreeRadius users mailing list
Subject: RE: unable to authenticate freeradius+AD

  SOS - is somebody around to HELP ME


Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/


From: freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org [mailto:freeradius-users-bounces+ykonou=amr-services@lists.freeradius.org] On Behalf Of Yao Konou
Sent: Monday, 11 April 2011 15:56
To: freeradius-users@lists.freeradius.org
Subject: unable to authenticate freeradius+AD

Hi all,

I need your help to fix a problem in an AD configuration with Freeradius.
My platform: Freeradius + samba + AD (windows 2003).
The problem: unable to authenticate AD users.
This is the debug output of the authentication of an AD user on the server

Regards.


Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr/



Riverbed console authentication, encrypted User-Password

2011-03-14 Thread Schaatsbergen, Chris
Greetings all,

I have been asked if our Riverbed console users can also be authenticated 
through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and a 
Radius Server can be configured so I did. In freeRadius I added the Riverbed as 
client but unfortunately it was not that easy (is it ever?).

rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
User-Name = username
User-Password = /\227\334\377\374\302\343\204\345\001'O\227
NAS-Identifier = webasd
NAS-Port = 8513
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only

That is not the password I entered, my conclusion is that Riverbed encrypts the 
password before the entire request is encrypted using the shared secret.

I cannot find a way to change how Riverbed sends the request, though I am 
writing a ticket there as well. My question to you, can freeRadius work with 
encrypted passwords?

Thanks in advance,

Chris Schaatsbergen



Re: Riverbed console authentication, encrypted User-Password

2011-03-14 Thread Schaatsbergen, Chris
Hi,

Pretty weird. I set the Shared Secret again (in CLI) and had exactly the same 
results. So I tried setting the shared secret using the Riverbed web interface 
and now it works perfectly. Will write a new ticket for Riverbed support.

Sorry to have bothered you, thanks for the help.

Chris Schaatsbergen

 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Stefan Winter
 Sent: Monday, 14 March 2011 11:12
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Riverbed console authentication, encrypted User-Password
 
 Hi,
 
  I have been asked if our Riverbed console users can also be
 authenticated through freeRadius. Riverbed has RiOS running, which is
 almost Cisco IOS and a Radius Server can be configured so I did. In
 freeRadius I added the Riverbed as client but unfortunately it was not
 that easy (is it ever?).
 
  rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37,
 length=71
  User-Name = username
  User-Password = /\227\334\377\374\302\343\204\345\001'O\227
  NAS-Identifier = webasd
  NAS-Port = 8513
  NAS-Port-Type = Virtual
  Service-Type = Authenticate-Only
 
  That is not the password I entered, my conclusion is that Riverbed
 encrypts the password before the entire request is encrypted using the
 shared secret.
 
 This looks like a typical case of shared secret mismatch. Are you
 *sure* that the shared secret is exactly the same on RiOS and
 FreeRADIUS?
 
  I cannot find a way to change how Riverbed sends the request, though
 I am writing a ticket there as well. My question to you, can freeRadius
 work with encrypted passwords?
 
 It can, in a multitude of ways. None of these ways is about en-/decrypting
 the password within the User-Password attribute though.
 That is very odd. My strong guess is a shared secret mismatch instead.
 
 Greetings,
 
 Stefan Winter
 
 --
 Stefan WINTER
 Ingenieur de Recherche
 Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
 de la Recherche 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 
 Tel: +352 424409 1
 Fax: +352 422473
 


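
Both the 2012-11-09 thread above ("Best way to capture RADIUS passwords") and this Riverbed thread come down to the same mechanism, RFC 2865 section 5.2: a NAS never sends User-Password in the clear, it XORs the NUL-padded password with MD5(shared secret + Request Authenticator), chaining each further block on the previous ciphertext block. That is why tcpdump plus Wireshark show only the username unless Wireshark is given the shared secret, and why a NAS configured with a different secret than the server produces exactly the binary soup in the Riverbed debug output: the server undoes the XOR with its own secret and gets noise. The Python below is an added example, not code from any poster or from FreeRADIUS; the username, password, secret and NAS address in it are constructed sample values. It builds an Access-Request the way a NAS does, parses it back the way a sniffer would, and recovers the password with the right secret and junk with a wrong one.

```python
#!/usr/bin/env python3
"""Recover User-Password from a captured RADIUS Access-Request (RFC 2865 s5.2).

The attribute is hidden, not strongly encrypted: 16-byte blocks of the
NUL-padded password are XORed with MD5(secret + Request-Authenticator), then
MD5(secret + previous ciphertext block), and so on. Anyone holding the
shared secret and the packet can reverse it; anyone else sees only noise.
"""
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + chain value), as RFC 2865 describes.

    The chain value starts as the Request Authenticator and then becomes the
    previous *ciphertext* block: the one just produced when hiding, the one
    just read when recovering.
    """
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        xored = bytes(x ^ k for x, k in zip(block, key))
        out += xored
        prev = block if decrypt else xored
    return bytes(out)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before putting the password on the wire."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, decrypt=False)


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server (or anyone with the secret and the packet) does to get it back."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    return _keystream_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build the UDP payload a NAS would send; authenticator=None picks a random one."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: [values]}) from a UDP payload."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, authenticator, attrs


def credentials_from_capture(packet: bytes, secret: bytes):
    """The sniffer's view: (username, password) from one Access-Request, given the secret."""
    code, _, authenticator, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    username = attrs[ATTR_USER_NAME][0].decode("utf-8", "replace")
    return username, recover_user_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)


if __name__ == "__main__":
    # Constructed sample: NAS 10.5.5.55 authenticates "chrisk" using secret "testing123".
    secret = b"testing123"
    pkt = build_access_request(3, b"chrisk", b"correct horse battery", secret, "10.5.5.55")
    print(credentials_from_capture(pkt, secret))          # ('chrisk', b'correct horse battery')
    print(credentials_from_capture(pkt, b"wrongsecret"))  # username fine, password is noise
```

To use it on a real capture, hand the UDP payload of an Access-Request (everything after the UDP header) to credentials_from_capture() together with the secret from clients.conf; Wireshark does the same once the shared secret is entered in its RADIUS protocol preferences, which is the direct answer to the capture question. The wider point for both threads: the shared secret is all that stands between a packet capture and every PAP password on the wire, so it should be long, unique per client, and not something a packet trace can be brute-forced against cheaply; EAP methods that never put the password in User-Password remove the exposure entirely.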


RE: Free Radius Issues

2011-03-01 Thread Chris Kilian
Hi

I believe that I have setup the FR configs correctly for use with MYSQL,  I got 
it all working just fine when using a flat file and was able to authenticate 
etc with no issues, since moving to SQL I am getting this.

rad_recv: Access-Request packet from host 10.5.5.55 port 57593, id=3, length=46
User-Name = chrisk
User-Password = user-password
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = chrisk, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} -> chrisk
rlm_sql (sql): sql_set_user escaped user --> 'chrisk'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chrisk' ORDER BY id
expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'chrisk' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User chrisk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chrisk/user-password] (from client seccom port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> chrisk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 10.5.5.55 port 57593

So it appears that it's using pap, right? 
The database is very minimal and I'm not sure if that's the issue.

All I am needing to do is have users authenticate based on username and password. 
I'm not worried about anything other than that. It's for auth from a web server.

Thanks


-Original Message-
From: freeradius-users-bounces+chris.kilian=seccomglobal@lists.freeradius.org [mailto:freeradius-users-bounces+chris.kilian=seccomglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, 1 March 2011 9:03 PM
To: FreeRadius users mailing list
Subject: Re: Free Radius Issues

hi,

you haven't given the full debug...so it's pretty much guesswork here with what's 
going wrong..
have you added the sql to the authorize section of your server? (uncomment the 
entry that's commented by default) are you using EAP etc? in which case you will 
also need to uncomment it in the inner-tunnel server.

alan
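
The debug output above already tells the whole story: rlm_sql ran the radcheck query for chrisk, got no rows and returned notfound; with no known-good password in the control list rlm_pap had nothing to compare against, so no Auth-Type was chosen and the request was rejected. The script below is an added example, not Chris's schema and not FreeRADIUS code. It replays that decision against an in-memory SQLite radcheck table, first with no row (reject) and then with a password row (accept), using the same query text the debug log shows; the simplified operator handling and the salted-SHA1 layout used for SSHA-Password (base64 of sha1(password + salt) followed by the salt, which is what rlm_pap's SSHA-Password check expects) are assumptions of the example.

```python
#!/usr/bin/env python3
"""What rlm_sql and rlm_pap do with radcheck, replayed against in-memory SQLite.

authorize: rlm_sql runs the check query for the user. No rows -> "notfound",
nothing sets a known-good password, rlm_pap prints its WARNING, no Auth-Type
is chosen, Access-Reject. A row with Cleartext-Password or SSHA-Password ->
rlm_pap can compare, and the request is accepted or rejected on the password.
"""
import base64
import hashlib
import hmac
import os
import sqlite3

# The query rlm_sql expanded in the debug output, with SQL-User-Name as a bound parameter.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? ORDER BY id"
)
KNOWN_GOOD = ("Cleartext-Password", "SSHA-Password")


def open_radius_db() -> sqlite3.Connection:
    """Create a radcheck table with the columns the query above selects (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY, username TEXT NOT NULL,"
        " attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL)"
    )
    return db


def add_check_item(db, username, attribute, value, op=":="):
    """Insert one radcheck row; ':=' is the operator a password check item should use."""
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        (username, attribute, op, value),
    )


def ssha_password(password: str, salt: bytes = None) -> str:
    """base64(sha1(password + salt) + salt), the SSHA-Password layout assumed here."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def sql_authorize(db, username):
    """rlm_sql authorize: ('notfound', {}) when no rows, else ('ok', control items)."""
    rows = db.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    if not rows:
        return "notfound", {}
    control = {}
    for _id, _user, attribute, value, op in rows:
        if op == ":=":  # set/override; other operators are comparisons, ignored here
            control[attribute] = value
    return "ok", control


def pap_authenticate(control, supplied: str) -> bool:
    """rlm_pap: compare the PAP password against whichever known-good form is present."""
    if "Cleartext-Password" in control:
        return hmac.compare_digest(control["Cleartext-Password"].encode(), supplied.encode())
    if "SSHA-Password" in control:
        blob = base64.b64decode(control["SSHA-Password"])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(supplied.encode() + salt).digest(), digest)
    return False


def process_pap_request(db, username, password) -> str:
    """authorize -> authenticate for one PAP Access-Request, as the debug log narrates it."""
    rc, control = sql_authorize(db, username)
    if rc == "notfound" or not any(k in control for k in KNOWN_GOOD):
        # rlm_pap: WARNING! No known good password found for the user.
        # auth: No authenticate method (Auth-Type) configuration found -> reject
        return "Access-Reject"
    return "Access-Accept" if pap_authenticate(control, password) else "Access-Reject"


if __name__ == "__main__":
    db = open_radius_db()
    print(process_pap_request(db, "chrisk", "user-password"))  # Access-Reject: no radcheck row
    add_check_item(db, "chrisk", "SSHA-Password", ssha_password("user-password"))
    print(process_pap_request(db, "chrisk", "user-password"))  # Access-Accept
    print(process_pap_request(db, "chrisk", "guess"))          # Access-Reject
```

For a web front end that only ever does PAP, storing SSHA-Password rather than Cleartext-Password in radcheck costs nothing and means a dump of the table does not hand out every password; Cleartext-Password (or NT-Password) is only required when MS-CHAP has to be supported, because those methods need the actual password or its NT hash to compute the challenge response.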


Free Radius Issues

2011-02-28 Thread Chris Kilian


Hi Guys

I am new to Freeradius and have got it working with Mysql , however run into an 
issue whereby I am seeing this for all requests

rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chrisk/password] (from client seccom port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> chrisk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Can anyone help or let me know what other info may be required

Thanks


Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
OK, I think I found out where things are going wrong.

In my Radius -X log I noticed the Starting - reading configuration files is 
short, compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/

(followed by 
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl)

This is all not in my freeradius -X logs and is in the logs of others.

Now where do I enable/disable loading the modules folder?

 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Schaatsbergen, Chris
 Sent: Friday, 11 February 2011 19:32
 To: FreeRadius users mailing list
 Subject: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
 
   So far I have done everything there exactly as described with the
  same outcome.
 
No.
 
If you get the error Failed to link to module
 'rlm_ntlm_auth':...,
  it means you did something *other* than what is on the web page.
 
   This is I believe indeed the missing piece, problem is I cannot
 find
  it in your web page.
 
It's the exec ntlm_auth { ... text.
 
Add it, *and* the ntlm_auth entry in the authenticate section.
 
 The ntlm_auth file with the exec ntlm_auth text has been in the module
 folder since I started working on this (actually I believe it was
 already there as it is has been added in 2.1.8), about a week ago. It
 is also what I have indicated both in my original post and in the
 repost I made today. The file

Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
That is clear, but it seems it is missing in the Lenny Package somehow as 
http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
 has exactly the same problem as me, no modules folder being read causing the 
ntlm_auth not being recognized as module.

Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it 
be?

The beginning part of our current radiusd.conf:

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $
##

##
#
#   Read man radiusd before editing this file.  See the section
#   titled DEBUGGING.  It outlines a method where you can quickly
#   obtain the configuration you want, without running into
#   trouble.
#
#   Run the server in debugging mode, and READ the output.
#
#   $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   warning, error, reject, or failure.  The messages there
#   will usually be enough to guide you to a solution.
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to post the output of radiusd -X.

##
#
#   The location of other config files and logfiles are declared
#   in this file.
#
#   Also general configuration for modules can be done in this
#   file, it is exported through the API to modules that ask for
#   it.
#
#   See man radiusd.conf for documentation on the format of this
#   file.  Note that the individual configuration items are NOT
#   documented in that man page.  They are only documented here,
#   in the comments.
#
#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Should likely be ${localstatedir}/lib/radiusd
# (variable references use ${...}; the pasted "$(raddbdir)" would not expand)
db_dir = ${raddbdir}

 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Alan DeKok
 Sent: Monday, 14 February 2011 12:40
 To: FreeRadius users mailing list
 Subject: Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch
 to AD
 
 Schaatsbergen, Chris wrote:
  OK, I think I found out where things are going wrong.
 
  In my Radius -X log I noticed the "Starting - reading configuration
 files" section is short, compared to those of others. What is missing is
 actually:
 
  including files in directory /usr/local/etc/raddb/modules/
 ...
  Now where do I enable/disable loading the modules folder?
 
   radiusd.conf?
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
I think freeradius is a great piece of software and I will certainly continue 
to use it. I am also very happy with the great documentation that can be found, 
both the wiki and Alan's website are an awesome source of very good 
information. The support community here is also very active, which is a great 
thing.

But had someone with freeradius knowledge taken the time to look at the 
freeradius -X logs I (and David Dumortier) supplied with our questions, they 
would have seen the problem right away I suppose, in both our cases.

Probably there have been too many typical n00b users who asked questions after 
not following the (clear) documentation properly, but please understand we are 
not all like that.

This has caused me an enormous load of stress and has cost me about 3 days (and 
one night sleep), and I assume it has caused you a certain amount of stress as 
well, and it could have been so much more satisfying had it been checked just a 
little bit more.

Of course, you are not responsible for every package being produced and I do 
not know yet how this all works as I did not install our freeradius server 
myself (unfortunately). But in our cases, the users were not to blame, other 
than using an available and hopefully supported package.

I will have a new lenny server installed with just the 2.1.10 debian backport 
package on it (no older versions) to see if that comes with a proper 
radiusd.conf file. If so then my problem is caused by an older package being 
installed earlier and new users will not be bothered by it.

Again, I really think freeradius is a great piece of software, there is plenty 
of good documentation and it has an awesome support community here. So I will 
certainly continue to use freeradius as our authentication server. But please, 
if a user says he followed the instructions to the letter, give them the 
benefit of the doubt and see if something else is going wrong.


 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Alan DeKok
 Sent: Monday, 14 February 2011 12:57
 To: FreeRadius users mailing list
 Subject: Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS
 switch to AD
 
 Schaatsbergen, Chris wrote:
  That is clear, but it seems it is missing in the Lenny Package
 somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-
 January/msg00192.html has exactly the same problem as me, no modules
 folder being read causing the ntlm_auth not being recognized as module.
 
   shrug  I don't run Lenny, so I can't say any more.
 
  Where can I find a proper radiusd.conf?
 
   Have you tried the 2.1.10 tar file on freeradius.org?
 
   Alan DeKok.


AW: Freeradius on lenny doesn't permit mschap auth

2011-02-14 Thread Schaatsbergen, Chris
Hi David,

In case you have not found it yet, in the lenny package somehow there is one 
line missing in the radiusd.conf file. In the modules section there should be:

$INCLUDE ${confdir}/modules/

I would suggest, top of the modules section.

Then ntlm_auth should work.

Good luck,

Chris

 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of David Dumortier
 Sent: Friday, 14 January 2011 11:27
 To: freeradius-users@lists.freeradius.org
 Subject: Freeradius on lenny doesn't permit mschap auth
 
 Hi all,
 
 I have read and configured as described at
 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
 
 I have tested ntlm_auth with success but
 radtest user passwd localhost 0 testing123 fails
 
 I attach my debug output
 
 Thanks
 --
 David Dumortier


AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
Thanks! Actually in this case I was too early writing the mail (because I was 
rather annoyed), something I should not allow myself to happen. The 
radiusd.conf file is documented on the Wiki site (though the link there that 
should point to the latest version is not working as it points to the currently 
unexisting 
http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

I found the missing piece:

$INCLUDE ${confdir}/modules/

Which should be in (the top of) the modules section.

With that addition freeradius starts without error messages so I can continue 
Alan DeKoks (excellent) description how to enable AD authentication.

 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Alan Buxey
 Sent: Monday, 14 February 2011 13:48
 To: FreeRadius users mailing list
 Subject: Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch
 to AD
 
 Hi,
  That is clear, but it seems it is missing in the Lenny Package
 somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-
 January/msg00192.html has exactly the same problem as me, no modules
 folder being read causing the ntlm_auth not being recognized as module.
 
  Where can I find a proper radiusd.conf? Or where in the radiusd.conf
 should it be?
 
 from the main source
 
 www.freeradius.org
 
 get the 2.1.10 tarball , extract it and look at what the config should
 be like.
 I wonder if lenny is requiring you to install other packages for
 purpose/facilities
 
 alan
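The fix named in the two messages above (a `$INCLUDE ${confdir}/modules/` line at the top of the `modules` section) can be checked for and applied mechanically. The following is an added example, not code from the thread or from the FreeRADIUS project: a deliberately small section tracker for a 2.x radiusd.conf; the two config fragments are constructed, and it assumes sections open with `name [instance] {` and close with `}` on their own lines, as the stock file does.

```python
import re

# Added example (not from the thread or the FreeRADIUS project): a minimal
# section tracker for radiusd.conf that reports the $INCLUDE lines sitting
# directly inside the top-level "modules { }" section, and inserts the
# missing "$INCLUDE ${confdir}/modules/" at the top of that section.
# Assumption: sections open with "name [instance] {" and close with "}",
# each on its own line, which is how the stock 2.x radiusd.conf is laid out.

SECTION_OPEN = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*(?:[A-Za-z0-9_.:-]+\s*)?\{\s*$')
INCLUDE_LINE = re.compile(r'^\s*\$INCLUDE\s+(\S+)')
MODULES_INCLUDE = '$INCLUDE ${confdir}/modules/'


def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment; a commented-out $INCLUDE must not count."""
    return line.split('#', 1)[0]


def modules_includes(conf_text: str) -> list:
    """$INCLUDE targets found directly inside the top-level modules section."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line.strip() == '}':
            if stack:
                stack.pop()
        else:
            inc = INCLUDE_LINE.match(line)
            if inc and stack == ['modules']:
                found.append(inc.group(1))
    return found


def has_modules_include(conf_text: str) -> bool:
    """True when modules { } pulls in the per-module files from modules/."""
    return any(t.rstrip('/').endswith('modules') for t in modules_includes(conf_text))


def ensure_modules_include(conf_text: str) -> str:
    """Return conf_text with MODULES_INCLUDE as the first line of modules { }
    (the placement suggested in the thread); unchanged if already present."""
    if has_modules_include(conf_text):
        return conf_text
    out, depth, inserted = [], 0, False
    for raw in conf_text.splitlines(keepends=True):
        out.append(raw)
        line = strip_comment(raw).rstrip()
        opened = SECTION_OPEN.match(line)
        if opened:
            if depth == 0 and opened.group(1) == 'modules' and not inserted:
                out.append('\t' + MODULES_INCLUDE + '\n')
                inserted = True
            depth += 1
        elif line.strip() == '}':
            depth = max(0, depth - 1)
    return ''.join(out)


# Constructed fragments in the shape of a 2.x radiusd.conf: the first lacks
# the directory include (so modules/ntlm_auth is never read), the second has it.
BROKEN_CONF = """\
prefix = /usr
confdir = ${raddbdir}
modules {
\t#\t$INCLUDE ${confdir}/modules/   <- commented out: the files are not read
\t$INCLUDE eap.conf
}
instantiate {
\texec
}
"""
FIXED_CONF = BROKEN_CONF.replace('modules {\n', 'modules {\n\t' + MODULES_INCLUDE + '\n', 1)

if __name__ == '__main__':
    print('broken includes:', modules_includes(BROKEN_CONF))
    print('fixed includes: ', modules_includes(ensure_modules_include(BROKEN_CONF)))
```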


Support

2011-02-14 Thread Schaatsbergen, Chris
A slightly different question, does the support from http://networkradius.com 
come from the active users of this mailing list? I.e. if I buy a support 
contract there, do the Alans get a part of that? I am missing a donate button 
on the freeradius website and I hope/expect we do not need that much support 
once this server is up and running.



AW: Support

2011-02-14 Thread Schaatsbergen, Chris
 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Alan DeKok
 Sent: Monday, 14 February 2011 15:33
 To: FreeRadius users mailing list
 Subject: Re: Support
 
 Schaatsbergen, Chris wrote:
  A slightly different question, does the support from
 http://networkradius.com come from the active users of this mailing
 list? I.e. if I buy a support contract there, do the Alans get a part
 of that? I am missing a donate button on the freeradius website and I
 hope/expect we do not need that much support once this server is up and
 running.
 
   Network RADIUS is a for-profit company which does FreeRADIUS support,
 development, consulting, etc.  No one on this list is asked to work for
 free.
 
   I run the company, and while I'm not getting rich, the proceeds from
 it have kept me off of the streets.

Well, I am not doing it to keep you off the streets (you should not be a 
freeradius prisoner), but to make sure FreeRadius continues to get developed 
and this active community stays active. As a former developer myself I can 
understand how annoying it can be if you have helped someone a great deal and 
then get absolutely nothing in return (quite often people even forget to thank 
you).

I will try and convince the management to cough up.

 
   Alan DeKok.


AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
   Most of the howtos assume you're running a recent version of the
 server.  Some systems have *old* versions of the server.  We're unable
 to maintain copies of the documentation for each version of the server.
 
   This makes life harder for the average admin, but we have to draw the
 line somewhere.
 
   Alan DeKok.

We are running a current version of the server (2.1.10), but somehow the 
radiusd.conf file is not right. I hope to find out what is wrong exactly and 
post it here for future use. After a short (and rather violent) discussion with 
our linux expert I believe originally version 2.0.4 had been installed as that 
is the current stable version for lenny. But before I started working with it, 
it had already been upgraded to 2.1.8 and I requested the upgrade to 2.1.10 
recently because of the lowercase function. All upgrades, no new installs, 
perhaps there lies the problem.



AW: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Alan DeKok
 Sent: Monday, 14 February 2011 16:00
 To: FreeRadius users mailing list
 Subject: Re: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco
 IOS switch to AD
 
 Schaatsbergen, Chris wrote:
  We are running a current version of the server (2.1.10), but somehow
 the radiusd.conf file is not right.
 
   The radiusd.conf file isn't over-written when a new package is
 installed.  You've customized it locally, and it *must* be left alone.
 

Crystal Clear. 

So you should never upgrade the existing installation. And if you really do 
need a new version then you should backup the old installation,  perform a 
clean new installation and then redo all the configuration you had done before 
(and hope that it still works). Pity, but on the other hand a very good reason 
to keep your documentation up to date. Talking about work for the admins :p

I am glad when I have this server up and running, I just have to finish the 
documentation and can then 'throw it over the wall' to the system 
administrators ;)

There are actually other programs (Splunk, costs 12k a year) that use different 
config files for system config and user config. Maybe an idea for a future 
release of freeradius?



AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
 -Original Message-
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-
 solar...@lists.freeradius.org [mailto:freeradius-users-
 bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On
 Behalf Of Johan Meiring
 Sent: Monday, 14 February 2011 14:48
 To: freeradius-users@lists.freeradius.org
 Subject: Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS
 switch to AD
 
 On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
  That is clear, but it seems it is missing in the Lenny Package
 somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-
 January/msg00192.html has exactly the same problem as me, no modules
 folder being read causing the ntlm_auth not being recognized as module.
 
  Where can I find a proper radiusd.conf? Or where in the radiusd.conf
 should it be?
 
 
 
 Looking at config below...
 /usr/local/etc/raddb/modules/
 
 Lenny package does NOT put stuff in /usr/local/
 
 Seems you have two versions of freeradius on your system.
 
 Cheers,

I took the other data from another 'ticket' here which is clearly not running 
on lenny indeed. But the problem has been solved, thanks for your help to think 
of an answer though :)



AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-11 Thread Schaatsbergen, Chris
OK, so the current problem seems to be that I cannot get the ntlm_auth to work. 
I read 
http://freeradius.1045715.n5.nabble.com/Freeradius-with-Active-Directory-td2747221.html
 but that does not seem to apply for me as the ntlm_auth file contains the 
exec. 

Attached (if that works) is the radius -X output for the current working 
configuration (basic_configuration_run.txt). We are only doing 
mac-authentication now and depending on the mac-address, the device is placed 
in a certain VLAN. I unfortunately did not install the server myself but as far 
as I know FR was originally installed from the Debian package 2.1.8 and we 
recently upgraded to 2.1.10.

Until a year ago I never really worked with (free)radius, linux or cisco 
switches and it still is just a small part of my daily work, so I probably make 
a lot of beginner mistakes.

# -*- text -*-
#
#  $Id$
# NTLM module
#
#  To authenticate requests using AD.
#
exec ntlm_auth {
	wait = yes
	# the program value is one line and must be quoted, as the quotes were lost in the paste
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=ALEO.LOCAL --username=%{mschap:User-Name} --password=%{User-Password}"
}

If I add ntlm_auth to the beginning of the users file I get an error
/etc/freeradius/users[157]: Parse error (check) for entry DEFAULT: Unknown 
value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users

If I add ntlm_auth to the authenticate section of the default virtual server I 
get an error
/etc/freeradius/sites-enabled/default[254]: Failed to load module ntlm_auth.
/etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.

If I add ntlm_auth to the modules section of radiusd.conf I get a 'warning'
/etc/freeradius/radiusd.conf[1840]: Failed to link to module 'rlm_ntlm_auth': 
file not found
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 
at 21:14:10
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = secret
nastype = other
 }
 client 10.1.1.201 {
require_message_authenticator = no
secret = secret
shortname = 10.1.1.201
nastype = cisco
 }
 client 10.1.1.202 {
require_message_authenticator = no
secret = secret
shortname = 10.1.1.202
nastype = cisco
 }
 client 10.1.1.203 {
require_message_authenticator = no
secret = secret
shortname = 10.1.1.203
nastype = 

AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-11 Thread Schaatsbergen, Chris
Greetings and thanks for the quick reply.

As stated in my original posting, 
http://deployingradius.com/documents/configuration/active_directory.html is 
what I have been working with from the beginning.

So far I have done everything there exactly as described with the same outcome.

   Why?  Why not read the main web page that *correctly* describes how
 to
 get it to work?
 
 http://deployingradius.com/documents/configuration/active_directory.html
 
  If I add ntlm_auth to the authenticate section of the default virtual
 server I get an error
  /etc/freeradius/sites-enabled/default[254]: Failed to load module
 ntlm_auth.
  /etc/freeradius/sites-enabled/default[217]: Errors parsing
 authenticate section.
 
   Because you didn't add the module definition as described in the web
 page.

This is I believe indeed the missing piece, problem is I cannot find it in your 
web page. 




AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-11 Thread Schaatsbergen, Chris
  So far I have done everything there exactly as described with the
 same outcome.
 
   No.
 
   If you get the error Failed to link to module 'rlm_ntlm_auth':...,
 it means you did something *other* than what is on the web page.
 
  This is I believe indeed the missing piece, problem is I cannot find
 it in your web page.
 
   It's the exec ntlm_auth { ... text.
 
   Add it, *and* the ntlm_auth entry in the authenticate section.

The ntlm_auth file with the exec ntlm_auth text has been in the module folder 
since I started working on this (actually I believe it was already there as it 
has been added in 2.1.8), about a week ago. It is also what I have indicated 
both in my original post and in the repost I made today. The file is there, and 
the exact contents of that file are in the repost I posted earlier today. Now 
if there is something wrong with that file I would love to hear it. I tried 
various ways of adding ntlm_auth to the authentication section of the default 
virtual machine but all with the same outcome, module not found.

Unfortunately I do not see where the actual problem lies, otherwise I would not 
have bothered you with it.

I have followed the instructions from your webpage to the letter and when that 
did not work I tried some other suggestions but they all proved to be without effect 
and are therefore removed again.

Now, if anyone is willing to actually look to see what is going wrong instead 
of immediately jumping to the easy conclusions, that help would be highly 
appreciated. I am pretty sure I made a mistake somewhere, but it has not been 
in following these instructions. More likely it is in the original 
configuration or how I changed it to fit our need (Mac authentication). The 
current running config works properly, but it is very well possible I disabled 
something that is needed for ntlm_auth.



AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-10 Thread Schaatsbergen, Chris
Gary
Would you mind if I contacted you directly (I have your e-mail) about this? I 
have seen a very nice discussion and reading this a second time has proven that 
what you describe here is exactly what we are looking for. But I would still 
really appreciate some help getting it to work.
Thanks,
Chris
From: 
freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
 On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
To: 'FreeRadius users mailing list'
Subject: RE: Authenticating SSH login on a Cisco IOS switch to AD

Authentication with ntlm-auth and require-membership-of works well for us.  
Right now we simply authenticate the login/vty session with AD, and the secret 
is authorized locally by the switch.  So, each person gets the vty session 
with their own unique credentials validated via ntlm-auth and AD.  Everyone 
knows the secret password.  Works well.  On our dev FR instance I have an FR 
users file to return various Cisco attribute-value pairs.  This works well too. 
 Somewhere down the road I'll go for a full authorization process with AD on 
the back side, or since a relatively small number of users access our gear, 
might just stick to users file.  Guess it depends how skilled I get with 
LDAP/AD/unlang/whatever else...
G



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi Chris,

We use TACACS+ to administer our switches here and I can tell you that I 
had to add extra stuff to the TACACS replies to allow authorization to manage 
the switches.  So you may be able to login via radius but somewhere you are 
going to have to send information to the switch on what authorization is given 
per user.  This means that you're going to have to have AD respond with this 
information or have some other method that will inject those values when you 
login.

I think it is possible but I do not think it will be too easy if you are 
only using AD as the back-end, you may need to use local files to define groups 
with attributes or some scripts to inject the values Cisco wants.

Hope that helps.



Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 09, 2011 at 7:24 AM, in message 
 604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07, Schaatsbergen, 
 Chris chris.schaatsber...@aleo-solar.de wrote:
Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I 
have been asked if we can authenticate the SSH login on our Windows 2008 Active 
Directory using our Freeradius (2.1.10) installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two.

On the Freeradius server Samba and Kerberos are configured, the ntlm_auth 
returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the 
authenticate section of sites-enabled/default and run freeradius -X I get an 
error that the ntlm_auth module could not be loaded though I have created the 
ntlm_auth file in the modules folder as described in the link. How should I get 
that to work?

Help would be highly appreciated.

Chris Schaatsbergen



This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system.

Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Schaatsbergen, Chris
Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I 
have been asked if we can authenticate the SSH login on our Windows 2008 Active 
Directory using our Freeradius (2.1.10) installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and 
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two. 

On the Freeradius server Samba and Kerberos are configured, the ntlm_auth 
returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the 
authenticate section of sites-enabled/default and run freeradius -X I get an 
error that the ntlm_auth module could not be loaded though I have created the 
ntlm_auth file in the modules folder as described in the link. How should I get 
that to work?

Help would be highly appreciated.

Chris Schaatsbergen



AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Schaatsbergen, Chris
Greetings Gary,
Well, this does sound like what I would like to achieve, we only have 3 users 
to administer the Cisco switches, though all domain admins (7) could do it.
We currently have one admin user account and all domain admins know the 
password.
To go to priv level (enable) we will continue to use one password, we only 
would like the SSH login to be authenticated against AD.
I am in no hurry (going home now anyway) but would love to hear your solution a 
little more detailed.
Chris
From: 
freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org 
[mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
 On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
To: 'FreeRadius users mailing list'
Subject: RE: Authenticating SSH login on a Cisco IOS switch to AD

Authentication with ntlm-auth and require-membership-of works well for us.  
Right now we simply authenticate the login/vty session with AD, and the secret 
is authorized locally by the switch.  So, each person gets the vty session 
with their own unique credentials validated via ntlm-auth and AD.  Everyone 
knows the secret password.  Works well.  On our dev FR instance I have an FR 
users file to return various Cisco attribute-value pairs.  This works well too. 
 Somewhere down the road I'll go for a full authorization process with AD on 
the back side, or since a relatively small number of users access our gear, 
might just stick to users file.  Guess it depends how skilled I get with 
LDAP/AD/unlang/whatever else...
G



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi Chris,

We use TACACS+ to administer our switches here and I can tell you that I 
had to add extra stuff to the TACACS replies to allow authorization to manage 
the switches.  So you may be able to login via radius but somewhere you are 
going to have to send information to the switch on what authorization is given 
per user.  This means that you're going to have to have AD respond with this 
information or have some other method that will inject those values when you 
login.

I think it is possible but I do not think it will be too easy if you are 
only using AD as the back-end, you may need to use local files to define groups 
with attributes or some scripts to inject the values Cisco wants.

Hope that helps.



Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 09, 2011 at 7:24 AM, in message 
 604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07, Schaatsbergen, 
 Chris chris.schaatsber...@aleo-solar.de wrote:
Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I 
have been asked if we can authenticate the SSH login on our Windows 2008 Active 
Directory using our Freeradius (2.1.10) installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two.

On the Freeradius server Samba and Kerberos are configured, the ntlm_auth 
returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the 
authenticate section of sites-enabled/default and run freeradius -X I get an 
error that the ntlm_auth module could not be loaded though I have created the 
ntlm_auth file in the modules folder as described in the link. How should I get 
that to work?

Help would be highly appreciated.

Chris Schaatsbergen




[ SOLVED ] Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.

2011-01-29 Thread chris

Hi Alan,
it works 

great thx
Chris
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authentication-was-rejected-tp3360430p3362708.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.

2011-01-28 Thread chris

Hi Alan,
thx for the response,
and yes I read the debug output and I also found the site you mentioned, to
get more information about the output but,
as you see in the number of my posting counts, I'm a newbie in using
radius.

And I didn't understand what these messages should mean or how
it can be fixed...



  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/] (from client dlink-private-network port 0 via
TLS tunnel)
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x81bd288 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.

You gave me a hint, thx:
You probably need to list sql in the inner-tunnel virtual server. 
 In 2.1.10, you can test the inner-tunnel directly, without using PEAP. 
 See the comments at the top of the file. 

I will try and give an answer

thx
Chris





Freeradius SQL: PEAP: Tunneled authentication was rejected.

2011-01-27 Thread chris
: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/via Auth-Type = EAP] (from client
dlink-private-network port 0 via TLS tunnel)
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x81bd288 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.0.50 port 1037
EAP-Message =
0x0109003b1900170301003034751d74d2db85e76a4a09990bc079aabf886c33adbae4de36aa4b998d1437564e312ceb4f3ef2e602a0ec1b74c34c8b
Message-Authenticator = 0x
State = 0xeff176eae7f86f7198f0e801bd7f42f1
Finished request 8.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=9,
length=296
Message-Authenticator = 0xcf9f988ac3da6a9784a700bd6e8bd235
Service-Type = Framed-User
User-Name = sqluser
Framed-MTU = 1488
State = 0xeff176eae7f86f7198f0e801bd7f42f1
Called-Station-Id = F0-7D-68-17-D4-39:dlink
Calling-Station-Id = 00-18-DE-E1-85-89
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message =
0x0209006019001703010020b4f42681cb8004c329ba3e6eb3f20af6ab64a075776fd142c83e827add1a8e531703010030f9a9c64a35e6e5b5327b4c2e
91499e1a3897f2202d67ff4db4b2e03510edaa39019a712075a32f6ef78368edcc2e3bb6
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = sqluser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 96
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this
session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [sqluser/via Auth-Type = EAP] (from client
dlink-private-network port 1 cli 00-18-DE-E1-85-89)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - sqluser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 192.168.0.50 port 1037
EAP-Message = 0x04090004
Message-Authenticator = 0x
Waking up in 3.4 seconds.
Cleaning up request 0 ID 0 with timestamp +24
Cleaning up request 1 ID 1 with timestamp +24
Waking up in 0.3 seconds.
Cleaning up request 2 ID 2 with timestamp +24
Cleaning up request 3 ID 3 with timestamp +24
Cleaning up request 4 ID 4 with timestamp +24
Waking up in 0.1 seconds.
Cleaning up request 5 ID 5 with timestamp +24
Cleaning up request 6 ID 6 with timestamp +24
Cleaning up request 7 ID 7 with timestamp +24
Cleaning up request 8 ID 8 with timestamp +24
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +24
Ready to process requests.


Tell me if you need more information 
thx
Chris

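The inner-tunnel rejection in this thread comes from rlm_mschap having neither Cleartext-Password nor NT-Password for sqluser, which is why listing sql in the inner-tunnel server fixes it. As an added example (not from the thread or from FreeRADIUS), the Python below derives NT-Password the way rlm_mschap does, MD4 over the UTF-16LE password, and shows which stored attributes let MS-CHAPv2 proceed; the MD4 routine, the resolve_nt_password and radcheck_rows helpers and the sample users are all constructed here.

```python
import struct

# Added example (not from the thread or from FreeRADIUS). MD4 is implemented
# here because hashlib's md4 is often unavailable under OpenSSL 3.
MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320, the primitive NT-Password is built on."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Each step updates a, d, c, b in turn (slots 0, 3, 2, 1).
                s = (-i) % 4
                a, b, c, d = v[s], v[(s + 1) % 4], v[(s + 2) % 4], v[(s + 3) % 4]
                v[s] = rotl((a + fn(b, c, d) + x[idx] + const) & MASK32, shifts[i % 4])
        state = [(old + new) & MASK32 for old, new in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> bytes:
    """NT-Password as rlm_mschap derives it from Cleartext-Password:
    MD4 over the UTF-16LE encoding, no salt, no iteration."""
    return md4(cleartext.encode("utf-16-le"))


def resolve_nt_password(control: dict):
    """Mirror rlm_mschap's choice of key material (constructed helper).
    It can use a stored NT-Password or derive one from Cleartext-Password;
    any other hash type (SSHA-Password, Crypt-Password, ...) cannot be turned
    into the MD4 value the MS-CHAPv2 response is computed over, so the
    authentication fails exactly as in the debug output above.
    Returns (nt_hash_or_None, reason)."""
    if "NT-Password" in control:
        hexval = control["NT-Password"]
        if hexval.startswith("0x"):                  # radcheck usually stores 0x...
            hexval = hexval[2:]
        return bytes.fromhex(hexval), "using stored NT-Password"
    if "Cleartext-Password" in control:
        return nt_password(control["Cleartext-Password"]), "derived NT-Password from Cleartext-Password"
    return None, "No Cleartext-Password configured.  Cannot create NT-Password."


def radcheck_rows(username: str, cleartext: str):
    """Rows (username, attribute, op, value) for the sql module's radcheck
    table that make MS-CHAPv2 work without keeping the cleartext around."""
    return [(username, "NT-Password", ":=", "0x" + nt_password(cleartext).hex())]


if __name__ == "__main__":
    # Constructed sample control lists: one with an LDAP-style SSHA hash, one
    # with a cleartext password.
    for ctl in ({"SSHA-Password": "{SSHA}placeholder"}, {"Cleartext-Password": "password"}):
        print(ctl, "->", resolve_nt_password(ctl)[1])
    print(radcheck_rows("sqluser", "password"))
```

An NT hash is password-equivalent for MS-CHAPv2, so storing it in radcheck instead of the cleartext limits what a dump exposes only for other protocols, not for this one.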


tolower seems to result in unneeded reject of mac address, or I am using it wrong

2010-12-21 Thread Schaatsbergen, Chris
Hi all,

I am not very used to working with freeradius unfortunately and I am using the 
Mac Auth solution (http://wiki.freeradius.org/Mac-Auth) as described on your 
website and other than the case sensitivity it was working correctly.

I was looking for a way to change the Calling station id to lowercase, or to 
make the comparison case insensitive as some of our switches return mac 
addresses in uppercase, others in lowercase. Then I discovered a brand new 
function tolower had been added to the 2.1.10 version of freeradius and we 
were still at 2.1.8. So after an update I could run freeradius with the added 
function without errors. Unfortunately it seems not to work correctly.

Now, if a known mac address is authorized, it is rejected

[authorized_macs]   expand: %{Calling-Station-ID} -> 00-17-42-1C-44-68
[authorized_macs]   expand: %{tolower:%{Calling-Station-ID}} -> 00-17-42-1c-44-68
+[authorized_macs.authorize] returns noop

00-17-42-1c-44-68 does actually exist in the authorized_macs file. This used to 
return a match and ok when the calling station id was matched, case sensitive.

Unfortunately I do not have permission from my superiors to utilize a MySQL 
database yet (which would solve all of this), so I am stuck with the files for 
now.

Can any of you see what I am doing wrong?

modules/files
files authorized_macs {
# The default key attribute to use for matches.  The content
# of this attribute is used to match the name of the
# entry.
key = %{tolower:%{Calling-Station-ID}}

usersfile = ${confdir}/authorized_macs

#  If you want to use the old Cistron 'users' file
#  with FreeRADIUS, you should change the next line
#  to 'compat = cistron'.  You can the copy your 'users'
#  file from Cistron.
compat = no
}

sites-available/default
post-auth {
# output suppressed
   if(control:Auth-Type == 'CSID'){
  # Authorization happens here
  # %{Calling-Station-ID} = %{tolower:%{Calling-Station-ID}} # here 
the function does not work (like this)
  authorized_phones.authorize
  if (!ok) {
 authorized_printers.authorize
 if (!ok) {
authorized_macs.authorize
if (notfound) { # notfound construction used to 
overcome false rejects
   reject
}
else {
   update reply {
  Cisco-AVPair = tunnel-type=vlan
  Cisco-AVPair = 
tunnel-medium-type=802
  Cisco-AVPair = 
tunnel-private-group-id=4
   }
}
 }
 else{
update reply {
   Cisco-AVPair = tunnel-type=vlan
   Cisco-AVPair = tunnel-medium-type=802
   Cisco-AVPair = tunnel-private-group-id=1
}
 }
  }
  else{
 update reply {
Cisco-AVPair = device-traffic-class=voice
 }
  }
   }
}

Chris Schaatsbergen

--
aleo solar Deutschland GmbH
Chris Schaatsbergen
IT Projekte / IT Projects
Osterstr. 15, 26122 Oldenburg

T +49 441 21988-288
F +49 441 21988-150
M +49 162 2552288
chris.schaatsber...@aleo-solar.de
http://www.aleo-solar.de

Geschäftsführer/Management Board: York zu Putlitz, Dr. Jens Sabotke, Norbert 
Schlesiger
Sitz der Gesellschaft/Registered Office: Oldenburg (Oldb), Germany
Handelsregister/Companies´ Register: Oldenburg, Germany, HRB 4947


AW: tolower seems to result in unneeded reject of mac address, or I am using it wrong

2010-12-21 Thread Schaatsbergen, Chris
Hi again all,

Sorry, stupid me.

Not key = %{tolower:%{Calling-Station-ID}}
But key = %{tolower:%{Calling-Station-ID}}

Now it works again properly.

Apologies,

Chris Schaatsbergen

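The case-sensitivity problem in this thread is one instance of a wider one: different switches send Calling-Station-Id in different separators and cases. As an added example (not from the thread or from FreeRADIUS), the Python below normalises the address across those formats and matches it against a users-style authorized_macs file, returning ok or noop the way rlm_files does; the parser, the authorize helper and the sample file are constructed here. A MAC allow-list identifies only what a port claims to be, so it belongs in front of VLANs with nothing sensitive behind them.

```python
import re

# Added example, not code from the thread or from FreeRADIUS.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id):
    """Canonical lower-case 'xx-xx-xx-xx-xx-xx' form for 00-17-42-1C-44-68,
    00:17:42:1c:44:68, 0017.421c.4468 or 0017421c4468; None if not a MAC."""
    digits = re.sub(r"[-:.\s]", "", calling_station_id.strip()).lower()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_authorized_macs(text):
    """Parse the users-file layout raddb/authorized_macs uses: an entry starts
    at column 0 with the MAC, the indented lines that follow are comma-separated
    reply items. Check items after the key are ignored by this minimal parser.
    Returns {normalized_mac: {attribute: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            key = line.split()[0]
            mac = normalize_mac(key)
            if mac is None:
                raise ValueError("bad MAC key: %r" % key)
            current = entries.setdefault(mac, {})
        else:
            if current is None:
                raise ValueError("reply item before any entry: %r" % raw)
            for item in line.split(","):
                if item.strip():
                    name, value = item.split("=", 1)
                    current[name.strip()] = value.strip().strip('"')
    return entries


def authorize(calling_station_id, authorized):
    """Return (rcode, reply) like rlm_files: 'ok' with the entry's reply items
    when matched, 'noop' (not 'notfound') when nothing matches, which is what
    the '+[authorized_macs.authorize] returns noop' line above shows."""
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in authorized:
        return "noop", {}
    return "ok", dict(authorized[mac])


AUTHORIZED_MACS = """\
# constructed sample in raddb/authorized_macs layout
00-17-42-1c-44-68
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "4"
0011.2233.4455
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "1"
"""

if __name__ == "__main__":
    table = load_authorized_macs(AUTHORIZED_MACS)
    for csid in ("00-17-42-1C-44-68", "00:11:22:33:44:55", "00-17-42-1c-44-69"):
        print(csid, "->", authorize(csid, table))
```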

pam auth_radius and user database / session close error message

2010-08-23 Thread Chris Berger
Hi,

I'm using pam_auth_radius PAM module to authenticate against an RSA
SecurId radius server. It works fine but I need to pre-create the
users on the system. I was wondering if it's possible to use the LDAP
directory for the valid user accounts.

I'm under linux Debian/Lenny.
I tried to define pam_ldap in /etc/pam.d/common-account :

account sufficient  pam_ldap.so

and leave the common-auth use radius (also session)

auth    sufficient  pam_radius_auth.so debug

but it does not seem to work. I may be missing something. Theoretically I
think it's possible, isn't it?



Other little problem with the pam_auth_radius module, when restricting
permissions on the /etc/pam_auth_radius.conf file (shared secret for
RADIUS server), I get this message when closing the session :

pam_close_session: Cannot make/remove an entry for the specified session

details :

Aug 20 14:57:09 debian su[11840]: pam_unix(su:session): session opened
for user chris by root(uid=1001)
Aug 20 14:57:10 debian su[11840]: pam_radius_auth: Could not open
configuration file /etc/pam_radius_auth.conf: Permission denied
Aug 20 14:57:10 debian su[11840]: pam_unix(su:session): session closed
for user chris
Aug 20 14:57:10 debian su[11840]: pam_close_session: Cannot
make/remove an entry for the specified session


I think it's needed to contact the radius server for accounting, but
it is not a secure configuration, even if using one time passwords


Thanks for your help,


Chris



expiration linked to both huntgroup and user

2010-07-13 Thread Chris Tong
Hi,

So here's my hurdle. I have multiple groups and use hunt-groups plus
expiration time on the users for authentication. Assuming I have groups 1 and
2, how is it possible to link the expiration time to a group and the user and
not just for the user. The expiration time is set on a per user level (not
per group) which means a given user will either have access or not have
access. A user can not have access to hunt-group 1 with an expiration in 10
days as well as an access expiring in 2 hours on hunt-group B. 

I only want to have one user over the whole domain so do not want to create
multiple users and then append to the name on the incoming request and
authenticate against multiple users who are in fact the same. Is there any
other way round this problem?

Many thanks,

Chris


Re: framedipaddress

2010-05-12 Thread Chris Knipe
What are you authenticating? Where is the radius debug logs?

Chances are you are more than likely authenticating a Wireless Association
to the Access Point - not a PPP type of service where IP addresses are
involved.

Debug your radius logs a bit and perhaps post a bit more detail



2010/5/12 Paweł Pogorzelski ppogorzel...@gmail.com

 Listen we've already bought a complete meru system for the eduroam project and
 there is no turning back. There are many great features which only meru
 has.  Right now I must find a solution for this system.

 --
 Pozdrawiam/Best regards
 Paweł Pogorzelski
 e-mail: ppogorzel...@gmail.com





-- 

Regards,
Chris Knipe

Re: freeradius + PHP script

2010-04-29 Thread Chris Knipe
Use the exec module?



On Thu, Apr 29, 2010 at 11:26 AM, bslee (HKBU) bs...@hkbu.edu.hk wrote:

  Hi,

   How can I configure freeradius to invoke a PHP script  when an
 authentication request comes?
 The PHP script will access an MYSQL database and then returns reply to
 freeradius.

 Thanks & Regards,
 BS






-- 

Regards,
Chris Knipe

Re: How to convert User-Name to lower case

2010-02-15 Thread Chris

On Feb 15, 2010, at 12:26 PM, Bob Brandt wrote:

 
 I have spent the day searching the internet for a solution, but
 Nothing.  I refuse to believe I am the first human being ever to run
 into this problem...
 
 Please tell me someone has an idea.
 
 Thanks
 Bob

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-June/msg00335.html


Re: Allowing user from one realm but not another

2010-02-14 Thread Chris

On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

 Your idea is best.
 I think I will modify, but for a work around till I get a chance to get
 everything turned around.
 I will use Alan's example..
 
 My question is this
 Can his example contain more than one realm to reject between the quotes?
 
 bob   Realm != foo.net, Auth-Type := Reject
 

That's not the realm you're rejecting, but the one you're accepting, rejecting 
access if the username is bob and the realm is not equal to foo.net.


Re: Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-12 Thread Chris Knipe
Yes,

Simultaneous-Use is a check item, not a reply.

2010/2/12 Fojtán Balázs István bal...@fojtan.hu

 Hello Fajar,

  mysql> select * from radgroupreply;
  +----+-----------+------------------+----+-------+
  | id | GroupName | Attribute        | op | Value |
  +----+-----------+------------------+----+-------+
  |  1 | HZ        | Simultaneous-Use | := | 1     |
  +----+-----------+------------------+----+-------+
 
 Shouldn't this be on radgroupcheck?

 My radgroupcheck table is empty. Does it cause the problem?

 Regards,
 fbi






-- 

Regards,
Chris Knipe

Re: WPA Certificate Question

2010-01-30 Thread Chris

On Jan 30, 2010, at 6:39 PM, Peter Lambrechtsen wrote:

 On 31/01/2010, at 11:59 AM, Mike Diggins mike.digg...@mcmaster.ca wrote:
 
 
 I was able to get freeradius 2.1.3 and wireless WPA working, likely due to 
 the fact that FreeRadius was mostly configured for me (thanks ;) ). I’m a 
 little confused about the certificate that is required in the process, and 
 what the relationship is with the client, the Wireless Controller and the 
 FreeRadius server.  The README file states:
 
 “ In general, you should use self-signed certificates for 802.1x (EAP) 
 authentication.”
 
 Why self signed versus CA signed? Ideally I would like my clients to not be 
 questioned about the certificate at all. Is that even possible with WPA? If 
 I purchase a CA signed cert, would that eliminate the requirement on the 
 client to acknowledge the certificate or import it?
 
 It would also mean that anyone could go to the same CA, get a client 
 certificate and would be able to login to your wireless network. Not really 
 ideal IMHO ;)
 
 Hence why controlling your own CA, and managing the CRL or OCSP is the only 
 way to go if you want to properly maintain control over your wireless or 
 802.1x wired network.
 
 Minting certificates is pretty trivial depending on the CA software you are 
 using and importing a CA into every workstation is also easy using the 
 numerous tools available.
 
 My preference is to use the rootsupd package and extract that out and 
 update the p7b with your own ca. Then get everyone to run that, or use 
 software distribution to get it out enterprise wide.

Except that asking users to use one certificate is hard enough.  Expecting them 
to use one for WPA, one for email, etc just makes things worse.

It'd be nice to filter acceptable certificates by, say, regexp on the 
rfc822Name.

Accept certificate if:

It is signed by our chosen CA and the rfc822Name =~ /@ourdomain.com$/

StartCOM Class 2 puts the organizer's full name in the CN attribute.  That's 
already built into the eap filtering capabilities, if I understand things 
correctly.


Pam radius client and binding to mulitple IPs

2010-01-25 Thread Chris Tong

Hi everyone,

I realise that this may be somewhat a limitation of the PAM Radius Plugin for 
OpenVPN but have searched around for a week now to find a solution.

The problem I am having is that I have an OpenVPN proxy hub that has 3 
external IP addresses. I am using huntgroups to distinguish if a user can 
authenticate against an IP address and if so they receive an IP and default GW to 
a front end proxy (each front end proxy is located in a separate country). The 
idea is that a user of a specific group can only connect to an interface that 
he is a group member of. The authentication uses the pam radius plugin against 
a backend SQL / radius server. If I connect to int1 then the requests sent by 
the Radius plugin to the backend radius server have a source IP of int1. This 
works well and the user is authenticated and is provided a default GW to the 
front end proxy. However if the user connects to INT2 the NAS request still has 
the source IP address of INT1 and therefore the user is rejected because he is 
not a member of the INT1 grouping.

Is it possible to have multiple instances of the radius plugin each binding to 
a different interface so that the request seen by the Radius server via the PAM 
plugin has the correct source address? Is it possible to get the NAS to 
distinguish between the interfaces?

Cheers to all in advance (,)

Cj
  

Seeking FreeRADIUS Consultant

2009-11-08 Thread Chris Brunner
Hello,

I apologize in advance to those who might consider this a form of
advertising, but I've searched high and low in many other places and
I'm quickly running out of time and options.


My company needs to expand its FreeRADIUS deployment in a way that
will allow us to have multiple geographical locations reporting its
accounting information to a single RADIUS server.

I am more than willing to pay someone here by the hour to give me
advice by phone.

If you're interested, please contact me off-list via email or by phone
at +1 205-401-4081.


Best regards,
Chris Brunner


Re: Accounting help please

2009-07-01 Thread Chris

On Jun 30, 2009, at 10:43 PM, David Hobley wrote:


Chris,

When you put it like that, it does make rather a large amount of  
sense. Sorry about that. Login details attached.


Cheers,
David


Still don't see any accounting packets.  Did you configure a RADIUS  
accounting server in your NAS?  You usually have to set both  
authentication and accounting servers.


RADIUS Servers (including FreeRADIUS) do not generate accounting  
records based on authentication attempts.  They act on accounting  
packets sent by the NAS.







Re: Accounting help please

2009-06-30 Thread Chris


On Jun 30, 2009, at 3:29 PM, David Hobley wrote:


Hello,

I have freeradius2 configured and authenticating properly. I would  
like to be able to get radwho and radlast working properly, but for  
some reason the files do not get created (permission are correct in  
that directory). I thought I have set up accounting correctly, but  
obviously haven't. I have attached the output from radiusd -X, any  
pointers anyone could give me, I would appreciate.


The output I get from radwho and radlast is:

[r...@samba raddb]# radwho
radwho: Error reading /var/log/radius/radutmp: No such file or  
directory

[r...@samba raddb]# radlast
last: /var/log/radius/radwtmp: No such file or directory


Might help if you included debug output which included processing of  
an accounting packet.  Preferably a start and a stop.


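Both replies in this thread come down to the same point: accounting records exist only because the NAS sends Accounting-Request packets, and the server acts on them only after checking them against the shared secret. As an added example (not from the thread or from FreeRADIUS), the Python below builds an Accounting-Request "Start" the way a NAS does, verifies its Request Authenticator the way the server does (RFC 2866), and answers with an Accounting-Response; the attribute codes are the standard RADIUS ones, while the secret, NAS address, user and session id are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not code from the thread or from FreeRADIUS. Sample values
# below are constructed; the attribute and packet codes are RFC 2865/2866.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: str -> text, int -> 32-bit
    big-endian integer, bytes -> as given (socket.inet_aton for addresses)."""
    out = bytearray()
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        elif isinstance(value, int):
            value = struct.pack(">I", value)
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def decode_attrs(body):
    """Inverse of encode_attrs, returning raw (type, bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(body):
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, bytes(body[pos + 2:pos + length])))
        pos += length
    return attrs


def build_accounting_request(identifier, attrs, secret):
    """NAS side. Request Authenticator = MD5(Code + ID + Length + 16 zero
    octets + attributes + secret), so the packet cannot be forged or altered
    by anyone without the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side. Recompute the Request Authenticator; on a mismatch the
    server silently drops the packet, which is what a wrong secret looks like."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    header = struct.pack(">BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(request, response, secret):
    """NAS side. Proves the response came from a server holding the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


SECRET = b"testing123"   # constructed; use a long random secret per NAS in practice
SAMPLE_ATTRS = [         # constructed Accounting-Request "Start"
    (USER_NAME, "sample-user"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (NAS_PORT, 29),
    (ACCT_STATUS_TYPE, ACCT_START),
    (ACCT_SESSION_ID, "4a3629c8/00:00:5e:00:53:01/1"),
]

if __name__ == "__main__":
    req = build_accounting_request(146, SAMPLE_ATTRS, SECRET)
    print("request verifies:", verify_accounting_request(req, SECRET))
    resp = build_accounting_response(req, SECRET)
    print("response verifies:", verify_accounting_response(req, resp, SECRET))
```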


Robust proxy accounting

2009-06-17 Thread Chris Howley
Alan & Ivan,

I can confirm that the change made to the event.c file fixed the problem
with the robust proxy accounting. 

Many thanks for your help.

Chris



Re: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

2009-06-16 Thread Chris


On Jun 16, 2009, at 1:37 PM, Elias Abou Zeid wrote:


Ok, I have removed encrypted-key in Redback router which was causing
issue about shared secrets.

Now the subscriber config on Radius is as follows:

a...@radius  Cleartext-Password := test
   Service-Type = Framed-User,
   Framed-Protocol = PPP



From radius debug:


   rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
   rlm_realm: No such realm RADIUS



I think you need to either define a DEFAULT realm or define the RADIUS  
realm in proxy.conf


Either:

RADIUS {
}

Or:

DEFAULT {
}



Robust proxy accounting

2009-06-15 Thread Chris Howley
Alan,

This is the debug output using the latest release of 2.1.7 from 
http://git.freeradius.org/pre.

Thanks for your help in advance.

Chris

-Original Message-
From: Chris Howley [mailto:ecl...@netserv3.leeds.ac.uk]
Sent: 15 June 2009 12:07
To: Chris Howley
Subject: radius.debug4

ending Access-Accept of id 138 to 10.12.80.109 port 32769
User-Name = isschug
MS-MPPE-Recv-Key = 
0x7c4e32b6485bed39ef623ae3c45738d54144c1492d00df705cb1902ed60d5578
MS-MPPE-Send-Key = 
0x707c6949db85e4ebb023aaa8016fb3027bfaaf613fb82b92568ba62965235648
EAP-Message = 0x030b0004
Message-Authenticator = 0x
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3021,
Reply-Message = Welcome isschug - student
Finished request 9.
Going to the next request
Waking up in 0.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.1 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=146, 
length=156
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a3629c8/00:13:02:8d:f3:1f/53
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 
10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 
4a3629c8/00:13:02:8d:f3:1f/53,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 04fae10ff02490f4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 - 
/usr/local/var/log/radius/radacct/2009-06-15/accounting-detail-12:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 
expands to /usr/local/var/log/radius/radacct/2009-06-15/accounting-detail-12:00
[detail]expand: %{Packet-Src-IP-Address} - %t - 10.12.80.109 - Mon Jun 
15 12:00:24 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
expand: %{Client-IP-Address} - 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) - TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) - TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - 
/usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - isschug
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
 server home.example.com {
 }
Sending Accounting-Request of id 159 to 129.11.162.17 port 1813
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a3629c8/00:13:02:8d:f3:1f/53
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
Proxy-State = 0x313436
Proxying request 10 to home server 129.11.162.17 port 1813
Sending Accounting-Request of id 159 to 129.11.162.17 port 1813
User-Name = isschug
NAS-Port = 29
NAS-IP-Address

Robust proxy accounting

2009-06-12 Thread Chris Howley
Ivan,

I doubled the value of cleanup delay in radiusd.conf. This change didn't fix 
the problem (see below).

Thanks for your help,

Chris

++[exec] returns noop
Sending Access-Accept of id 88 to 10.12.80.109 port 32769
User-Name = isschug
MS-MPPE-Recv-Key = 
0x529e91a0004dce6a6ba2d81c79eeeb98aa3bc7c08880c37d95236064ef786280
MS-MPPE-Send-Key = 
0x59005da107574a481d3a7d580821be64872d65153f9767789e79a51f84880994
EAP-Message = 0x030b0004
Message-Authenticator = 0x
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3021,
Reply-Message = Welcome isschug - student
Finished request 9.
Going to the next request
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=137, 
length=156
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 
10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 
4a323344/00:13:02:8d:f3:1f/49,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 829905a4bf02a129.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 - 
/usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-11:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 
expands to /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-11:00
[detail]expand: %{Packet-Src-IP-Address} - %t - 10.12.80.109 - Fri Jun 
12 11:51:48 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
expand: %{Client-IP-Address} - 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) - TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) - TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - 
/usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - isschug
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
 server home.example.com {
 }
Sending Accounting-Request of id 167 to 129.11.162.17 port 1813
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
Proxy-State = 0x313337
Proxying request 10 to home server 129.11.162.17 port 1813
Sending Accounting-Request of id 167 to 129.11.162.17 port 1813
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a323344/00:13:02:8d:f3:1f/49
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
Proxy-State = 0x313337
Going

Robust proxy accounting

2009-06-12 Thread Chris Howley
Alan,

Here's the output from FR2.1.7.

Thanks for your help in advance,

Chris


++[exec] returns noop
Sending Access-Accept of id 128 to 10.12.80.109 port 32769
User-Name = isschug
MS-MPPE-Recv-Key = 
0x3019b4c8f9f76bb2fc4d69edbc20e98377351a661c0b412c760cd773e3b4c5f5
MS-MPPE-Send-Key = 
0x5c7923cd941d8d7bd673b823632371b01435f0590105a5c38211b89b04fdea1b
EAP-Message = 0x030b0004
Message-Authenticator = 0x
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3021,
Reply-Message = Welcome isschug - student
Finished request 20.
Going to the next request
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.8 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.2 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Cleaning up request 11 ID 119 with timestamp +601
Cleaning up request 12 ID 120 with timestamp +601
Cleaning up request 13 ID 121 with timestamp +601
Cleaning up request 14 ID 122 with timestamp +601
Cleaning up request 15 ID 123 with timestamp +601
Cleaning up request 16 ID 124 with timestamp +601
Cleaning up request 17 ID 125 with timestamp +601
Cleaning up request 18 ID 126 with timestamp +601
Cleaning up request 19 ID 127 with timestamp +601
Cleaning up request 20 ID 128 with timestamp +601
Waking up in 0.5 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=144, 
length=156
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a327dde/00:13:02:8d:f3:1f/52
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 
10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 
4a327dde/00:13:02:8d:f3:1f/52,User-Name = isschug'
[acct_unique] Acct-Unique-Session-ID = 5b58953f85bf5074.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschug, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 - 
/usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-17:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 
expands to /usr/local/var/log/radius/radacct/2009-06-12/accounting-detail-17:00
[detail]expand: %{Packet-Src-IP-Address} - %t - 10.12.80.109 - Fri Jun 
12 17:10:06 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
expand: %{Client-IP-Address} - 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) - TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) - TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - 
/usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - isschug
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - isschug
 attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.accounting_response] returns updated
 server home.example.com {
 }
Sending Accounting-Request of id 253 to 129.11.162.17 port 1813
User-Name = isschug
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a327dde/00:13:02:8d:f3:1f/52
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN

Robust proxy accounting

2009-06-11 Thread Chris Howley
Ivan,

When both RADIUS servers are operational robust proxying works. When one of the 
servers is
unreachable the other server (that's attempting to proxy an accounting request) 
will delete
the detail.work file from the listener's sub-directory after failing to get a 
response from
the other server.

Thanks for your help.

Chris

++[exec] returns noop
Sending Access-Accept of id 67 to 10.12.80.109 port 32769
User-Name = isschrpg
MS-MPPE-Recv-Key = 
0x240dd3ada2d5904bf049fc2bd7afdfc8b1a2b589b4eb3974235cf04143f138d1
MS-MPPE-Send-Key = 
0x638979dd5d59705051793c16de1509508e39fd9722d56198d52da2286bb69879
EAP-Message = 0x030b0004
Message-Authenticator = 0x
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3021,
Reply-Message = Welcome isschrpg - student
Finished request 9.
Going to the next request
Waking up in 0.3 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 1.0 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.9 seconds.
Polling for detail file 
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Waking up in 0.7 seconds.
rad_recv: Accounting-Request packet from host 10.12.80.109 port 32769, id=123, 
length=157
User-Name = isschrpg
NAS-Port = 29
NAS-IP-Address = 10.12.80.109
Framed-IP-Address = 129.11.1.138
NAS-Identifier = WM07-1
Airespace-Wlan-Id = 1
Acct-Session-Id = 4a30b4a8/00:13:02:8d:f3:1f/44
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3022
Acct-Status-Type = Start
Calling-Station-Id = 129.11.1.138
Called-Station-Id = 10.12.80.109
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 
10.12.80.109,NAS-IP-Address = 10.12.80.109,Acct-Session-Id = 
4a30b4a8/00:13:02:8d:f3:1f/44,User-Name = isschrpg'
[acct_unique] Acct-Unique-Session-ID = aeb3d50af9d33fb8.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = isschrpg, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 - 
/usr/local/var/log/radius/radacct/2009-06-11/accounting-detail-08:00
[detail] /usr/local/var/log/radius/radacct/%Y-%m-%d/accounting-detail-%H:00 
expands to /usr/local/var/log/radius/radacct/2009-06-11/accounting-detail-08:00
[detail]expand: %{Packet-Src-IP-Address} - %t - 10.12.80.109 - Thu Jun 
11 08:39:20 2009
++[detail] returns ok
++? if (%{Client-IP-Address} != 129.11.162.17)
expand: %{Client-IP-Address} - 10.12.80.109
? Evaluating (%{Client-IP-Address} != 129.11.162.17) - TRUE
++? if (%{Client-IP-Address} != 129.11.162.17) - TRUE
++- entering if (%{Client-IP-Address} != 129.11.162.17) {...}
+++[control] returns ok
++- if (%{Client-IP-Address} != 129.11.162.17) returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - 
/usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - isschrpg
++[radutmp] returns ok
[sql]   expand: %{Stripped-User-Name} -
[sql]   expand: %{User-Name} - isschrpg
[sql]   expand: %{%{User-Name}:-DEFAULT} - isschrpg
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - isschrpg
[sql] sql_set_user escaped user -- 'isschrpg'
[sql]   expand: %{Acct-Delay-Time} -
[sql]   expand:INSERT INTO radacct (acctsessionid,  
acctuniqueid, username,realm,  nasidentifier,
nasipaddress, nasportid,  nasporttype,acctstarttime,
acctstoptime,  acctsessiontime,acctauthentic,
connectinfo_start,  connectinfo_stop,   acctinputoctets,  
acctoutputoctets,  calledstationid,callingstationid, 
tunneltype, tunnelmedium,  tunnelgroupid, acctterminatecause, 
servicetype,framedprotocol,  framedipaddress,
acctstartdelay,   acctstopdelay)   VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',  
'%{SQL-User-Name}',  '%{Realm}', '%{NAS-Identifier}', 
'%{NAS-IP-Address}', '%{NAS-Port}',  '%{NAS-Port-Type}', '%S', 
'-00-00 00:00:00',  '0', '%{Acct-Authentic}', 
'%{Connect-Info}',  '', '0', '0',  
'%{Called-Station-Id}', !
  '%{Calling-Station-Id}
[sql]   expand: /usr/local/var/log/radius/sqltrace.sql - 
/usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query

Robust proxy accounting

2009-06-10 Thread Chris Howley
Alan,

I used the example configuration and got the same result.

 Sending proxied request internally to virtual server.
server acct_detail.example.com {
+- entering group accounting {...}
[detail.example.com] Suppressing writes to detail file as the request was just 
read from a detail file.
++[detail.example.com] returns noop
} # server acct_detail.example.com
Going to the next request
 Received proxied response from internal virtual server.
 server home.example.com {
 }

1) The following is in the robust-proxy-accounting file.

#  (5) Define the virtual server to write the packets to the detail file
#  This will be called when ALL home servers are down, because of the
#  fallback configuration in the home server pool.
server acct_detail.example.com {
accounting {
detail.example.com
}
}

#  (6) Define a virtual server to handle pre/post-proxy re-writing
server home.example.com {
pre-proxy {
#  Insert pre-proxy rules here
}

post-proxy {
#  Insert post-proxy rules here

#  This will be called when the CURRENT packet failed
#  to be proxied.  This may happen when one home server
#  suddenly goes down, even though another home server
#  may be alive.
#
#  i.e. the current request has run out of time, so it
#  cannot fail over to another (possibly) alive server.
#
#  We want to respond to the NAS, so that it can stop
#  re-sending the packet.  We write the packet to the
#  detail file, where it will be read, and sent to
#  another home server.
#
Post-Proxy-Type Fail {
detail.example.com
}
}


#  Read accounting packets from the detail file(s) for
#  the home server.
#
#  Note that you can have only ONE listen section reading
#  detail files from a particular directory.  That is why the
#  destination host name is used as part of the directory name
#  below.  Having two listen sections reading detail files
#  from the same directory WILL cause problems.  The packets
#  may be read by one, the other, or both listen sections.
listen {
type = detail
filename = ${radacctdir}/detail.example.com/detail-*:*
load_factor = 10
}

#  All packets read from the detail file are proxied back to
#  the home servers.
#
#  The normal pre/post-proxy rules are applied to them, too.
#
#  If the home servers are STILL down, then the server stops
#  reading the detail file, and queues the packets for a later
#  retransmission.  The Post-Proxy-Type Fail handler is NOT
#  called.
#
#  When the home servers come back up, the packets are forwarded,
#  and the detail file processed as normal.
accounting {
# You may want accounting policies here...

update control {
Proxy-To-Realm := acct_realm.example.com
}
}

}

2. I moved the following from the robust-proxy-accounting file to the 
proxy.conf file.

#  (1) Define two home servers.
home_server home1.example.com {
type = acct
ipaddr = 129.11.162.17
port = 1813
secret = removed

#  Mark this home server alive ONLY when it starts being responsive
status_check = status-server
#status_check = request
#username = test_user_status_check

#  Set the response timeout aggressively low.
#  You MAY have to increase this, depending on tests with
#  your local installation.
response_window = 6
}

#  (2) Define a virtual server to be used when both of the
#  home servers are down.
home_server acct_detail.example.com {
virtual_server = acct_detail.example.com
}

#  Put all of the servers into a pool.
home_server_pool acct_pool.example.com {
type = load-balance # other types are OK, too.

home_server = home1.example.com
# add more home_server's here.

# If all home servers are down, try a home server that
# is a local virtual server.
fallback = acct_detail.example.com

# for pre/post-proxy policies
virtual_server = home.example.com
}

#  (3) Define a realm for these home servers.
#  It should NOT be used as part of normal proxying decisions!
realm acct_realm.example.com {
acct_pool = acct_pool.example.com
}

Chris Howley





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
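The configuration above works because every accounting packet that cannot be proxied is written to a detail file and replayed later. Whatever consumes those records (the SQL backend, a NAC system, a forensic timeline) will therefore see the same Accounting-Request more than once: once from the Post-Proxy-Type Fail write, and again when the NAS retransmits (the debug output in this thread shows the same Start being sent twice under proxy id 159 and 167). The following is an added example, written for this thread and not FreeRADIUS code or the poster's configuration, of reading a detail file and collapsing such replays before they are counted. The sample file is constructed in the shape rlm_detail writes (a timestamp line, tab-indented "Attribute = value" lines, a blank line between records); its values are taken from the debug output above. The fallback hash in `replay_key` uses the same attributes rlm_acct_unique reports hashing in the debug output, but is not claimed to be byte-identical to rlm_acct_unique's own value.

```python
"""
Reader for FreeRADIUS detail accounting files with replay-safe de-duplication.
Added example for this thread; not FreeRADIUS code.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed sample: the Start record appears twice, which is what the
# robust-proxy-accounting setup produces when the first proxy attempt fails
# (Post-Proxy-Type Fail writes the packet to the detail file) and the NAS
# also retransmits the same Accounting-Request.  The third record has no
# Acct-Unique-Session-Id so that the fallback key is exercised.
SAMPLE_DETAIL = """\
Mon Jun 15 12:00:24 2009
\tPacket-Type = Accounting-Request
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tNAS-Port = 29
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "04fae10ff02490f4"
\tTimestamp = 1245067224

Mon Jun 15 12:00:30 2009
\tPacket-Type = Accounting-Request
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tNAS-Port = 29
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "04fae10ff02490f4"
\tTimestamp = 1245067230

Mon Jun 15 12:45:10 2009
\tPacket-Type = Accounting-Request
\tUser-Name = "isschug"
\tNAS-IP-Address = 10.12.80.109
\tNAS-Port = 29
\tAcct-Session-Id = "4a3629c8/00:13:02:8d:f3:1f/53"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 2686
\tTimestamp = 1245069910
"""


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record.  The non-indented timestamp line is kept
    under "_header"; surrounding double quotes on values are stripped."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if record:
                yield record
                record = {}
            continue
        if not line.startswith(("\t", " ")):
            if record:                  # header without a preceding blank line
                yield record
            record = {"_header": line.strip()}
            continue
        name, sep, value = line.strip().partition(" = ")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        record[name] = value.strip('"')
    if record:
        yield record


def replay_key(rec: Dict[str, str]) -> Tuple[str, str, str]:
    """Identity of a record for replay detection.  Prefers the server-side
    Acct-Unique-Session-Id; otherwise hashes the attributes rlm_acct_unique
    is shown hashing in the debug output (assumption: not byte-identical to
    the module's own value).  Acct-Session-Time keeps distinct Interim-Update
    records apart while still collapsing a retransmitted one."""
    uid = rec.get("Acct-Unique-Session-Id")
    if not uid:
        key = ",".join(f"{a} = {rec.get(a, '')}" for a in
                       ("NAS-Port", "NAS-IP-Address", "Acct-Session-Id", "User-Name"))
        uid = hashlib.md5(key.encode()).hexdigest()[:16]
    return (uid, rec.get("Acct-Status-Type", ""), rec.get("Acct-Session-Time", ""))


def dedupe(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop records whose replay_key was already seen, preserving order."""
    seen: Set[Tuple[str, str, str]] = set()
    kept: List[Dict[str, str]] = []
    for rec in records:
        key = replay_key(rec)
        if key in seen:
            continue
        seen.add(key)
        kept.append(rec)
    return kept


def session_summary(text: str) -> Dict[str, object]:
    """Count de-duplicated records per Acct-Status-Type and list the users."""
    recs = dedupe(parse_detail(text))
    by_status: Dict[str, int] = {}
    for rec in recs:
        status = rec.get("Acct-Status-Type", "?")
        by_status[status] = by_status.get(status, 0) + 1
    return {"records": len(recs), "by_status": by_status,
            "users": sorted({r.get("User-Name", "") for r in recs})}


if __name__ == "__main__":
    print(session_summary(SAMPLE_DETAIL))
```

The point for an accounting backend is that replay from a detail file is at-least-once delivery: an INSERT keyed on the session that refuses duplicates (or an upsert on Acct-Unique-Session-Id) is what makes the robust-proxy setup safe to use, because the detail reader gives no guarantee that a record is forwarded only once.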


Robust proxy accounting

2009-06-10 Thread Chris Howley
Alan,

Thank you for your help. I've removed the configuration from the proxy.conf and 
I'm now using
the original robust-proxy-accounting file. However, the problem persists - the 
detail.work
file is being erased.

Chris 

-Original Message-
From: freeradius-users-bounces+c.p.howley=leeds.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+c.p.howley=leeds.ac...@lists.freeradius.org] 
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: 10 June 2009 11:00
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 50, Issue 56

Message: 1
Date: Wed, 10 Jun 2009 10:18:04 +0100
From: a.l.m.bu...@lboro.ac.uk
Subject: Re: Robust proxy accounting
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 20090610091804.gc7...@lboro.ac.uk
Content-Type: text/plain; charset=us-ascii

Hi,

 I used the example configuration and got the same result.

.

 2. I moved the following from the robust-proxy-accounting file to the 
 proxy.conf file.

why?


the robust-accounting stuff is a self-contained virtual server. by putting
this into proxy.conf you have introduced (or reintroduced) a loop mechanism.
I can think of no reason to have moved this configuration from the virtual
server...this isn't plain config. the virtual server is a virtual instance.
by putting this code into the main proxy.conf it may/will get triggered by other
instances.

alan






Robust proxy accounting

2009-06-09 Thread Chris Howley
Alan,

I'm hoping you can help me. We're currently testing FR2.1.6 and robust proxy 
accounting.
We have two servers running FR2.1.6. When both servers are operational the 
relaying of
accounting packets works. However, when one of the servers is down the other 
operational
server fails to retain the accounting data. The software deletes the 
detail.work file
and any other detail files stored in the listener's sub-directory. Looking at 
the debug
output the only thing that's different after the last time that the detail.work 
file is
accessed is shown below.

A copy of the debug output is available at: 
http://netgrp-pc052.leeds.ac.uk/radiusd.debug.txt

Thanks, 

Chris Howley

 Sending proxied request internally to virtual server.
server acct_detail.leeds.ac.uk {
+- entering group accounting {...}
[detail.leeds.ac.uk] Suppressing writes to detail file as the request was just 
read from a detail file.
++[detail.leeds.ac.uk] returns noop
} # server acct_detail.leeds.ac.uk
Going to the next request
 Received proxied response from internal virtual server.



PEAP EAP-TLS not replying with Access-Accept message

2009-05-22 Thread Chris Studt
I've been debugging this for awhile and I still can't find a solution to
the problems I'm having. I'm running freeradius in this pattern:

Active Directory - MS-CHAP - Freeradius - Cisco Switch - Windows XP SP3

I seem to be getting the error that is described here:
http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine

I've run through and created the SSL certificates as described with the
Windows OID's and I still seem to be getting the same issues. I have the
actual AD authentication setup as described here:
http://deployingradius.com/documents/configuration/active_directory.html

I've turned off certificate validation on the Windows XP host and still no
dice. I ran the EAP debugging as show here:
http://deployingradius.com/documents/configuration/eap-problems.html

and I have posted the results here:
http://www.mythdragon.com/freeradius-debug/

The output of freeradius -X when I attempt a connection is like this:

rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=76,
length=150
User-Name = chris
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-XX-XX-XX-XX-XX
Calling-Station-Id = 00-YY-YY-YY-YY-YY
EAP-Message = 0x0201000b01637374756474
Message-Authenticator = 0x8ffd4ec097ed474d2acfdbd06ce668ec
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = GigabitEthernet1/0/10
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 76 to 10.10.10.15 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x99671c6699650575d57e32307d8902b7
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=77,
length=237
User-Name = chris
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-XX-XX-XX-XX-XX
Calling-Station-Id = 00-YY-YY-YY-YY-YY
EAP-Message =
0x02020050198000461603010041013d03014a16f9f81d590cd2812aba8c635f832ec313fc9cd6070f2bcdb13efd9f9c854310
Message-Authenticator = 0x852be4c5dbca1b2f6653ddaef5525a62
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = GigabitEthernet1/0/10
State = 0x99671c6699650575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 77 to 10.10.10.15 port 1645
EAP-Message =
0x0103040019c0089b160301002a022603014a16f9f822ffc89286e662e0256b43e66215ad341c85a29e778755224a23e68709
EAP-Message =
0x301e170d3039303532323138353235395a170d3130303532323138353235395a307c310b3009060355040613024652310f300d060355040e
EAP-Message =
0x16e1a3903966209e8ab8733cc6c04e80a7b972a847ad3b172844cfe65eb4080ce9170bc842dfb0a6c747fda85e5890ba53ccf0b16757e60b
EAP-Message =
0x4e837b84ca468c64275107fe93f5470153c858eb12e74f02ab7bd52ccf54add01488f9987b9a49a8ba1e8e2208c8ade2a727261a596bb4c4
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x
State = 0x99671c6698640575d57e32307d8902b7
Finished request 37.
Going to the next request
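The debug output above is easier to follow once the EAP-Message values are decoded: `0x0201000b01637374756474` is an EAP Response (code 2), identifier 1, length 11, type 1 (Identity) carrying the name "cstudt", and `0x010200061920` is the server's EAP Request, identifier 2, type 25 (PEAP) with only the S (Start) flag set, which is why the server logs "[tls] Initiate". The following is an added example written for this thread, not FreeRADIUS code, that decodes the attribute as `radiusd -X` prints it. The first two sample values are copied from the debug output above; the longer PEAP fragments on this page are truncated in the archive, so the third sample is constructed to carry the L flag, the 70-byte TLS length and a ClientHello record header matching what the debug shows ("TLS Length 70", "TLS 1.0 Handshake [length 0041], ClientHello").

```python
"""
Decoder for RADIUS EAP-Message attribute values as printed by radiusd -X.
Added example for this thread; not FreeRADIUS code.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# Flag bits in the byte after Type for EAP-TLS / EAP-TTLS / PEAP
FLAG_LENGTH, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20
TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert",
               0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VERSION = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# Sample values: the first two are copied verbatim from the debug output.
IDENTITY_RESPONSE = "0x0201000b01637374756474"
PEAP_START = "0x010200061920"
# Constructed: a PEAP Response with the L flag, a 70-byte TLS payload whose
# record header announces a ClientHello (the hello body is zero filler).
_tls = bytes.fromhex("1603010041") + b"\x01" + bytes(64)
_peap = bytes([25, FLAG_LENGTH]) + struct.pack("!I", len(_tls)) + _tls
PEAP_FRAGMENT = "0x" + (struct.pack("!BBH", 2, 2, 4 + len(_peap)) + _peap).hex()


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    identity: Optional[str] = None
    flags: Dict[str, bool] = field(default_factory=dict)
    tls_length: Optional[int] = None
    tls_record: Optional[str] = None


def decode_eap_message(hex_value: str) -> EapMessage:
    """Parse one EAP-Message value; raise ValueError on malformed input."""
    raw = bytes.fromhex(hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(raw):
        # RFC 3748: Length covers the whole EAP packet.  A mismatch means a
        # damaged or mis-reassembled attribute; do not guess around it.
        raise ValueError(f"EAP Length {length} but {len(raw)} bytes present")
    msg = EapMessage(EAP_CODES[code], ident, length)
    if code in (3, 4):                      # Success/Failure carry no Type
        return msg
    if len(raw) < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, payload = raw[4], raw[5:]
    msg.eap_type = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type == 1:
        msg.identity = payload.decode("utf-8", "replace")
    elif eap_type in (13, 21, 25) and payload:
        flags = payload[0]
        msg.flags = {"L": bool(flags & FLAG_LENGTH),
                     "M": bool(flags & FLAG_MORE),
                     "S": bool(flags & FLAG_START)}
        rest = payload[1:]
        if msg.flags["L"]:
            if len(rest) < 4:
                raise ValueError("L flag set but no TLS Message Length field")
            msg.tls_length = struct.unpack("!I", rest[:4])[0]
            rest = rest[4:]
        if len(rest) >= 5 and rest[0] in TLS_CONTENT:
            ver = TLS_VERSION.get((rest[1], rest[2]), f"version {rest[1]}.{rest[2]}")
            reclen = struct.unpack("!H", rest[3:5])[0]
            desc = f"{TLS_CONTENT[rest[0]]} {ver} [length {reclen:04x}]"
            if rest[0] == 0x16 and len(rest) >= 6:
                hs_name = HANDSHAKE.get(rest[5], f"handshake-{rest[5]}")
                desc += f", {hs_name}"
            msg.tls_record = desc
    return msg


if __name__ == "__main__":
    for value in (IDENTITY_RESPONSE, PEAP_START, PEAP_FRAGMENT):
        print(decode_eap_message(value))
```

The length check is deliberate: the Length field is part of what the Message-Authenticator protects, and a NAS that re-fragments EAP across several EAP-Message attributes must be reassembled (concatenated in order) before decoding, or the check fails. Decoding the exchange this way also makes the failure mode in this thread visible: the server's last message is an Access-Challenge carrying a PEAP Request, and the client simply never answers it.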

Re: PEAP EAP-TLS not replying with Access-Accept message

2009-05-22 Thread Chris Studt
 Chris Studt wrote:
 I've been debugging this for awhile and I still can't find a solution to
 the problems I'm having. I'm running freeradius in this pattern:

 Active Directory - MS-CHAP - Freeradius - Cisco Switch - Windows
 XP SP3

   And Samba.  Don't forget Samba.

   And it's not that the server doesn't reply with Access-Accept.  It
 replies with a challenge, and the client never sends the next packet.

 The output of freeradius -X when I attempt a connection is like this:
 ...
 [mschapv2] +- entering group MS-CHAP {...}
 ...
  expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=4e97ec9325450dea
  expand: --nt-response=%{mschap:NT-Response:-00} -
 --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
 Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
 Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
 Exec-Program: returned: 0
 ++[mschap] returns ok
 MSCHAP Success
 ...
 Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
  EAP-Message =
 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
  Message-Authenticator = 0x
  State = 0x99671c669e6e0575d57e32307d8902b7
 Finished request 43.
 Going to the next request
 Waking up in 4.8 seconds.
 Cleaning up request 36 ID 76 with timestamp +422

   OK.  That problem is becoming more common.

 Any help you guys can give me would be very appreciated. I know this
 issue
 has been posted here before, but it seems like the results I'm getting
 from all the solutions I've seen aren't fixing my problem.

   Please post:

   1) OS you're using to run RADIUS.
   2) version of Active Directory
   3) version of Samba

   Then, try *downgrading* samba to an earlier version.  Keep going
 backwards until it works.  Then, post the version of Samba where it
 starts working.

   I've asked the Samba people if they know anything more about this, but
 have seen no response.  If this is common, I'll open a bug with them,
 and see if it can get larger attention.

   Alan DeKok.


Thanks for the help, yes I am using Samba between AD and Freeradius.

The OS I'm running on the Freeradius server is Ubuntu 8.10.
I'm running a OpenSSL patched package of Freeradius 2.1.0+dfsg-0ubuntu2.
The Active Directory server is Windows Server 2003.
The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.

I will begin downgrading my Samba and see if that changes anything.

Chris Studt




Re: PEAP EAP-TLS not replying with Access-Accept message

2009-05-22 Thread Chris Studt
   Please post:

   1) OS you're using to run RADIUS.
   2) version of Active Directory
   3) version of Samba

   Then, try *downgrading* samba to an earlier version.  Keep going
 backwards until it works.  Then, post the version of Samba where it
 starts working.

   I've asked the Samba people if they know anything more about this, but
 have seen no response.  If this is common, I'll open a bug with them,
 and see if it can get larger attention.

 Thanks for the help, yes I am using Samba between AD and Freeradius.

 The OS I'm running on the Freeradius server is Ubuntu 8.10.
 I'm running a OpenSSL patched package of Freeradius 2.1.0+dfsg-0ubuntu2.
 The Active Directory server is Windows Server 2003.
 The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.

 I will begin downgrading my Samba and see if that changes anything.

Samba was exactly the issue. I downgraded from the ubuntu intrepid
version of Samba (3.2.3-1ubuntu3.4) to the ubuntu hardy version of Samba
(3.0.28a-1ubuntu4.7) and my Windows XP clients started authenticating
right away.

Thanks guys, you saved me quite a bit of headache.

Chris Studt


