Suse rpm in 2.1.4
autoreconf on suse does not seem to work and I commented it out in the specfile. otp.conf does not seem to exist any longer, /usr/sbin/raddebug must be applied. With these little modifications of the suse specfile 2.1.4 builds on suse 10.3. bugs.freeradius.org still seems to be unavailable, therefore I post the patch here. # diff -Nru freeradius.spec-org freeradius.spec --- freeradius.spec-org2009-03-11 13:29:53.0 +0100 +++ freeradius.spec2009-03-11 13:30:02.0 +0100 @@ -179,7 +179,7 @@ %build export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC" #export CFLAGS="$CFLAGS -std=c99 -pedantic" -autoreconf +#autoreconf %configure \ --libdir=%{_libdir}/freeradius \ @@ -332,7 +332,7 @@ %attr(640,-,radiusd) %config(noreplace) /etc/raddb/sql/oracle/msqlippool.txt %attr(640,-,radiusd) %config(noreplace) /etc/raddb/users %attr(640,-,radiusd) %config(noreplace) /etc/raddb/experimental.conf -%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf +#%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf %dir %attr(750,-,radiusd) /etc/raddb/certs /etc/raddb/certs/Makefile /etc/raddb/certs/README @@ -355,6 +355,7 @@ /usr/sbin/radrelay /usr/sbin/radwatch /usr/sbin/radmin +/usr/sbin/raddebug # man-pages %doc %{_mandir}/man1/* %doc %{_mandir}/man5/* Norbert Wegener - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
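Review bot: commenting out `autoreconf` in `%build` (first hunk, `-autoreconf` / `+#autoreconf`) leaves the tarball's pre-generated configure script in use instead of regenerating it, which matches the maintainer's question further down this page about why the spec rebuilds configure at all and avoids the `possibly undefined macro: AC_LIB_READLINE` failure shown in the build logs; since the line is dead either way, delete it rather than leaving `#autoreconf`, or add a short spec comment saying why it must not run so a later editor does not restore it.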
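Review bot: in the second hunk, `#%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf` is a commented `%files` entry, which rpmbuild treats as a comment, so the build no longer fails on the missing file; prefer deleting the line outright, and confirm no other `%files` entry outside this hunk still references `/etc/raddb/otp.conf`, since the hunk only shows three lines of context on each side.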
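Review bot: in the third hunk, `+/usr/sbin/raddebug` is added as a bare path without an `%attr` line, matching the adjacent radrelay/radwatch/radmin entries, so ownership and mode come from `make install`; the same spec uses `%{_libdir}` and `%{_mandir}` macros in these hunks, so `%{_sbindir}/raddebug` would be more consistent, and it is worth confirming that the 2.1.4 install target actually places the file under /usr/sbin before listing it (the radmin omission in the 2.1.0 spec reported further down this page shows how easily this list drifts).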
Re: Migration from TACACS+ to RADIUS
Alan DeKok wrote:
> Nicholas R. Cappelletti wrote:
>> In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP. I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
>>
>> 1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (we use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
>
> The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.

Can this be expected in the foreseeable future?

Norbert Wegener

> Alan DeKok.
otp daemon for use with freeradius
In otp.conf an otpd is mentioned for use with freeradius. According to the licence the daemon can only be used with tokens from TRI-D Systems. Is there another otpd around that is free?

Thanks
Norbert Wegener
Re: server selection
Alan DeKok wrote:
> Norbert Wegener wrote:
>>> That configuration can be added manually, by doing internal proxying to the virtual server.
>>
>> Will this also be possible when freeradius gets its information out of a mysql database?
>
> Of course!
>
>> The only place to modify addresses I found is the preproxy_users file, which seems to be used by the rlm_files module only.
>
> I'm not sure what that means... You could do something like:
>
>     ...
>     update control {
>         Proxy-To-Realm := "%{sql:SELECT ... from.. where %{NAS-IP-Address}}"
>     }

OK, but I had not heard about that before, and it seems to be no topic for the mass media: googling for Proxy-To-Realm gives 94 results.

> Could you describe more of your requirements?

In a greater installation there are numerous different rules for vlan assignments. Before applying even the slightest configuration change to a production system, I want to make sure that as many different configurations as possible have been checked to deliver those attributes that they are expected to. Obviously a part of those checks can be done using radtest. Running radtest with nasip as an argument should therefore bring freeradius to use the server the nasip belongs to, and not the server the machine running radtest belongs to.

Btw: Is eapol_test *the* tool to do such checks in an automated way for eap/tls authentications, or is there a better one available?

Norbert Wegener

> Alan DeKok.
Re: server selection
Alan DeKok wrote:
> Norbert Wegener wrote:
>> freeradius 2.1.1, configured to use multiple virtual servers, seems to select the server to use depending on the host sending the request, not depending on the NAS-IP-Address in the request.
>
> Yes. See raddb/sites-available/README. When a client is tied to a virtual server, it is done by source IP address.

Ok.

>> I would have expected the server to be chosen because of the NAS-IP-Address.
>
> That configuration can be added manually, by doing internal proxying to the virtual server.

Will this also be possible when freeradius gets its information out of a mysql database? The only place to modify addresses I found is the preproxy_users file, which seems to be used by the rlm_files module only.

Norbert Wegener

> Alan DeKok.
server selection
freeradius 2.1.1, configured to use multiple virtual servers, seems to select the server to use depending on the host sending the request, not depending on the NAS-IP-Address in the request. When using radtest I get:

    norb...@suse:~$ radtest 0002 0002 psucoll 0 secret dummy 1.1.1.1
    Sending Access-Request of id 227 to 123.25.153.210 port 1812
            User-Name = "0002"
            User-Password = "0002"
            NAS-IP-Address = 1.1.1.1
            NAS-Port = 0
            Framed-Protocol = PPP
    rad_recv: Access-Accept packet from host 123.25.153.210 port 1812, id=227, length=20

while radiusd -X shows:

    ...
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 149.246.185.169 port 54115, id=244, length=70
            User-Name = "0001"
            User-Password = "0001"
            NAS-IP-Address = 1.1.1.1
            NAS-Port = 0
            Framed-Protocol = PPP
    server enterasys {

1.1.1.1 is a nas belonging to the server cisco, 149.246.185.169 belongs to the server enterasys. I would have expected the server to be chosen because of the NAS-IP-Address.

Thanks
Norbert Wegener
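An added example of the automated check the poster asks for in this thread (my own code, not from the thread and not FreeRADIUS code): it parses a radiusd -X transcript, records which virtual server handled each request, and compares that with the server the NAS-IP-Address is bound to and with the server bound to the packet's source host, which is what 2.1.x actually selects on. The NAS_SERVER table and SAMPLE_DEBUG transcript are constructed to mirror the thread.

```python
"""Check which virtual server handled each request in a radiusd -X transcript.

Added example: not from the mailing-list thread and not FreeRADIUS code.
NAS_SERVER and SAMPLE_DEBUG are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed binding of NAS addresses to virtual servers, mirroring the thread:
# 1.1.1.1 is a cisco NAS, 149.246.185.169 an enterasys one.
NAS_SERVER = {
    "1.1.1.1": "cisco",
    "149.246.185.169": "enterasys",
}

# Constructed radiusd -X transcript: the first request is the one from the thread,
# the second comes from an unknown host but names a known NAS-IP-Address.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 149.246.185.169 port 54115, id=244, length=70
        User-Name = "0001"
        User-Password = "0001"
        NAS-IP-Address = 1.1.1.1
        NAS-Port = 0
        Framed-Protocol = PPP
server enterasys {
+- entering group authorize {...}
} # server enterasys
rad_recv: Access-Request packet from host 10.0.0.5 port 40001, id=12, length=58
        User-Name = "0002"
        NAS-IP-Address = 149.246.185.169
server enterasys {
} # server enterasys
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
SERVER_RE = re.compile(r"^server (\S+) \{")


@dataclass
class Request:
    packet_type: str
    src_host: str
    packet_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    server: Optional[str] = None


def parse_debug(text: str) -> List[Request]:
    """Split a radiusd -X transcript into requests with their attributes and server."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = Request(m.group(1), m.group(2), int(m.group(3)))
            requests.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current.attrs[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = SERVER_RE.match(line)
        if m and current.server is None:   # first "server X {" after rad_recv
            current.server = m.group(1)
    return requests


def check_selection(requests, binding, key="nas") -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (id, looked-up address, expected server, actual server) for every mismatch.

    key="nas" expects the server bound to NAS-IP-Address (what the poster expected);
    key="src" expects the server bound to the packet's source host (what 2.1.x does).
    Requests whose address is not in the binding table are skipped.
    """
    mismatches = []
    for r in requests:
        addr = r.attrs.get("NAS-IP-Address") if key == "nas" else r.src_host
        expected = binding.get(addr)
        if expected is not None and r.server != expected:
            mismatches.append((r.packet_id, addr, expected, r.server))
    return mismatches


if __name__ == "__main__":
    reqs = parse_debug(SAMPLE_DEBUG)
    for pid, addr, exp, act in check_selection(reqs, NAS_SERVER, key="nas"):
        print(f"id={pid}: NAS {addr} belongs to '{exp}' but was handled by '{act}'")
```

Run against a real `radiusd -X` capture, the `key="nas"` report lists every request that landed in a different virtual server than its NAS is meant for, which is exactly the class of misconfiguration a radtest-driven pre-production check should catch; `key="src"` should come back empty on a correctly populated clients list, since that is the rule the server applies.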
ownership change
Upgrading from 2.1.1 to 2.1.3 on a Suse 10.2 system and restarting radiusd with the identical configuration showed the following message:

    We do not own /var/run/radiusd/radiusd.sock.

    ls -l /var/run/radiusd/radiusd.sock
    srw-rw 1 radiusd radiusd 0 12. Dez 16:18 /var/run/radiusd/radiusd.sock

That fits the entries

    user = radiusd
    group = radiusd

in radiusd.conf. Removing radiusd.sock and restarting radiusd solved the problem. 2.1.3 obviously changed the ownership:

    ls -l /var/run/radiusd/radiusd.sock
    srw-rw 1 root radiusd 0 12. Dez 16:20 /var/run/radiusd/radiusd.sock

Shouldn't the ownership still be radiusd.radiusd?

Norbert Wegener
Siemens IT Solutions and Services GmbH & Co. OHG
radmin SIGABRTs freeradius 2.1.1
I have an input file for radmin with the following content:

    debug file /var/log/radius/nw2.log
    debug condition '(NAS-IP-Address == "172.31.110.147") || (NAS-IP-Address == "172.31.110.149") || (NAS-IP-Address == "149.246.185.169")'

When those commands have been executed and some debugging shows up in the logfile, I want to switch to another log. Changing the radmin input file to

    debug file /var/log/radius/nw3.log
    debug condition '(NAS-IP-Address == "172.31.110.147") || (NAS-IP-Address == "172.31.110.149") || (NAS-IP-Address == "149.246.185.169")'

and executing the commands, freeradius in the current 2.1.1 version dies. This is what gdb shows:

    Loaded symbols for /usr/lib64/freeradius/rlm_sql_log.so
    0x2b091e323562 in ?? () from /lib64/libc.so.6
    (gdb) cont
    Continuing.

    Program received signal SIGABRT, Aborted.
    [Switching to Thread 47318162851936 (LWP 2820)]
    0x2b091e299b95 in raise () from /lib64/libc.so.6
    (gdb) bt
    #0  0x2b091e299b95 in raise () from /lib64/libc.so.6
    #1  0x2b091e29af90 in abort () from /lib64/libc.so.6
    #2  0x2b091e2d035b in __libc_message () from /lib64/libc.so.6
    #3  0x2b091e2d534e in malloc_printerr () from /lib64/libc.so.6
    #4  0x2b091e2d695c in free () from /lib64/libc.so.6
    #5  0x0040e748 in command_debug_condition (listener=<optimized out>, argc=2820, argv=0x6) at command.c:718
    #6  0x0040ee01 in command_domain_recv (listener=0x726dc0, pfun=<optimized out>, prequest=<optimized out>) at command.c:1680
    #7  0x0041ef10 in event_socket_handler (xel=<optimized out>, fd=<optimized out>, ctx=<optimized out>) at event.c:2666
    #8  0x2b091d7169c0 in fr_event_loop (el=0x70e980) at event.c:400
    #9  0x00418bb1 in main (argc=<optimized out>, argv=0xe) at radiusd.c:394

Norbert Wegener
Re: Compile Error :FreeRadius v 2.1.1 RPM build error
See: http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00659.html

Norbert Wegener

Syed Anwarul Hasan wrote:
> Hi Alan, Ivan and all,
>
> Alan, as I was having a backtrace problem in my FreeRadius v 2.0.5, I deleted all the old binaries and libraries for the earlier version. Then I got the latest FreeRadius v 2.1.1 tarball (compressed tar.bz2) from the freeradius.org website and started to build on SLES 10 SP2. And I copied the freeradius.spec into the SPECS folder. When I try to compile, I get an rpm build error and compilation stops. Please help me in this regard.
>
> SYED
>
>     pc1138: /usr/src/packages/SOURCES # rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
>     Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.25117
>     + umask 022
>     + cd /usr/src/packages/BUILD
>     + cd /usr/src/packages/BUILD
>     + rm -rf freeradius-server-2.1.1
>     + /usr/bin/bzip2 -dc /usr/src/packages/SOURCES/freeradius-server-2.1.1.tar.bz2
>     + tar -xf -
>     + STATUS=0
>     + '[' 0 -ne 0 ']'
>     + cd freeradius-server-2.1.1
>     ++ /usr/bin/id -u
>     + '[' 0 = 0 ']'
>     + /bin/chown -Rhf root .
>     ++ /usr/bin/id -u
>     + '[' 0 = 0 ']'
>     + /bin/chgrp -Rhf root .
>     + /bin/chmod -Rf a+rX,u+w,g-w,o-w .
>     ++ find . -name CVS
>     + rm -rf
>     + exit 0
>     Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.27085
>     + umask 022
>     + cd /usr/src/packages/BUILD
>     + /bin/rm -rf /var/tmp/freeradius-server-2.1.1-build
>     ++ dirname /var/tmp/freeradius-server-2.1.1-build
>     + /bin/mkdir -p /var/tmp
>     + /bin/mkdir /var/tmp/freeradius-server-2.1.1-build
>     + cd freeradius-server-2.1.1
>     + export 'CFLAGS=-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
>     + CFLAGS='-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
>     + autoreconf
>     configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
>     autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
>     configure.in:1140: the top level
>     configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
>     autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
>     configure.in:1140: the top level
>     configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
>     autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
>     configure.in:1140: the top level
>     configure.in:547: error: possibly undefined macro: AC_LIB_READLINE
>           If this token and others are legitimate, please use m4_pattern_allow.
>           See the Autoconf documentation.
>     autoreconf: /usr/bin/autoconf failed with exit status: 1
>     error: Bad exit status from /var/tmp/rpm-tmp.27085 (%build)
>
>     RPM build errors:
>         Bad exit status from /var/tmp/rpm-tmp.27085 (%build)
Re: Suse 10.3 build problem with 2.1.1
Alan DeKok wrote:
> Norbert Wegener wrote:
>> Building Suse rpms on 10.3 I get the following error:
>
> Err... the spec file is re-building the "configure" script? Why?
>
>> + autoreconf

Okay, after commenting autoreconf out in the specfile everything builds as expected.

Thanks
Norbert Wegener
Suse 10.3 build problem with 2.1.1
Building Suse rpms on 10.3 I get the following error:

    rpmbuild -ba freeradius.spec
    Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.73764
    + umask 022
    + cd /usr/src/packages/BUILD
    + cd /usr/src/packages/BUILD
    + rm -rf freeradius-server-2.1.1
    + tar -xf -
    + /usr/bin/bzip2 -dc /usr/src/packages/SOURCES/freeradius-server-2.1.1.tar.bz2
    + STATUS=0
    + '[' 0 -ne 0 ']'
    + cd freeradius-server-2.1.1
    ++ /usr/bin/id -u
    + '[' 0 = 0 ']'
    + /bin/chown -Rhf root .
    ++ /usr/bin/id -u
    + '[' 0 = 0 ']'
    + /bin/chgrp -Rhf root .
    + /bin/chmod -Rf a+rX,u+w,g-w,o-w .
    ++ find . -name CVS
    + rm -rf
    + exit 0
    Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.28328
    + umask 022
    + cd /usr/src/packages/BUILD
    + /bin/rm -rf /var/tmp/freeradius-server-2.1.1-build
    ++ dirname /var/tmp/freeradius-server-2.1.1-build
    + /bin/mkdir -p /var/tmp
    + /bin/mkdir /var/tmp/freeradius-server-2.1.1-build
    + cd freeradius-server-2.1.1
    + export 'CFLAGS=-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
    + CFLAGS='-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
    + autoreconf
    configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
    ../../lib/autoconf/status.m4:919: AC_CONFIG_SUBDIRS is expanded from...
    configure.in:1140: the top level
    configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
    ../../lib/autoconf/status.m4:919: AC_CONFIG_SUBDIRS is expanded from...
    configure.in:1140: the top level
    configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
    ../../lib/autoconf/status.m4:919: AC_CONFIG_SUBDIRS is expanded from...
    configure.in:1140: the top level
    configure.in:547: error: possibly undefined macro: AC_LIB_READLINE
          If this token and others are legitimate, please use m4_pattern_allow.
          See the Autoconf documentation.
    autoreconf: /usr/bin/autoconf failed with exit status: 1
    error: Bad exit status from /var/tmp/rpm-tmp.28328 (%build)

    RPM build errors:
        Bad exit status from /var/tmp/rpm-tmp.28328 (%build)

I have built former versions of freeradius on that machine. This error did not occur before.

Norbert Wegener
Re: 1.Troubleshooting MySQL Connections , 2. troubleshooting possible memory leak
1. Maybe max_connections in the MySQL config file should also be increased and MySQL be restarted.
2. No idea except upgrading.

Norbert Wegener

Stefan A. wrote:
> Gurus,
>
> in my radiusd.log, I can see lots of these errors:
>
>     Wed Sep 24 09:40:54 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:40:55 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:40:56 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:40:57 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:40:58 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:41:01 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:48:00 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:48:01 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:48:02 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:48:03 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:48:04 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:49:37 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:49:38 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>     Wed Sep 24 09:51:39 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
>
> I thought giving the system more DB connections and lowering the retry delay should help. It did, and I now get only about 50% of the errors. But what would be a reasonable value for this?
>
> 'sql_accounting' is configured:
>
>     sql sql_accounting {
>         database = "mysql"
>         driver = "rlm_sql_${database}"
>         server = "db-master"
>         port = "3306"
>         login = "y"
>         password = "x"
>         radius_db = "radius_te"
>         acct_table1 = "radacct"
>         acct_table2 = "radacct"
>         postauth_table = "radpostauth"
>         authcheck_table = "radcheck"
>         authreply_table = "radreply"
>         groupcheck_table = "radgroupcheck"
>         groupreply_table = "radgroupreply"
>         usergroup_table = "radusergroup"
>         deletestalesessions = yes
>         sqltrace = yes
>         sqltracefile = ${logdir}/sqltrace.sql
>         num_sql_socks = 8
>         connect_failure_retry_delay = 30
>         #readclients = yes
>         nas_table = "nas"
>         $INCLUDE sql/${database}/dialup.conf
>     }
>
> Another issue: FR is eating memory and I do not know how to troubleshoot this. It takes about 1 MB/minute, which was about 3.5 GB over some days before we recognized this. I configured the option to die a server after 500 packets, but this does not help for me. Do I have to restart the server from time to time? How may I troubleshoot this? May I unconfigure radutmp? I think I do not need this. Do I really need the sqltrace file? How may I unconfigure it? Just deleting the config line?
>
> My system runs FR 2.0.5 on Solaris 10 using MySQL 5.0.51a.
>
> Any ideas? Thank you.
>
> Regards
> Stefan
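An added example (my own code, not from the thread and not part of FreeRADIUS) that turns the two parts of this exchange into something checkable: a scanner that parses radiusd.log lines of the kind quoted above and reports per-module bursts of "There are no DB handles to use!", and a sizing check that adds up the num_sql_socks of every rlm_sql instance and compares the total with the MySQL max_connections figure the reply points to. The log lines, instance names and numbers below are constructed sample data.

```python
"""Detect rlm_sql connection-pool exhaustion and size the pool against MySQL.

Added example: not from the thread and not FreeRADIUS code. SAMPLE_LOG and the
module settings in the __main__ block are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# "Wed Sep 24 09:40:54 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0"
NO_HANDLES_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \w+: rlm_sql \((?P<inst>[\w-]+)\): "
    r"There are no DB handles to use! skipped (?P<skipped>\d+), tried to connect (?P<tried>\d+)"
)

# Constructed log excerpt: a burst from sql_accounting, one stray line from a
# second instance, and an unrelated Auth line that must be ignored.
SAMPLE_LOG = """\
Wed Sep 24 09:40:54 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
Wed Sep 24 09:40:55 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
Wed Sep 24 09:40:56 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
Wed Sep 24 09:41:01 2008 : Info: rlm_sql (sql_accounting): There are no DB handles to use! skipped 0, tried to connect 0
Wed Sep 24 09:41:02 2008 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Wed Sep 24 09:48:00 2008 : Auth: Login OK: [bob] (from client nas1 port 3)
"""


def parse_no_handle_events(text):
    """Return (timestamp, instance, skipped, tried) for every pool-exhaustion line."""
    events = []
    for line in text.splitlines():
        m = NO_HANDLES_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("inst"), int(m.group("skipped")), int(m.group("tried"))))
    return events


def bursts_per_minute(events, threshold=3):
    """Count events per (instance, minute); return the buckets at or above threshold.

    Minutes are returned as 'YYYY-MM-DD HH:MM' strings so the result is easy to log.
    """
    counts = Counter((inst, ts.strftime("%Y-%m-%d %H:%M")) for ts, inst, _, _ in events)
    return {key: n for key, n in counts.items() if n >= threshold}


def required_db_connections(modules):
    """modules: {instance_name: num_sql_socks}. Each rlm_sql instance opens its own
    pool, so the MySQL max_connections budget must cover the sum of all of them."""
    return sum(modules.values())


def fits_max_connections(modules, max_connections, reserve=1):
    """True if every pool can be fully opened with `reserve` connections left over
    for administrative logins; otherwise the server will hit 'no DB handles'."""
    return required_db_connections(modules) + reserve <= max_connections


if __name__ == "__main__":
    events = parse_no_handle_events(SAMPLE_LOG)
    for (inst, minute), n in sorted(bursts_per_minute(events).items()):
        print(f"{minute} {inst}: {n} pool-exhaustion messages")
    modules = {"sql": 5, "sql_accounting": 8}          # constructed num_sql_socks values
    print("pool total:", required_db_connections(modules),
          "fits max_connections=100:", fits_max_connections(modules, 100))
```

The per-minute bucketing is deliberately coarse: a single message while MySQL is restarting is noise, a sustained burst in one module instance means that instance's num_sql_socks, the connect_failure_retry_delay, or the database side's max_connections needs attention.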
Re: Logging problem
Thanks, that works.

Norbert Wegener

Alan DeKok wrote:
> Norbert Wegener wrote:
>> I fear not...
>
> Hmm... if this is in the "authenticate" section, then the rules are different. The authenticate section is processed by selecting *one* module / section from the list. That *one* module is processed. So if you have:
>
>     authenticate {
>         eap
>         foo
>     }
>
> Then "eap" is run for Auth-Type = eap. "foo" is not used, and any failure / noop / whatever of "eap" does NOT cause it to fall through to "foo". The solution is to wrap it in an Auth-Type block:
>
>     authenticate {
>         Auth-Type eap {
>             eap {
>                 invalid = 1
>             }
>             if ( invalid ) {
>                 ...
>             }
>         }
>         foo
>     }
>
> In this case, the "eap" *section* will be processed. The contents will be treated just as if they were being run in the "authorize" section. So the default action for "invalid" has to be changed in order for it to fall through, and continue processing.
>
> Alan DeKok.
Re: Logging problem
I fear not...

    eap {
        invalid = 1
    }
    if (invalid) {
        update reply {
            Tmp-String-5 = "INVALID Certificate"
        }
    ...

    TLS_accept:error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    SSL: SSL_read failed in a system call (-1), TLS session fails.
    TLS receive handshake failed during operation
    [tls] eaptls_process returned 4
    [eap] Handler failed in EAP/tls
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    } # server cisco
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    ...

Alan DeKok wrote:
> Norbert Wegener wrote:
>> It seems "if (invalid)" is not entered and I don't see why.
>
> The default behavior for "invalid" is to stop processing the request. This can be changed by:
>
>     eap {
>         invalid = 1
>     }
>     if ( invalid ) {
>         ...
>
> I'm not sure the default behavior is really documented anywhere, unfortunately.
>
> Alan DeKok.
Logging problem
Hello Alan,

I want logging information if a client shows up with an expired certificate. Therefore in authorize I have:

    ...
    eap
    if ( invalid ) {
        update reply {
            Tmp-String-5 = "INVALID Certificate"
        }
    }

in post-auth:

    ...
    Post-Auth-Type REJECT {
        sql_log
    }

and in modules/sql_log:

    Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES \
        ('%{User-Name}', '%{User-Password}', \
        '%{reply:Packet-Type}', '%S', '%{NAS-Identifier}','%{Client-IP-Address}','${RADIP}',\
        '%{Port-Message}','%{NAS-Port-Id}','%{reply:Tmp-String-5}','%{Calling-Station-Id}');"

When a client shows up with an expired certificate I would expect to see the message "INVALID Certificate". Here is what I get with 2.1.0:

    [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
    TLS Alert write:fatal:certificate expired
    TLS_accept:error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    SSL: SSL_read failed in a system call (-1), TLS session fails.
    TLS receive handshake failed during operation
    [tls] eaptls_process returned 4
    [eap] Handler failed in EAP/tls
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    } # server cisco
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [sql_log] Processing sql_log_postauth
            expand: %{User-Name} -> HOST/osd02red.ww901.mycompany.net
            expand: %{%{User-Name}:-DEFAULT} -> HOST/osd02red.ww901.mycompany.net
    [sql_log] sql_set_user escaped user --> 'HOST/osd02red.ww901.mycompany.net'
            expand: INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('%{User-Name}', '%{User-Password}','%{reply:Packet-Type}', '%S', '%{NAS-Identifier}','%{Client-IP-Address}','1.2.3.4', '%{Port-Message}','%{NAS-Port-Id}','%{reply:Tmp-String-5}','%{Calling-Station-Id}'); -> INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('HOST/osd02red.ww901.mycompany.net', '', 'Access-Reject', '2008-09-12 09:58:09', '','123.246.185.169','1.2.3.4', '','','','00-00-00-00-00-02');

It seems "if (invalid)" is not entered and I don't see why.

Norbert Wegener
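An added example (my own code, not from the thread and not the server's modcall implementation) that models the rule the replies in this thread turn on: every return code a module produces is mapped by the enclosing section either to "return" (stop the section right there) or to a numeric priority (keep going; the section's own result becomes that code if its priority beats the current one), and a per-module block such as `eap { invalid = 1 }` overrides one entry for that call. The DEFAULT_ACTIONS table is the authorize default as documented in the server's doc/configurable_failover; treat the exact numbers as an assumption to re-check against your version. It also models the authenticate rule from the follow-up: only the entry named by Auth-Type runs.

```python
"""Simulate how an unlang section reacts to module return codes.

Added example: not from the thread and not FreeRADIUS code. DEFAULT_ACTIONS is
the documented authorize default (assumption: re-check against your version);
steps and overrides passed in are constructed by the caller.
"""
DEFAULT_ACTIONS = {
    "reject": "return",
    "fail": "return",
    "ok": 3,
    "handled": "return",
    "invalid": "return",
    "userlock": "return",
    "notfound": 1,
    "noop": 2,
    "updated": 4,
}


def run_section(steps, overrides=None):
    """Walk a section and report what ran.

    steps: list of ("module", name, return_code) or ("if", code) in section order;
           an ("if", code) entry stands for `if (code) { ... }` and fires when the
           previous module returned exactly that code.
    overrides: {module_name: {return_code: action}} as written in a
           `module { code = action }` block; action is "return" or a priority.
    Returns {"reached": [...], "fired": [...], "result": section_result}.
    """
    overrides = overrides or {}
    reached, fired = [], []
    last_code = None
    result, priority = "noop", 0      # a section that runs nothing yields noop
    for step in steps:
        if step[0] == "if":
            cond = step[1]
            reached.append(f"if ({cond})")
            if last_code == cond:
                fired.append(cond)
            continue
        _, name, code = step
        reached.append(name)
        last_code = code
        action = overrides.get(name, {}).get(code, DEFAULT_ACTIONS[code])
        if action == "return":        # e.g. invalid by default: nothing after it runs
            return {"reached": reached, "fired": fired, "result": code}
        if action > priority:         # e.g. invalid = 1: continue, remember the code
            result, priority = code, action
    return {"reached": reached, "fired": fired, "result": result}


def run_authenticate(auth_type, sections, overrides=None):
    """authenticate { ... } runs exactly one entry, the one named by Auth-Type.

    sections: {auth_type_name: steps}. Entries for other Auth-Types are never
    reached, which is why `eap` falling through to `foo` cannot happen there.
    """
    if auth_type not in sections:
        raise ValueError(f"no authenticate entry for Auth-Type {auth_type!r}")
    return run_section(sections[auth_type], overrides)


if __name__ == "__main__":
    steps = [("module", "eap", "invalid"), ("if", "invalid")]
    print("default:   ", run_section(steps))
    print("invalid=1: ", run_section(steps, overrides={"eap": {"invalid": 1}}))
```

With the default table the walk stops at `eap` and the `if (invalid)` block is never reached, which is the symptom reported in the original post; with `eap { invalid = 1 }` the code becomes a priority-1 continue, the condition fires, and the section still ends with `invalid`, so the reject path and the Post-Auth-Type REJECT logging both still happen.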
Re: Version 2.1.0 has been released.
Alan DeKok wrote:
> ...
> * Debug logs can now be turned on/off while the server is running, for a user, group, realm, etc. See the "log" section of radiusd.conf.

It seems to me the log section contains the same items as in 2.0.5. So I am not sure how to turn logging on for a specific user when the server is running:

    log {
        destination = files
        file = ${logdir}/radius.log
        #
        #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }

Maybe I missed something?

Norbert Wegener
Re: Version 2.1.0 has been released.
The new /usr/sbin/radmin is missing in the %files section of the suse specfile. When it is added, the packages build correctly.

Norbert Wegener
modules in unlang unknown?
Hello,

I want to use a second database for searching users when they are not found in the first one. So I have set up two sql modules: sqldef and sqlps. In my server configuration there is:

    authorize {
        group sqlall {
            sqldef {
                notfound = 1
            }
            sqlps
        }
        ...
        preprocess
        ...
        if ("%{sqlall:SELECT UserName from radcheck where UserName like '%{User-Name}' }" != "" ) {
            update control {
            }
        }

When a query comes in I finally get:

    server cisco {
    +- entering group authorize
    ++- entering group sqlall

Obviously the group is known...

            expand: %{User-Name} -> e0001323c4c3
    rlm_sql (sqldef): sql_set_user escaped user --> 'e0001323c4c3'
    rlm_sql (sqldef): Reserving sql socket id: 3
    ...
    rlm_sql (sqldef): Released sql socket id: 3
    +++[sqldef] returns ok
            expand: %{User-Name} -> e0001323c4c3
    rlm_sql (sqlps): sql_set_user escaped user --> 'e0001323c4c3'
    rlm_sql (sqlps): Released sql socket id: 4
    rlm_sql (sqlps): User e0001323c4c3 not found
    +++[sqlps] returns notfound
    ++- group sqlall returns ok
    ++? if (!User-Name)
    ? Evaluating !(User-Name) -> TRUE
    ++? if (!User-Name) -> FALSE
    ++[preprocess] returns ok
    ++? if ("%{sqlall:SELECT UserName from radcheck where UserName like '%{User-Name}' }" != "" )
    WARNING: Unknown module "sqlall" in string expansion "%{sqlall:SELECT UserName from radcheck where UserName like '%{User-Name}' }"

Shouldn't that module be known here? Something wrong with my syntax or something else?

Norbert Wegener
unlang question
With unlang I achieve the following: check whether a special VLAN exists on a switch and, if so, assign it. This works with the construct below.

    if ("%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' ) }" != '') {
        update reply {
            Tunnel-Private-Group-ID = "%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' )}"
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Type = VLAN
        }
    }

To reduce sql queries I want to avoid the second one. Can I store the result of the first query and use the value to assign Tunnel-Private-Group-ID?

Thanks
Norbert Wegener
Re: ASSERT FAILED
Alan DeKok wrote:
> Norbert Wegener wrote:
>> As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...
>
> Whoops. The intent was to allow Status-Server to any port, but to permit the statistics only to a "status" port.
>
>> First I noticed:
>>
>>     radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long
>>
>> I commented out a few of the long-named values.
>
> Hmm... If src/include/libradius.h has a DICT_ATTR with attrname[40], then you have an old copy of the source. This was fixed in a commit on June 19.
>
>>     rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>>             Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>>             FreeRADIUS-Statistics-Type = Authentication
>>     ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
>>     Abgebrochen
>
> Grab an update from the new CVS tree:
>
>     cvs -d :pserver:[EMAIL PROTECTED]:/freeradius-server.git checkout -d radiusd master
>
> You should be able to just copy src/main/listen.c from there to your existing tree, so you don't have to do a full configure/make again.

Thanks, works now.

Norbert Wegener

> Alan DeKok.
Re: ASSERT FAILED
[EMAIL PROTECTED] wrote:
> Hi,
>
>> ... I got:
>>
>>     rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>>             Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>>             FreeRADIUS-Statistics-Type = Authentication
>>     ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
>>     Abgebrochen
>
> have you enabled the statistics virtual server? copy or link the entry in sites-available/

In radiusd.conf:

    status_server = yes

If you mean the "status" file from sites-available: It is linked to sites-enabled.

Norbert Wegener

> alan
ASSERT FAILED
As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...

First I noticed:

    radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long

I commented out a few of the long-named values. Now with

    cat x | radclient -d /usr/share/freeradius/ 127.0.0.1 status adminsecret

where x contains:

    Message-Authenticator = 0x00
    FreeRADIUS-Statistics-Type=1

I got:

    rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
            Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
            FreeRADIUS-Statistics-Type = Authentication
    ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
    Abgebrochen

Norbert Wegener
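An added example (my own code, not from the thread and not the radclient or FreeRADIUS implementation) of what is going on in the input file above: radclient replaces the placeholder `Message-Authenticator = 0x00` with the real value, an HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16 value bytes zeroed (RFC 2869; RFC 5997 requires it on Status-Server). The code builds such a packet and shows the check a server has to perform before it trusts a Status-Server request, including rejection of a wrong secret, a tampered attribute and a truncated packet. The secret and identifier are constructed; the FreeRADIUS vendor id 11344 and attribute number 127 for FreeRADIUS-Statistics-Type are taken from dictionary.freeradius and are an assumption to re-check against your copy.

```python
"""Build and verify a RADIUS Status-Server packet carrying a Message-Authenticator.

Added example: not from the thread and not FreeRADIUS code. Secret, identifier
and request authenticator are constructed; the vendor id and the statistics
attribute number are assumptions taken from dictionary.freeradius.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
VENDOR_SPECIFIC = 26
MESSAGE_AUTHENTICATOR = 80
FREERADIUS_VENDOR = 11344           # assumption, see module docstring
FREERADIUS_STATISTICS_TYPE = 127    # assumption, see module docstring


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_statistics_type(kind: int) -> bytes:
    """FreeRADIUS-Statistics-Type as a Vendor-Specific attribute (1 = Authentication)."""
    inner = struct.pack("!BB", FREERADIUS_STATISTICS_TYPE, 6) + struct.pack("!I", kind)
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", FREERADIUS_VENDOR) + inner)


def build_status_server(secret: bytes, identifier: int, attrs: list,
                        authenticator: bytes = None) -> bytes:
    """Return a Status-Server packet whose last attribute is a valid Message-Authenticator."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(attrs) + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", STATUS_SERVER, identifier, 20 + len(body)) + authenticator
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # overwrite the zeroed placeholder


def find_message_authenticator(packet: bytes):
    """Offset of the Message-Authenticator value, or None if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None                  # malformed TLV: refuse rather than guess
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            return pos + 2
        pos += length
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What a server must check before acting on a Status-Server request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


if __name__ == "__main__":
    secret = b"adminsecret"            # constructed shared secret
    pkt = build_status_server(secret, 117, [encode_statistics_type(1)])
    print(len(pkt), pkt.hex())         # 50 bytes, like the length=50 in the thread
    print(verify_message_authenticator(pkt, secret), verify_message_authenticator(pkt, b"other"))
```

A Status-Server with a single FreeRADIUS-Statistics-Type attribute and the Message-Authenticator comes out at exactly 50 bytes, matching the `length=50` the server printed. The verifier walks the TLVs with bounds checks and uses a constant-time compare; the check is only as strong as the shared secret, so the `adminsecret` of the status listener deserves the same care as any client secret.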
Re: virtual server and clients from sql
[EMAIL PROTECTED] wrote:
> Hi,
>
>> Modified nas_query:
>>
>>     {"nas_query", PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,nas_query), NULL, "SELECT id,nasname,shortname,type,secret,server FROM nas"},
>>
>> rebuilt the server.
>
> huh? that's the default query in the code - if you edit sql.conf and modify nas_query in the config it will do the required task.

Correct, thanks. I have been confused by the nas_query in rlm_sql.c.

Norbert Wegener

> alan
Re: virtual server and clients from sql
Alan DeKok wrote:
> Norbert Wegener wrote:
>> where those changes alone did not seem to help...
>
> See raddb/sql/mysql/nas.sql
>
> The field name is "server", not "virtual_server". And it's commented out by default.
>
>> So in 2.0.5 something seems to be missing.
>
> The SQL tables have to be updated to contain the right information, too. Once that's done, and the queries updated, it should work.

I took today's cvs/git and modified the nas table:

    mysql> select * from nas;
    +----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
    | id | nasname         | shortname | type  | ports | secret     | server | community | description    |
    +----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
    |  1 | 149.246.185.169 | testbox   | linux |   123 | testing123 | cisco  | none      | no description |
    +----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
    1 row in set (0.00 sec)

Modified nas_query:

    {"nas_query", PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,nas_query), NULL, "SELECT id,nasname,shortname,type,secret,server FROM nas"},

rebuilt the server.

    ...
    rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=149.246.185.169,shortname=testbox,secret=testing123
    rlm_sql (sql): Adding client 149.246.185.169 (testbox, server=) to clients list

so the server does not seem to arrive. So I changed in rlm_sql.c:

    /* NAS query isn't xlat'ed */
    /*strlcpy(querystr, inst->config->nas_query, sizeof(querystr));*/
    strlcpy(querystr, "SELECT id,nasname,shortname,type,secret,server FROM nas", sizeof(querystr));

which is probably not how it is expected to be done, but it works:

    rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret,server FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=149.246.185.169,shortname=testbox,secret=testing123
    rlm_sql (sql): Adding client 149.246.185.169 (testbox, server=cisco) to clients list
    rlm_sql (sql): Released sql socket id: 4

Norbert Wegener

> Alan DeKok.
Re: virtual server and clients from sql
Alan DeKok wrote:

Norbert Wegener wrote:
will this be in 2.0.6 by default?

Yes. It's also in 2.0.5, if you're willing to try it out in a testing environment.

I will try it, but what about the comment from [EMAIL PROTECTED]:

the logic is in rlm_sql.c already, all you need to do is update your nas_query so that it looks like eg

    SELECT id,nasname,shortname,type,secret,virtual_server FROM nas

then it'll pull in the details from the DB

alan

where those changes alone did not seem to help... So in 2.0.5 something seems to be missing.

Norbert Wegener

Alan DeKok.
Re: virtual server and clients from sql
[EMAIL PROTECTED] wrote:

Hi,

With the actual git/cvs I wanted to set up client based virtual Servers, where the clients are stored in a mysql database. I added a column "server" to the nas table and set it to the name of a virtual server.

the logic is in rlm_sql.c already, all you need to do is update your nas_query so that it looks like eg

    SELECT id,nasname,shortname,type,secret,virtual_server FROM nas

then it'll pull in the details from the DB

Thanks, will this be in 2.0.6 by default?

Norbert Wegener

alan
virtual server and clients from sql
With the actual git/cvs I wanted to set up client based virtual Servers, where the clients are stored in a mysql database. I added a column "server" to the nas table and set it to the name of a virtual server.

    ...
    rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=149.246.222.54,shortname=149.246.222.541,secret=testing123
    rlm_sql (sql): Adding client 149.246.222.54 (149.246.222.541, server=) to clients list
    ...

It seems the value for server is ignored. Maybe the SELECT statement in rlm_sql.c has to be modified? Or do I have to configure anything else?

Thanks
Norbert Wegener
compile error on suse 10.3
Building an rpm from the current cvs on suse 10.3 fails with:

    Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/freeradius-server-2.0.5-build
    error: Installed (but unpackaged) file(s) found:
       /etc/raddb/sql/oracle/msqlippool.txt

    RPM build errors:
        Installed (but unpackaged) file(s) found:
       /etc/raddb/sql/oracle/msqlippool.txt

Norbert Wegener
Re: Dynamic clients from SQL.
As it seems to me:

    if ("%{sqlnastype: SELECT nasname FROM nas WHERE nasname = %{Packet-Src-IP-Address}}") {

misses some ':

    if ("%{sqlnastype: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {

works.

Norbert Wegener

Alan DeKok wrote:

    $ cvs update
    $ more raddb/sites-available/dynamic-clients

It Just Works. You can now manage clients in an SQL table. When the server receives packets from a new client, it looks up the IP in SQL. The clients can expire (so shared secrets can be changed).

When 'readclients=yes' is set in sql.conf, you only need one "client" entry in the configuration files. The dynamic clients can be read from anywhere... not just from SQL.

The configuration needs to be tested, as the SQL example in the "dynamic-clients" file may not be exactly correct. But it should be relatively easy to fix.

Client lookups are rate-limited, so DoS attacks won't affect the server. The lookups are done NO MORE THAN once a second after the server starts.

Alan DeKok.
Parser problem?
I don't want the module saneusername to be executed when the username either contains "HOST" or ends with ".net" or contains "@". Therefore in 2.0.4 I have this code in sites-available/default:

    authorize {
        if (!( "%{User-Name}" =~ /HOST/ || "%{User-Name}" =~ /.net/ || "%{User-Name}" =~ /@/ )) {
            saneusername
        }
        ..

Starting radiusd -X ...

    rad_recv: Access-Request packet from host 149.246.185.169 port 60938, id=0, length=168
        User-Name = "HOST/02G1-67.us002.mycompany.net"
        NAS-IP-Address = 10.10.20.77
        Calling-Station-Id = "00-00-00-00-00-02"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x022301484f53542f303247312d36372e75733030322e7369656d656e732e6e6574
        Message-Authenticator = 0x1836592939950fab657ec0d5568883c4

With that User-Name I would expect the module not to be executed.

    +- entering group authorize
    ++? if (!( "%{User-Name}" =~ /HOST/ || "%{User-Name}" =~ /.net/ || "%{User-Name}" =~ /@/ ))
        expand: %{User-Name} -> HOST/02G1-67.us002.mycompany.net
    ?? Evaluating ("%{User-Name}" =~ /HOST/) -> TRUE
    ? Converting !TRUE -> FALSE
        expand: %{User-Name} -> HOST/02G1-67.us002.mycompany.net
    ? Evaluating ("%{User-Name}" =~ /.net/) -> TRUE
    Skipping ("%{User-Name}" =~ /@/)
    ++? if (!( "%{User-Name}" =~ /HOST/ || "%{User-Name}" =~ /.net/ || "%{User-Name}" =~ /@/ )) -> TRUE
    ++- entering if (!( "%{User-Name}" =~ /HOST/ || "%{User-Name}" =~ /.net/ || "%{User-Name}" =~ /@/ ))
        expand: [-] -> [-]
    saneusername: Changed value for attribute User-Name from 'HOST/02G1-67.us002.mycompany.net' to 'HOST/02G167.us002.mycompany.net'

Now unfortunately the username has been changed.

    +++[saneusername] returns ok
    ++- if (!( "%{User-Name}" =~ /HOST/ || "%{User-Name}" =~ /.net/ || "%{User-Name}" =~ /@/ )) returns ok
    ++? if ("%{sqlnastype:SELECT UserName from usergroup where UserName = '%{User-Name}' }" == "" )

What do I have to change to make it work as expected?

Norbert Wegener
SNMP in 2.0.2: segmentation Fault
I have 2.0.2 running and snmp enabled. When the snmp daemon dies, freeradius follows...

    Ready to process requests.
    SMUX connection closed: 278
    SMUX connect try 1
    Can't connect to SNMP agent with SMUX: Connection refused
    Ready to process requests.
    Exiting...
    Speicherzugriffsfehler - Segmentation Fault

I can reproduce this by killing the snmpd.

Norbert Wegener
Re: mideye authentication
..
See rlm_example for a simple C challenge-response authentication module. You may also need a consistent State attribute. That code is in rlm_eap, but should probably be pulled into src/main, because other modules may need it, too.

Thanks, that was the missing link.

Norbert Wegener

Alan DeKok.
Re: mideye authentication
Norbert Wegener wrote:

Alan DeKok wrote:

Norbert Wegener wrote:
It should be simple to generate a one time password, throw it into a database, send it via sms and make it available for the next time the user requests access. The problem here seems to be that after a first successful authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?

You first need to define what you mean by "successful authentication". Is it sending an Access-Accept? Or receiving an Accounting start for that user?

The box I am talking about is a Juniper vpn gateway. There they have Custom Radius Authentication Rules and in the configuration menu there is:

    If received packet Type: Access Challenge
    Take action: Show Next Token page

Now it seems to me that after providing the correct login/(static) password combination, not an Access-Accept must be sent, but instead an Access-Challenge. Maybe this can be done using the otpd, but up to now I am searching on how to realise this. Anyone any idea?

Norbert Wegener
Re: mideye authentication
Alan DeKok wrote:

Norbert Wegener wrote:
It should be simple to generate a one time password, throw it into a database, send it via sms and make it available for the next time the user requests access. The problem here seems to be that after a first successful authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?

You first need to define what you mean by "successful authentication". Is it sending an Access-Accept? Or receiving an Accounting start for that user?

For this kind of special requirements, I would suggest writing a C module that implements the logic. It should be very small, even if it stores the passwords in SQL.

Would otpd, which is mentioned in otp.conf, do that job? Up to now I had no time to take a look at it.

Norbert Wegener

You could do much of the logic in "unlang". The only part I'm not sure about is the insert/query/delete from a database.

Alan DeKok.
mideye authentication
One of our customers uses an authentication service from Mideye, which is described this way:

The end-user requests access to a protected application, and is prompted for a user name and password. If the correct credentials have been provided, a one-time password (OTP) is presented on the user's mobile phone. The user is requested to enter the OTP, and if the correct OTP is returned, access is granted.
http://www.mideye.com/index.php3?bredd=268.5

It should be simple to generate a one time password, throw it into a database, send it via sms and make it available for the next time the user requests access. The problem here seems to be that after a first successful authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?

Norbert Wegener
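The two-round flow this thread circles around (static password first, then an Access-Challenge carrying a State attribute, then the OTP in a second Access-Request with the same State), as an added model of the server-side logic. It is not FreeRADIUS code, not rlm_example and not the Mideye service; the user table, the SMS callback and the 120-second code lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed lifetime of a sent code


def _digest(value):
    """Hash an OTP so only its hash sits in the pending-state table."""
    return hashlib.sha256(value.encode()).digest()


class OtpChallengeServer:
    """Constructed model of a RADIUS server doing password + SMS-OTP in two rounds.

    Round 1: User-Name/User-Password, no State  -> Access-Challenge + fresh State
    Round 2: User-Name/OTP + echoed State        -> Access-Accept or Access-Reject
    """

    def __init__(self, users, send_sms, now=time.time):
        self.users = users        # username -> static password (constructed sample data)
        self.send_sms = send_sms  # callable(username, otp): the out-of-band channel
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # State bytes -> (username, otp_hash, expiry)

    def handle(self, request):
        """Dispatch one Access-Request (a dict of attribute name -> value)."""
        self._expire_stale()
        username = request.get("User-Name", "")
        password = request.get("User-Password", "")
        state = request.get("State")
        if state is None:
            return self._first_round(username, password)
        return self._second_round(username, password, state)

    def _first_round(self, username, password):
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"Code": "Access-Reject"}
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_bytes(16)  # unguessable; the NAS must echo it unchanged
        self.pending[state] = (username, _digest(otp), self.now() + OTP_TTL_SECONDS)
        self.send_sms(username, otp)
        # The gateway maps Access-Challenge to its "next token" page
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent to your phone"}

    def _second_round(self, username, otp, state):
        entry = self.pending.pop(state, None)  # State is single use: one try per challenge
        if entry is None:
            return {"Code": "Access-Reject"}
        owner, otp_hash, expiry = entry
        if owner != username or self.now() > expiry:
            return {"Code": "Access-Reject"}
        if hmac.compare_digest(otp_hash, _digest(otp)):
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject"}

    def _expire_stale(self):
        """Drop challenges whose code lifetime has passed."""
        now = self.now()
        for state in [s for s, (_, _, exp) in self.pending.items() if exp < now]:
            del self.pending[state]


if __name__ == "__main__":
    srv = OtpChallengeServer({"alice": "static-pw"}, send_sms=lambda u, o: print("SMS to", u, ":", o))
    first = srv.handle({"User-Name": "alice", "User-Password": "static-pw"})
    print(first["Code"], first.get("Reply-Message"))
```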
Re: eap authentication and cpu utilization
Alan DeKok wrote:

Norbert Wegener wrote:
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavily influenced by the parameters in the "thread pool" section and num_sql_socks, as I have a database backend.

Yes. The interaction effects are strong. If there are fewer SQL sockets than threads, then the threads will block waiting for an SQL socket to become ready. At that point, performance drops significantly.

I would be curious to know how many PAP authentications/s you can do with that database back-end. Knowing the 3 numbers will help scope interaction effects. e.g.

    OpenSSL says: S rsa/s
    PAP says: P requests/s
    EAP testing says: E requests/s

You say E < S, but E << P, too...

Tuning all parameters in mysql/freeradius that I know of and that seemed to make sense, the maximum number of pap requests is about twice the number of rsa signatures. The bottleneck here seems to be mysql. radius used about 20% of the cpu, mysql about 80%.

Norbert Wegener

Alan DeKok.
Re: eap authentication and cpu utilization
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavily influenced by the parameters in the "thread pool" section and num_sql_socks, as I have a database backend.

Norbert Wegener

Alan DeKok wrote:

Sebastian Heil wrote:
with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-request per minute. the cpu load is about 30 - 35 %.

That's less than 10/s. I think that the virtual server is running at a clock rate of about 800MHz, maybe less.

There's some overhead/delay involved in RADIUS and EAP. But it shouldn't drop the performance by 80%.

Alan DeKok.
Re: Version 2.0.2 has been released.
With 2.0.2 I tried a performance test with eap authentications. At one point I get:

    Thu Feb 14 15:10:30 2008 : Error: rlm_eap: No EAP session matching the State variable.
    Thu Feb 14 15:10:30 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

Is this the normal message when the server is too busy?

Norbert Wegener

Alan T DeKok wrote:

People using EAP should definitely upgrade.

Feature improvements
  * Added notes on how to debug the server in radiusd.conf
  * Moved all "log_*" in radiusd.conf to log{} section. The old configurations are still accepted, though.
  * Added ca.der target in raddb/certs/Makefile. This is needed for importing CA certs into Windows.
  * Added ability to send raw attributes via "Raw-Attribute = 0x0102..." This is available only in debug builds. It can be used to create invalid packets! Use it with care.
  * Permit "unlang" policies inside of Auth-Type{} sub-sections of the authenticate{} section. This makes some policies easier to implement.
  * "listen" sections can now have "type = proxy". This lets you control which IP is used for sending proxied requests.
  * Added note on SSL performance to raddb/certs/README

Bug fixes
  * Fixed reading of "detail" files.
  * Allow inner EAP tunneled sessions to be proxied.
  * Corrected MySQL schemas
  * syslog now works in log{} section.
  * Corrected typo in raddb/certs/client.cnf
  * Updated raddb/sites-available/proxy-inner-tunnel to permit authentication to work.
  * Ignore zero-length attributes in received packets.
  * Correct memcpy when dealing with unknown attributes.
  * Corrected debugging messages in attr_rewrite.
  * Corrected generation of State attribute in EAP. This fixes the "failed to remember handler" issues.
  * Fall back to DEFAULT realm if no realm was found. Based on a patch from Vincent Magnin.
  * Updated example raddb/sites-available/proxy-inner-tunnel
  * Corrected behavior of attr_filter to match documentation. This is NOT backwards compatible with previous versions! See "man rlm_attr_filter" for details.
Re: eap authentication and cpu utilization
Alan DeKok wrote:
..

    $ openssl speed

Or

    $ openssl speed rsa

http://www.madboa.com/geek/openssl/#benchmark-speed

For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s.

That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do.

Fine, that openssl switch has been new to me. Do you also have experience in how many percent of that theoretical value can be reached in practice with a database backend on the same machine, where besides freeradius and the database nothing else is running?

Norbert Wegener

Alan DeKok.
eap authentication and cpu utilization
Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. EAP authentication on the other hand requires a great amount of cpu processing. Therefore I have a simple(?) question: Did someone already calculate the theoretical maximum number of eap authentications per second that a recent x86 cpu is able to handle? Or did someone do some practical research on that issue?

Norbert Wegener
Re: EAP session matching the State variable.
As usual, Alan has done a great job. After more than 7 eap authentications everything is still working fine. The bug is obviously fixed.

Thanks Alan

Norbert Wegener

Norbert Wegener wrote:
I am running those tests at the moment with the modified version. I will post the result of 7 authentications later.

Norbert Wegener

Sebastian Heil wrote:
is there anything, i can try to test?

    $ cvs update
    $ cd src/modules/rlm_eap
    $ make clean
    $ make

... and re-run the tests.

i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan?

Sebastian
Re: EAP session matching the State variable.
I am running those tests at the moment with the modified version. I will post the result of 7 authentications later.

Norbert Wegener

Sebastian Heil wrote:
is there anything, i can try to test?

    $ cvs update
    $ cd src/modules/rlm_eap
    $ make clean
    $ make

... and re-run the tests.

i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan?

Sebastian
Re: EAP session matching the State variable.
Alan DeKok wrote:

Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept.

    ...
    State = 0x00030d00
    ...

It's a 64-bit machine... I'll be damned if I can figure out why the State attribute is (almost) all zeros.

I have no access to that machine and didn't expect processor information to be relevant. That is what I got as information about the processor:

    cat /proc/cpuinfo
    processor       : 0
    vendor_id       : GenuineIntel
    cpu family      : 15
    model           : 2
    model name      : Intel(R) Celeron(R) CPU 2.40GHz
    stepping        : 9
    cpu MHz         : 2405.622
    cache size      : 128 KB
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 2
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up cid xtpr
    bogomips        : 4815.15

I updated the code in rlm_eap to fix one problem, and apparently created another... All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored... I think I have access to a 64-bit machine where I can take a look at this.

Alan DeKok.
Re: EAP session matching the State variable.
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept.

Norbert Wegener

Alan DeKok wrote:

Norbert Wegener wrote:
With 2.0.0 sometimes I get this error message, that I have not seen before:

Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...

    rlm_eap: No EAP session matching the State variable.

Is this happening inside of a PEAP tunnel?

    rlm_eap: Either EAP-request timed out OR EAP-response to an unknown ...

This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes. If necessary, I can provide the long log.

That would help...

Alan DeKok.
EAP session matching the State variable.
With 2.0.0 sometimes I get this error message, that I have not seen before:

    rlm_eap: No EAP session matching the State variable.
    rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
    rlm_eap: Failed in handler
    ++[eap] returns invalid
    auth: Failed to validate the user.
    Found Post-Auth-Type Reject
    +- entering group REJECT

This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes. If necessary, I can provide the long log.

Norbert Wegener
Re: password failover
Alan DeKok wrote:

Norbert Wegener wrote:
your answer lets me assume the problem is with my configuration :-( The output is at http : //www.wegener-net.de/freeradius/typescript

    Wed Feb 6 18:02:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
    Wed Feb 6 18:02:23 2008 : Error: TLS Alert write:fatal:certificate expired

Expired certificates can't be used for authentication. Editing radiusd.conf won't fix this. :)

Accepted. But it would be helpful for a service desk to know that an expired certificate was the reason to refuse access. My intention was to provide this information in radpostauth. It seems this cannot be achieved the way I tried. Is there another way to go for this?

Norbert Wegener

Alan DeKok.
Re: password failover
Alan DeKok wrote:

Norbert Wegener wrote:
Should this kind of mechanism in 2.0.1 also be able to do something similar for eap?

I don't see why not.

Fine ...

This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here?

And the full debug output with that configuration is... ?

your answer lets me assume the problem is with my configuration :-( The output is at http : //www.wegener-net.de/freeradius/typescript (had to destroy the link, as the mailinglist software does not seem to like that any more)

Norbert Wegener

Alan DeKok.
Re: password failover
Alan DeKok wrote:

[EMAIL PROTECTED] wrote:
How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password.

In 2.0.1, you should be able to do:

    authenticate {
        ...
        Auth-Type pap {
            pap
            if (reject) {
                update control {
                    Proxy-To-Realm := "realm"
                }
                ok
            }
        }
        ...
    }

Should this kind of mechanism in 2.0.1 also be able to do something similar for eap? In case I have this debug output:

    Wed Feb 6 14:14:40 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
    Wed Feb 6 14:14:40 2008 : Error: TLS Alert write:fatal:certificate expired
    Wed Feb 6 14:14:40 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
    Wed Feb 6 14:14:40 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Wed Feb 6 14:14:40 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
    Wed Feb 6 14:14:40 2008 : Debug: eaptls_process returned 13
    Wed Feb 6 14:14:40 2008 : Debug: rlm_eap: Freeing handler
    Wed Feb 6 14:14:40 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9
    Wed Feb 6 14:14:40 2008 : Debug: ++[eap] returns reject

I would like to send more information than simply "reject" to radpostauth, something like: Certificate error

    Auth-Type eap {
        eap
        if (reject) {
            update control {
                Module-Failure-Message := "Certificate error"
            }
        }
        reject
    }
    }

and in radiusd.conf:

    Post-Auth = "INSERT INTO ${postauth_table} values (... '%{control:Module-Failure-Message}',.. )

This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here?

Thanks
Norbert Wegener

Alan DeKok.
Re: Message-Authenticator
Alan DeKok wrote:

Norbert Wegener wrote:
In cvs from January 9th I noticed for the first time that freeradius complains about packets without Message-Authenticator and ignores them:

    WARNING: Insecure packet from host 145.25.153.222: Packet does not contain required Message-Authenticator attribute

How can freeradius be convinced to handle those packets?

It should...

In clients.conf I have

    require_message_authenticator = no

but the clients come from an sql database.

The default for that field is "no", even for clients coming from SQL. The only thing I can think of is that you did a "cvs update" which took the definition of that field, but didn't rebuild the SQL module, which depends on it. Try doing a build from a clean CVS checkout, or from the 2.0.0 tarball.

Maybe that has been the problem. I took the rpms from http://download.opensuse.org/repositories/network:/aaa/openSUSE_10.2/i586/ and it works as expected. Thanks.

Norbert Wegener

Alan DeKok.
Message-Authenticator
In cvs from January 9th I noticed for the first time that freeradius complains about packets without Message-Authenticator and ignores them:

    WARNING: Insecure packet from host 145.25.153.222: Packet does not contain required Message-Authenticator attribute

How can freeradius be convinced to handle those packets?

In clients.conf I have

    require_message_authenticator = no

but the clients come from an sql database.

Norbert Wegener
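What the warning in this thread is checking, as an added example that is not FreeRADIUS code: a constructed Access-Request is built with and without Message-Authenticator, the attribute is computed as HMAC-MD5 over the packet (with its own value zeroed) keyed with the shared secret per RFC 3579, and a small policy function mirrors how the per-client require_message_authenticator setting decides whether a packet lacking the attribute is still processed. The shared secret "testing123", the request authenticator and the attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_packet(code, identifier, authenticator, attrs):
    """Serialise a RADIUS packet: 20-byte header followed by type/length/value attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return [(offset, type, value)] for each attribute; reject malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    out, off = [], HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((off, t, packet[off + 2:off + length]))
        off += length
    return out


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value set to
    16 zero bytes, keyed with the shared secret (RFC 3579 section 3.2)."""
    zeroed = bytearray(packet)
    for off, t, value in parse_attrs(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            zeroed[off + 2:off + 18] = bytes(16)
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def add_message_authenticator(code, identifier, authenticator, attrs, secret):
    """Client side: append a correct Message-Authenticator to an attribute list."""
    placeholder = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    unsigned = build_packet(code, identifier, authenticator, placeholder)
    mac = compute_message_authenticator(unsigned, secret)
    return build_packet(code, identifier, authenticator, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def check_message_authenticator(packet, secret):
    """Return 'valid', 'invalid' or 'missing'; the comparison is constant-time."""
    present = [v for _, t, v in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not present:
        return "missing"
    expected = compute_message_authenticator(packet, secret)
    return "valid" if hmac.compare_digest(present[0], expected) else "invalid"


def accept_packet(packet, secret, require_message_authenticator=False):
    """Server side: a wrong attribute is always dropped; a missing one is dropped only
    when the client entry carries require_message_authenticator = yes."""
    status = check_message_authenticator(packet, secret)
    if status == "valid":
        return True
    if status == "missing":
        return not require_message_authenticator
    return False


def sample_packets(secret=b"testing123"):
    """Constructed sample data: one Access-Request without and one with the attribute."""
    request_authenticator = bytes(range(16))  # fixed for reproducibility; real clients use random bytes
    attrs = [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 10, 20, 77])),
    ]
    without = build_packet(ACCESS_REQUEST, 0, request_authenticator, attrs)
    with_ma = add_message_authenticator(ACCESS_REQUEST, 0, request_authenticator, attrs, secret)
    return without, with_ma


if __name__ == "__main__":
    without, with_ma = sample_packets()
    for name, pkt in (("no Message-Authenticator", without), ("with Message-Authenticator", with_ma)):
        for require in (False, True):
            verdict = "processed" if accept_packet(pkt, b"testing123", require) else "dropped"
            print(f"{name}, require_message_authenticator={'yes' if require else 'no'}: {verdict}")
```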
rpm for suse
The recent cvs seems to contain a new spec file for suse. With that spec I tried to build an rpm on 10.2.

    rpmbuild -ba freeradius.spec
    checking for SQLConnect in -liodbc... no
    checking for isql.h... no
    configure: error: set --without-rlm_sql_iodbc to disable it explicitly.
    configure: error: /bin/sh './configure' failed for ./drivers/rlm_sql_iodbc
    configure: error: ./configure failed for ./src/modules/rlm_sql
    error: Bad exit status from /var/tmp/rpm-tmp.19102 (%build)

In Suse10.2 I don't find packages like *iodb*. Which package contains the necessary files?

As I don't need everything, I modified the configure instruction in the spec-file and added:

    --without-rlm_sql_iodbc \
    --without-rlm_sql_firebird \
    --without-rlm_sql_db2 \

configure now runs without errors. Nevertheless, later on I get:

    gmake[10]: Entering directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers/rlm_sql_firebird'
    gmake[10]: Für das Ziel »all« ist nichts zu tun.
    gmake[10]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers/rlm_sql_firebird'
    Making all in rlm_sql_freetds...
    gmake[10]: Entering directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers/rlm_sql_freetds'
    gmake[10]: *** Keine Regel, um »all« zu erstellen. Schluss.
    gmake[10]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers/rlm_sql_freetds'
    gmake[9]: *** [common] Fehler 2
    gmake[9]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers'
    gmake[8]: *** [all] Fehler 2
    gmake[8]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql/drivers'
    gmake[7]: *** [common] Fehler 2
    gmake[7]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql'
    gmake[6]: *** [build-module] Fehler 2
    gmake[6]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules/rlm_sql'
    gmake[5]: *** [common] Fehler 2
    gmake[5]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules'
    gmake[4]: *** [all] Fehler 2
    gmake[4]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src/modules'
    gmake[3]: *** [common] Fehler 2
    gmake[3]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src'
    gmake[2]: *** [all] Fehler 2
    gmake[2]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0/src'
    gmake[1]: *** [common] Fehler 2
    gmake[1]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0'
    make: *** [all] Fehler 2
    error: Bad exit status from /var/tmp/rpm-tmp.36031 (%build)


    RPM build errors:
        Bad exit status from /var/tmp/rpm-tmp.36031 (%build)
    de7018tc:/usr/src/packages/SPECS # exit

Norbert Wegener
Reread config files
If I remember correctly, one issue in pre2 had been that on SIGHUP freeradius did not reread its configuration completely. Is this issue already solved in cvs? Will especially the clients be reread by SIGHUP?

Norbert Wegener
Re: building problem with actual cvs
Alan DeKok wrote:

Norbert Wegener wrote:
1.348 or 1.384?

1.384, sorry.

    * Version: $Id: radiusd.c,v 1.384 2007/12/27 09:17:22 aland Exp $

    140 /* This is a quick fix start-stop scripts for radrelay-radiusd
    141  * so if we are called as 'radiusd' then, config file
    142  * is 'radiusd.conf', if we are called as 'mokoko', then
    143  * config file is 'mokoko.conf', which will probably make things
    144  * easier.. will it ? Does it break something??
    145  * (-n option still overwrites the config file name)
    146  * A long comment for a 2 line patch..

Err... Tuyan used to work for Peter. He doesn't have commit access. There is no such text in CVS. This text has NEVER existed in CVS.

    147  */
    148 snprintf(buffer, sizeof(buffer), "%s.conf",progname);
    149 mainconfig.radiusd_conf = strdup(buffer);

Are you sure your copy is up to date, AND that you've made no local changes?

No changes.

You have local changes, OR local patches you apply after a CVS checkout.

Sorry, you are right. I did not realize that patches from http://download.opensuse.org/repositories/network:/aaa/SLES_9/src/freeradius-server-pre-2.0.0-8.1.src.rpm had been applied to my local copy.

Norbert Wegener

Fix your local system. CVS is fine.

Alan DeKok.
Re: building problem with actual cvs
Alan DeKok wrote:

Norbert Wegener wrote:
With the actual cvs there is a build problem:

    ...
    radiusd.c:148: error: 'buffer' undeclared (first use in this function)

I see no reference to "buffer" in radiusd.c in revision 1.348, which is the latest for radiusd.c.

1.348 or 1.384?

    * Version: $Id: radiusd.c,v 1.384 2007/12/27 09:17:22 aland Exp $

    140 /* This is a quick fix start-stop scripts for radrelay-radiusd
    141  * so if we are called as 'radiusd' then, config file
    142  * is 'radiusd.conf', if we are called as 'mokoko', then
    143  * config file is 'mokoko.conf', which will probably make things
    144  * easier.. will it ? Does it break something??
    145  * (-n option still overwrites the config file name)
    146  * A long comment for a 2 line patch..
    147  */
    148 snprintf(buffer, sizeof(buffer), "%s.conf",progname);
    149 mainconfig.radiusd_conf = strdup(buffer);

Are you sure your copy is up to date, AND that you've made no local changes?

No changes.

Norbert Wegener

Alan DeKok.
building problem with actual cvs
With the actual cvs there is a build problem:

./configure
...
gcc -g -O2 -I/usr/src/packages/BUILD/freeradius-server-2.0.0-281207/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.0.0-beta\" -DOPENSSL_NO_KRB5 -c radiusd.c -fPIC -DPIC -o .libs/radiusd.o
radiusd.c: In function 'main':
radiusd.c:148: error: 'buffer' undeclared (first use in this function)
radiusd.c:148: error: (Each undeclared identifier is reported only once
radiusd.c:148: error: for each function it appears in.)
radiusd.c:175: warning: passing argument 1 of 'free' discards qualifiers from pointer target type
radiusd.c:440: warning: passing argument 1 of 'free' discards qualifiers from pointer target type
gmake[4]: *** [radiusd.lo] Fehler 1
gmake[4]: Leaving directory `/usr/src/packages/BUILD/freeradius-server-2.0.0-281207/src/main'

Norbert Wegener
Re: Mysql error
Maybe this helps: http://dev.mysql.com/doc/refman/5.0/en/old-client.html

Norbert Wegener

Pablo Lucchetti wrote:
> Hi,
> I've an error with mysql; I think it is the php mysql client. I did upgrade to php5 but the errors remain the same.
> Mysql is Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2
>
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
> rlm_sql_mysql: Mysql error 'Client does not support authentication protocol requested by server; consider upgrading MySQL client'
> rlm_sql (sql): Failed to connect DB handle #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): starting 2
> rlm_sql (sql): starting 3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Failed to connect to any SQL server.
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> Any help?
> Thanks in advance
> Pablo
no logging => reject?
I am using a recent pre-2, authentication via a mysql database. In post-auth I have a sql module that reports accept/reject to another mysql database. When this database is not available, the user is rejected, although I get Auth-Type = Accept before. Is this a desired behaviour, bug or feature?

...
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [7989] (from client 149.246.185.169 port 1812)
+- entering group post-auth
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ )
expand: %{User-Name} -> 7989
? Evaluating ("%{User-Name}" =~ /.net/i) -> FALSE
expand: %{User-Name} -> 7989
Evaluating ("%{User-Name}" =~ /@/) -> FALSE
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ ) -> FALSE
expand: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
rlm_detail: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
expand: %t -> Tue Dec 18 15:29:07 2007
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Found Post-Auth-Type Reject
+- entering group REJECT
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Sending Access-Reject of id 51 to 149.246.185.169 port 32833
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 51 with timestamp +1
Ready to process requests.

Norbert Wegener
release date 2.0.0?
Hello Alan,

since the release of pre1 half a year has gone by. Can you already foresee when the final version will be released?

Thanks
Norbert Wegener
unlang question
In pre2 an update reply works when I have:

update reply {
    ...
    Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
    ...
}

Enterasys have an unusual syntax. For the same thing they need something like:

update reply {
    ...
    filter-id = Enterasys:version=1:mgmt=su:policy="%{control:Huntgroup-Name}"
    ...
}

This does not work for me. Trying different quoting does not help yet. Is this possible at all?

Norbert Wegener
Re: attribute assignment in post-auth?
Phil Mayers wrote:
> Norbert Wegener wrote:
>> With 1.1.7 I want to add attributes to an eap authenticated client. The rules for applying vlan are somewhat unusual, so I decided to use mysql and stored procedures to determine the values that have to be applied. When I call the corresponding sql module from the authorize section, I run into the problem described at:
>> https://lists.freeradius.org/pipermail/freeradius-users/2007-September/066381.html
>> to which Alan already answered:
>>> Ideally, the attributes in the reply should be sent ONLY on Access-Accept. i.e. the configuration should NOT update the reply until it has determined that the user has been authenticated. This involves moving most of the policy from the "authorize" section to the "post-auth" section.
> You can't currently do that. The post-auth handler does not expect the query to return rows.

Could you suggest a workaround? Is there code in the cvs which handles this?

Norbert Wegener
attribute assignment in post-auth?
With 1.1.7 I want to add attributes to an eap authenticated client. The rules for applying vlan are somewhat unusual, so I decided to use mysql and stored procedures to determine the values that have to be applied. When I call the corresponding sql module from the authorize section, I run into the problem described at:
https://lists.freeradius.org/pipermail/freeradius-users/2007-September/066381.html
to which Alan already answered:

> Ideally, the attributes in the reply should be sent ONLY on Access-Accept. i.e. the configuration should NOT update the reply until it has determined that the user has been authenticated. This involves moving most of the policy from the "authorize" section to the "post-auth" section.

That is why I want to call the stored procedure in the post-auth section. Therefore in sql.conf I set:

postauth_query = "call speap ('%{SQL-User-Name}', '%{NAS-IP-Address}','2')"

radiusd -AX shows that the procedure is called:

rlm_sql (sp1): Processing sql_postauth
radius_xlat: 'host/28tef003.ww006.mycompany.net'
rlm_sql (sp1): sql_set_user escaped user --> 'host/28tef003.ww006.mycompany.net'
radius_xlat: 'call speap ('host/28tef003.ww006.mycompany.net', '172.31.110.146','2')'
rlm_sql (sp1) in sql_postauth: query is call speap ('host/28tef003.ww006.mycompany.net', '172.31.110.146','2')
rlm_sql (sp1): Reserving sql socket id: 28
rlm_sql_mysql: SQL statement returned unexpected result

.. unfortunately with an unexpected result. When I call that stored procedure directly from mysql I get the expected result:

mysql> call speap ('host/28tef003.ww006.mycompany.net', '172.31.110.146','2')
+---+-----------------------------------+--------------+-----+----+
| 0 | s_username                        | Fall-Through | Yes | += |
+---+-----------------------------------+--------------+-----+----+
| 0 | HOST/28tef003.ww006.mycompany.net | Fall-Through | Yes | += |
+---+-----------------------------------+--------------+-----+----+

which is what I would expect. So, what is unexpected about that result?

Norbert Wegener
variables in 1.1.7
With version 1.1.7 I want to achieve the following, which is probably easy in 2.0: In the authorize section I have an ldap module and an sql module sp1.

group {
    ldap1
    sp1
}

I want to get an attribute from AD and use the value of that attribute in a later call to a database. radiusd -AX shows:

rlm_ldap: looking for check items in directory...
rlm_ldap: Adding mobile as Huntgroup-Name == "VL-SBS-AD02-0001"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef003.ww006.company.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns ok for request 1
radius_xlat: 'host/28tef003.ww006.company.net'
rlm_sql (sp1): sql_set_user escaped user --> 'host/28tef003.ww006.company.net'
radius_xlat: 'call firstif ('0','host/28tef003.ww006.company.net','', '1.2.3.4','=','2')'

Retrieving an attribute from AD obviously works. In sql.conf I have changed authorize_check_query to use a stored procedure:

sql.conf:
authorize_check_query = "call firstif ('0','%{SQL-User-Name}','%{Huntgroup-Name}', '%{NAS-IP-Address}','=','2')"

I would have expected the %{Huntgroup-Name} to be "VL-SBS-AD02-0001", but this is not true. Is the desired assignment possible at all in 1.1.7?

Norbert Wegener
Re: Any ideas on this compile error ??
maybe it would help to install libltdl3-dev or something like that?

Norbert Wegener

Willem Gerber wrote:
> Hey Guys
> I can't get radius to compile :/
> Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686 i686 i386 GNU/Linux
>
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory
> In file included from rlm_sqlippool.c:37:
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:16: error: expected specifier-qualifier-list before 'lt_dlhandle'
> In file included from rlm_sqlippool.c:39:
> /home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18: error: ltdl.h: No such file or directory
> In file included from rlm_sqlippool.c:39:
> /home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error: expected specifier-qualifier-list before 'lt_dlhandle'
> rlm_sqlippool.c: In function 'sqlippool_command':
> rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
> rlm_sqlippool.c: In function 'sqlippool_query1':
> rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
> rlm_sqlippool.c: In function 'sqlippool_postauth':
> rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of 'strNcpy' differ in signedness
> rlm_sqlippool.c:526: warning: unused variable 'self'
> gmake[6]: *** [rlm_sqlippool.lo] Error 1
> gmake[6]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules/rlm_sqlippool'
> gmake[5]: *** [common] Error 2
> gmake[5]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
> gmake[4]: *** [all] Error 2
> gmake[4]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
> gmake[3]: *** [common] Error 2
> gmake[3]: Leaving directory `/home/willem/freeradius-1.1.7/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/home/willem/freeradius-1.1.7/src'
> gmake[1]: *** [common] Error 2
> gmake[1]: Leaving directory `/home/willem/freeradius-1.1.7'
> make: *** [all] Error 2
unlang question
Something like

if ("%{sqlnastype:SELECT Value from radcheck where UserName = '%{User-Name}' and otherconditions}" == 'bla' )

works, whereas I have problems with:

if ("%{sqlnastype:SELECT Value from radcheck where UserName = '%{User-Name}' and other conditions.. " is not null )

Am I doing something wrong, or is "is not null" not (yet) implemented?

Norbert Wegener
Received conflicting packet
With my actual freeradius cvs I have some messages like these:

| 2007-11-08 11:37:07 | radiusd[17266]: Received conflicting packet from client 119.25.50.234 port 33496 - ID: 37 due to unfinished request 140423. Giving up on old request. |
| 2007-11-08 11:37:07 | radiusd[17266]: Received conflicting packet from client 119.25.50.234 port 33512 - ID: 205 due to unfinished request 140435. Giving up on old request. |
| 2007-11-08 19:04:11 | radiusd[22818]: Received conflicting packet from client 119.25.50.234 port 36363 - ID: 181 due to unfinished request 50778. Giving up on old request. |
| 2007-11-08 19:04:17 | radiusd[22818]: Received conflicting packet from client 119.25.50.234 port 36363 - ID: 181 due to unfinished request 50779. Giving up on old request. |
| 2007-11-08 19:04:28 | radiusd[22818]: Received conflicting packet from client 119.25.50.234 port 36363 - ID: 64 due to unfinished request 50783. Giving up on old request. |

What causes those messages? I suppose it might be serious?

Norbert Wegener
Re: radius going to sleep?
Now it works again with num_sql_socks=30. To make it work, I increased the number of connections on the mysql server via

set global max_connections =200;

(I have more than one sql module and each one starts its own connections.) It seems freeradius gets into trouble when the number of connections allowed by mysql is exceeded. I did not notice that in former versions of freeradius. Hope this information helps to find the real cause for freeradius going to sleep.

Norbert Wegener

Norbert Wegener wrote:
> Alan DeKok wrote:
>>> .. Any other suggestions?
>> Not right now. If you're willing to do a binary search in CVS to see *when* it started breaking... but that's a lot of work.
>
> Without changing versions of mysql or freeradius I think I already found out that num_sql_socks seems to have a significant influence on the behaviour. With a value of 5, freeradius has now been running for some hours. A value of 20 stops it from working normally within two hours. Maybe I can find out more.
>
> Norbert Wegener
>
>> Alan DeKok.

--
Norbert Wegener
Siemens AG
Siemens IT Solutions and Services
SBS GO GIO NW PSU2
Kruppstr. 16
D-46128 Essen, Germany
Phone: +49 (0) 201 816-3116
Fax: +49 (0) 201 816-5581284
mailto:[EMAIL PROTECTED]
Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; Managing Board: Peter Löscher, Chairman; Johannes Feldmayer, Heinrich Hiesinger, Joe Kaeser, Rudi Lamprecht, Eduardo Montes, Jürgen Radomski, Erich R. Reinhardt, Hermann Requardt, Uriel J. Sharef, Klaus Wucherer; Registered offices: Berlin and Munich; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-Nr. DE 23691322
Re: radius going to sleep?
Alan DeKok wrote:
>> .. Any other suggestions?
> Not right now. If you're willing to do a binary search in CVS to see *when* it started breaking... but that's a lot of work.

Without changing versions of mysql or freeradius I think I already found out that num_sql_socks seems to have a significant influence on the behaviour. With a value of 5, freeradius has now been running for some hours. A value of 20 stops it from working normally within two hours. Maybe I can find out more.

Norbert Wegener

> Alan DeKok.
Re: pre2 cv2 uses 99,9% of cpu
The problem seems to be fixed. Thanks.

Norbert Wegener

Alan DeKok wrote:
> Norbert Wegener wrote:
>> my last posting was about a sleeping radius. The same version on another machine does just the opposite: it uses all the cpu power of a 2.4Ghz machine. A gdb output with bt is at: http://www.wegener-net.de/freeradius/typescript
> OK. It looks like a failure to initialize timed delays in the post-proxy-fail handler. i.e. if a server didn't respond to a proxied request, it looked like it was possible to try to set up events in the past... Grab the latest CVS, it should have a fix.
>
> Alan DeKok.
Re: radius going to sleep?
A bit more seems to have changed; rlm_sql.c did not fit. Even substituting the whole rlm_sql directory with the one from pre2 did not work:

rlm_sql.c: In function 'sql_xlat':
rlm_sql.c:200: warning: comparison between signed and unsigned
rlm_sql.c: In function 'generate_sql_clients':
rlm_sql.c:329: warning: pointer targets in assignment differ in signedness
rlm_sql.c:337: error: 'struct main_config_t' has no member named 'clients'
gmake[6]: *** [rlm_sql.lo] Fehler 1
gmake[6]: Leaving directory `/root/radiusd/src/modules/rlm_sql'
gmake[5]: *** [common] Fehler 2
gmake[5]: Leaving directory `/root/radiusd/src/modules'
gmake[4]: *** [all] Fehler 2
gmake[4]: Leaving directory `/root/radiusd/src/modules'
gmake[3]: *** [common] Fehler 2
gmake[3]: Leaving directory `/root/radiusd/src'
gmake[2]: *** [all] Fehler 2
gmake[2]: Leaving directory `/root/radiusd/src'
gmake[1]: *** [common] Fehler 2
gmake[1]: Leaving directory `/root/radiusd'
make: *** [all] Fehler 2

Any other suggestions?

Norbert Wegener

Alan DeKok wrote:
> Norbert Wegener wrote:
>> got the opportunity earlier than expected... The system is suse 10.2.
>> # gdb radiusd 30251
>> ...
>> (gdb) bt
>> ...
>> #5 0xb7b083c8 in vio_read () from /usr/lib/mysql/libmysqlclient_r.so.15
> So it's blocked on a MySQL read...
> All I can suggest right now is to try reverting rlm_sql.c to revision 1.172, which is the only difference in that module between -pre2 and Sept. 12.
>
> Alan DeKok.
Re: pre2 cv2 uses 99,9% of cpu
Peter Nixon wrote:
> On Mon 05 Nov 2007, Norbert Wegener wrote:
>> my last posting was about a sleeping radius. The same version on another machine does just the opposite: it uses all the cpu power of a 2.4Ghz machine. A gdb output with bt is at: http://www.wegener-net.de/freeradius/typescript
> Which modules are you using?

My data are stored in mysql. I use rlm_sql.
pre2 cv2 uses 99,9% of cpu
my last posting was about a sleeping radius. The same version on another machine does just the opposite: it uses all the cpu power of a 2.4Ghz machine. A gdb output with bt is at: http://www.wegener-net.de/freeradius/typescript

Norbert Wegener
Re: radius going to sleep?
ols from /lib/rlm_attr_filter-2.0.0-pre2.so...done.
Loaded symbols for //lib/rlm_attr_filter-2.0.0-pre2.so
Failed to read a valid object file image from memory.
0xb7f87410 in ?? ()
(gdb) bt
#0  0xb7f87410 in ?? ()
#1  0xbfae9008 in ?? ()
#2  0x4000 in ?? ()
#3  0x801779d0 in ?? ()
#4  0xb7f32003 in __read_nocancel () from //lib/libpthread.so.0
#5  0xb7b083c8 in vio_read () from /usr/lib/mysql/libmysqlclient_r.so.15
#6  0xb7b0843e in vio_read_buff () from /usr/lib/mysql/libmysqlclient_r.so.15
#7  0xb7b08eac in net_realloc () from /usr/lib/mysql/libmysqlclient_r.so.15
#8  0xb7b0929b in my_net_read () from /usr/lib/mysql/libmysqlclient_r.so.15
#9  0xb7b03799 in cli_safe_read () from /usr/lib/mysql/libmysqlclient_r.so.15
#10 0xb7b04665 in unpack_fields () from /usr/lib/mysql/libmysqlclient_r.so.15
#11 0xb7b02e14 in mysql_real_query () from /usr/lib/mysql/libmysqlclient_r.so.15
#12 0xb7adaa85 in mysql_query () from /usr/lib/mysql/libmysqlclient_r.so.15
#13 0xb7c0b163 in sql_query (sqlsocket=0x80163e10, config=0x80168d28, querystr=0xbfae9254 "SELECT id, username, attribute, value, op", ' ' , "FROM radcheck", ' ' , "WHERE username = 'host/de7018tc.ww901.siemens.net'", ' ' , "ORDER BY id") at sql_mysql.c:172
#14 0xb7c0b1f5 in sql_select_query (sqlsocket=0x80163e10, config=0x80168d28, querystr=0xbfae9254 "SELECT id, username, attribute, value, op", ' ' , "FROM radcheck", ' ' , "WHERE username = 'host/de7018tc.ww901.siemens.net'", ' ' , "ORDER BY id")
---Type <return> to continue, or q <return> to quit---
    at sql_mysql.c:259
#15 0xb7c12bf2 in rlm_sql_select_query (sqlsocket=0x80163e10, inst=0x80163508, query=0xbfae9254 "SELECT id, username, attribute, value, op", ' ' , "FROM radcheck", ' ' , "WHERE username = 'host/de7018tc.ww901.siemens.net'", ' ' , "ORDER BY id") at sql.c:516
#16 0xb7c13122 in sql_getvpdata (inst=0x80163508, sqlsocket=0x80163e10, pair=0xbfaea458, query=0xbfae9254 "SELECT id, username, attribute, value, op", ' ' , "FROM radcheck", ' ' , "WHERE username = 'host/de7018tc.ww901.siemens.net'", ' ' , "ORDER BY id") at sql.c:563
#17 0xb7c10ce3 in rlm_sql_authorize (instance=0x80163508, request=0x8034adb8) at rlm_sql.c:926
#18 0x80011bc0 in modcall (component=1, c=0x801668f0, request=0x8034adb8) at modcall.c:244
#19 0x8000edea in indexed_modcall (space=, comp=1, idx=0, request=0x8034adb8) at modules.c:411
#20 0x8000635a in rad_authenticate (request=0x8034adb8) at auth.c:540
#21 0x8001a486 in radius_handle_request (request=0x8034adb8, fun=0x80006280 ) at event.c:2181
#22 0x80014876 in thread_pool_addrequest (request=0x8034adb8, fun=0x80006280 ) at threads.c:847
#23 0x800130f4 in main (argc=2, argv=0xbfaec6e4) at radiusd.c:699

Norbert Wegener
Re: radius going to sleep?
Alan DeKok wrote:
> Norbert Wegener wrote:
>> In a cvs version of pre2, which is newer than pre2, on one machine, after some time of inactivity, freeradius does not seem to answer at all; sometimes, not reliably reproducible.
> When did you take the CVS snapshot?

the cvs is from September, 12.

> Did -pre2 NOT have this behavior?

I did not notice this with pre2.

>> ... with a few dozen lines deleted.
> It looks like the threads are blocked on reading a descriptor, OR on a mutex. Which mutex they're blocked on is anyone's guess.
> ..
> You can use gdb to attach to a running process, and then type "bt" to see where it's blocked.

I'll try to get a bt.

Norbert Wegener

>> Running radiusd under gdb's control seemed to solve that problem, maybe that's not the final solution.
> Sounds like it's a signal/mutex issue...
>
> Alan DeKok.
radius going to sleep?
In a cvs version of pre2, which is newer than pre2, on one machine, after some time of inactivity, freeradius does not seem to answer at all; sometimes, not reliably reproducible. Freeradius has a lot of database connections to mysql; maybe they are the culprit for that behaviour? stracing freeradius gives:

# strace -f -p 29757
Process 29807 attached with 51 threads - interrupt to quit
[pid 29757] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29758] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29759] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29760] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29761] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
...
[pid 29796] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29797] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29798] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29799] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29800] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29801] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29802] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29803] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
...
[pid 29778] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29779] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29780] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29781] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29782] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29783] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29784] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29785] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29786] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
...
[pid 29803] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29804] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29805] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29806] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29807] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid 29758] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29759] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29760] read(9,
[pid 29761] read(8,
[pid 29762] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29763] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29764] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29765] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29766] futex(0x8002f654, FUTEX_WAIT, 0, NULL
...
[pid 29798] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29799] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29800] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29801] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29802] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29803] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29804] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29805] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29806] futex(0x8002f654, FUTEX_WAIT, 0, NULL
[pid 29807] futex(0x8002f654, FUTEX_WAIT, 0, NULL

with a few dozen lines deleted. strace's output stops here, also when radius requests come in. They are not answered. Any idea what's going wrong here or how to track that down? I already tried

nohup gdb -x gdbargs /sbin/radiusd &

with gdbargs containing:

run -AX
bt

but was unable to reproduce that situation in this context. Running radiusd under gdb's control seemed to solve that problem; maybe that's not the final solution.

Norbert Wegener
unlang question
I am using a recent 2.0.0-pre cvs snapshot. For 802.1x authentication AD is queried for a valid machine account and VLAN, which the ldap modules put into the radius attribute Huntgroup-Name. The client authenticates via a certificate. Everything works as expected. Nevertheless someone inspecting the switch logs found:

12277052: .Sep 26 13:33:45.914: RADIUS: Received from id 1645/86 139.25.78.162:1812, *Access-Challenge,* len 1130
12277053: .Sep 26 13:33:45.914: RADIUS: authenticator 41 6D FD 2B B1 E6 81 32 - 92 3A 05 C1 96 B9 A5 E9
12277054: .Sep 26 13:33:45.914: RADIUS: *Tunnel-Private-Group[81] 18 "VL-SBS-AD02-0001"*
12277055: .Sep 26 13:33:45.914: RADIUS: *Tunnel-Medium-Type [65] 6 00:ALL_802[6]*
12277056: .Sep 26 13:33:45.914: RADIUS: *Tunnel-Type [64] 6 00:VLAN [13]*
12277057: .Sep 26 13:33:45.914: RADIUS: EAP-Message [79] 255

and claimed that the Access-Challenge with Tunnel-Private-Group, Tunnel-Medium-Type etc. is not RFC compatible. I can see those values in radiusd -AX too, but didn't care. My question is: is he right? If so, how would I have to change the configuration? In my sites-enabled/default I have:

...
# ldap1/2 set control:Huntgroup-Name.
redundant {
    ldap1
    ldap2
}
#
if ("%{sqlnastype:SELECT vl_vlan from vlan where vl_vlan = '%{control:Huntgroup-Name}' and vl_nasname='%{NAS-IP-Address}'}" == "%{control:Huntgroup-Name}" ) {
    # the VLAN exists on the switch
    update reply {
        Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Type = VLAN
    }
}
..

This works as expected.

Sending Access-Challenge of id 135 to 172.31.110.149 port 1645
    Tunnel-Private-Group-Id:0 = "VL-SBS-AD02-0001"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    EAP-Message = [hex payload omitted]
    EAP-Message = [hex payload omitted]
    EAP-Message = [hex payload omitted]
    EAP-Message = [hex payload omitted]
    EAP-Message = [hex payload omitted]
    Message-Authenticator = 0x
    State = 0xcf369d304b83244706a446310ed5b92e
Finished request 1 state 5
Going to the next request

The complete output can be found at http://www.wegener-net.de:/freeradius

Norbert Wegener
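As an added example, not taken from this thread or from the FreeRADIUS project: the same VLAN policy rearranged along the lines Alan DeKok gives in the "attribute assignment in post-auth?" thread above, so that the directory and SQL lookups stay in authorize while the reply attributes are only added in post-auth, which runs for the final Access-Accept and not for the intermediate Access-Challenge packets of the EAP conversation. It also shows how the non-empty test asked about in the earlier "unlang question" is written, by comparing the expansion against the empty string. The module instance names (ldap1, ldap2, sqlnastype, eap), the vlan table and Huntgroup-Name come from the thread; the section layout is assumed to match a 2.0 sites-enabled/default.

```unlang
#  Added example (not from the thread or from the FreeRADIUS project):
#  VLAN assignment moved from authorize to post-auth.
#  Assumed to live in sites-enabled/default of a 2.0 server.

authorize {
    #  ldap1/2 set control:Huntgroup-Name from AD (as in the thread).
    #  Nothing is put into the reply list here, so the Access-Challenge
    #  packets sent while EAP is still running carry no Tunnel-* attributes.
    redundant {
        ldap1
        ldap2
    }
    eap
}

authenticate {
    eap
}

post-auth {
    #  post-auth is entered only once the request ends in an Access-Accept
    #  (rejects go through the REJECT sub-section), so the reply list is
    #  updated exactly once, for the final packet.

    #  "is not null" in unlang: compare the expanded string with "".
    #  control:Huntgroup-Name is still set here; the control list belongs
    #  to the request and survives from authorize to post-auth.
    if ("%{control:Huntgroup-Name}" != "") {
        #  Only hand out the VLAN if it is configured for this switch
        #  (same sqlnastype lookup as in the authorize version).
        if ("%{sqlnastype:SELECT vl_vlan from vlan where vl_vlan = '%{control:Huntgroup-Name}' and vl_nasname='%{NAS-IP-Address}'}" == "%{control:Huntgroup-Name}") {
            update reply {
                Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Type = VLAN
            }
        }
    }
}
```

With this layout a switch log like the one quoted above should show the Tunnel-* attributes only in the Access-Accept, which is what radiusd -AX can be used to confirm.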
list problem?
Is there a problem with the list/mailserver? The archives show newer threads, while the last message I received from the list has been from September 10. It arrived this morning. If I'm the only one with that problem, sorry. My other mail comes in as usual.

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql error in pre2
My first tests indicate that it seems to work. Thank you.

Norbert Wegener

Alan DeKok wrote:
> Norbert Wegener wrote:
>> In some cases I do not have the need to query for groupmembership. When I undefine group_membership_query, I get the following error:
> Please do "cvs update", rebuild, and test. If you undefined the groupmembership query, it should now simply not match.
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: no lower_user/lower_pass in pre2 ?
Alan DeKok wrote:
> Norbert Wegener wrote:
>> In previous versions of radiusd.conf there has been:
>>     lower_user = after
>>     lower_pass = after
>> In pre2 this is missing and a grep -r lower_pass on the source tree does not show anything. Is this feature replaced by another one?
> No. I understand the utility of it, but it was a nightmare to support in the server. You can get *almost* the same functionality with unlang.
> What, specifically do you need? Why?

CAPS LOCK has always been a nice problem and lower_user as well as lower_pass solved that without any trouble. If this can be solved by unlang, fine.

Norbert Wegener
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
no lower_user/lower_pass in pre2 ?
In previous versions of radiusd.conf there has been:

    lower_user = after
    lower_pass = after

In pre2 this is missing and a grep -r lower_pass on the source tree does not show anything. Is this feature replaced by another one?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql error in pre2
In some cases I do not have the need to query for groupmembership. When I undefine group_membership_query, I get the following error:

    rlm_sql (voipsipsql): Error retrieving group list
    rlm_sql (voipsipsql): Error processing groups; rejecting user

Maybe information about the non-availability of groupmembership would be more helpful than an error?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unlang question
I want to use the result from a sql query in something like this:

    ...
    switch "%{sqlnastype:SELECT nas.type FROM `nas` WHERE nas.nasname ='%{NAS-IP-Address}'}" {
        case "Cisco" {
    ...

It works, and it is a great feature. The point is, it seems to work only if there is an authorize_check_query and an authorize_reply_query in the sql module. So I have to set up an authorize_reply_query with UserName, Attr Name, Attr Value, Op, although I am only interested in the answer to the query above, which might be Cisco, Enterasys or something like that. Is there a way to avoid such an authorize_reply_query or even the authorize_check_query?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkitem problem
Alan DeKok wrote:
> Norbert Wegener wrote:
>>> Yes... because you are telling the server what the clear-text password is supposed to be. If you tell the server TWICE, it will say OK twice.
>> Telling it twice in a check item?
> Yes. You told the server what the "known good" password was.
>> Please correct me, but my understanding of check items has been that they have to be in the access request to match an entry.
> No. Read "man users", or the comments at the top of the "users" file. The check items hold BOTH the comparison against the original password, AND the instructions for how the server should behave. This is BROKEN, because it confuses people. 2.0 has a more complex configuration. But it's a LOT easier to understand why it works.

Maybe I should have taken a look at unlang before. Using it solved my problem nearly immediately.

Norbert Wegener

>> The clear-text password is not in the original request. It is added during the processing of that request via ldap.
> Yes. So?
>> Depending on that value an entry of the users file should match.
> No. Read "man users". Cleartext-Password is a configuration attribute. It is NOT an attribute that goes into a packet. In 2.0.0-pre2, see "man unlang".
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkitem problem
Alan DeKok wrote:
> Norbert Wegener wrote:
>>     rlm_ldap: looking for check items in directory...
>>     rlm_ldap: Adding primaryGroupID as Cleartext-Password == "515"
>> OK...
>>     modcall[authorize]: module "ldap" returns ok for request 11
>>     users: Matched entry DEFAULT at line 2
> Yes... because you are telling the server what the clear-text password is supposed to be. If you tell the server TWICE, it will say OK twice.

Telling it twice in a check item? Please correct me, but my understanding of check items has been that they have to be in the access request to match an entry. The clear-text password is not in the original request. It is added during the processing of that request via ldap. Depending on that value an entry of the users file should match. I do not yet see where my understanding is wrong.

Norbert Wegener

> What sort of behavior do you expect? "If cleartext password is already set, don't set it again"? Nothing in the ldap or users file documentation says that they do anything like that. If you want that functionality, see 2.0.
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkitem problem
Alan DeKok wrote:
> ...
> Repeat after me: Cleartext-Password :=

If it helps :-) Before posting I tried nearly everything, including the use of Cleartext-Password := in ldap.attrmap and the users file. Unfortunately the result was always the same ...

Added

    checkItem Cleartext-Password primaryGroupID :=

to ldap.attrmap.

users:

    DEFAULT Cleartext-Password := "wrong"
            Service-Type = Framed-User,
            Tunnel-Type:1 = VLAN,
            Tunnel-Medium-Type:1 = IEEE-802,
            Tunnel-Private-Group-ID = VL-SBS-AD02-0001,

    DEFAULT Cleartext-Password := "515"
            Service-Type = Framed-User,
            Tunnel-Type:1 = VLAN,
            Tunnel-Medium-Type:1 = IEEE-802,
            Tunnel-Private-Group-ID = VL-SBS-AD02-0002,

radiusd -AX (1.1.7):

    ...
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding primaryGroupID as Cleartext-Password == "515"
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user host/28tef004.ww006.mycompany.net authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 11
    users: Matched entry DEFAULT at line 2
    .

Again, the complete output at http://www.wegener-net.de/freeradius/typescript

> Fix this everywhere. Then try it again.
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
checkitem problem
I get an attribute/value from AD via freeradius and want this as a checkitem in another module. Therefore I added

    checkItem User-Password primaryGroupID :=

to ldap.attrmap and have the following users:

    DEFAULT User-Password == "wrong"
            Service-Type = Framed-User,
            Tunnel-Type:1 = VLAN,
            Tunnel-Medium-Type:1 = IEEE-802,
            Tunnel-Private-Group-ID = VL-SBS-AD02-0001,

    DEFAULT User-Password == "515"
            Service-Type = Framed-User,
            Tunnel-Type:1 = VLAN,
            Tunnel-Medium-Type:1 = IEEE-802,
            Tunnel-Private-Group-ID = VL-SBS-AD02-0002,

radiusd -AX says:

    ...
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding primaryGroupID as User-Password == "515"

The 515 is from AD and for me it seems to be what I expect.

    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user host/28tef004.ww006.mycompany.net authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 11
    users: Matched entry DEFAULT at line 2

Now I would assume User-Password == "515" is added to the list of checkitems. Nevertheless the first DEFAULT entry of the users file is taken. What am I missing? The complete typescript is at http://www.wegener-net.de/freeradius/typescript

Thanks
Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
prevent ldap from searching for groups
I am using rlm_ldap (2.0.0-pre2) to check an account for being valid in AD. This works. As I am only interested in one attribute from AD, it would be sufficient if rlm_ldap would only use "filter" to dive into AD once. How could I prevent rlm_ldap from "Entering ldap_groupcmp()"? Setting

    groupname_attribute = NULL
    groupmembership_filter = NULL

only results in an error message "Bad search filter".

    rlm_ldap: looking for check items in directory...
    rlm_ldap: LDAP attribute primaryGroupID as RADIUS attribute Group-Name == "515"
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user host/28tef004.ww006.mycomany.net authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok

How to prevent entering this function??

    rlm_ldap: Entering ldap_groupcmp()
    expand: DC=MYCOMPANY,dc=NET -> DC=MYCOMPANY,dc=NET
    expand: NULL -> NULL
    .

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius logging to ms-sql
freeradius 1.1.7 is known to support stored procedures in mysql, a feature that we use. I may need to do accounting/logging to a MS-SQL database. Does freeradius support stored procedures also in MS-SQL? As I did not find information about this in the documentation, I should conclude there is no support. Correct?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accepting clients with expired certificates
Alan DeKok wrote:
> ...
>> Incoming RADIUS packet did not have correct Message-Authenticator - dropped message on the client side.
> Try adding a Message-Authenticator to the reply. Any value will do, as it will be re-calculated when the packet is sent.

freeradius now sends a Message-Authenticator with value 0x00:

    rad_check_password: Auth-Type = Accept, accepting the user
    Sending Access-Accept of id 0 to 156.215.207.190 port 58366
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "VL-G-DE-GU14-0001"
        Message-Authenticator 0x
    Finished request 0

but there seems to be a problem on the other end, as eapol_test shows:

    STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.05 sec
    RADIUS packet matching with station
    could not extract EAP-Message from RADIUS message
    EAPOL: startWhen --> 0
    EAPOL test timed out
    MPPE keys OK: 0  mismatch: 1
    FAILURE

freeradius version is 1.1.6

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accepting clients with expired certificates
I have set up authentication against AD according to: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

This works as expected. If the client's certificate is expired, eap/tls will, of course, fail. In this case a guest vlan shall be assigned to the client. Having a module that adds the needed radius attributes seems to work, if an additional Auth-Type += Accept is added. Doing this, the eap-tls is short-circuited and may result in a:

    Incoming RADIUS packet did not have correct Message-Authenticator - dropped

message on the client side. Is this acceptable? What would be the best way to handle a situation like that?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pre1 dies on startup: generate_sql_clients() returned error
[EMAIL PROTECTED] wrote:
> Hi,
>> The "clients.conf" file may also define clients.
> yes. but that still doesn't fix the issue that duplicates could exist in the NAS table itself :-)

That's true, but maybe Alan's suggestion to add a debug message complaining about this would be nice here, too?

Norbert Wegener
> alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pre1 dies on startup: generate_sql_clients() returned error
I have a larger list of clients that is read from a mysql database. Freeradius starts loading the clients, but after having loaded the first 2442 clients, it dies. Unfortunately gdb is not very helpful:

    .
    rlm_sql (sql_base): Read entry nasname=192.168.36.73,shortname=192.168.36.73,secret=maxen
    rlm_sql (sql_base): Adding client 192.168.36.73 (192.168.36.73) to clients list
    rlm_sql (sql_base): generate_sql_clients() returned error
    rlm_sql (sql_base): Closing sqlsocket 4
    rlm_sql (sql_base): Closing sqlsocket 3
    rlm_sql (sql_base): Closing sqlsocket 2
    rlm_sql (sql_base): Closing sqlsocket 1
    rlm_sql (sql_base): Closing sqlsocket 0
    radiusd.conf[46]: sql_base: Module instantiation failed.
    radiusd.conf[2032] Failed to find module "sql_base".
    radiusd.conf[2032] Failed to parse "sql_base" entry.
    radiusd.conf[1928] Failed to parse authorize section.
    Errors setting up modules

    Program exited with code 01.
    (gdb) bt
    No stack.
    (gdb)

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 13 LDAP queries for one authorize!
Alan DeKok wrote:
> Phil Mayers wrote:
>> I'm only slightly wiser from reading that... Shouldn't 'eap' and 'mschap' be in this Authz-Type too then?
> No.
> I will note that in CVS head (2.0-pre2), this is *much* easier to understand. There's a configuration file for the outer tunnel piece, and a separate one for the inner tunnel.

Sounds promising. Can you already foresee when pre2 will be released?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2.0.0-pre1 compile problem on ubuntu
on an ubuntu 6.06 configure does not show an error with 2.0.0-pre1. Compiling fails:

    .
    make[6]: Betrete Verzeichnis '/home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/modules/rlm_perl'
    /home/norbert/Desktop/freeradius-server-2.0.0-pre1/libtool --mode=link gcc -release 2.0.0-pre1 \
        -module -export-dynamic -o rlm_perl.la \
        -rpath /usr/local/lib rlm_perl.lo rlm_perl.c /home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/lib/libradius.la \
        `perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv -lpthread

    *** Warning: Linking the shared library rlm_perl.la against the
    *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
    gcc -shared .libs/rlm_perl.o -Wl,--rpath -Wl,/home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib /home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/lib/.libs/libradius.so -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-2.0.0-pre1.so -o .libs/rlm_perl-2.0.0-pre1.so
    /usr/bin/ld: cannot find -lperl

On the other hand, dpkg shows:

    dpkg -l|grep libperl
    ii  libperl5.8     5.8.8-7build1

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radtest and Message-Authenticator
When I send

    radtest 0009 0009 brm 1812 secret xx 10.10.20.138

to a freeradius server, I get an access accept. Sending the same radtest command line to an IAS that should proxy that request to a freeradius server, the IAS complains about a missing Message-Authenticator. What do I have to do to get a Message-Authenticator in such a radtest request?

Thanks
Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
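Added example, not from the post or from the FreeRADIUS sources: a small Python model of how a RADIUS client attaches a Message-Authenticator (RFC 2869) to an Access-Request like the one radtest sends above, and how a server computes it on the reply, which is why the debug output in the Message-Authenticator thread shows an all-zero placeholder before the packet is sent. The user name, password, NAS address and the secret "secret" are taken from the radtest command line; the fixed Request Authenticator and the VLAN reply attributes are constructed for reproducibility.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def encode_attrs(attrs):
    # RADIUS attributes are Type(1) Length(1) Value TLVs, RFC 2865 section 5
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def pap_password(secret, authenticator, password):
    # RFC 2865 section 5.2: MD5(secret + previous block) XORed onto 16-byte chunks
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def add_message_authenticator(secret, code, ident, authenticator, attrs):
    # RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret over the whole
    # packet, with the Message-Authenticator value itself set to 16 zero bytes.
    # That zero placeholder is what radiusd prints as "Message-Authenticator = 0x".
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    packet = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def build_response(secret, code, request, attrs):
    # Replies key the HMAC with the *request* authenticator in the header, then
    # overwrite the header with the Response Authenticator (RFC 2865 section 3).
    ident, req_auth = request[1], request[4:20]
    pkt = add_message_authenticator(secret, code, ident, req_auth, attrs)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_message_authenticator(secret, packet, request_authenticator=None):
    # For a reply, pass the authenticator of the request it answers.
    offsets, pos = [], 20
    for t, v in decode_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            offsets.append((pos + 2, v))
        pos += 2 + len(v)
    if len(offsets) != 1 or len(offsets[0][1]) != 16:
        return False  # missing, duplicated or malformed: treat as invalid
    off, received = offsets[0]
    auth = request_authenticator or packet[4:20]
    zeroed = packet[:4] + auth + packet[20:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def demo(secret=b"secret", authenticator=bytes(range(16))):
    # Constructed sample: the radtest-style request from the post and a VLAN reply.
    # The authenticator is fixed only for reproducibility; real clients use 16 random bytes.
    attrs = [(USER_NAME, b"0009"),
             (USER_PASSWORD, pap_password(secret, authenticator, "0009")),
             (NAS_IP_ADDRESS, bytes([10, 10, 20, 138]))]
    request = add_message_authenticator(secret, ACCESS_REQUEST, 0, authenticator, attrs)
    reply = build_response(secret, ACCESS_ACCEPT, request, [
        (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),          # tag 0, VLAN (13)
        (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),   # tag 0, IEEE-802 (6)
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00VL-SBS-AD02-0001")])
    return request, reply


if __name__ == "__main__":
    req, rep = demo()
    print("request MA valid:", verify_message_authenticator(b"secret", req))
    print("reply MA valid:", verify_message_authenticator(b"secret", rep, req[4:20]))
```

A proxy such as the IAS in the post can only accept the request if the HMAC verifies under the secret it shares with the sender, so the attribute must be computed with that secret and over the final attribute list.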
Re: compiling 1.1.6 on solaris problem
Alan DeKok wrote:
> ...
>
>> In file included from /root/freeradius-1.1.6/src/include/radiusd.h:31,
>> from rlm_dbm_parser.c:52:
>> /usr/include/netinet/in.h:302: warning: `INADDR_ANY' redefined
>> /root/freeradius-1.1.6/src/include/missing.h:73: warning: this is the
>> location of the previous definition
>> /usr/include/netinet/in.h:303: warning: `INADDR_LOOPBACK' redefined
>> /root/freeradius-1.1.6/src/include/missing.h:77: warning: this is the
>> location of the previous definition
>>
>
> The include file order is wrong. I've fixed this in the CVS head, but
> in 1.1.6, the best thing to do is:
>
> $ ./configure --without-rlm_dbm
>

This leads to a related problem in another context:

    /root/freeradius-1.1.6/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libeap.la -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypto -lssl -lcrypto
    gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libeap.so /root/freeradius-1.1.6/src/lib/.libs/libradius.so -lcrypt -lnsl -lresolv -lsocket -lposix4 -lpthread -lssl -lcrypto -Wl,--rpath -Wl,/usr/local/lib
    /root/freeradius-1.1.6/src/lib/.libs/libradius.so: undefined reference to [EMAIL PROTECTED]'
    collect2: ld returned 1 exit status
    gmake[6]: *** [radeapclient] Error 1
    gmake[6]: Leaving directory `/root/freeradius-1.1.6/src/modules/rlm_eap'
    gmake[5]: *** [common] Error 2
    gmake[5]: Leaving directory `/root/freeradius-1.1.6/src/modules'
    gmake[4]: *** [all] Error 2
    gmake[4]: Leaving directory `/root/freeradius-1.1.6/src/modules'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/root/freeradius-1.1.6/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/root/freeradius-1.1.6/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/root/freeradius-1.1.6'
    make: *** [all] Error 2

Again, the whole output is at http://www.wegener-net.de/fr

Norbert Wegener

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compiling 1.1.6 on solaris problem
[EMAIL PROTECTED] wrote:
> hi,
>
> do you have OpenSSL installed or using a Solaris derivation?

I am not really familiar with Solaris.

    [EMAIL PROTECTED]:/# openssl version
    OpenSSL 0.9.7b 10 Apr 2003

Is this information sufficient?

Norbert Wegener
> alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
compiling 1.1.6 on solaris problem
Setting up 1.1.6 on a Sun with `uname -a` giving

    SunOS sunfire 5.10 Generic_118822-26 sun4u sparc SUNW,Ultra-30

configure does not show errors, only warnings. Unfortunately make dies with:

    creating rlm_dbm.la
    (cd .libs && rm -f rlm_dbm.la && ln -s ../rlm_dbm.la rlm_dbm.la)
    /root/freeradius-1.1.6/libtool --mode=compile gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c
    gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c -fPIC -DPIC -o .libs/rlm_dbm_parser.o
    In file included from /root/freeradius-1.1.6/src/include/radiusd.h:31,
                     from rlm_dbm_parser.c:52:
    /usr/include/netinet/in.h:302: warning: `INADDR_ANY' redefined
    /root/freeradius-1.1.6/src/include/missing.h:73: warning: this is the location of the previous definition
    /usr/include/netinet/in.h:303: warning: `INADDR_LOOPBACK' redefined
    /root/freeradius-1.1.6/src/include/missing.h:77: warning: this is the location of the previous definition
    rlm_dbm_parser.c: In function `storecontent':
    rlm_dbm_parser.c:165: warning: assignment discards qualifiers from pointer target type
    gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c -o rlm_dbm_parser.o >/dev/null 2>&1
    /root/freeradius-1.1.6/libtool --mode=link gcc \
        -o rlm_dbm_parser rlm_dbm_parser.lo ../../lib/libradius.la -lnsl -lresolv -lsocket -lposix4 -lpthread
    gcc -o .libs/rlm_dbm_parser .libs/rlm_dbm_parser.o ../../lib/.libs/libradius.so -lcrypt -lnsl -lresolv -lsocket -lposix4 -lpthread -Wl,--rpath -Wl,/usr/local/lib
    ../../lib/.libs/libradius.so: undefined reference to [EMAIL PROTECTED]'
    collect2: ld returned 1 exit status
    gmake[6]: *** [rlm_dbm_parser] Error 1
    gmake[6]: Leaving directory `/root/freeradius-1.1.6/src/modules/rlm_dbm'
    gmake[5]: *** [common] Error 2
    gmake[5]: Leaving directory `/root/freeradius-1.1.6/src/modules'
    gmake[4]: *** [all] Error 2
    gmake[4]: Leaving directory `/root/freeradius-1.1.6/src/modules'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/root/freeradius-1.1.6/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/root/freeradius-1.1.6/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/root/freeradius-1.1.6'
    make: *** [all] Error 2
    sh-3.00# exit

    autoconf --version
    autoconf (GNU Autoconf) 2.61
    [EMAIL PROTECTED]:/root/freeradius-1.1.6# automake --version
    automake (GNU automake) 1.8

The complete output of configure / make can be found at: http://www.wegener-net.de/fr/

Any idea?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
version 2
On http://wiki.freeradius.org/Fail-over I find an interesting feature that would be very useful in some configurations:

    authorize {
        ...
        sql
        if notfound {
            ldap1
        } else {
            ldap2
        }

As mentioned there, it is available in version 2 of the server. Is it already foreseeable when, approximately, version 2 of freeradius will be available?

Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Default attributes
On different equipment the following profiles give me connections that behave identically.

    [EMAIL PROTECTED]   Auth-Type := Local, User-Password == "12345"
            Service-Type = Framed-User,
            Framed-Protocol = PPP

    [EMAIL PROTECTED]   Auth-Type := Local, User-Password == "12345"
            Service-Type = Framed-User

    [EMAIL PROTECTED]   Auth-Type := Local, User-Password == "12345"

Are Service-Type = Framed-User and Framed-Protocol = PPP defaults these days or do those connections work only accidentally?

Thanks
Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql question
Please forget this question. Someone had changed a network setting, so that mysql and rlm_sql did not reach the same databases. Right now everything works as expected.

Sorry
Norbert Wegener

Norbert Wegener wrote:
> I am using freeradius 1.1.4 with mysql.
>
> I had to change the authorize_check_query.
>
>     authorize_check_query = "SELECT radcheck.id, radcheck.UserName, \
>         radcheck.Attribute, radcheck.Value, radcheck.op \
>         FROM radcheck,nas \
>         WHERE (Username = '%{SQL-User-Name}') \
>         and (nas.type='Enterasys Networks' and nas.nasname= '%{NAS-IP-Address}') \
>         ORDER BY id"
>
> Now radiusd -AX gives me:
>
>     ..
>     rlm_sql (enterasys): sql_set_user escaped user --> '7509'
>     radius_xlat: 'SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id'
>     rlm_sql (enterasys): Reserving sql socket id: 3
>     rlm_sql_mysql: query: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id
>     rlm_sql (enterasys): User 7509 not found in radcheck
>     ..
>
> where the same query in mysql shows:
>
>     mysql> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id;
>     +---------+----------+-----------+--------+----+
>     | id      | UserName | Attribute | Value  | op |
>     +---------+----------+-----------+--------+----+
>     | 1180894 | 7509     | Auth-Type | Accept | += |
>     +---------+----------+-----------+--------+----+
>     1 row in set (0.00 sec)
>
> I would have expected the same results as well from rlm_sql as from mysql directly.
> Why do the results differ?
>
> Thanks
> Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html