Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus!

Does FreeRADIUS give a fig about what the username is? If it were all numeric, 
say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?

If there was to be an issue, it would be the back end authentication system 
Unix/LDAP/AD etc and what it finds acceptable right?

Thanks as always...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_perl issue

2013-08-22 Thread Dean, Barry
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP 
mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by 
the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, 
basically:

$var = PAN::API::UID->new( ip of server );
$var->add( type login/logout, username, Framed-IP-Address );
$var->submit();

which is added in the sub preacct () of the perl module...

then call this in preacct {}

There are a couple of issues with this module that I am going to try and 
address:

1) Connections
new only instantiates an empty object
add adds the values to a hash
submit opens an TCP SSL connection, sends the hash as XML, then 
closes the connection.
With all the work being done in submit you have to create and tear down an 
SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors
If the socket set-up fails, the PAN::API module calls croak(), which on 
my system terminated FreeRADIUS, which seems like what would happen?

Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = 
/etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket.  at 
/etc/raddb/perl.pl line 474

Socket setup failed I am guessing because of all the open/close socket 
activity? Looks like the Windows 2008R2 server either blocked this as a 
suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on 
the object to open and close the SSL connection, then use a pattern like:

{ # Static block start
    my $object = PAN::API::UID->new( IP );
    $object->connectssl();

    sub preacct {
        $object->add( params );
        $object->submit();
    }
}

closing the SSL would not be needed in effect as we run forever, and I 
wouldn't know where to place it as there is no function called on an rlm_perl 
module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl 
module? I would have thought exit(), die(), croak() etc are all bad and that 
returning quietly, optionally setting an error code, would be better? Then back 
in sub preacct () you could check the error and log with radiusd::radlog() 
and do a return RLM_MODULE_NOOP?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department

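An added example, written for this page rather than taken from Barry's module or from PAN::API (whose internals the post only describes): an rlm_perl preacct hook built the way the post proposes. A hypothetical UidSender class stands in for the vendor object; it connects once, keeps the connection across accounting requests, backs off after a failure, and reports errors with die() rather than croak(). The preacct sub traps that with eval, logs through radiusd::radlog and returns RLM_MODULE_NOOP, so a dead agent degrades to a log line instead of terminating radiusd. The transport code ref, the back-off values and the command-line demo are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Barry's module and not PAN::API: an rlm_perl preacct hook
# that keeps one sender object for the life of the interpreter and turns any
# transport failure into a logged RLM_MODULE_NOOP instead of a croak().
use strict;
use warnings;

# Return codes rlm_perl understands (the numbers from FreeRADIUS's example.pl).
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

our %RAD_REQUEST;   # filled in by rlm_perl before each call

# rlm_perl provides radiusd::radlog; define a stand-in so the file also runs
# from the command line.
unless (defined &radiusd::radlog) {
    *radiusd::radlog = sub { my ($lvl, $msg) = @_; print STDERR "[$lvl] $msg\n" };
}

# Hypothetical replacement for the vendor object: connect once, reuse the
# connection, and report failures with die() so the caller decides what to do.
package UidSender;

sub new {
    my ($class, %opt) = @_;
    return bless { transport => $opt{transport}, connected => 0,
                   failures => 0, next_retry => 0 }, $class;
}

sub ensure_connected {
    my $self = shift;
    return 1 if $self->{connected};
    die "agent unreachable, retrying later\n" if time < $self->{next_retry};
    # Real code opens the SSL socket here and keeps it in $self.
    $self->{connected} = 1;
    return 1;
}

sub submit {
    my ($self, %rec) = @_;
    $self->ensure_connected;
    my $ok = eval { $self->{transport}->(\%rec); 1 };
    unless ($ok) {
        my $err = $@ || "unknown error";
        $self->{connected} = 0;
        $self->{failures}++;
        # Back off (2, 4, 8 ... 64 s) so a dead agent is not reconnected to
        # on every accounting packet.
        my $exp = $self->{failures} > 6 ? 6 : $self->{failures};
        $self->{next_retry} = time + 2 ** $exp;
        die "submit failed: $err";
    }
    $self->{failures} = 0;
    return 1;
}

package main;

# Placeholder transport (assumed): write $rec as XML to the open socket.
sub send_record { my ($rec) = @_; die "no transport configured\n" }

{
    # Built once when rlm_perl loads the file, shared by every call to preacct.
    my $sender = UidSender->new(transport => \&send_record);

    sub set_transport { $sender = UidSender->new(transport => shift) }

    sub preacct {
        my $type = $RAD_REQUEST{'Acct-Status-Type'};
        return RLM_MODULE_NOOP
            unless defined $type && ($type eq 'Start' || $type eq 'Stop');
        my $ok = eval {
            $sender->submit(
                action => ($type eq 'Start' ? 'login' : 'logout'),
                user   => $RAD_REQUEST{'User-Name'},
                ip     => $RAD_REQUEST{'Framed-IP-Address'},
            );
            1;
        };
        unless ($ok) {
            chomp(my $err = $@);
            radiusd::radlog(4, "uid agent: $err");   # 4 is L_ERR
            return RLM_MODULE_NOOP;                  # accounting still proceeds
        }
        return RLM_MODULE_OK;
    }
}

# Command-line demo (UID_DEMO=1 perl uid_agent.pl): a constructed transport
# that accepts the first record and then drops the connection.
if ($ENV{UID_DEMO}) {
    my $calls = 0;
    set_transport(sub { die "connection reset by peer\n" if ++$calls == 2 });
    for my $t (qw(Start Start Interim-Update Stop)) {
        %RAD_REQUEST = ('Acct-Status-Type' => $t, 'User-Name' => 'alice',
                        'Framed-IP-Address' => '10.0.0.1');
        printf "%-14s returns %d\n", $t, preacct();
    }
}
```

In the demo the first Start is sent, the second Start fails and is logged, the Interim-Update is ignored, and the Stop is refused by the back-off without touching the socket; every call still returns to radiusd. Returning NOOP rather than FAIL is a choice: the accounting packet is acknowledged to the NAS even when the agent is down, which is what you want if the user-ID mapping is advisory and not what you want if it is a control.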


Re: global hash variable perl

2011-02-28 Thread Dean, Barry
Yes. Do something like this:

{
    my %static_global_hash = ();

    sub post_auth {
        ...
    }
    ...
}

static_global_hash will then be available on each call to the subs so you can 
store some kind of state between requests that you handle.

The trick is placing the whole lot into a {} block. Perl can be odd at times...

On 25 Feb 2011, at 20:25, Vinh Nguyen wrote:


hi all,

I was able to setup my freeradius to use perl and mysql. Things are working
ok. I wanted to use a global hash variable to store information. This way
all other requests can also access this hash variable. Is this doable? I
know you can use mysql for this purpose, but i wanted to reduce the # of
mysql hits.

Thanks.

--
Computer Science B.S. at Texas AM
C# .Net Developer
Server Analyst.


--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department



---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn

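An added example, not code from either post, of the static-block pattern with state that is actually bounded: a file-scoped hash records recent successful authentications per user and expires old entries, so the hash cannot grow for as long as radiusd runs. The window, the threshold and the demo input are constructed values. One caveat worth knowing before relying on this: when radiusd runs threaded, rlm_perl keeps a pool of cloned interpreters, and each clone has its own copy of the hash, so the state is per-interpreter rather than server-wide; anything that must be shared across all requests still belongs in SQL or another external store.

```perl
#!/usr/bin/perl
# Added example (not from the thread): state kept between rlm_perl calls in a
# block-scoped hash, with expiry so it cannot grow without bound.
use strict;
use warnings;

use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

our %RAD_REQUEST;   # filled in by rlm_perl on each call

unless (defined &radiusd::radlog) {
    *radiusd::radlog = sub { my ($lvl, $msg) = @_; print STDERR "[$lvl] $msg\n" };
}

# Everything in this block shares %seen; nothing outside it can touch it.
{
    my %seen;               # User-Name => [ epoch, epoch, ... ] recent auths
    my $window   = 300;     # seconds of history kept per user (assumed value)
    my $max_auth = 20;      # auths per window that look like a loop (assumed)
    my $last_sweep = 0;

    # Drop timestamps older than the window; forget users with none left.
    sub sweep {
        my ($now) = @_;
        for my $user (keys %seen) {
            @{ $seen{$user} } = grep { $_ > $now - $window } @{ $seen{$user} };
            delete $seen{$user} unless @{ $seen{$user} };
        }
        $last_sweep = $now;
    }

    # Record one successful auth; returns how many fall inside the window.
    sub record_auth {
        my ($user, $now) = @_;
        sweep($now) if $now - $last_sweep >= 60;
        push @{ $seen{$user} }, $now;
        @{ $seen{$user} } = grep { $_ > $now - $window } @{ $seen{$user} };
        return scalar @{ $seen{$user} };
    }

    sub tracked_users { return scalar keys %seen }

    sub post_auth {
        my $user = $RAD_REQUEST{'User-Name'};
        return RLM_MODULE_NOOP unless defined $user;
        my $n = record_auth($user, time);
        if ($n >= $max_auth) {
            my $nas = defined $RAD_REQUEST{'NAS-IP-Address'}
                    ? $RAD_REQUEST{'NAS-IP-Address'} : 'unknown NAS';
            # 3 is L_INFO; a supplicant re-authenticating this often is
            # usually misconfigured and worth a look.
            radiusd::radlog(3, "$user: $n successful auths in ${window}s "
                             . "from $nas, possible re-auth loop");
        }
        return RLM_MODULE_OK;
    }
}

# Command-line demo (PERL_STATE_DEMO=1 perl state.pl): one chatty client,
# one quiet one, then a sweep after everything has aged out.
if ($ENV{PERL_STATE_DEMO}) {
    my $t = 1_000_000;                      # constructed epoch
    record_auth('bob',   $t + $_) for 1 .. 25;
    record_auth('alice', $t);
    print "tracked users: ", tracked_users(), "\n";
    sweep($t + 1000);
    print "tracked users after sweep: ", tracked_users(), "\n";
}
```

Only post_auth is called by FreeRADIUS; the other subs exist so the state logic can be exercised from the command line with a fixed clock. In the demo both users are tracked after the inserts and none after the sweep, since every timestamp is then older than the 300-second window.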

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
I have been asked to do just this and I am working on the solution now.

We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool 
and Students# to the other. Then to select a VLAN within the pool, use a 
hashing function and select a VLAN.

One concern I have is when is post-auth called? Would it get called for interim 
authentication requests? Because I don't want to be changing the VLAN mid 
sessions, which could potentially happen with a non-deterministic hash!

In my tests I have been creating a hash from the 'State' attribute which seems 
reasonably random and gives me a good even share across the VLANs in my pools, 
but would be completely non-deterministic. (My tests are not real world so this 
could prove untrue).

A hash on User-Name may be more deterministic, but may not give me the balance 
I need.

Students and Staff have different format usernames so I am sure this would 
result in un-balanced sharing across the VLAN pools. And we have un-even 
numbers of students on different courses and their usernames start the same.

I am using a perl module called within post-auth that does some LDAP lookups as 
well to find the type of the user.

Nothing is set in stone yet and I am still experimenting; I feel sure whatever 
method I use will end up being an "I wouldn't start from here" solution in 12 
months' time!

# Staff in our world means Staff + Research Postgrads and Students are Students 
+ Taught Postgrads...

On 17 Feb 2011, at 23:52, Kenneth Marshall wrote:

 On Thu, Feb 17, 2011 at 02:26:14PM -0800, Brett Littrell wrote:
I agree breaking the network up into separate VLANs then routing between 
 them would help with broadcasting but I do not agree that hashing values and 
 then using those hashing values as we randomizing agents to distribute 
 vlans.  There has to be a more elegant way to do this, I believe there is.
 
   First off by randomizing what network a host is going to be on is going to 
 be extremely confusing when you try and troubleshoot other issues, for 
 instance a virus outbreak, now you have to figure out who is on what subnet 
 and who is sending what etc.. I can think of a lot of other issues that 
 would cause headaches, suffice to say it is not a good idea.
 
The better way to do this is to break people up by some logical means, 
 such as Accounting, testing, personnel etc.  Then create groups and assign 
 group ids based on the users in those groups.  This gives the benefit of 
 segmenting and securing like minded traffic as well, maybe accounting can 
 only talk to accounting, personnel can only talk to these servers, or those 
 servers etc.  Of course you would have to route to other subnets if you want 
 them to talk but now you have control to say only this group of people can 
 talk to that group of people and not just open it up for everyone.  
 
Even if you assign users by Group1, Group2, Group3 and you have a virus 
 outbreak now you can at least look at it and say right away all Group1 
 subnet is crazy and have a list of all the stations/users in that group.
 
Anyway, that is my 2 cents on the whole deal.
 
 
 Brett Littrell
 Network Manager
 MUSD
 CISSP, CCSP, CCVP, MCNE
 
 I agree with you that random VLAN selection is not a good idea and it
 wreaks havoc with most clients too. However, the problem we ran into was
 balancing the usage of all of the VLANS to get both good performance and
 minimize infrastructure costs. This can be done by assigning to groups
 and then placing in the VLAN according to that group, but then you have
 the problem of balancing the assignment to the named groups. In the end,
 we used the hash function because it would deterministically assign a
 user to a VLAN and balanced the hardware usage reasonably well. We used
 the simple crc32, but a better hash function would distribute them even
 better if all were connected simultaneously, but a crc32 was easy and
 the size of the groups was within 10%. Calculating the group members
 is easy, but they already have that information from VLAN/IP address of
 the machine. It is also easy to have the network gear return who is
 attached and what VLAN they are in. 
 
 My 1.5 cents. :)
 
 Ken
 
 On Thursday, February 17, 2011 at 11:26 AM, in message 
 fc9038-7cg@chipmunk.wormnet.eu, Alexander Clouter 
 a...@digriz.org.uk wrote:
 
 schilling schilling2...@gmail.com wrote:
 
 I get dynamic VLAN assignment working in post-auth section with 
 help/hints from a lot of list members. Now I want to do one more 
 steps. I would like to hash the username or mac-address to distribute 
 users to different VLANs. The idea is to use freeradius to spread the 
 load on different smaller subnets to reduce the broadcast in bigger 
 VLANs.
 
 You are however not reducing the broadcast domain, you might be 
 segregating the noise though.  If you have large L2 broadcast domains, 
 splitting people up into different VLAN's is not going to in effect 
 solve the problem.
 
 For 

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry

On 18 Feb 2011, at 14:26, Phil Mayers wrote:

 On 18/02/11 14:16, Dean, Barry wrote:
 I have been asked to do just this and I am working on the solution
 now.
 
 We wanted to use multiple pools of VLANs/Subnets and assign Staff
 to one pool and Students# to the other. Then to select a VLAN
 within the pool, use a hashing function and select a VLAN.
 
 One concern I have is when is post-auth called? Would it get called
 for interim authentication requests? Because I don't want to be
 changing the VLAN mid sessions, which could potentially happen with a
 non-deterministic hash!
 
 There is no such thing as an interim authentication request.
 
 Post-auth is called after every auth.
 
 I suspect you are referring to feature(s) on the switch(es) you use 
 where it will re-auth the client after X minutes. That's just another, 
 separate authentication as far as FreeRadius is concerned

Yep, I was referring to the entries I see in my logs for 
Interim-Update, which is of course an Accounting record, and I had always 
assumed this went with an Auth as well, but have never looked in detail to see! 
So I am most likely talking rubbish!

 
 In my tests I have been creating a hash from the 'State' attribute
 
 That's a very bad idea. It will change mid-session and cause you huge 
 problems.
 

I will not be using this then :-)

 We do pervasive VLAN assignment on a large scale here, and my advice is 
 the same as others in the thread - don't use a hash value. Just map a 
 user or group to a vlan.
 
 If you need to balance the numbers of users on a vlan (why?) then you 
 should log the vlan assignments to SQL and run a post-processing script 
 that changes the assignment to keep the load balanced.
 
 Personally we just run big subnets to reduce the waste of IP space and 
 configuration overhead.
 

I don't design the wireless network here, I just make the RADIUS work as best I 
can. It has been decided to have smaller private IP ranges each associated with 
a VLAN and balance the routing of these across two routers. Then I was asked if 
I can distribute the users across these VLANS evenly.

I am beginning to think a round robin allocation might just do!

However, the goal posts could move again yet! Latest news is that we will have 
1 pool of VLANs, so time to tear up the existing code and take a fresh look! I 
currently have no idea how big these subnets will be either.

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
Skype: barryvdean


---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn

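An added example, not code from anyone in the thread, of the deterministic variant Ken describes: a post_auth that picks the VLAN from a crc32 of the User-Name, with one pool per user class, so the same user lands on the same VLAN at every re-authentication (which, as Phil points out, is exactly what a hash of State cannot promise). The pools, the VLAN ids and the username-shape classifier are assumptions standing in for the LDAP lookup in the post; the distribution helper lets you check the balance on your own user list before trusting it.

```perl
#!/usr/bin/perl
# Added example (not the thread's code): deterministic VLAN choice from
# User-Name with crc32, one pool per user class, in an rlm_perl post_auth.
use strict;
use warnings;
use Compress::Zlib qw(crc32);   # core module

use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

our (%RAD_REQUEST, %RAD_REPLY);   # provided by rlm_perl

# Assumed pools: the VLAN ids are made up for the example.
my %pool = (
    staff   => [ 100 .. 103 ],
    student => [ 200 .. 207 ],
);

# Stand-in for the LDAP lookup in the post. Assumed convention: student
# usernames end in a digit, staff usernames do not.
sub user_class {
    my ($user) = @_;
    return $user =~ /\d$/ ? 'student' : 'staff';
}

# Same user always yields the same VLAN: the key is case-folded and has any
# realm removed, so "Alice", "alice" and "alice@liv.ac.uk" hash alike.
sub pick_vlan {
    my ($user, $class) = @_;
    (my $key = lc $user) =~ s/@.*$//;
    my $vlans = $pool{$class} or return;
    return $vlans->[ crc32($key) % @$vlans ];
}

sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;
    my $vlan = pick_vlan($user, user_class($user));
    return RLM_MODULE_NOOP unless defined $vlan;
    # Standard RFC 3580 VLAN assignment attributes.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_OK;
}

# Count how a list of names spreads over its pool, to judge the balance.
sub distribution {
    my ($class, @names) = @_;
    my %count;
    $count{ pick_vlan($_, $class) }++ for @names;
    return \%count;
}

# Command-line demo (VLAN_DEMO=1 perl vlan.pl) on constructed names that all
# share a prefix, the case Barry worries about.
if ($ENV{VLAN_DEMO}) {
    my @students = map { "sg$_" } 1000 .. 1999;
    my $d = distribution('student', @students);
    printf "VLAN %d: %d users\n", $_, $d->{$_} for sort { $a <=> $b } keys %$d;
    printf "alice -> %s, ALICE\@liv.ac.uk -> %s\n",
        pick_vlan('alice', 'staff'), pick_vlan('ALICE@liv.ac.uk', 'staff');
}
```

Because post_auth runs on every authentication, including the periodic re-auths the switches trigger, any input to the hash must be stable for the life of the session; User-Name qualifies, State does not. Changing the pool size changes every assignment at once, which is the operational cost of the hash approach that the thread's advice to map users or groups explicitly avoids.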

Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 06:54, Alan DeKok wrote:

 Dean, Barry wrote:
 I am working on a new radius config and have been trying to avoid the lookup 
 in LDAP I have been seeing for the outer identity.
 
 I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
 
 I have an authorise section for the relevant virtual server that has:
 
  *which* virtual server?

I have 3 virtual servers on this host, one is for just local 
authentication, one is for the JANET Roaming Service and one is for our local 
Guest Wireless service. The config section I posted was from the local auth 
virtual server.

Complete config:

# Local auth
#
server radius {
    listen {
        ipaddr = server ip
        port = 0
        type = auth
    }
    listen {
        ipaddr = server ip
        port = 0
        type = acct
    }
    proxy_requests  = no

    $INCLUDE local-clients.conf

    authorize {
        preprocess
        auth_log
        if (%{User-Name} =~ /forbidden/i) {
            update reply {
                Reply-Message = "Cannot use this user account"
            }
            reject
        }
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        if (!EAP-Message) {
            ldap
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        Auth-Type EAP {
            eap
        }
        eap
    }

    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
    }

    session {
        radutmp
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        reply_log
    }
    pre-proxy {
        pre_proxy_log
    }

    post-proxy {
        eap
        post_proxy_log
    }
}


 
 The if(!EAP-Message) works a treat at preventing an LDAP lookup for the 
 outer identity, but if I want to send a basic User-Name/User-Password type 
 auth request after checking with LDAP and returning Remote access is 
 permitted, I then see:
 
 No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user
 
  And the *rest* of the debug log says ?

Complete log is:
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, 
length=49
User-Name = user
User-Password = password
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log]  expand: %t -> Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if (%{User-Name} =~ /forbidden/i)
    expand: %{User-Name} -> user
? Evaluating (%{User-Name} =~ /forbidden/i) -> FALSE
++? if (%{User-Name} =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = user
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: %{Stripped-User-Name} -> user
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
[ldap]  expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adserver.liv.ac.uk:389, authentication 0
  [ldap] bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to 
adserver.liv.ac.uk:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk

Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 10:15, Alan DeKok wrote:

 Dean, Barry wrote:
 ...
  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
 filter (sAMAccountName=user)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 
  I mean, really... what's the issue?

The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
with 2.1.8 it fails.

The difference in the debug output is:

++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate

In FR 2.0.2 this rad_check_password is causing LDAP authentication, whereas 
is FR 2.1.8 the same section of debug output says:

++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.

 ...
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 
  That should be a hint.

True. My problem was why was LDAP not being attempted for this basic request. 
No EAP, just a username and a password, which works just fine with FR 2.0.2.

In fact with 2.0.2 either:

if (!EAP-Message) {
    ldap
}

or

ldap

Works in the authorise section as the Non-EAP request calls ldap either way.

With FR 2.1.8, both fail. They follow the same path and produce the No 
authentication method ... error.

All the complex EAP/TTLS/PEAP/MSCHAP etc stuff is working with FR 2.1.8 with my 
config, just the simple stuff is broken.

Maybe my question should have been:

FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
Auth-Type set and does not attempt LDAP authentication.


Complete output for working one:

rad_recv: Access-Request packet from host 192.168.0.10 port 33158, id=66, 
length=49
User-Name = user
User-Password = password
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize
++[preprocess] returns ok
    expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /log/radacct/192.168.0.10/auth-detail-20100513
rlm_detail: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /log/radacct/192.168.0.10/auth-detail-20100513
    expand: %t -> Thu May 13 10:46:02 2010
++[auth_log] returns ok
++? if (%{User-Name} =~ /forbidden/i)
    expand: %{User-Name} -> user
? Evaluating (%{User-Name} =~ /forbidden/i) -> FALSE
++? if (%{User-Name} =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
users: Matched entry user at line 203
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) - TRUE
++- entering if (!EAP-Message)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
    expand: %{Stripped-User-Name} -> user
    expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
    expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to adserver.liv.ac.uk:389, authentication 0
rlm_ldap: bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to 
adserver.liv.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk, with 
filter (sAMAccountName=user)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP

When to ldap?

2010-05-12 Thread Dean, Barry
I am working on a new radius config and have been trying to avoid the lookup in 
LDAP I have been seeing for the outer identity.

I have moved to 2.1.8 with the inner-tunnel virtual host enabled.

I have an authorise section for the relevant virtual server that has:

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    if (!EAP-Message) {
        ldap
    }
    expiration
    logintime
    pap
}

The if(!EAP-Message) works a treat at preventing an LDAP lookup for the outer 
identity, but if I want to send a basic User-Name/User-Password type auth 
request after checking with LDAP and returning Remote access is permitted, I 
then see:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

What am I missing to tell the authenticate section below what I want to do 
next?

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    Auth-Type EAP {
        eap
    }
    eap
}

I presume:

if (!EAP-Message) {
    ldap
}

Fails to set Auth-Type LDAP?


--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540



---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn

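An added example, not configuration from the thread, of the authorize section above with the Auth-Type decision made explicit in unlang instead of left to the ldap module. It assumes what the debug output already shows: the directory knows the user but returns no known-good password (Active Directory does not hand passwords out), so pap cannot check anything and the only way to verify the User-Password is an LDAP bind, which is what Auth-Type LDAP asks the authenticate section to do.

```unlang
authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    if (!EAP-Message) {
        ldap
        # Only a plain User-Name/User-Password request reaches this point.
        # "ok" is the return code of the ldap call just above: the user was
        # found. If nothing has chosen an authentication method by now (no
        # known-good password came back, so pap will stay noop), have the
        # authenticate section bind to the directory with the password.
        if (ok && !control:Auth-Type) {
            update control {
                Auth-Type := LDAP
            }
        }
    }
    expiration
    logintime
    pap
}
```

With this in place the "No authenticate method (Auth-Type) configuration found" path is no longer reachable for a found user, whichever module version decides to set Auth-Type on its own; EAP requests are untouched because the whole block is skipped when EAP-Message is present.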

Compiling rlm_perl on Solaris 10

2010-04-19 Thread Dean, Barry
I have been having problems compiling rlm_perl on Solaris 10 Intel and have 
spent days googling for an answer.

Most answers say: use --without-rlm_perl, which is not much use when you 
actually *need* it!

Here is what I did to solve it, hopefully this will save someone some pain:

Firstly, my source that built without rlm_perl fine on 9th April 2010, stopped 
compiling on 16th April 2010 after some Solaris patches!

I got an error telling me that ltdl.h was not found. This is fixed by defining 
CFLAGS in the environment before the ./configure stage:

setenv CFLAGS -I<path to freeRADIUS source>/libltdl              (C shell type shells)
CFLAGS=-I<path to freeRADIUS source>/libltdl ; export CFLAGS     (sh shells and derivatives)

Over hurdle one! What caused this I still have no idea.

Now you have to do:

./configure --with-static-modules=perl

When that is complete, you have to edit <path to freeRADIUS 
source>/src/main/Makefile and locate the line:

MODULE_LIBS = $(STATIC_MODULES)

and edit it to include the path to your DynaLoader.a for your version of Perl, 
mine was as below:

MODULE_LIBS = $(STATIC_MODULES) 
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/auto/DynaLoader/DynaLoader.a

Now build the source with make. It should compile!

Over hurdle two...

Before you can now run radiusd, you will need to do what it says at the end of 
the make, and add a library path to LD_LIBRARY_PATH so libperl.so can be found, 
mine was:

setenv LD_LIBRARY_PATH 
${LD_LIBRARY_PATH}:/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE

and it all comes together and you get a radiusd with rlm_perl that actually 
runs..

Over the last hurdle!

All I have to do now is write some clever Perl, figure out where to call it and 
I will be on the home straight!

Best of luck to other Solaris users...

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department



---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn


To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
I currently run two virtual servers, one for our local secure wireless  
and one for eduroam customers.

The local one receives RADIUS packets from Bradford Campus Manager,  
which is responsible for Network Access Control and stamps Auth-OK  
replies with the VLAN for the user.

What I want to do is combine these wireless services, so that we just  
have eduroam.

The functionality we will need, will be:

The requests will come to the eduroam server address.

if (no domain specified) then
who are ya?
fi

if (domain is non-local) then
proxy to user's home site.
fi

if (domain is local AND authenticating from a local NAS) then
authenticate locally by proxy to Bradford Campus Manager
(Campus Manager will receive the stripped u...@realm as user and  
proxy to the local server address)
else
authenticate and return ACK/NACK to remote server in usual way for  
one of our users visiting remote site
fi

The part I am not sure how to do is the last part, a conditional proxy  
based on source NAS. I assume I need to dip into unlang, but can I put  
that into the proxy.conf file?

realm local.site.ac.uk {
   if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients...
  set-up A
   else
  set-up B
   fi
}

Or whatever (I don't speak unlang, yet!), or have I got to determine  
the source of the request somewhere else and use unlang to re-write  
the realm to some special sentinel value that would be caught in  
proxy.conf like:

realm local.site.ac.uk {
do the normal thing
}

realm special.local.site.ac.uk {
do the clever NAC proxy stuff
}

As usual, thanks for your time and hope someone can steer me in the  
right direction before my head explodes.

(Yes I did read the docs, didn't help in this case!)

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department

---
Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn


Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
Thanks for this, and thanks to Bob Franklin too. I have something  
working now by selecting on client name and re-writing the User-Name  
to append bcm, then proxying that alone to the NAC servers. This  
leaves all the config I had before for my existing domains alone.

I might try the other virtual server approach as well as that is quite  
neat.

All I need now is for the blasted NAC server to recognise me as a  
client and actually do something instead of ignoring me!

Thanks again.

(I now speak some unlang!)

On 15 Oct 2009, at 15:50, Alan Buxey wrote:

 Hi,

 if (domain is local AND authenticating from a local NAS) then
  authenticate locally by proxy to Bradford Campus Manager
  (Campus Manager will receive the stripped u...@realm as user and
 proxy to the local server address)
 else
  authenticate and return ACK/NACK to remote server in usual way for
 one of our users visiting remote site
 fi

 The part I am not sure how to do is the last part, a conditional  
 proxy
 based on source NAS. I assume I need to dip into unlang, but can I  
 put
 that into the proxy.conf file?

 with 2.x ?   just ensure that clients are defined correctly - either  
 by
 doing as the other post said, or create a new virtual server (copy  
 your
 current one and rename it eg 'eduroam' and then define the proxies  
 as being
 handled by that server ie

 internal stuff - [RADIUS server  {default/inner}] - return  
 attributes etc

 external stuff - [RADIUS server  {eduroam/inner}] - no return  
 attributes etc

 look at the virtual_server definition in the clients.conf - that  
 says, basically,
 for any request from that client, slap it through that virtual server.

 this means you can actually have a very stripped down virtual  
 server... no need for
 anything weird...anything coming from the proxies will be solely for  
 you (because
 the proxy has done the realm work already and decided on suitable  
 target) and
 you dont need to deal with settings VLANs etc. the only thing you  
 may want in place
 is an authorise section to deal with people who cannot remotely  
 authenticate - eg
 they've broken AUP or are infected with virus/reported as bad etc

 alan

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department

---
Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn

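An added example, not the configuration either poster ended up with, of the conditional proxy Barry sketched in the original question: a local user on a local NAS is sent to the NAC server by setting Proxy-To-Realm in unlang, while the same realm stays local for everything else. Client names, addresses, realm names and secrets are placeholders. The condition tests Packet-Src-IP-Address (where the packet really came from, tied to a client entry whose shared secret authenticated it) rather than NAS-IP-Address, which is just an attribute the NAS fills in itself.

```unlang
# clients.conf: the local NAS (address, name and secret are placeholders)
client campus-wlc {
    ipaddr    = 192.168.10.5
    secret    = CHANGE-ME-nas-secret
    shortname = campus-wlc
}

# proxy.conf: the NAC server, reachable only through a private realm name
home_server bcm-nac {
    type   = auth
    ipaddr = 10.20.30.40
    port   = 1812
    secret = CHANGE-ME-nac-secret
}

home_server_pool bcm-nac-pool {
    type        = fail-over
    home_server = bcm-nac
}

# Not a DNS domain anyone types: selected only by Proxy-To-Realm below.
# nostrip sends the full user@realm on, which the NAC box then proxies back.
realm bcm-nac {
    auth_pool = bcm-nac-pool
    nostrip
}

# The real local realm stays local, so local users authenticating from
# other eduroam sites are still handled here.
realm local.site.ac.uk {
}

# sites-enabled/eduroam: authorize section
authorize {
    preprocess
    suffix
    # suffix has already set Realm; a local user arriving from the local
    # NAS is diverted to the NAC box, everyone else keeps suffix's decision.
    if ((Realm == "local.site.ac.uk") && (Packet-Src-IP-Address == 192.168.10.5)) {
        update control {
            Proxy-To-Realm := "bcm-nac"
        }
    }
    eap {
        ok = return
    }
    files
    pap
}
```

Nothing in the existing realm definitions changes, which is the property Barry wanted; the only new moving part is the one private realm and the condition that selects it.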

Using multiple certificates

2009-09-07 Thread Dean, Barry
I have been asked if it is possible to run two SSIDs on our wireless,  
let's call them A and B, that authorise against a FreeRADIUS server  
running as two virtual servers radiusA and radiusB.

What we want is to have radiusA use a different server certificate  
from radiusB.

However, as I see it, this looks impossible as the EAP configuration  
is global in eap.conf and not per server instance. Is this true or am  
I not being creative enough!

Can you place the eap definition inside the site files in  
sites-available and make it different per server instance, is the  
question I guess.

Any help would be appreciated. A quick google reveals a similar  
question in 2007 which got no answers :-(

--
Barry Dean
Networks Group
University of Liverpool

---
Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn


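An added example, not configuration from the list, of the approach the debug output elsewhere on this page already relies on (the `[eap-eduroam]` lines show a second, named rlm_eap instance): the eap section is global in eap.conf, but it can be instantiated more than once, each instance with its own tls block and therefore its own server certificate, and each virtual server calls the instance it wants. Certificate file names, the key password and the listen address are placeholders; the option names are those of the stock 2.x eap.conf.

```unlang
# eap.conf: one rlm_eap instance per SSID. Only the instance name and the
# certificate paths differ between them.
eap eap-ssid-a {
    default_eap_type = peap
    timer_expire     = 60
    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = CHANGE-ME
        private_key_file = ${certdir}/ssid-a.pem
        certificate_file = ${certdir}/ssid-a.pem
        CA_file          = ${cadir}/ca.pem
        dh_file          = ${certdir}/dh
        random_file      = ${certdir}/random
        cipher_list      = "DEFAULT"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
    mschapv2 {
    }
}

eap eap-ssid-b {
    default_eap_type = peap
    timer_expire     = 60
    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = CHANGE-ME
        private_key_file = ${certdir}/ssid-b.pem
        certificate_file = ${certdir}/ssid-b.pem
        CA_file          = ${cadir}/ca.pem
        dh_file          = ${certdir}/dh
        random_file      = ${certdir}/random
        cipher_list      = "DEFAULT"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
    mschapv2 {
    }
}

# sites-enabled/radiusA: call the SSID-specific instance wherever the stock
# config says "eap". radiusB is identical with eap-ssid-b. The inner-tunnel
# virtual server keeps the default "eap" instance: the inner EAP-MSCHAPv2
# exchange never presents a server certificate, so it can stay shared.
server radiusA {
    listen {
        ipaddr = 192.0.2.10
        port   = 1812
        type   = auth
    }
    authorize {
        preprocess
        suffix
        eap-ssid-a {
            ok = return
        }
        files
    }
    authenticate {
        Auth-Type EAP {
            eap-ssid-a
        }
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

The supplicants on each SSID then see the certificate that belongs to that SSID, which matters for the clients configured to validate the server name: a certificate for the wrong SSID is indistinguishable, from the client's side, from a rogue access point.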


RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
I am somewhat confused.

My RADIUS server forgot about some clients, all by itself, honest!

Users stopped being able to authenticate (I say users, we had one!), using 
eduroam from Portugal, turns out that some time after September 5th, the RADIUS 
server stopped recognising the JANET roaming RADIUS servers!

I had to restart the servers on September 8th after a failure of our Active 
Directory servers. RADIUS/Winbind did not recover without help when AD came 
back. It was the same config however.

There had been a restart on 17th March, 8th Sep and 23rd Sep, so RADIUS was 
running at the time it developed its amnesia.

-X output attached, with error at the bottom I am seeing when trying to 
authenticate from off-site.

Anyone got any ideas?

---cut here
# /usr/radius/sbin/radiusd -X

FreeRADIUS Version 2.0.2, for host i386-pc-solaris2.10, built on Mar  7 2008 at 
09:52:42
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/radius/etc/raddb/radiusd.conf
including configuration file /usr/radius/etc/raddb/proxy.conf
including configuration file /usr/radius/etc/raddb/snmp.conf
including configuration file /usr/radius/etc/raddb/eap.conf
including configuration file /usr/radius/etc/raddb/sql.conf
including configuration file /usr/radius/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/radius/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/radius/etc/raddb/policy.conf
including files in directory /usr/radius/etc/raddb/sites-enabled/
including configuration file /usr/radius/etc/raddb/sites-enabled/janet-roaming
including configuration file /usr/radius/etc/raddb/jrs-clients.conf
including configuration file /usr/radius/etc/raddb/sites-enabled/local-auth
including configuration file /usr/radius/etc/raddb/local-clients.conf
including dictionary file /usr/radius/etc/raddb/dictionary
main {
prefix = /usr/radius
localstatedir = /usr/radius/var
logdir = /usr/radius/log
libdir = /usr/radius/lib
radacctdir = /usr/radius/log/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/radius/var/run/radiusd/radiusd.pid
user = radius
group = radius
checkrad = /usr/radius/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 realm LOCAL {
authhost = LOCAL
accthost = LOCAL
 }
 realm NULL {
authhost = LOCAL
accthost = LOCAL
 }
 realm liv.ac.uk {
authhost = LOCAL
accthost = LOCAL
 }
 realm liverpool.ac.uk {
authhost = LOCAL
accthost = LOCAL
 }
 realm DEFAULT {
nostrip
authhost = roaming0.ja.net:1812
accthost = roaming0.ja.net:1813
secret = roaming0-secret
 }
 realm DEFAULT {
authhost = roaming1.ja.net:1812
accthost = roaming1.ja.net:1813
secret = roaming1-secret
 } # realm DEFAULT
 realm DEFAULT {
authhost = roaming2.ja.net:1812
accthost = roaming2.ja.net:1813
secret = roaming2-secret
 } # realm DEFAULT
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server jrsradius {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/sfw/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /usr/radius/log/radwtmp
  }
 Module: Linked 

RE: RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
Ah! Changed and seems to work now. I probably thought that using names would 
make me immune to IP address changes.

My eduroam user will be very pleased if this works again.

Thanks.

---
Barry Dean
Networks Team
http://pcwww.liv.ac.uk/~bvd/


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 23 September 2008 14:59
To: FreeRadius users mailing list
Subject: Re: RADIUSD amnesia!

Dean, Barry wrote:
> My RADIUS server forgot about some clients, all by itself, honest!

  Nope.  You have clients listed as *hostnames* rather than *addresses*.
Whoever controls DNS changed the mapping of hostname to address, so
the old address is no longer accepted.

  Alan DeKok.

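The failure Alan describes above (a client identified by hostname is resolved once when the server starts, so a later DNS change silently turns a known client into an unknown one) is easy to audit for. The following is an added example written for this page, not code from the thread or from FreeRADIUS: a small Python script that parses a clients.conf, reports which clients are named by hostname rather than by address, flags the testing123 secret the stock config ships with, and, given a resolver, lists the names that no longer resolve to the address the running server was started with. The sample clients.conf, its addresses and its client names are constructed for the example.

```python
"""Audit a FreeRADIUS clients.conf for clients that are named by hostname.

Added example for this page, not code from the list thread or FreeRADIUS.
The server resolves a hostname in a client's ipaddr once, when it reads its
configuration; if DNS later moves the name, packets from the new address are
dropped as coming from an unknown client until the server is restarted.
The resolver is injected so the check runs offline and can be unit-tested;
in production pass socket.gethostbyname.
"""
import ipaddress
import re

# Constructed sample input, modelled on the jrs-clients.conf the thread
# mentions; the addresses are documentation ranges, not real JANET servers.
SAMPLE_CLIENTS_CONF = """
client roaming0 {
    ipaddr = roaming0.ja.net
    secret = roaming0-secret
    shortname = jrs0
}

client roaming1.ja.net {
    secret = roaming1-secret
}

client 192.0.2.11 {
    secret = roaming2-secret
}

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
"""

# Secrets copied from shipped example configs are a finding on their own.
STOCK_SECRETS = {"testing123"}

_BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Map each client {} block to its options.

    Both `client NAME { ipaddr = ... }` and the older `client HOST-OR-ADDR { }`
    form are accepted; every entry ends up with an "ipaddr" key.
    """
    clients = {}
    for match in _BLOCK_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        opts = {key: val.strip('"') for key, val in _KV_RE.findall(body)}
        opts.setdefault("ipaddr", name)
        clients[name] = opts
    return clients


def is_literal_address(value):
    """True for an IPv4/IPv6 address or prefix, False for a DNS name."""
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return True


def hostname_clients(clients):
    """Names of clients whose address is a DNS name the server must resolve."""
    return sorted(name for name, opts in clients.items()
                  if not is_literal_address(opts["ipaddr"]))


def stock_secret_clients(clients):
    """Names of clients still using a secret from the shipped examples."""
    return sorted(name for name, opts in clients.items()
                  if opts.get("secret") in STOCK_SECRETS)


def drifted_clients(clients, started_with, resolve):
    """Hostname clients whose name now resolves somewhere else.

    started_with maps client name -> the address recorded when the server was
    last (re)started; resolve is a hostname -> address callable such as
    socket.gethostbyname. Returns (name, old address, new address) triples;
    new address is None when the name no longer resolves at all.
    """
    drift = []
    for name in hostname_clients(clients):
        try:
            now = resolve(clients[name]["ipaddr"])
        except OSError:
            now = None
        then = started_with.get(name)
        if now != then:
            drift.append((name, then, now))
    return drift


if __name__ == "__main__":
    parsed = parse_clients(SAMPLE_CLIENTS_CONF)
    print("hostname-based clients:", hostname_clients(parsed))
    print("stock secrets:", stock_secret_clients(parsed))
    # Constructed resolver standing in for socket.gethostbyname.
    table = {"roaming0.ja.net": "192.0.2.20", "roaming1.ja.net": "192.0.2.11"}
    recorded = {"roaming0": "192.0.2.10", "roaming1.ja.net": "192.0.2.11"}
    print("drifted since start:", drifted_clients(parsed, recorded, table.__getitem__))
```

The report is only a detector; the fix is the one Alan gives, i.e. put the literal address in ipaddr (or, in 2.x, use the address as the client name) and restart, so that the shared secret is bound to an address nobody outside your control can move.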

Realms and proxying

2008-08-19 Thread Dean, Barry
I currently have a realm defined:

realm liv.ac.uk {
type= radius
authhost= LOCAL
accthost= LOCAL
}

I now have one of my departments, which for various complex reasons, has been 
allowed to have its own user accounts.
They have the subdomain name csc.liv.ac.uk. I want to proxy RADIUS to their 
server.

If I add:

realm csc.liv.ac.uk {
type= radius
authhost= server.csc.liv.ac.uk:1812
accthost= server.csc.liv.ac.uk:1813
}

Is this position dependent? Does it have to appear before the liv.ac.uk realm 
to prevent [EMAIL PROTECTED] being caught by the first realm?

I have:

realm suffix {
format = suffix
delimiter = @
}

in radius.conf.

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)





1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
I have a problem with a realm configuration that used to work with FR 1.1.7, 
but does not work at all with 2.0.2 and virtual servers.

I have a virtual server defined in sites-available/janet-roaming thus:

server jrsradius {
listen {
ipaddr = jrsradius2.liv.ac.uk
port = 0
type = auth
}
listen {
ipaddr = jrsradius2.liv.ac.uk
port = 0
type = acct
}
proxy_requests  = yes

$INCLUDE jrs-proxy.conf

$INCLUDE jrs-clients.conf

authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
ldap
expiration
logintime
pap
}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}

 ... some stuff removed for brevity!
}

jrs-proxy.conf contains:

proxy server {
default_fallback = no
post_proxy_authorize = no
}

home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}


realm LOCAL {
#  If we do not specify a server pool, the realm is LOCAL, and
#  requests are not proxied to it.
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm NULL {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm liv.ac.uk {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm liverpool.ac.uk {
type= radius
authhost= LOCAL
accthost= LOCAL
}

(stuff for JANET NRPS servers removed)

But logging in as [EMAIL PROTECTED] I get:

Thu Jun  5 11:57:21 2008 : Debug: rlm_realm: Looking up realm 
liverpool.ac.uk for User-Name = [EMAIL PROTECTED]
Thu Jun  5 11:57:21 2008 : Debug: rlm_realm: No such realm liverpool.ac.uk

What have I done wrong in defining the realms for liv.ac.uk and liverpool.ac.uk?
Wrong place? Wrong syntax?

They are not mentioned during server startup with -X and -xx beyond:

Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
/usr/radius/etc/raddb/sites-enabled/janet-roaming
Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
/usr/radius/etc/raddb/jrs-proxy.conf

so is the config being ignored because it is wrong?

Thanks.

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)





RE: 1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
Thanks. All working now!

One more thing, what happened to:

lower_user
lower_pass
nospace_user
nospace_pass

between 1.1.7 and 2.0.x? Are they still supported?

---
Barry Dean
Networks Team



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 05 June 2008 12:17
To: FreeRadius users mailing list
Subject: Re: 1.1.7 to 2.0.2 config for Realms problem

Dean, Barry wrote:
> I have a problem with a realm configuration that used to work with FR 1.1.7, 
> but does not work at all with 2.0.2 and virtual servers.
> 
> I have a virtual server defined in sites-available/janet-roaming thus:
> 
> server jrsradius {
> ...
> $INCLUDE jrs-proxy.conf

> jrs-proxy.conf contains:
> 
> proxy server {
>     default_fallback = no
>     post_proxy_authorize = no
> }

  The proxy configuration is global.  The default configuration shows it
as global.

> home_server localhost {

  Home servers are also global.

> They are not mentioned during server startup with -X and -xx beyond:
> 
> Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
> /usr/radius/etc/raddb/sites-enabled/janet-roaming
> Thu Jun  5 11:57:16 2008 : Debug: including configuration file 
> /usr/radius/etc/raddb/jrs-proxy.conf
> 
> so is the config being ignored because it is wrong?

  It's being ignored because the proxy & realm configurations are in
the server section.  They must be global.

  Alan DeKok.

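The layout Alan describes (proxy, home_server, home_server_pool and realm sections at the top level, with only listen and the processing sections inside server {}) looks like the following in 2.x. This is an added example written for this page, not the thread's configuration or the stock proxy.conf; the addresses, the pool names and the csc home server are placeholders. It also answers the earlier "Realms and proxying" question: rlm_realm looks a realm up by its exact name and falls back to DEFAULT, so csc.liv.ac.uk and liv.ac.uk are independent entries and their order in the file does not matter.

```conf
#  proxy.conf, $INCLUDE'd from radiusd.conf at the top level. In 2.x the
#  proxy server {}, home_server {}, home_server_pool {} and realm {} sections
#  are global; placed inside server jrsradius {} they are silently ignored,
#  which is the "No such realm liverpool.ac.uk" symptom in the thread.

proxy server {
	default_fallback = no
}

#  One home_server per NRPS. List addresses, not names: a name is resolved
#  once at startup, so a DNS change is not seen until the next restart.
home_server roaming0 {
	type = auth+acct             # accounting goes to port + 1
	ipaddr = 192.0.2.10          # placeholder for roaming0.ja.net
	port = 1812
	secret = roaming0-secret     # long, random, per server; never testing123
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}

home_server csc {
	type = auth+acct
	ipaddr = 198.51.100.5        # placeholder for server.csc.liv.ac.uk
	port = 1812
	secret = csc-secret
}

home_server_pool jrs {
	type = fail-over
	home_server = roaming0
	#  roaming1 and roaming2 are added here in the same form
}

home_server_pool csc {
	type = fail-over
	home_server = csc
}

#  A realm with no pool is handled locally, not proxied.
realm LOCAL {
}

realm NULL {
}

realm liv.ac.uk {
}

realm liverpool.ac.uk {
}

#  Matched by exact name, so this neither shadows nor is shadowed by
#  liv.ac.uk, wherever it appears in the file.
realm csc.liv.ac.uk {
	auth_pool = csc
	acct_pool = csc
}

#  Everything else is eduroam traffic for the NRPS. nostrip keeps the realm
#  in User-Name so the remote side can route on it.
realm DEFAULT {
	auth_pool = jrs
	acct_pool = jrs
	nostrip
}
```

The virtual server in sites-enabled/janet-roaming then keeps only its listen {} blocks, the $INCLUDE of its clients, and the authorize/authenticate/preacct/accounting/post-proxy sections. Two practitioner points are baked in: home servers are listed by address for the reason given in the "RADIUSD amnesia!" thread above, and every home server has its own secret rather than the testing123 the stock config ships with, since that secret is all that protects the proxied exchange.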

RE: Freeradius and Active directory (An aside)

2008-05-20 Thread Dean, Barry
Alan DeKok said:

  It is impossible to use CHAP to authenticate to AD.  You MUST use
 MS-CHAP, or PAP.

When testing my Radius server with AD and XSupplicant I found that EAP-TTLS 
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all 
failed.

So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config 
broken?

---
Barry Dean
Networks Team



ntlm_auth

2008-03-17 Thread Dean, Barry
I know this is not strictly a FreeRADIUS problem, but I am betting someone on 
this list has been here and got the tee shirt!

I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, winbindd 
3.0.25a) to our AD domain with the net join command. This worked 
(eventually!).

Now when I test ntlm_auth I get the following odd goings on:

Scenario A: Works

Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
Result: NT_STATUS_OK: Success (0x0)

Scenario B: FAILS

Type: ntlm_auth --username=USER --domain=DOMAIN
password: PASSWORD

Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

What's different about the password handling between A and B?

The upshot is that the command issued by FreeRADIUS:

ntlm_auth = /usr/sfw/bin/ntlm_auth --request-nt-key --username=
%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --
nt-response=%{mschap:NT-Response:-00}

Also fails.

So my MSCHAPv2 auth is now broken.

This worked with our Test AD environment fine. I am told the only difference 
between test/production is:

1) Production is in native mode
2) Production supports logins using both USER\DOMAIN and [EMAIL PROTECTED] 
forms.

If the answer to my problem is "Ask the Samba list", I'll pop over there!

Thanks in advance.


---
Barry Dean
Networks Team






RE: ClearText-Password?

2008-03-05 Thread Dean, Barry
> Hi,
> 
>> rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, 
>> id=195, length=49 User-Name = user
>> User-Password = passwd
>> NAS-IP-Address = 138.253.XXX.XXX
> 
> There. No MS-CHAP-Challenge. You are not supposed to process this packet with 
> the rlm_mschap module. Why does it fail? ...

I see now why this was failing. Client was doing non-MSCHAP and there was no 
section telling RADIUS how to authenticate this type of request.

>> Config:
>> 
>> users:
>> 
>> DEFAULT Auth-Type = mschap
>> Acct-Session-Id = Local,
>> Fall-Through = Yes
> 
> Write a hundred times on the blackboard: "I will not set Auth-Type". The 
> server will figure out itself what to do. In this case, PAP.

Duly removed. I inherited the config and assumed it had been added for good 
reason. It works without so it has been removed.

>> If I don't force MSCHAP in users, how else do I get the user checked 
>> against AD when the only place ntlm_auth is called is inside the 
>> mschap module?
> 
> You configure your AD server in the ldap {} section and uncomment the ldap 
> stanzas in authorize and authenticate. You don't call ntlm_auth then, and 
> that is because you don't need ntlm_auth - user authentication is done with 
> an LDAP bind() operation with the user credentials.

With some pain, I now have the LDAP to AD authentication working. I have not 
tested *all* methods, but the ones I am interested in supporting seem to work. 
EAP-MD5 fails, but that is an exercise for another day if I feel I need to fix 
it.

> Greetings,
> 
> Stefan Winter

Thanks for your help. You pointed me in the right direction which was all I 
needed really.

---
Barry Dean
Networks Team




ClearText-Password?

2008-03-03 Thread Dean, Barry
I am migrating my RADIUS from:

a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups.

to

b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc.

I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the 
mschap module, changed the users file DEFAULT entry from LDAP to mschap, and 
bingo it works, almost!

At least both a and b work for 802.1x/EAP-TTLS clients. However for other 
clients such as EZProxy, only a works.

From my new config, debug says:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject

So it fails. 

My Question is:

Where is no ClearText-Password configured?

1) Is it the RADIUS client not providing one?
2) Is it the RADIUS config that is missing something?
3) Is it the AD directory that is missing a ClearText-Password?

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)





RE: ClearText-Password?

2008-03-03 Thread Dean, Barry
Debug:
==

rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
length=49
User-Name = user
User-Password = passwd
NAS-IP-Address = 138.253.XXX.XXX
+- entering group authorize
++[preprocess] returns ok
++? if (%{User-Name} =~ /barred-user/i)
expand: %{User-Name} -> user
? Evaluating (%{User-Name} =~ /barred-user/i) -> FALSE
++? if (%{User-Name} =~ /barred-user/i) -> FALSE
expand: 
/usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
expand: %t -> Mon Mar  3 11:28:08 2008
++[auth_log] returns ok
++[mschap] returns noop
++[chap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 211
++[files] returns ok
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
auth: type MSCHAP
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [user/passwd] (from client EZProxy port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
length=49
Sending duplicate reply to client EZProxy port 47032 - ID: 195
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
Cleaning up request 0 ID 195 with timestamp +24
Ready to process requests.

==

Config:

users:

DEFAULT Auth-Type = mschap
Acct-Session-Id = Local,
Fall-Through = Yes

radiusd.conf:

mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/sfw/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

}

If I don’t force MSCHAP in users, how else do I get the user checked against AD 
when the only place ntlm_auth is called is inside the mschap module?

---
Barry Dean
Networks Team





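Stefan's advice in the March 5 reply above (configure AD in the ldap {} module and let the server choose Auth-Type rather than forcing mschap from the users file) comes out roughly as the configuration below in 2.x. This is an added example written for this page, not the thread's configuration or the stock distribution files; the domain controller name, base DN, bind account and CA file are placeholders. It also covers the "An aside" question earlier on the page about which methods can work against AD at all.

```conf
#  modules/ldap: search with a service account, then bind as the user.
#  AD does not allow anonymous searches, so identity/password are required.
ldap {
	server = "dc1.ad.example.liv.ac.uk"
	identity = "cn=radius-bind,ou=Service Accounts,dc=ad,dc=example,dc=liv,dc=ac,dc=uk"
	password = "bind-account-password"
	basedn = "dc=ad,dc=example,dc=liv,dc=ac,dc=uk"

	#  AD logon name. The nested expansion is the 2.x spelling of the old
	#  "%{Stripped-User-Name:-%{User-Name}}" default.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  The user's password travels in the bind, so never send it in clear.
	tls {
		start_tls = yes
		cacertfile = /etc/raddb/certs/ad-ca.pem
		require_cert = "demand"
	}

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1

	#  Let rlm_ldap set Auth-Type := LDAP when nothing else has claimed
	#  the request and no known-good password is available.
	set_auth_type = yes
}

#  sites-enabled/default. Nothing forces Auth-Type: chap only acts on a
#  CHAP-Password, mschap only on an MS-CHAP-Challenge, pap only when a
#  known-good password exists; ldap picks up the plain User-Password case.
authorize {
	preprocess
	auth_log
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	files
	ldap
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	#  Bind to AD as the user. Only possible when the request carries the
	#  password itself (PAP, EAP-TTLS/PAP).
	Auth-Type LDAP {
		ldap
	}
	eap
}
```

The LDAP bind is not a general replacement for ntlm_auth, which is the caveat behind the "An aside" thread: PAP and EAP-TTLS/PAP work because the server holds the password and can bind with it; MS-CHAPv2 (PEAP or TTLS inner) still needs the mschap module's ntlm_auth/winbind path, because the server never sees the password and AD will not hand out NT hashes to compare against; CHAP, EAP-MD5 and TTLS/MD5 cannot work at all, because they need the cleartext password on the server side and AD never returns it. Keep both the ldap {} and the ntlm_auth mschap {} configuration if you want PAP and MS-CHAPv2 clients side by side.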

RE: unlang? - reject unknown?

2008-01-24 Thread Dean, Barry
>   man unlang.  Look for case-insensitive.  In this case, you would
> delete that users file entry, and use unlang
> 
>   authorize {
>     ...
>     if ("%{User-Name}" =~ /special/i) {
>       update reply {
>         Reply-Message = "Cannot use this user account"
>         reject
>       }
>     }
>     ...
> 
>   That should work.

I added this to the authorize section of radiusd.conf just after preprocess 
and before auth_log and it gives the error:

radiusd.conf[1810]: ERROR: Unknown attribute reject
radiusd.conf[1808]: Failed to parse update subsection.
radiusd.conf[1788]: Errors parsing authorize section.

Have I messed up here by misunderstanding you completely! 



unlang?

2008-01-18 Thread Dean, Barry
I am testing my current 1.1.7 config with version 2.0.0.

I have 2 bits of config that are not quite right on 2.0.0

1) I have the line:

filter = (cn=%{Stripped-User-Name:-%{User-Name}})

I am not sure why, I inherited this setup and I am still trying to understand 
it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)

The -X output says:

WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
expand: o=uol -> o=uol

What is the replacement for :- given I don't know what it did in the first 
place for man unlang to be any help!

2) Rejecting a user

I have a specific user account (call it special) it was barred using:

special Auth-Type := Reject
Reply-Message = Cannot use this user account

in the users file.

Variants like " special", "Special" and "SPECIAL" etc. get by this check, and 
our LDAP server allows them!, so I added:

lower_user = before
lower_pass = no
nospace_user = before
nospace_pass = no

to radius.conf. These no longer seem to work. How do you achieve this with 
version 2.0.0?

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)




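For the two 2.x migration questions in this thread (what replaces the deprecated ":-" expansion, and how to bar one account regardless of case and stray whitespace now that lower_user and nospace_user no longer take effect), the following is an added example written for this page, not configuration from the thread or from the FreeRADIUS distribution. It also fixes the placement of reject that produced the "Unknown attribute reject" error in the reply above: reject is a control keyword, so it belongs next to update {}, not inside it.

```conf
#  1) modules/ldap. "%{A:-%{B}}" is written "%{%{A}:-%{B}}" in 2.x: use
#     Stripped-User-Name if the suffix module set it, otherwise User-Name.
#     The old form still expands correctly, it just logs the warning.
ldap {
	filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
	#  remaining ldap options unchanged
}

#  2) sites-enabled/default, authorize section. Replaces both the users-file
#     entry and the lower_user / nospace_user knobs from radiusd.conf.
authorize {
	preprocess

	#  Anchor the pattern: /special/i on its own also matches "notspecial".
	#  [[:space:]]* catches the " special" variant nospace_user used to
	#  strip, and /i the case variants lower_user used to fold, so the
	#  check no longer depends on the LDAP server's case handling.
	if ("%{User-Name}" =~ /^[[:space:]]*special[[:space:]]*$/i) {
		update reply {
			Reply-Message := "Cannot use this user account"
		}
		reject
	}

	auth_log
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	files
	ldap
	expiration
	logintime
	pap
}
```

Run radiusd -X after the change: the "Errors parsing authorize section" failure from the reply above disappears, and a test request for "Special" should now show the condition evaluating to TRUE followed by the Access-Reject, before any module (including ldap) is consulted.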

RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
Our Novell experts have looked into the LDAP database and found that the 
affected accounts do indeed have the sasDefaultLoginSequence attribute, in fact 
only a handful of accounts have it.

They are testing now. I will let you all know what happens.

---
Barry Dean
Networks Team



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 November 2007 15:11
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!

Dean, Barry wrote:
> The debug output (private data masked) can be picked up from:
> 
> Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt
> Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt
> 
> They are reasonably long so I did not want to post them as a long email!
> 
> My reading of them indicates that the eDirectory returns a NOT OK to 1.1.7 
> and an OK to 1.1.4 for the
> same user account!

  Novell contributed a patch to allow changing the eDirectory NMAS
authentication option.  In the source, they look for "No Default".  In
the debug logs you provide, eDirectory returns "--No default--".

  Try changing sasDefaultLoginSequence to "No Default" for the user.

  In short, the Novell patch doesn't seem to agree with the behavior of
Novell's eDirectory server.

  Alan DeKok.


RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
This fixed the problem for these users. Thanks to the list, and special thanks 
to Alan for solving this.

---
Barry Dean
Networks Team





RE: Some users can't login after upgrade!

2007-11-09 Thread Dean, Barry
The debug output (private data masked) can be picked up from:

Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt
Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt

They are reasonably long so I did not want to post them as a long email!

My reading of them indicates that the eDirectory returns a NOT OK to 1.1.7 
and an OK to 1.1.4 for the
same user account!

The debug traces contained the password, so I was able to check it was the 
same, it was.

---
Barry Dean
Networks Team



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 08 November 2007 16:21
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!

Dean, Barry wrote:
> We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked 
> the user to login using that, failed with 1.1.7 RADIUS, changed it to use a 
> spare 1.1.4 server and they could login!

  Can you post the output of debugging mode for 1.1.4 where it works,
and 1.1.7 where it doesn't, all for the same user?

  Alan DeKok.


Some users can't login after upgrade!

2007-11-08 Thread Dean, Barry
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) 
authenticating to Novell eDirectory using LDAP.

All was fine...

I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found 
they can no longer login to the Cisco VPN3000 which uses this RADIUS. The log 
files simply show:

Tue Nov  6 15:06:40 2007 : Auth: Login incorrect: [user] (from client vpn3000 
port 13712 cli X.X.X.X)

We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the 
user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 
1.1.4 server and they could login!

User names are alphabetic only and less than 8 characters, passwords are 
alpha-numeric only and 8 characters.

I am reasonably new to RADIUS and cannot figure out why these two users are 
being singled out!

I thought at first it might be because we have edir_account_policy_check=yes 
and that, given the ChangeLog for 1.1.7 says "Added more eDirectory support.", 
and the two users possibly have extra attributes as they are sysadmins, 
something was being checked that was not with 1.1.4 and that was preventing 
login.

However later in radiusd.conf in the post-auth section the LDAP server entries 
are commented out. and it says:

  #  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section. 

So does this mean this feature is not in operation?

Has anyone any ideas where I should start looking?

Thanks.

---
Barry Dean
Networks Team
University of Liverpool


