Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 10:41, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're
 doing it here, but I can't help thinking that the actual load balancing
 algorithm needs some tweaking.

I have F5 load balancers, but atm I don't use them for our RADIUS traffic.

 As far as I'm aware (systems section supports the F5 boxes):
 
 1). We're using round robin to spread the load over 2 back end RADIUS servers.
 2). There is some general sticky persistence so that once a RAS device
 starts talking to a particular back end server it continues to talk to that
 server for a predetermined length of time (might be an hour, not sure). This
 ensures that an EAP dialogue will always talk to the same back end server for
 the duration of the sticky time. Not sure what happens when you get to the
 end of the time interval though.

Point 2 should be set up carefully. I recommend using the iApp to deploy
your RADIUS through the F5 [1] (they use FreeRADIUS as an example).

 I was wondering if there's a way of having a bit more granularity in terms
 of how the F5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool
members to your RAS servers. You can even decode the RADIUS packet and
base your load-balancing decision on RADIUS attributes [2].

As you said, the most important thing is to ensure that a client/NAS
always talks to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2]
https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way of having a bit more granularity in terms
 of how the F5 load balances incoming RADIUS requests.

Another nice thing to do is persistence based on RADIUS AVPs:
https://devcentral.f5.com/questions/radius-load-bnalancing-persistence

So you can load balance incoming requests based on any standard AVP
(User-Name, NAS-IP-Address, Calling-Station-Id).

Olivier
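
The two replies above (static pool assignment from decoded RADIUS attributes, and persistence on an AVP such as NAS-IP-Address or Calling-Station-Id) come down to one decision function. The following Python is an added example, not F5 or FreeRADIUS code: it parses a RADIUS packet, picks the persistence key, and maps it to a pool member. The pool names and the Access-Request it builds are assumptions.

```python
"""RADIUS-aware pool selection: decode the packet, pick the attribute to
persist on, and hash it onto a pool member so every packet of one NAS (or
one supplicant) hits the same backend.

Added example, not F5 or FreeRADIUS code.  POOL and the packet built by
build_access_request() are constructed for illustration.
"""
import hashlib
import ipaddress
import struct

# RFC 2865 attribute types used below
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31

POOL = ["radius1.example.net", "radius2.example.net"]   # assumed pool members


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte header and the attribute list.  Attributes that
    occur more than once are kept as lists, in wire order."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def persistence_key(parsed: dict, mode: str = "nas") -> bytes:
    """The value the load balancer persists on.  'nas' pins a whole NAS to one
    member (always safe for EAP); 'station' pins one supplicant, so clients
    behind the same NAS can spread across members while each EAP
    conversation still stays on one backend."""
    attrs = parsed["attrs"]
    if mode == "station" and CALLING_STATION_ID in attrs:
        return attrs[CALLING_STATION_ID][0]
    if NAS_IP_ADDRESS in attrs:
        return attrs[NAS_IP_ADDRESS][0]
    raise ValueError("no NAS-IP-Address or Calling-Station-Id to persist on")


def pick_member(packet: bytes, pool=POOL, mode: str = "nas") -> str:
    """Deterministic choice: same persistence key, same member, independent
    of the packet id or of which packet of the conversation this is."""
    key = persistence_key(parse_radius(packet), mode)
    digest = hashlib.sha256(key).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def build_access_request(ident: int, nas_ip: str, station: str, user: str) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator, which
    is enough for parsing; a real NAS fills in 16 random bytes."""
    body = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
                         (CALLING_STATION_ID, station.encode())):
        body += bytes([atype, 2 + len(value)]) + value
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    # eight round trips of one EAP conversation, all from the same NAS
    members = {pick_member(build_access_request(i, "192.0.2.10", "00-11-22-33-44-55", "alice"))
               for i in range(1, 9)}
    print("members used by the conversation:", members)   # a single member
```

On a BIG-IP the same decision is expressed in an iRule with the RADIUS:: commands and universal persistence; what matters is the property this function guarantees, that every packet of one NAS resolves to the same member for as long as the pool is unchanged. Hashing has no timeout, so the "end of the persistence interval" question from the original post does not arise, but adding or removing a member reshuffles the keys and breaks the EAP conversations in flight at that moment.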


Re: CISCO ASA VPN3000 dictionary

2013-08-28 Thread Olivier Beytrison
On 28.08.2013 17:48, Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
 In that list they have type 'boolean', but RADIUS can't encode attributes 
 smaller than a byte.

 For boolean does anyone know if they really mean a standard 32bit integer 
 with the values 0/1, or
 if they're wanting a single byte with the values 0/1, or whether it's some 
 other cisco craziness?
 
   My guess is that it's a single byte.  In v2.2.x, that's byte type.
Well, not all attributes changed between the VPN3000 and the ASA. Those
indicated as boolean in the ASA documentation were in fact integers in
the VPN3000.

Arran and I suppose they made a lazy copy-paste from the LDAP part of
the document.

Olivier


Re: how to limit the repeating ldap lookups

2013-08-27 Thread Olivier Beytrison
On 28.08.2013 00:20, Martin Kraus wrote:
 On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
   Again, look at the debug log to see what's happening.  *WHY* are you
 doing LDAP lookups at all?  Can you not delay them?
 
 Hi. I'm using groups to authorize users and pull radius profiles for the 
 users.
 My config is similar to what the default freeradius configuration offers.
 

   And rlm_cache should help a lot, too.
 
 I'm stuck with 2.1.10 on ubuntu:-(
 
 Anyway I managed to filter out most of the redundant ldap lookups. the only 
 thing I'm
 stuck with are lookups during TLS negotiation either in the default server for
 EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The handshake
 takes 8 access-requests and the only way I can see to filter it out is to
 somehow findout if the EAP-Message AVPs contain something to tell me whether
 it's about to be done or not.
 

I'm just quoting a mail from Phil Mayers a few months ago on this list.
It contains a check that allows you to run the checks in authorize only
after the EAP tunnel is established (use it only in v2). And remove
ldap from the outer tunnel; you don't need it there anyway.

-
 ..and save some more hits to LDAP by wrapping the call to it in the
 authorization stage to just the EAP Identity packet

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
    eap

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
      noop
    }
    else {
      # rest of config goes here
    }
  }
}

For complete thread :
http://lists.freeradius.org/pipermail/freeradius-users/2013-June/067100.html

Olivier

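
To see what the regex in the quoted snippet actually selects, here is an added Python example (not FreeRADIUS code) that decodes an EAP-Message the way the inner-tunnel authorize section sees it and applies the same two-branch test. The four sample EAP packets are constructed.

```python
"""Decode the EAP-Message seen in the inner-tunnel authorize section and
reproduce the test in the snippet above, so it is clear which packets it
lets through to the LDAP lookup.

Added example, not FreeRADIUS code.  The four sample EAP packets are
constructed; the MS-CHAPv2 Response below carries a zeroed value field.
"""
import re
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1          # EAP-Type == 1 in the unlang check
EAP_TYPE_PEAP = 25
EAP_TYPE_MSCHAPV2 = 26         # the 0x1a in the regex
MSCHAPV2_RESPONSE, MSCHAPV2_SUCCESS, MSCHAPV2_FAILURE = 2, 3, 4

# FreeRADIUS v2 prints an octets attribute as 0x<hex>, which is what the
# posted regex is written against
REGEX = re.compile(r"^0x02..00061a..$")


def as_freeradius_hex(msg: bytes) -> str:
    return "0x" + msg.hex()


def decode_eap(msg: bytes) -> dict:
    """Split an EAP packet into code, identifier, type and type-data."""
    if len(msg) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP Length field does not match the data")
    info = {"code": code, "id": ident, "length": length, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        info["type"] = msg[4]
        info["data"] = msg[5:]
    return info


def skip_authorize_lookups(msg: bytes) -> bool:
    """True for the packets the snippet answers with `noop`: the Identity
    Response (nothing to look up yet) and the 6-byte MS-CHAPv2 Success or
    Failure Response (authentication already decided).  Only the MS-CHAPv2
    Response carrying the challenge answer needs the password lookup.
    Stricter than the regex: the opcode must really be Success or Failure."""
    eap = decode_eap(msg)
    if eap["code"] != EAP_RESPONSE:
        return False
    if eap["type"] == EAP_TYPE_IDENTITY:
        return True
    return (eap["type"] == EAP_TYPE_MSCHAPV2 and eap["length"] == 6
            and eap["data"][0] in (MSCHAPV2_SUCCESS, MSCHAPV2_FAILURE))


def regex_branch(msg: bytes) -> bool:
    """The second half of the unlang condition, applied literally."""
    return REGEX.match(as_freeradius_hex(msg)) is not None


def eap_response(ident: int, eap_type: int, data: bytes) -> bytes:
    """Constructed EAP Response packet."""
    return struct.pack("!BBH", EAP_RESPONSE, ident, 5 + len(data)) + bytes([eap_type]) + data


# Constructed inner-tunnel packets, in the order an MS-CHAPv2 exchange sends them
IDENTITY = eap_response(1, EAP_TYPE_IDENTITY, b"alice")
# Response: opcode, MS-CHAPv2-ID, MS-Length, Value-Size (49), 49 bytes, Name
CHALLENGE_ANSWER = eap_response(2, EAP_TYPE_MSCHAPV2,
                                bytes([MSCHAPV2_RESPONSE, 2]) + struct.pack("!H", 59)
                                + bytes([49]) + bytes(49) + b"alice")
SUCCESS_ACK = eap_response(3, EAP_TYPE_MSCHAPV2, bytes([MSCHAPV2_SUCCESS]))
# a PEAP TLS-data fragment (flags byte + TLS record), never an inner packet
PEAP_DATA = eap_response(4, EAP_TYPE_PEAP, bytes([0x00]) + b"\x17\x03\x01\x00\x10" + bytes(16))
```

The third packet above is the one that needs the password from LDAP; the other three are exactly what the snippet skips. Note that the regex keys on the hex rendering of the whole attribute, so it only works where EAP-Message prints as a single 0x... string (v2), which is why the quoted mail restricts the trick to v2.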


Re: Response-Packet-Type == Access-Challenge

2013-08-07 Thread Olivier Beytrison
On 07.08.2013 08:51, Dominique Frise wrote:
 Did a fresh install from
 http://github.com/FreeRADIUS/freeradius-server/tree/v2.x.x
 
 ./radiusd -v
 radiusd: FreeRADIUS Version 2.2.1 (git #12be9f6), for host
 x86_64-unknown-linux-gnu, built on Aug  6 2013 at 21:51:33
 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License.
 For more information about these matters, see the file named COPYRIGHT.
 
 But still no luck :-(
 -
 rad_recv: Access-Challenge packet from host X.X.X.X port 1812, id=101,
 length=49
 Reply-Message = Enter OTP:
 State = 0x38373131
 Prompt = No-Echo
 Proxy-State = 0x313039
 # Executing section post-proxy from file
 /usr/local/etc/raddb/sites-enabled/default
 +- entering group post-proxy {...}
 [eap] No pre-existing handler found
 ++[eap] returns noop
 ++? if (Response-Packet-Type == Access-Challenge)
 ? Evaluating (Response-Packet-Type == Access-Challenge) -> FALSE
 --

I made myself a test with the latest git HEAD (3.0) and indeed, this
also doesn't work. I'll have a look at it and see why it doesn't call
the paircmp callback.

Olivier


Re: Delete one value of multiple attribute(Class)

2013-07-17 Thread Olivier Beytrison

On 17.07.2013 12:29, Okis Chuang wrote:

But the situation I encountered is :

1.I need to save some information returned in Access-Accept from
external AAA in the attribute **Class** at the section **post-auth**. So
it will return back to gateway.

2.Then gateway will send Accounting-Start to my server. In this time, I
need to pop out the information I saved in the attribute **Class** in
the section **accounting** so that I can generate the avp what I need.

Hence, it cannot work by using Tmp-XXX internal attribute because those
two events occur in two different sessions to FreeRADIUS.

I thought Tmp-* attributes will not exist across two sessions at the
same time.

So that way I must choose some kind of attribute that gateway must
return back for saving temporary attribute value.


Well, with the release 3.0.0 you can use the new rlm_cache module, which
will allow you to do that quite easily.


And (again with 3.0.0) you can do a foreach on your multi-valued
attributes, and erase those you don't need in the loop.


Olivier



Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Olivier Beytrison
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
 I need some help with RADIUS regarding Wireless authentication with
 RADIUS + LDAP.

Hello. Which version of FreeRADIUS are you running?

 I need to check if the user has permission to connect to a specific
 SSID, so we check a LDAP attribute for that.

Pretty easy.

 By that, we need to know from which SSID the authentication is being
 requested so we use a specific LDAP Filter to search the base and grant
 or deny the permission.
 
 We tried to use two instances of RADIUS, one per SSID, but the Wireless
 Controller doesn't seem to support it (supports only one AAA per AP).

Oh, what?

 That's why i'm asking for help in case you people have some alternatives
 or ideas to solve it.
 
 The setup is based on Cisco Wireless Controller 5508.

I'm also setting up a WLC-5508 right now on my side.

First, the AAA servers are defined per SSID. So you can specify
different RADIUS servers (or simply ports) for each SSID.

Secondly, you can now customize the NAS-Identifier on a per-SSID basis
(at least in release 7.4).

Finally, the Called-Station-Id will contain the SSID name. If you use
the policy rewrite_called_station_id it will populate the attribute
Called-Station-SSID with the SSID name.

So all the tools to do it easily are in your hands.

Olivier


Re: [ANN] Version 3.0.0-rc0

2013-07-11 Thread Olivier Beytrison
On 11.07.2013 16:44, stefan.pae...@diamond.ac.uk wrote:
 Did you mean https://github.com/FreeRADIUS/freeradius-
 server/archive/release_3_0_0_rc0.tar.gz ?
 
 I'm afraid I'm getting a build error (from fresh):
[snip]
 /usr/bin/ld: cannot find -lregex
 collect2: ld returned 1 exit status
 make: *** [build/lib/local/libfreeradius-radius.la] Error 1

Got exactly the same right now on a system which was running fine till now.

Olivier


Re: Substring using Unlang?

2013-07-10 Thread Olivier Beytrison
On 10.07.2013 07:48, Olivier Beytrison wrote:
 if ( ADSL-Agent-Remote-Id =~ /(.{0,31})$/ ) {

if ( ADSL-Agent-Remote-Id =~ /(.{1,32})$/ ) {

that's even better as it won't match an empty attribute (you never know ...)


Re: Substring using Unlang?

2013-07-09 Thread Olivier Beytrison
On 10.07.2013 05:20, Peter Lambrechtsen wrote:

 In pseudo code it would be something like:
 
 if (length(ADSL-Agent-Remote-Id) > 31) {
 
 update reply {
 strncat(SubscriberID, ADSL-Agent-Remote-Id +
 (strlen(ADSL-Agent-Remote-Id) - 31), 31)
 }
 }
 else {
 update reply {
 SubscriberID := ADSL-Agent-Remote-Id
 }
 }
 
 Where in effect if the string is longer than 31 chars take the right
 most 31 chars and only return that.

if ( ADSL-Agent-Remote-Id =~ /(.{0,31})$/ ) {
    update reply {
        SubscriberID := "%{1}"
    }
}

that should do it.

Olivier


Re: ldap

2013-06-21 Thread Olivier Beytrison

On 21.06.2013 22:21, Julian Macassey wrote:


In another terminal window I enter:
root# radtest usern...@mydomain.com PASSWORD 192.168.10.14 0 sharedsecret

Sending Access-Request of id 231 to 192.168.10.14 port 1812
User-Name = usern...@domain.com
User-Password = PASSWORD
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Sending Access-Request of id 231 to 192.168.10.14 port 1812
User-Name = usern...@domain.com
User-Password = PASSWORD
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Sending Access-Request of id 231 to 192.168.10.14 port 1812
User-Name = usern...@domain.com
User-Password = PASSWORD
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
radclient: no response from server for ID 231 socket 3


In your config you didn't configure any other client than 127.0.0.1.
You're sending your request to 192.168.10.14, which means it's over the
network. Add a client for the machine on which you run radtest, and it
will work.


FreeRADIUS silently drops packets from unknown clients.

Olivier


Re: User disconnect

2013-06-20 Thread Olivier Beytrison
On 20.06.2013 08:21, Dagia Dorjsuren wrote:
 Hello,
 
 Does anyone know how to solve following issue?
 
 In this case :
 
 1. NAS (Chillispot based access point)
 2. Freeradius
 
 If the NAS is shut down, FreeRADIUS keeps all user logins of that NAS.
 In this case, the users' sessions stay alive. In fact, FreeRADIUS doesn't
 know if the NAS's status is shut down or running. Is there any
 configuration so that FreeRADIUS disconnects the users automatically when
 the NAS is shut down?

FreeRADIUS can't disconnect a user, except by sending CoA packets to the
NAS. But in your case, the NAS is down.

I guess you're keeping the accounting information in a database or
something. You need to run an expiration query so the session is marked
closed when FreeRADIUS doesn't hear from the NAS for a certain amount of
time.

Search through the list as this came up a few weeks ago.

Olivier
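
What that expiration query looks like, as an added example rather than FreeRADIUS' own SQL: a SQLite copy of a trimmed radacct table, constructed rows for two NASes, and an UPDATE that closes every open session of a NAS not heard from within the allowed idle time. Column names follow the radacct schema; the table layout and the rows are assumptions.

```python
"""The 'expiration query' for sessions whose NAS went away: close every
open radacct row of a NAS that has sent no accounting packet for longer
than the interim interval allows, run against an in-memory SQLite copy of
a radacct subset.

Added example, not FreeRADIUS' SQL; column names follow the radacct schema
but the table is trimmed, and the rows in seed_demo() are constructed.
"""
import datetime as dt
import sqlite3

FMT = "%Y-%m-%d %H:%M:%S"

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      TEXT NOT NULL,
    acctupdatetime     TEXT,
    acctstoptime       TEXT,
    acctterminatecause TEXT
)"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def seed_demo(db) -> None:
    """Two NASes: 10.0.0.1 sent its last interim update at 09:55, 10.0.0.2 at
    10:25.  One session on 10.0.0.1 was already stopped cleanly."""
    rows = [
        ("s0", "bob",   "10.0.0.1", "2013-06-20 08:00:00", "2013-06-20 09:30:00", "2013-06-20 09:40:00", "User-Request"),
        ("s1", "alice", "10.0.0.1", "2013-06-20 09:00:00", "2013-06-20 09:50:00", None, None),
        ("s2", "carol", "10.0.0.1", "2013-06-20 09:30:00", "2013-06-20 09:55:00", None, None),
        ("s3", "dave",  "10.0.0.2", "2013-06-20 09:00:00", "2013-06-20 10:25:00", None, None),
    ]
    db.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime,"
        " acctupdatetime, acctstoptime, acctterminatecause) VALUES (?,?,?,?,?,?,?)", rows)
    db.commit()


def expire_dead_nas_sessions(db, now: dt.datetime, max_idle: dt.timedelta) -> int:
    """Close open sessions of every NAS not heard from since now - max_idle.
    The stop time is the last time the NAS was heard for that session, not
    'now', so dead time is not billed.  Returns the number of rows closed."""
    cutoff = (now - max_idle).strftime(FMT)
    cur = db.execute("""
        UPDATE radacct
           SET acctstoptime = COALESCE(acctupdatetime, acctstarttime),
               acctterminatecause = 'Lost-Service'
         WHERE acctstoptime IS NULL
           AND nasipaddress IN (
                 SELECT nasipaddress FROM radacct
                  GROUP BY nasipaddress
                 HAVING MAX(COALESCE(acctupdatetime, acctstarttime)) < ?)""",
        (cutoff,))
    db.commit()
    return cur.rowcount


def open_sessions(db):
    """Session ids still open, for checking the result."""
    return [r[0] for r in db.execute(
        "SELECT acctsessionid FROM radacct WHERE acctstoptime IS NULL ORDER BY acctsessionid")]


def stop_time(db, session_id):
    return db.execute("SELECT acctstoptime FROM radacct WHERE acctsessionid = ?",
                      (session_id,)).fetchone()[0]


def run_demo() -> dict:
    """Seed, expire with a 15-minute budget at 10:30, run again, report."""
    db = open_db()
    seed_demo(db)
    now, budget = dt.datetime(2013, 6, 20, 10, 30), dt.timedelta(minutes=15)
    closed = expire_dead_nas_sessions(db, now, budget)
    return {"closed": closed, "still_open": open_sessions(db),
            "s1_stop": stop_time(db, "s1"), "s2_stop": stop_time(db, "s2"),
            "second_run": expire_dead_nas_sessions(db, now, budget)}
```

This only works if the NAS sends interim updates (Acct-Interim-Interval); without them a long idle session and a dead NAS look the same in the table, so set max_idle to a couple of missed intervals. When the NAS comes back and sends an Accounting Stop for a session already closed here, the accounting stop query has to tolerate the row being closed already.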


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 14:11, Marco Streich wrote:
 Hi all
 
 We have deployed FreeRADIUS on OS X before, but our configuration was rather 
 ugly. What we would do is authenticate users locally, having the machine 
 attached to our OpenDirectory server directly using the Connect Network 
 Account Server functionality provided by OS X.
 
 I have seen this question getting asked a lot but still wasn't able to fill 
 my gap in understanding the whole process. 

I will make it short and easy.

You can't do LDAP authentication with 802.1x. EAP needs the password of
the user in cleartext. If it's not in your LDAP, you're screwed.

And the debug log explains it :
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.

[snip]

 At this moment, I cannot wrap my mind around what is going on here.
 
 I understand that ldap tries to authenticate the user by itself, instead of 
 handing it to the LDAP server. But what is different when I run radtest?
 
 Debug from radtest:
 ...
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group LDAP {...}
 [ldap] login attempt by a4 with password whatever
 [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
 ldap.hopro.edu:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
 [ldap] user a4 authenticated successfully
 ++[ldap] returns ok
 ...

This works because you're doing PAP. With radtest the user password is
sent in cleartext. So YES, you can authenticate with LDAP because you can
BIND to the LDAP with the provided password.

You don't have this password with 802.1x/EAP. You work only with
challenges, hashes and keys.

Olivier



Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
 Some other comments -

 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.

 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf

 Save yourself some LDAP lookups by removing ldap from the outer.
 
 ..and save some more hits to LDAP by wrapping the call to it in the
 authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?




Re: multiply Cisco-AVPair request attribute process by regular expression

2013-04-29 Thread Olivier Beytrison
On 28.04.2013 23:30, Mehdi Ravanbakhsh wrote:
 Dear Olivier
 
 I am trying to test it, but why is the first one working?!!! Did you check my
 regular expression in the second one? Did I do it correctly?

I'm quoting the man page.

man unlang :
%{Attribute-Name[index]}
  Reference  the N'th occurrence of the given attribute.  The syntax
%{list:Attribute-Name[index]} may also be used.  The indexes start at
zero.  This feature is NOT available for non-attribute dynamic
translations, like %{sql:...}.

  For example, %{User-Name[0]} is the same as %{User-Name}

  The variable %{Cisco-AVPair[2]} will reference the value of the THIRD
Cisco-AVPair attribute (if it exists) in the request packet,

In your request you have 3 Cisco-AVPair attributes. I don't know if they always
come in the same order or what, but looking at your request:
%{Cisco-AVPair[0]} = client-mac-address=90f6.52d2.384f
%{Cisco-AVPair[1]} = connect-progress=LAN Ses Up
%{Cisco-AVPair[2]} = circuit-id-tag=Azadegan-1 atm 2/16:251:0.35

Please NOTE the %{ } surrounding the attribute and its index.

 and is version 3 stable enough to use ? (your opinion )

Version 3 is a living thing. It can be stable one day and buggy the next.
I'm running Version 3 in production. I froze the branch, tested it
carefully, cherry-picked the fixes I needed, and deployed it. Version 3
brings some nice things and an important performance improvement.

Olivier



Re: multiply Cisco-AVPair request attribute process by regular expression

2013-04-28 Thread Olivier Beytrison


On 28 avr. 2013, at 22:58, Mehdi Ravanbakhsh baba...@gmail.com wrote:

 Dear 
 A.L.M.Buxey
 
 i have 2 Cisco-AVPair in request attribute :
 
 Cisco-AVPair = client-mac-address=90f6.52d2.384f
 
 and
 
 Cisco-AVPair = circuit-id-tag=Azadegan-1 atm 2/16:251:0.35

You have the same attribute multiple times. Use Cisco-AVPair[X] to access a
specific instance of it. If you're running version 3 you can use a foreach
loop.

 
 For the first one I use:
 
 if (Cisco-AVPair =~ /^client-mac-address=([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
     if (!Calling-Station-Id) {
         update request {
             Calling-Station-Id := "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
             Called-Station-Id := "%{NAS-Identifier}"
         }
     }
 }
 
 and it works
 
 
 For the second one I use:
 
 if (Cisco-AVPair =~ /^circuit-id-tag=(.*)$/) {
     update request {
         NAS-Port-Id := "%{1}"
     }
 }
 
 But it does not work!
 
 that is the problem.
 
 this is the attribute that come from NAS :
 
 Acct-Session-Id = 04423124
 Cisco-AVPair = client-mac-address=90f6.52d2.384f
 Framed-Protocol = PPP
 Framed-IP-Address = 172.20.10.238
 User-Name = 7734247799
 Cisco-AVPair = connect-progress=LAN Ses Up
 Acct-Authentic = RADIUS
 Acct-Status-Type = Start
 NAS-Port-Type = Ethernet
 NAS-Port = 71446820
 NAS-Port-Id = 0/0/0/0
 Cisco-AVPair = circuit-id-tag=Azadegan-1 atm 2/16:251:0.35
 Service-Type = Framed-User
 NAS-IP-Address = 10.150.21.218
 X-Ascend-Session-Svr-Key = A4477F54
 Acct-Delay-Time = 29
 Calling-Station-Id = 
 Called-Station-Id = 
 Acct-Unique-Session-Id = 8cd7eadca98e09bf
 Timestamp = 1367151426
 
 
 Best regards
 
 
 On Mon, Apr 29, 2013 at 1:10 AM, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
 but it is not working !
 
 what do you mean? what do you want to do (ie what do you want to have/get
 and what do you actually get?) - what does the server say/do (ie. run in full
 debug mode to see what it's saying/doing to your logic).
 
 alan
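
The reason the first check matched and the second did not, as an added Python example (not FreeRADIUS code): without an index, `Cisco-AVPair =~ /.../` in v2 is evaluated against the first instance only, so the circuit-id-tag test never sees the third AVP, while `%{Cisco-AVPair[N]}` addresses the N-th instance. The list below keeps the attribute order from the posted request; the MAC regex is a rewrite of the posted one with the dots escaped.

```python
"""Multi-valued attributes in unlang: a bare `Cisco-AVPair =~ /.../` only
tests the first instance, which is why the circuit-id-tag check in the
post never matched, while %{Cisco-AVPair[N]} addresses the N-th instance.

Added example, not FreeRADIUS code.  REQUEST holds the attribute order from
the posted accounting request; the MAC regex is a rewrite of the posted one.
"""
import re

REQUEST = [
    ("Acct-Session-Id", "04423124"),
    ("Cisco-AVPair", "client-mac-address=90f6.52d2.384f"),
    ("User-Name", "7734247799"),
    ("Cisco-AVPair", "connect-progress=LAN Ses Up"),
    ("NAS-Port-Id", "0/0/0/0"),
    ("Cisco-AVPair", "circuit-id-tag=Azadegan-1 atm 2/16:251:0.35"),
]

# Cisco dotted MAC (hhhh.hhhh.hhhh); the dots are escaped here, the posted
# regex's bare '.' would also accept any other character in that position
MAC_RE = re.compile(r"^client-mac-address=([0-9a-f]{2})([0-9a-f]{2})\."
                    r"([0-9a-f]{2})([0-9a-f]{2})\.([0-9a-f]{2})([0-9a-f]{2})$", re.I)
CIRCUIT_RE = re.compile(r"^circuit-id-tag=(.*)$")


def instances(request, name):
    """All values of one attribute, in packet order (names are case-insensitive)."""
    return [v for n, v in request if n.lower() == name.lower()]


def avp(request, name, index=0):
    """%{Attr[index]}: the N-th instance, None if it does not exist."""
    values = instances(request, name)
    return values[index] if index < len(values) else None


def first_instance_match(request, name, regex):
    """`Attr =~ /re/` without an index: only instance 0 is tested."""
    value = avp(request, name, 0)
    return regex.match(value) if value is not None else None


def any_instance_match(request, name, regex):
    """What an indexed lookup or a v3 foreach gives you: test every instance."""
    for value in instances(request, name):
        m = regex.match(value)
        if m:
            return m
    return None


def derive_ids(request):
    """Build the attributes the poster wanted from the AVPs, whatever their order."""
    out = {}
    m = any_instance_match(request, "Cisco-AVPair", MAC_RE)
    if m:
        out["Calling-Station-Id"] = ":".join(m.groups()).lower()
    m = any_instance_match(request, "Cisco-AVPair", CIRCUIT_RE)
    if m:
        out["NAS-Port-Id"] = m.group(1)
    return out
```

The first check in the post worked only because the MAC happens to be instance 0; if the NAS ever reorders its AVPs it stops working too, which is why matching every instance (an explicit index in v2, foreach in v3) is the robust form.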

Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-19 Thread Olivier Beytrison
On 19.04.2013 10:35, pramod kulkarni wrote:
 Thanks for the reply.
  
 I am new to FreeRadius and doing analysis on how to remove The
 identity and password attributes of LDAP module in
 radiusd.config and still be able to authenticate and authorize LDAP users.

Is that really an issue for you? Set restrictive permissions on the file
so that only root and freeradius can read the admin credentials for the
LDAP server. And do not let people log in as root. Everyone does that. It
works fine.

 Is there any other option/configuration to avoid usernames and plain
 text passwords in the module ldap of radiusd.conf for authenticating and
 authorizing users of LDAP database ?

AFAIK no.

 I tried EAP-TLS method but didn't get proper result,can I use LDAP as
 database for EAP-TLS method,as one of forum answers is no
  http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

That's something else. EAP-TLS is how the user authenticates to the
RADIUS server, not how the RADIUS server binds to the LDAP server.

BUT you could do EAP-TLS without user/password (for the user) and check
the validity of the certificate against an LDAP server that allows you to
retrieve that information anonymously (removing the need to have
credentials written in the ldap module). But then it's your LDAP server
that can leak information.

  I would like to use a certificate (admin) to bind to the LDAP database
 using FreeRadius because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

  After binding using certificate i would like to  Authenticate different
 users of LDAP using radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
 127.0.0.1 auth testing1

This will work with radclient, which does PAP. This won't work with
wireless clients, which do EAP.

 if as per replies only LDAP simpile bind is possible ,how to compile
 OpenLDAP+SASL+FreeRadius on Windows only through cygwin ? or any other
 option

If you do PAP and want to authenticate against your LDAP, the only
option is simple bind at the moment. As usual, patches welcome.
As for compiling on cygwin, I can't tell you if that's supported or
working.

On a final note, people have been using ldap with credentials in a file
for ages. It's down to the security of the server and the filesystem
permission to ensure that only authorized users can access this file.

Olivier
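
The "restrictive permissions" advice above, as an added Python example (not FreeRADIUS code): an audit of the module file's mode and group, plus a scan for the lines that actually carry the bind credentials. The snippet of the ldap module it writes and the group name are assumptions; use the group your radiusd runs as.

```python
"""Least privilege for the file that holds the LDAP bind credentials
(raddb/modules/ldap in FreeRADIUS 2): make sure only the owner and the
server's group can read it, and find which lines actually carry secrets.

Added example, not FreeRADIUS code.  LDAP_SNIPPET is constructed and the
group name passed to audit_secret_file() is whatever radiusd runs as.
"""
import grp
import os
import stat
import tempfile

SECRET_KEYS = ("identity", "password", "secret")


def credential_lines(config_text: str):
    """(line number, key) for every uncommented line setting a secret key."""
    found = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()         # drop comments
        if "=" not in code:
            continue
        key = code.split("=", 1)[0].strip().lower()
        if key in SECRET_KEYS:
            found.append((lineno, key))
    return found


def audit_secret_file(path: str, allowed_group: str = None):
    """Findings for a credentials file; an empty list means it passes.
    Ownership by root and mode 0640 (or 0600) is the target."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set")
    if allowed_group is not None:
        try:
            if st.st_gid != grp.getgrnam(allowed_group).gr_gid:
                findings.append("group is not %s" % allowed_group)
        except KeyError:
            findings.append("group %s does not exist" % allowed_group)
    return findings


def harden(path: str, mode: int = 0o640):
    """Apply the given mode and re-audit (mode bits only)."""
    os.chmod(path, mode)
    return audit_secret_file(path)


# Constructed module snippet in the v2 rlm_ldap style
LDAP_SNIPPET = """ldap {
    server = "ldap.example.net"
    identity = "cn=radius,ou=services,dc=example,dc=net"   # bind DN
    password = "not-the-real-one"
    #password = "old-value"
    basedn = "dc=example,dc=net"
}"""


def make_demo_file() -> str:
    """Write LDAP_SNIPPET to a temp file with the too-open 0644 mode."""
    fd, path = tempfile.mkstemp(prefix="ldap-")
    with os.fdopen(fd, "w") as f:
        f.write(LDAP_SNIPPET)
    os.chmod(path, 0o644)
    return path
```

Run audit_secret_file() against raddb/modules/ldap with the radiusd group and add it to whatever configuration check you already run; the bind DN and password are only as safe as the file mode, which is the whole point of the reply above.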


Re: captive portal auth with freeradius

2013-04-17 Thread Olivier Beytrison
On 17.04.2013 14:32, Chitrang Srivastava wrote:
 I am using LDAP server as datasource
 Attaching logs
 

You're doing PAP against LDAP.

This is the ONLY situation where Auth-Type should be set to ldap

looking at modules/ldap, we have

#
#  By default, if the packet contains a User-Password,
#  and no other module is configured to handle the
#  authentication, the LDAP module sets itself to do
#  LDAP bind for authentication.
#
#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
#  You can disable this behavior by setting the following
#  configuration entry to no.
#
#  allowed values: {no, yes}
# set_auth_type = yes

So FreeRADIUS *should* set Auth-Type to LDAP.
We *should* see a "Setting Auth-Type = ldap" in the debug.
Yet it doesn't do it.

You messed up the default *working* configuration provided with FreeRADIUS.
There's a lot of stuff in your config that is just useless.

Again, start with the default, working config, then change one thing
after another. What you are trying to do works with the default
configuration shipped with Freeradius.

Olivier


Re: captive portal auth with freeradius

2013-04-17 Thread Olivier Beytrison
On 17.04.2013 15:37, Chitrang Srivastava wrote:
 Thanks , I am trying to MSCHAPv2 (TTLS or PEAP ) or GTC with LDAP

MSCHAPv2 with EAP-TTLS or PEAP will NOT work with LDAP, as explained
almost everywhere, and especially here:
http://deployingradius.com/documents/protocols/compatibility.html

You need a cleartext password or a NT_Hash to authenticate with MSCHAPv2.

Only EAP-GTC will work with LDAP if I'm not mistaken.

And by the way, your debug output shows a request using PAP. PAP and EAP
are two completely different things, with different requirements.

 I see that rlm_ldap.c will set Auth-Type as ldap based on set_auth_type
 =yes and 3 other flags,
 tried but it didn't worked ,
 I will try from scratch

This won't change that you can't authenticate with EAP-TTLS/PEAP and
MSCHAPv2 against a LDAP directory. (Well, except if you're using Novell
eDirectory with the Central Password management, but that's another story).

Olivier


Re: don't wait rlm_sql response

2013-04-01 Thread Olivier Beytrison
On 2 avr. 2013, at 04:13, Mitsuhiro Nakamura nakam...@1pacific.ddo.jp wrote:

 
 Alan,
 
 Thank you.
 Our database has some problem and the response is slow.
 Since the problem itself seems to take long time to fix it, we wanted to
 avoid it.

Look at the decoupled accounting virtual server example. 

Olivier


Re: Mode debug

2013-03-28 Thread Olivier Beytrison
On 28.03.2013 09:27, Billot wrote:
 How can we have such detail logs in running mode ?

You can enable debugging while the server is running with radmin
(you need to enable the control-socket virtual server):

radmin debug level 4
radmin debug file my-radius-debug.log

the file will be in your ${logdir}

Olivier


Re: Re : Re: Mode debug

2013-03-28 Thread Olivier Beytrison
On 28.03.2013 10:31, Billot wrote:
 Ok thanks but is it possible to have it permanently with a config item like 
 
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct
 debug_level = 4
 

Edit your startup script and add -xl /path/to/my/debugfile.
Add more x for more debugging.
Be aware that this file will grow quickly depending on the amount of
requests your server handles.

Olivier


Re: compile error

2013-03-28 Thread Olivier Beytrison
On 28.03.2013 10:48, Igor Smitran wrote:
 I am not able to compile from git. It ends with error:
 
 version.c:71: warning: no previous prototype for 'ssl_version_check'
 version.c: In function 'ssl_version':
 version.c:78: error: expected ';' before '}' token
 gmake[4]: *** [version.lo] Error 1
 gmake[4]: Leaving directory
 `/usr/src/freeradius-git-2.x.x/freeradius-server/src/main'
 gmake[3]: *** [main] Error 2
 gmake[3]: Leaving directory
 `/usr/src/freeradius-git-2.x.x/freeradius-server/src'
 gmake[2]: *** [all] Error 2
 gmake[2]: Leaving directory
 `/usr/src/freeradius-git-2.x.x/freeradius-server/src'
 gmake[1]: *** [src] Error 2
 gmake[1]: Leaving directory
 `/usr/src/freeradius-git-2.x.x/freeradius-server'
 make: *** [all] Error 2

Nice catch. Sent a pull request to fix this. In the meantime you can
simply add a ; at the end of line 78 in src/main/version.c

BTW, are you aware that you are compiling FreeRADIUS without SSL
support? This means no EAP, no TLS, etc.

You should first install the OpenSSL development files before compiling
FreeRADIUS.

Olivier


Re: How can I change proxy based on username?

2013-03-26 Thread Olivier Beytrison
On 26.03.2013 13:50, John Horne wrote:
 Hello,
 
 Using Freeradius 2.1.10 I have been trying to see if I can proxy a
 request to a remote server but using a different User-Name attribute
 based on the original request User-Name attribute.
 
 For example so that:
 Request 'j.blo...@plymouth.ac.uk' gets proxied to remote server with
 User-Name=j.blo...@plymouth.ac.uk in the proxy request.
 Request 'jblo...@plymouth.ac.uk' gets proxied to the same remote server
 but uses the User-Name=jbloggs attribute (so no realm) in the proxy
 request.
 
 So basically if a username contains a dot, then proxy on the whole thing
 (username and realm). But if the username does not contain a dot, then
 only proxy on the username, no realm.
 
 I have been trying in the authorize section to use:
 
 =
 if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
 if (User-Name =~ /^([^.]+)@/) {
 update control {
 Proxy-To-Realm := NULL
 }
 }
 }
 =
 
 The NULL realm will 'strip' the username, and proxy the request to the
 remote server. However, testing shows that the User-Name being sent is
 the original one still with the realm:

If the NULL realm is set to strip, then the stripped user name will be
stored in the attribute Stripped-User-Name. User-Name will remain
untouched.

After your update control, you can do:
update request {
    User-Name := "%{Stripped-User-Name:-%{User-Name}}"
}

You could also use the preproxy_users file, which allows you to rewrite the
request before it is proxied. It contains the exact example for your case.

Olivier


Re: Getting clients from a mysql table

2013-03-26 Thread Olivier Beytrison
On 26.03.2013 13:52, Peter Kaagman wrote:
 

 Try adding the SQL module to the instantiate section of radiusd.conf


 From the radiusd -X output:
 including configuration file /etc/raddb/modules-enabled/logintime
 including configuration file /etc/raddb/eap.conf
 including configuration file /etc/raddb/sql.conf

 
 Not sure what you mean by that... to me it looks like sql.conf is loaded
Yes the configuration file is loaded.

But it seems that you do not use the sql module anywhere within your
virtual server. If you look at your debug output, you won't find a
"Module: Instantiating module sql".

If you don't call sql within your virtual server and want to use it
only to load your NASes, then add sql to the instantiate {} section in
radiusd.conf.

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius.log on DB

2013-03-25 Thread Olivier Beytrison
On 25.03.2013 09:26, AemNet wrote:
 Hi everybody
 
 Is there any way to log the requests for the radius in a DB like MySQL? In
 other words, is it possible to put the radius.log entries in a DB without using
 the local system syslog daemon?

This is not possible directly from freeradius.

What you can do is tell FreeRADIUS to log to your syslog daemon (like
syslog-ng) and then tell syslog-ng to write the log within an INSERT
statement for your database. Then you can send this to your database.

Those two links might help you:
http://wiki.freeradius.org/guide/Syslog-HOWTO
http://vermeer.org/docs/1

But this is beyond the scope of the freeradius list.

Olivier
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius.log on DB

2013-03-25 Thread Olivier Beytrison
On 25.03.2013 11:45, AemNet wrote:
 Thank you for the answer and for the links Olivier, but I prefer not to
 use the syslog system if possible.
 Do you think it's possible instead to use a script (perl/bash/anything
 else) after the request arrives and put it in a DB?

You could make a perl script which pipes the freeradius log file and then
inserts the text into a DB. But again, that's beyond the scope of this
list. Freeradius doesn't offer the ability to put the log file into a DB.

Olivier B.
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap connection status

2013-03-25 Thread Olivier Beytrison

On 25.03.2013 13:00, Chitrang Srivastava wrote:

I am trying to do similar but radius is giving error
  group {
 redundant {
 ldap_primary
 fail = return  -*Entry with no value is
invalid*
 }
 if(fail){
 files_local
 }
 else {
 files
 }
 }

Why could this be?


You have only one ldap instance. You don't need the redundant block:

authorize {

    # usual authorize stuff: preprocess, suffix, etc.

    ldap_primary {
        fail = return
    }
    if (fail) {
        files_local
    }
    else {
        files
    }
}

This *should* work.

Olivier
--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Olivier Beytrison
On 18.03.2013 16:48, Danny Kurniawan wrote:
 Hi All,
 
 So I have been able to authenticate my wireless users using 802.1x + LDAP
 + MAC address (using the CallingStationID attribute). So now, for example,
 when user A has MAC 11:22:33 but tries to login using another device
 there will be a pop up window when they try to connect - just a plain
 error popup saying Unable to connect. Is there any way we can
 customize this error from radius? Or should it be done from the wireless AP?
 
 So below is the unlang code that I use to check whether the user has a
 set of MAC addresses in their ldap profile or not:
 if(!control:Calling-Station-Id){
 reject
 }
 
 Is it possible to have that reject command return some code that the Windows
 client can understand, like No MAC address etc?
 
 Thanks in advance
 Danny

You could send back a Reply-Message.

But it is forbidden if you are doing EAP.

And anyway, Micro$oft is not paying attention to it and will disregard it.

So no, you can't send a message to the user.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap connection status

2013-03-15 Thread Olivier Beytrison
On 15.03.2013 12:08, Chitrang Srivastava wrote:
 Hi,
 
 I want to do something like this in *authorize* section
 

ldap {
   fail = return
}
if(fail) {
   files_local
}
else {
   files
}

something like that should work. The ldap module will fail if the
servers are unreachable.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to use checkval

2013-03-14 Thread Olivier Beytrison
On 14.03.2013 07:28, Danny Kurniawan wrote:
 Thanks a lot for your reply.
 
 Yes i got it working. However one more question :
 
 what is the operator used to check if the value is empty ?
 
 if(control:Calling-Station-Id == ){
 reject
 }

if(!control:Calling-Station-Id) {
    reject
}

This will be true if the attribute doesn't exist.

And btw, on your previous messages:

if (control:Calling-Station-Id != %{Calling-Station-Id})
last  is misplaced
if (control:Calling-Station-Id != %{Calling-Station-Id})

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: post-auth not being entered in inner-tunnel

2013-03-13 Thread Olivier Beytrison
On 13.03.2013 12:46, Alex Sharaz wrote:
 Hi,
 
 I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel 
 post-auth in order to write user-name  some other attributes into a back end 
 mysql database server  and it all works. If I've got non-eap requests coming 
 in , the default site deals with it. If I've got eap-based requests coming 
 in the inner-tunnel deals with them. About a week ago I downloaded the latest 
 2.2 code from git.freeradius, built that and upgraded one of my FR2.2 
 servers. Since then  I can't see an invocation of post-auth within the 
 inner-tunnel. I can see it for the default site but not the inner-tunnel. 
 Everything else seems to work but not that. Same hardware platform, same 
 config files just different  FR code.
 
 I've generated two radius -X dumps, vsn220.log and vsn221.log on my test 
 server. The only raw client accessing this server is the switch my mac is 
 sitting on  configured to do macauth and 802.1x on my ethernet port. By 
 simply disconnecting and reconnecting my mac I've generated a macauth 
 followed by an 802.1x auth. In both files you can see post-auth being invoked 
 for the default site. but only the vsn220.log file has a corresponding 
 post-auth for the inner-tunnel.
 
 It may be  that there's something else I've configured wrong that is only 
 showing up in van 2.2.1 (ish). Should I be sending these traces to the free 
 radius list or is there another address I can email them to

Sounds weird. But again, hard to tell without a radius -X output. Just
send it here on the list: a complete request output, and maybe the
relevant virtual-server configuration snippet.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 17:05, Staffan Meijer wrote:
 Listening on authentication interface eth0 address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on authentication address 127.0.0.1 port 18120 as server 
 inner-tunnel
 Listening on proxy address * port 1814

freeradius is listening on eth0 port 1812, not on all interfaces. So
sending packets to localhost won't work.

netstat -puln | grep radius will show exactly where freeradius is
really listening.

Fix your listen section and it should work.

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 18:08, Staffan Meijer wrote:
 I uncommented the eth0 line in the configuration file when radtest did
 not work with the original.
 
 Using the original configuration file I get;
 Listening on authentication address * port 1812
 
 and 
 
 linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
 radclient:: Failed to find IP address for linux-vdis.site
 radclient: Nothing to send.

Your server's name resolution configuration is wrong somewhere.
If you replace localhost by 127.0.0.1 it should work.

Fix your /etc/hosts, but this is beyond the scope of this list.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Old message abou LDAP

2013-03-11 Thread Olivier Beytrison
On 11.03.2013 17:14, Andres Septer wrote:
 When one searches google for freeradius and ldap groups there are a LOT
 of messages that all point to this message. Freeradius and LDAP groups,
 how to make it work:
 
 http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
 
 Unfortunately this old archive is unavailable. 404
 Is there any other good howto about freeradius + LDAP + groups -- how to
 make them work together?
Everything is in the wiki:
http://wiki.freeradius.org/modules/Rlm_ldap#Group-Support


-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Child is hung for request … message

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 11:32, Alex Sharaz wrote:

Hi,
I've just downloaded, compiled and installed the latest version of 2.2 (2.2.1?)
from git.freeradius.org.

Installed it on an internal server and things seemed to work o.k. I then
upgraded another server that deals with our external (eduroam) connectivity
and within a few mins am seeing
The server is basically proxying off auth requests to remote RADIUS servers. Is
the above just telling me that the other end is taking a while to reply or is
there some underlying issue?


Without a debug output it's hard to tell. Please send freeradius -X output.

Olivier
--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 07:57, Iftakhul Anwar wrote:

HI All,

I just installed free radius server using apt-get on my ubuntu machine.
Now i want to configure jradius on my freeradius server.

I follow step by step from http://coova.org/JRadius/FreeRADIUS.


Are you sure? By default rlm_jradius is not compiled because it is
considered experimental. So you have either to add
--with-experimental-modules=yes or, as explained on the link above, to add
rlm_jradius to src/modules/stable.


Now if the module failed to compile (check the compilation process) then
it won't be installed on your system. You should have an rlm_jradius.so
file where your freeradius libraries are installed.


Olivier
--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 16:56, Iftakhul Anwar wrote:
 Actually I installed freeradius from apt-get,
 
 But I tried to configure jradius following the tutorial from
 http://coova.org/JRadius/FreeRADIUS
 
 How can I add this module to the radius server if I am using apt-get?
You can't. You have to compile it. Experimental modules are usually not
available in binary distributions.

Either compile it by hand and install it, or build your own debian packages.

Follow http://wiki.freeradius.org/building/Build

and remember to either add --with-experimental-modules=yes or add
rlm_jradius to src/modules/stable.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PHP MD5 with appended salt

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 17:15, René Klomp wrote:
  xlat are placeholders in strings, usually used for substituting attribute
 values, for example:
 Is there a better way to solve the loading of the sql module?
 If I do not include the else section, the %{sql:...} does not work. But if I
 place it outside the else, or when the user enters the wrong password, the
 database is queried twice.
 

In radiusd.conf, there's an instantiate {} section where you can put sql.

Olivier B.

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authorization

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 22:06, Matthew Ceroni wrote:

Alan:

Yes, that works when run through ldapsearch.

I was able to get the attribute checking working (added to dictionary,
then ldap.attrmap) so I can now reject based on the value of an
attribute. Thanks for the input on that.

However, if the user isn't found in LDAP (Active Directory), how do I
get it to outright reject the user? I can't do attribute checking (tried
that and checking for an empty value, but got attribute was not found).
Right now if the user isn't found in LDAP it happily goes to
authentication (which for testing purposes right now is just using the
users file).


authorize {
    ldap
    if (notfound) {
        reject
    }
}

Olivier

--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.2.0 memory leak issue.

2013-03-06 Thread Olivier Beytrison
On 06.03.2013 11:43, kao quadrantx wrote:
 Hi,
 
 I tried to test with the latest version of freeradius in git 2.x.x and
 still get the same behavior.
 Seems the envp variable in the radius_exec_program function (exec.c) is not cleaned?
 
To help the developers identify the bug, could you follow the
documentation in doc/bugs [1]? Also provide a freeradius -X output, and
the relevant configuration part of your virtual server(s).

Olivier

[1] https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/bugs
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PHP MD5 with appended salt

2013-03-06 Thread Olivier Beytrison

On 06.03.2013 17:29, René Klomp wrote:


Hi all,

I am trying to connect my freeradius server to a mysql database containing all
users. I created a new view to represent the table structure needed by
freeradius, but I have a problem with validating the passwords.

The passwords of my users are (from a PHP application) concatenated with a 
salt, which is the same for all passwords, and stored using the regular php md5 
function: md5($userpass . ':' . $salt)


How can I make freeradius append this salt to the password as well and
validate the password in the correct way? Is there a default way to do this? Or
should I create a module to do this?

First question: how are your users identifying with freeradius? PAP?
CHAP? MSCHAP? EAP?


If the password is sent in clear by the user, you could use the md5 xlat
function and then compare with the value in your database.


Olivier
--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: design question

2013-03-04 Thread Olivier Beytrison

On 04.03.2013 21:56, Matt Zagrabelny wrote:

Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (ie. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.


You can use the same listen ports, but group clients (which means NASes) in
two groups, and assign a specific virtual server to each group, with
different policy, database lookup and such.




I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.


Beware that there are some known bugs in 2.1.10 as well as some security
flaws. You should go with the latest 2.2.X git branch.



Olivier


--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: design question

2013-03-04 Thread Olivier Beytrison

On 04.03.2013 22:17, Olivier Beytrison wrote:

On 04.03.2013 21:56, Matt Zagrabelny wrote:

Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (ie. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.


You can use the same listen ports, but group clients (which means NASes) in
two groups, and assign a specific virtual server to each group, with
different policy, database lookup and such.


Just to add, I think you should define a virtual server with a default
virtual_server in the listen {} section, then for your specific NAS that
needs a special policy/authn, simply specify a different virtual_server in
the client {} section.


I also wanted to add that you'll find all the information you need here 
http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail 
client sent the mail instead of pasting the link) :)


Olivier

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation Fault after authorize - 2.1.12+dfsg-1.2 Debian

2013-02-26 Thread Olivier Beytrison
On 27.02.2013 02:59, Jennifer Mehl wrote:
 Hello,
 
 I just updated to Debian wheezy 7.0, kernel 3.2.0-4-amd64, and the 
 accompanying freeradius-2.1.12+dfsg-1.2.  (Previously using Debian squeeze 
 6.0 and freeradius 2.1.10+dfsg-2+squeeze1.)

There's a known bug in 2.1.*. You should really upgrade to 2.2.X.
You can build your own debian package from source:
http://wiki.freeradius.org/building/Build#Building-Debian-packages

 After the OS update and FreeRADIUS updates, freeradius is now seg faulting 
 after trying to process the authorize section when a wireless client attempts 
 to connect via EAP-PEAP (MSCHAPv2).  (None of the free radius configuration 
 files have changed).

See doc/bugs to report a segfault.

Olivier B.
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Server exits without warning on radtest‏

2013-02-22 Thread Olivier Beytrison

On 22.02.2013 09:30, Adrien Morvan wrote:

Hello


I'm facing a problem with the server.
I set it up and tested it with a basic radtest and it exits without warning
or error message.
The last line is
Thu Feb 21 08:33:14 2013 : Info: +- entering group authorize {...}

So I guessed there was a problem in the very beginning of authorize, as
the preprocess module doesn't output anything.
But I couldn't find anything weird in the first lines:

authorize {

 #  The preprocess module takes care of sanitizing some bizarre
 #  attributes in the request, and turning them into attributes
 #  which are more standard.
 #
 #  It takes care of processing the 'raddb/hints' and the
 #  'raddb/huntgroups' files.
 preprocess


I didn't do big changes in the configuration files, I only uncommented
the sql related lines and set the SQL server info.
Do you have an idea of the origin of the problem?

Weird indeed. What version are you running on which OS? (Don't strip the
beginning of the debug output, it gives at least the FreeRADIUS version.)


And try to run it within gdb. See doc/bugs.

Olivier

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Olivier Beytrison
On 21.02.2013 10:15, Danny Kurniawan wrote:
 In Radius 1.x - SLES 10 when I run radiusd -X, I don't see the user
 password (which is good). But in Radius 2.1.1 I can see it clearly...
 How can I eliminate this cleartext password being shown there? I'm new
 to this authentication method or eap_mschap protocol, so please bear
 with me :)
 
 /[peap] Got tunnled request
 EAP-Message = 0x020a00061a03
 server (null) {
   PEAP: Setting User-Name to sdholakia2
 Sending tunneled request
 EAP-Message = 0x020a00061a03
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = sdholakia2
 State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
 server inner-tunnel {
 +- entering group authorize {...}
 ++[chap] returns noop
 ++[control] returns noop
 ++[mschap] returns noop
 ++[unix] returns notfound
 ++[control] returns notfound
 [eap] EAP packet type response id 10 length 6
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 [ldap] performing user authorization for sdholakia2
 [ldap]  expand: (uid=%u) - (uid=sdholakia2)
 [ldap]  expand: ou=Active,ou=Users,o=FSID - ou=Active,ou=Users,o=FSID
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter
 (uid=sdhoakia2)
 [ldap] Added the eDirectory password Test in check items as
 Cleartext-Passwrd
 [ldap] looking for check items in directory.../

That's how it has been hard-coded in FR2.X and FR3. It is indeed
arguable. For debugging eDirectory integration, it's quite nice. But you
really have to restrict access to the freeradius server, so no one can
start it with -X or run radmin debug.

We could by default not output the password, and if you really need to
see it, just echo control:Cleartext-Password after ldap.authorize.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Load Balancing

2013-02-13 Thread Olivier Beytrison
On 13.02.2013 09:03, Muhammad Nadeem wrote:
 thanx john:
 yes I can run many instances of radclient. But I want one instance of
 radclient that can send parallel requests to the radius server.
 
Simply use
echo "User-Name=001AAD3F8165, NAS-IP-Address=10.192.100.4" | radclient -p 100 -c 1 192.168.0.102 auth testing123 -x

man radclient
   -c count
  Send each packet count times.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Load Balancing

2013-02-13 Thread Olivier Beytrison
On 13.02.2013 09:38, Muhammad Nadeem wrote:
 I used -c 1 and omitted -p; the result was the same. 1 users were
 authenticated in 23 seconds :). So I think there is no difference in using -p
 and -c together?? Am I right??
 
Well yeah, -p works only with a file (-f).

So, feed your request multiple times into a file:
for d in {1..1} ; do echo -e "User-Name=001AAD3F8165\nNAS-IP-Address=10.192.100.4\n" >> rad-requests.txt ; done

(there needs to be an empty line between requests, hence the extra \n at
the end)

Send the requests, 100 at a time, and repeat 10 times:

radclient -c 10 -p 100 -f rad-requests.txt server:port auth secret

Tested it here and it works very well.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Load Balancing

2013-02-13 Thread Olivier Beytrison
On 13.02.2013 11:45, Muhammad Nadeem wrote:
 ok, I followed your process. I made a file with the User-Name and
 NAS-IP-Address attributes and issued the following command:
 radclient -c 10 -p 1000 -f radrequest.txt 192.168.0.112 auth testing123
 But I only receive 10 access-accept packets. So what does it mean?? If
 the above command issues 1000 requests 10 times, there should be 1
 access-accept packets?? So please tell me where things are going wrong :(

This means your text file contains only one packet. Check the content of
radrequest.txt: there should be 30002 lines ... and each packet should
be separated by a blank line.

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
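The request-file procedure from the earlier reply and the packet-count check from this one, as an added shell example that is not part of the thread: it writes the blank-line-separated input file, counts the packets the way radclient will split them, and flags a file whose separator lines are missing (the symptom above). The attribute values are the constructed ones from the thread; the server, port, secret, file name and the radclient wrapper are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build and verify a radclient
# input file before sending it with -p/-c. The attribute values below are the
# constructed ones used in the thread; server, port and secret are placeholders.

# gen_requests N FILE : write N identical Access-Request blocks to FILE.
# Each block is two attribute lines followed by an empty line; the empty line
# is what radclient uses to separate packets in a -f file.
gen_requests() {
    n="$1"
    out="$2"
    : > "$out"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf 'User-Name=001AAD3F8165\nNAS-IP-Address=10.192.100.4\n\n' >> "$out"
        i=$((i + 1))
    done
}

# count_packets FILE : number of blank-line-separated packets in FILE.
# awk paragraph mode (RS="") treats each run of blank lines as a separator,
# so a file with no blank lines collapses to a single packet.
count_packets() {
    awk 'BEGIN { RS = "" } END { print NR + 0 }' "$1"
}

# count_lines FILE : raw line count, to compare against packets * 3.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# check_file FILE EXPECTED : return 1 with a message on stderr if FILE does
# not parse into EXPECTED packets (typically: the separator lines are missing).
check_file() {
    got=$(count_packets "$1")
    if [ "$got" -ne "$2" ]; then
        echo "expected $2 packets, file holds $got (missing blank separators?)" >&2
        return 1
    fi
    return 0
}

# send_requests FILE SERVER:PORT SECRET : send FILE with radclient, PARALLEL
# packets in flight at once (-p), repeated COUNT times (-c). Not invoked here;
# it assumes radclient is installed and a test server is reachable.
send_requests() {
    radclient -c "${COUNT:-10}" -p "${PARALLEL:-100}" -f "$1" "$2" auth "$3"
}

# Typical run (placeholders): build 10000 requests, verify, then send them.
# gen_requests 10000 rad-requests.txt && check_file rad-requests.txt 10000 \
#   && send_requests rad-requests.txt server:port secret
```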


Re: anonymous user when proxying

2013-02-13 Thread Olivier Beytrison
On 13.02.2013 15:46, Hocine M wrote:
 Hi,
 
 Some users who are proxied (eduroam) are accounted with username =
 anonymous@realm
 I don't want to have anonymous users in my database. Do I have to reject
 anonymous users in the post-proxy section, or is there something to do to
 force users to use the inner identity?
 

If this is a remote user connected within your institution, and the home
radius does NOT copy the inner identity to the outer tunnel, then you
won't be able to know the real username of the user.

You *could* reject users with an outer identity of anonymous@realm or
just @realm, but you would not be eduroam-compliant anymore.

For reference: https://confluence.terena.org/display/H2eduroam/eduroam+IdP
second section, Anonymous outer identities

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quick question about RFC 3579 2.6.5

2013-01-26 Thread Olivier Beytrison

On 25.01.2013 12:10, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a
Reply-Message. I understand the point on this based on the RFC.


check RFC 5080 - which updates that RFC. However, your reply message is
not going on as part of the EAP conversation: you are sending the reply
message to the outer-tunnel as part of the reject, not within the inner-tunnel
EAP session, so there shouldn't be any EAP message around (but hey, who knows?
! ;-) )


Well, there's an EAP-Message in the Access-Reject with code 0x04 for the
failure ;)



don't worry too much - some RADIUS servers break all the specs with regards to
the contents of some packets...at least FreeRADIUS gives you the chance to behave
(I assume you are running the attr filter on access requests to keep the
contents legal? ;-) )


Yeah, I do filter everything that comes from the NAS and from outside of my
eduroam realm. You can't trust people :p I only allow
WISPr-Location-Info, as this is starting to be widely used in Switzerland when
users are roaming :)


Olivier

--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quick question about RFC 3579 2.6.5

2013-01-26 Thread Olivier Beytrison

On 26.01.2013 18:55, Alan Buxey wrote:

Really? Hmm, the rest of eduroam are using operator-name. Will check
about the prevalence of the WISPr attribute.


Well yeah, this would make more sense indeed. The use of WISPr is slowly
growing, but I might push the use of operator-name as it seems indeed
better suited.


Thanks for the information!

Olivier

--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Filter and attribute

2013-01-24 Thread Olivier Beytrison
On 24.01.2013 14:26, Emmanuel BILLOT wrote:
 I guess it is %{Realm} ?

This will contain the realm, yeah.

But why do you want to do %{Stripped-User-Name}@%{Realm} when it is the
same as %{User-Name}?


-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Filter and attribute

2013-01-24 Thread Olivier Beytrison
On 24.01.2013 14:03, Emmanuel BILLOT wrote:
 Hi,
 
 In LDAP config module, we can find
 
 filter =
 (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))
 
 
 
 Users authenticate in freeradius with login like pierre.dupont@12345678

Then this will be in User-Name, unless you manipulated it
(which you should never do, btw).

 We want to use both parts of adress in LDAP filter.
 
 pierre.dupont is %{User-Name}

Then your user is logging in with pierre.dupont and not
pierre.dupont@123456.

 what should be the name of the variable for 12345678 ?

Use %{User-Name}.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Filter and attribute

2013-01-24 Thread Olivier Beytrison
On 24.01.2013 14:34, Emmanuel BILLOT wrote:
 On 24/01/2013 14:03, Emmanuel BILLOT wrote:
 Hi,

 In LDAP config module, we can find

 filter =
 (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))



 Users authenticate in freeradius with login like pierre.dupont@12345678

 We want to use both parts of adress in LDAP filter.

 pierre.dupont is %{User-Name}

 what should be the name of the variable for 12345678 ?


 Ok, %{Realm} seems to work; however, is there any way to force uppercase on it?
 
%{toupper:%{realm}} ?

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Quick question about RFC 3579 2.6.5

2013-01-24 Thread Olivier Beytrison

Hi,

Well, RFC 3579 2.6.5 says: If EAP-Message, then there MUST not be a
Reply-Message. I understand the point on this based on the RFC.

In my case (remember the eduroam design thread from a while back), I
have several local Radius servers which proxy all requests to my central
radius, which in turn performs the authn+z for the users, or forwards the
request to the top level radius if the user does not belong to our
organization (eduroam stuff, nothing new so far).

So, I would like, in case of Access-Reject of OUR users, logging in OUR
schools, to send back a Reply-Message to the local radius in the outer
reply, so the local admin knows why their user has been rejected. This
would be logged and then stripped before the reply reaches the NAS.
If it's an external user in our network, or one of our users but in an
external network, then I won't add the Reply-Message.

Would this still be illegal, and would I end up in jail? ;)

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius as DHCP server (static IP + some options)

2013-01-22 Thread Olivier Beytrison

On 22.01.2013 22:58, Leo Combes wrote:


   Can you follow doc/bugs?  It will tell you how to post more debugging
information so we can see exactly where it's going wrong.


I don't know how to do that. Any link on how to do it?


/usr/share/doc/freeradius/bugs

or

https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/bugs

Olivier
--
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: help with proxy settings for EDUROAM

2013-01-21 Thread Olivier Beytrison
On 21.01.2013 16:39, Hocine M wrote:
 Hello,
 
 Could anyone help me?
 
 I'm trying to set up freeradius 2.1.12 for eduroam.
 The local auth works well, but the proxy part does not.

First you should have a look at
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-FreeRADIUS
where you have a complete and extensive example of how to configure FR
for eduroam.

 Sending Access-Request of id 243 to 193.51.224.109 port 1812
 NAS-Port-Id = AP42/1
 Calling-Station-Id = 74-2F-68-ED-12-1C
 Called-Station-Id = 00-0B-0E-94-89-40:eduroam
 Service-Type = Framed-User
 EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
 User-Name = hidden
 NAS-Port = 57286
 NAS-Port-Type = Wireless-802.11
 NAS-IP-Address = 192.168.58.5
 NAS-Identifier = Trapeze
 Message-Authenticator = 0x
 Proxy-State = 0x3436
 Mon Jan 21 15:29:56 2013 : Debug: Waking up in 4.0 seconds.
 Mon Jan 21 15:30:00 2013 : Info: Cleaning up request 228 ID 46 with
 timestamp +1976
 Mon Jan 21 15:30:00 2013 : Proxy: Marking home server 193.51.224.109
 port 1812 as zombie (it looks like it is dead).

Seems your FLTR eduroam server is not replying to your request. Check
that you have the correct secret, that they configured the correct IP,
and that your firewall is open (be careful, because the proxied packet is
usually sent from port 1814).

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Session-Timeout

2013-01-18 Thread Olivier Beytrison
On 18.01.2013 12:26, Emmanuel BILLOT wrote:
 Hi,
 
 We want to force Session-Timeout for all our users. Authorization and
 authentication are made by LDAP.
 Is it possible to add Session-Timeout in a file or config file to apply
 it to all our users ?
Add the following at the beginning of the users file:

DEFAULT
    Session-Timeout := 

and be sure to call the files module in authorize.

OR

in authorize, add

update reply {
    Session-Timeout := 
}


Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: how to call stored procedure with output varaibles in free-radius

2013-01-15 Thread Olivier Beytrison
On 15.01.2013 13:24, Arran Cudbard-Bell wrote:
 
 Jees, we really need to move to a new listserv, this latency is getting 
 ridiculous. Posts on the educause lists are pretty much instantaneous, but 
 these seem to get delayed randomly for 30 mins or more.
 
 Does anyone else experience that?

Me, all the time, and yeah, it's a pain.
Sometimes I reply to a mail, then watch the online archives to see the
answers to my mail before it arrives in my inbox...

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: AP FR LDAP authentication reject

2012-12-28 Thread Olivier Beytrison
On 28.12.2012 09:38, Thanakorn Rattanatikul wrote:
 Still unable to connect.
 Do you have any configuration files for connecting with LDAP from AP
 FR LDAP?   I tried every way but nothing works.

Send the full output of freeradius -X


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: AP FR LDAP authentication reject

2012-12-27 Thread Olivier Beytrison
On 28.12.2012 06:17, Thanakorn Rattanatikul wrote:
 I'm trying to setup the server to authenticate using LDAP. I'm having
 some problem and hope to get some help from the list.
 
 I'm trying to setup AP-FR-LDAP. FreeRadius is new installation on
 CentOS. LDAP is Sun Java System Directory Server.
 I'm trying radtest -> FR -> LDAP, which passes, but AP -> FR -> LDAP does not pass.
It works with radtest because it does PAP. The password is sent in
cleartext in the request. FreeRADIUS can then bind to the LDAP with the
user/password supplied to authenticate the user.

With your Access Point, you're doing EAP-PEAP with MSCHAPv2, which means
you need the cleartext password or an NT/LM-Password in your backend, or
via ntlm_auth. If FreeRADIUS doesn't have them, it can't do the
challenge/response. You have plenty of warnings that this will happen...

 [ldap] expand: ou=guest,dc=ku,dc=ac,dc=th - ou=guest,dc=ku,dc=ac,dc=th
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to 158.108.8.214:389, authentication 0
   [ldap] bind as uid=thanakorn,ou=guest,dc=ku,dc=ac,dc=th/testtest to
 158.108.8.214:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in ou=guest,dc=ku,dc=ac,dc=th, with filter
 (uid=sun)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
See here ?
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
Or Here ?
 [pap] WARNING! No known good password found
 for the user.  Authentication may fail because of this.
 ++[pap] returns noop
And those ?
 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Creating challenge hash with username: sun
 [mschap] Told to do MS-CHAPv2 for sun wit! h NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
And here again ...
 [peap]  The users session was previously rejected: returning reject (again.)
 [peap]  *** This means you need to read the PREVIOUS messages in the
 debug output
 [peap]  *** to find out the reason why the user was rejected.
 [peap]  *** Look for reject or fail.  Those earlier messages will
 tell you.
 [peap]  *** what went wrong, and how to fix the problem.
 [eap] Handler failed in EAP/peap
 [eap] Failed in EAP select
 ++[eap] returns invalid

In the default LDAP configuration file, it's clearly stated that :

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#  This means that LDAP servers don't understand EAP.  If you
#  force Auth-Type = LDAP, and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.

You need either the clear-text password in your LDAP, to store the user
password in the users file, or another way of getting the password
(SQL database, ntlm_auth to Active Directory).

Read the comments in the default configuration, and look for warnings and
errors in the debug output. It tells you what goes wrong, and what you
should do. In your case: provide a Cleartext-Password.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: AP FR LDAP authentication reject

2012-12-27 Thread Olivier Beytrison
On 28.12.2012 08:39, Thanakorn Rattanatikul wrote:
 In the LDAP server, for user sun, the password is stored in clear-text in this test
So if you have a clear-text password in the LDAP, use the ldap
attribute map to add it to the control list. Looking at the logs I guess
you are running version 2.x, so you should have a file called
/etc/raddb/ldap.attrmap; add a line with

checkitem   Cleartext-Password  your-ldap-attribute

And reference ldap.attrmap in the ldap module (if not already done)

dictionary_mapping = ${confdir}/ldap.attrmap

And finally you need to ensure that the user defined in the ldap module
(identity) has sufficient rights in the LDAP to retrieve the attribute
containing the clear-text password.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


ldap eDir support in master branch

2012-12-06 Thread Olivier Beytrison
Hi,

Now that I have my packages, I've started deploying FR3 for our eduroam
federation.

And I just saw that the eDir support is gone. Now my question is:
1. is it abandoned?
2. is it not yet ported to the new rlm_ldap code?

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: ldap eDir support in master branch

2012-12-06 Thread Olivier Beytrison
On 06.12.2012 17:45, Olivier Beytrison wrote:
 Hi,
 
 Now that I have my packages, I've started deploying FR3 for our eduroam
 federation.
 
 And I just saw that the eDir support is gone. Now my question is:
 1. is it abandoned?
 2. is it not yet ported to the new rlm_ldap code?

Never mind my question, I just saw AlanD's message on the devel list.

Well, looks like I'll go nowhere whilst eDir support is not present :/

I might try to port at least the authentication against the central
password to the new module; this is all I need.

And if someone needs it, I can provide a working eDirectory server for
testing purposes.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Ubuntu package from Master branch

2012-12-05 Thread Olivier Beytrison
Hi there,

I'm back at work, and I'll focus again for the next few days on
getting those packages working.

After commit 2a8c11646b660b0c52eab9fa8e9e8cff3603f262, which moves
rlm_ldap to the new config-based attribute map, we need to remove
ldap.attrmap from raddb/Makefile and the corresponding debian/freeradius
files.


diff --git a/debian/freeradius.install b/debian/freeradius.install
index df66779..aba570e 100644
--- a/debian/freeradius.install
+++ b/debian/freeradius.install
@@ -8,7 +8,6 @@ etc/freeradius/clients.conf
 etc/freeradius/experimental.conf
 etc/freeradius/hints
 etc/freeradius/huntgroups
-etc/freeradius/ldap.attrmap
 etc/freeradius/mods-available/*
 etc/freeradius/mods-enabled/*
 etc/freeradius/policy.d/*
diff --git a/debian/freeradius.postinst b/debian/freeradius.postinst
index bb8b3d3..c878136 100755
--- a/debian/freeradius.postinst
+++ b/debian/freeradius.postinst
@@ -30,7 +30,6 @@ case $1 in
 /etc/freeradius/proxy.conf \
 /etc/freeradius/attrs.pre-proxy \
 /etc/freeradius/hints \
-/etc/freeradius/ldap.attrmap \
 /etc/freeradius/attrs \
 /etc/freeradius/policy.txt \
 /etc/freeradius/attrs.accounting_response \
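Review bot: dropping /etc/freeradius/ldap.attrmap from this list in postinst (and the matching entry in the prerm hunk below) stops the maintainer scripts from handling a file that earlier packages did ship, but nothing in the hunk removes an old copy, so an upgrade from a release that installed ldap.attrmap leaves the stale file in /etc/freeradius. If this list is what the scripts use to manage conffiles, keep a removal path for the obsolete file (an rm_conffile step on upgrade) rather than only deleting the entry.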
diff --git a/debian/freeradius.prerm b/debian/freeradius.prerm
index 201e142..a34c6de 100755
--- a/debian/freeradius.prerm
+++ b/debian/freeradius.prerm
@@ -16,7 +16,6 @@ case $1 in
   /etc/freeradius/proxy.conf \
   /etc/freeradius/attrs.pre-proxy \
   /etc/freeradius/hints \
-  /etc/freeradius/ldap.attrmap \
   /etc/freeradius/attrs \
   /etc/freeradius/policy.txt \
   /etc/freeradius/attrs.accounting_response \
diff --git a/raddb/Makefile b/raddb/Makefile
index a2d5eba..24de901 100644
--- a/raddb/Makefile
+++ b/raddb/Makefile
@@ -11,7 +11,7 @@ include ../Make.inc
 #
 FILES = acct_users attrs attrs.access_reject attrs.accounting_response \
attrs.pre-proxy clients.conf dictionary templates.conf  \
-   experimental.conf hints huntgroups ldap.attrmap \
+   experimental.conf hints huntgroups  \
policy.txt preproxy_users proxy.conf radiusd.conf trigger.conf  \
users attrs.access_challenge README.rst
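Review bot: the replacement line leaves a stray double space where ldap.attrmap was taken out ("experimental.conf hints huntgroups  \"); make tolerates it, but tidy it to `experimental.conf hints huntgroups \` so the FILES list stays single-spaced like its other continuation lines.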


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-23 Thread Olivier Beytrison
On 21.11.2012 14:52, Arran Cudbard-Bell wrote:
 
 On 21 Nov 2012, at 13:41, Olivier Beytrison <oliv...@heliosnet.org> wrote:
 
 Oh dear. That'd be why that's happening... 

 I have the same output. But I can't see what you saw. Is there a
 libfreeradius-eap.so missing somewhere ?
 
 Yep. Can't resolve the symbol because rlm_eap hasn't been linked against 
 libfreeradius-eap.so, apparently TGT_PREREQS both adds the prerequisite as a 
 target *and* adds it to the linker flags, rlm_eap.mk looks fine, so I'm not 
 sure why this is happening. Will have a look in a bit.

Hi Arran,

I just saw your commit 96c2216 from two hours ago. The error with
rlm_eap is gone \o/

Now it's rlm_eap_tls which whines :(

rlm_eap: Failed to link EAP-Type/tls:
/usr/lib/freeradius/rlm_eap_tls.so: undefined symbol: eaptls_success
/etc/freeradius/mods-enabled/eap[17]: Instantiation failed for module eap
/etc/freeradius/sites-enabled/default[321]: Failed to find eap in the
modules section.
/etc/freeradius/sites-enabled/default[263]: Errors parsing authenticate
section.

I'm on holiday next week but I'll keep doing my tests and report the
progress :)

Cheers
Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-22 Thread Olivier Beytrison
On 22.11.2012 08:51, Olivier Beytrison wrote:
 On 21.11.2012 17:13, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Aside this, I've been able to compile and make the packages, it
 correctly loads the configuration, but I'm back at a previous problem:
 /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to
 module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined
 symbol: eap_wireformat

   I've pushed a fix.  It was an error in the new build system.
 
 I've made a fresh clone right now from git. Tested again. Building is
 OK. FreeRADIUS still complains about rlm_eap [1]. Just to be sure I'll
 try to install the deb package on a clean system. Will report later
 about it.

Same thing on a clean system, with the Debian package or normal compilation.
Is there a way to actually see the commands used during the build
process, as with the standard build system?

nm -A build/lib/.libs/*.a | grep eap_wireformat
build/lib/.libs/libfreeradius-eap.a:eapcommon.o:0160 T
eap_wireformat
build/lib/.libs/rlm_eap.a:eap.o: U eap_wireformat

The symbols are there. Should FreeRADIUS load libfreeradius-eap before
rlm_eap? Not sure, as you manually load the module libs.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-21 Thread Olivier Beytrison
 Unable to open file /etc/freeradius/radiusd.conf: No such file or
 directory

 Uh oh? Looking at /etc/freeradius, there are only the directories and
 the symlinks, but not a single file. Great.

 When looking in the build environment, in
 debian/freeradius/etc/freeradius, all the files are present.

 During package creation, the files are correctly grabbed as per
 debian/freeradius.install

 dpkg -L lists all the files.

 dpkg is high on cocaine or what?
 
   Possibly.

Well, never mind. It was my system that was left with the package
half-installed. Purged everything and now the .deb installs correctly.

Still, there are two issues:
1. the changes made by Arran to move all the modules to boilermake break
the linking of rlm_utf8 (see [1] below)

2. there's a package dependency issue. By default
${raddbdir}/mods-available/cui.conf is in the freeradius package. This
file references ${raddbdir}/sql/mysql/cui.conf, which is part of the
freeradius-mysql package. This means that freeradius won't start if you
don't install freeradius-mysql at the same time. [2]

There's also some conflict because mods-available/sql* are present in
both the freeradius and freeradius-mysql packages. Should we not rather select
files individually in ${raddbdir}/mods-available/ instead of taking
everything (*) for the freeradius package?

My two cents

Olivier

[1] linking of rlm_utf8 broken
CC src/modules/rlm_utf8/rlm_utf8.c
LINK build/bin/rlm_utf8
/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/crt1.o: In
function `_start':
(.text+0x20): undefined reference to `main'
build/objs/src/modules/rlm_utf8/rlm_utf8.o: In function `utf8_clean':
/opt/src/freeradius/FR3/freeradius-server/src/modules/rlm_utf8/rlm_utf8.c:47:
undefined reference to `fr_utf8_char'
collect2: ld returned 1 exit status
make[1]: *** [build/bin/rlm_utf8] Error 1
make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

[2] freeradius relies on a file not present in freeradius.deb

freeradius  -X
freeradius: FreeRADIUS Version 3.0.0 (git #73bb767), for host
x86_64-pc-linux-gnu, built on Nov 20 2012 at 16:33:32
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/sql/mysql/cui.conf
Unable to open file /etc/freeradius/sql/mysql/cui.conf: No such file
or directory
Errors reading or parsing /etc/freeradius/radiusd.conf
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-21 Thread Olivier Beytrison


On 21.11.2012 12:00, Arran Cudbard-Bell wrote:
 
 On 21 Nov 2012, at 10:22, Olivier Beytrison <oliv...@heliosnet.org> wrote:
 
 Unable to open file /etc/freeradius/radiusd.conf: No such file or
 directory

 Uh oh? Looking at /etc/freeradius, there are only the directories and
 the symlinks, but not a single file. Great.

 When looking in the build environment, in
 debian/freeradius/etc/freeradius, all the files are present.

 During package creation, the files are correctly grabbed as per
 debian/freeradius.install

 dpkg -L lists all the files.

 dpkg is high on cocaine or what?

  Possibly.

 Well, never mind. It was my system that was left with the package
 half-installed. Purged everything and now the .deb installs correctly.

 Still, there are two issues:
 1. the changes made by Arran to move all the modules to boilermake break
 the linking of rlm_utf8 (see [1] below)
 
 Fixed.

thanks, works like a charm


 2. there's a package dependency issue. By default
 ${raddbdir}/mods-available/cui.conf is in the freeradius package. This
 file references ${raddbdir}/sql/mysql/cui.conf, which is part of the
 freeradius-mysql package. This means that freeradius won't start if you
 don't install freeradius-mysql at the same time. [2]

 There's also some conflict because mods-available/sql* are present in
 both the freeradius and freeradius-mysql packages. Should we not rather select
 files individually in ${raddbdir}/mods-available/ instead of taking
 everything (*) for the freeradius package?
 
 I think there should probably be a package for rlm_sql, and then individual 
 packages for the SQL drivers.

Would be nice indeed. Something to throw on the todo list ;) Or I might
do it if I find enough time. I just need to learn how to add a new
package :p

Aside from this, I've been able to compile and make the packages, it
correctly loads the configuration, but I'm back at a previous problem:
/usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to
module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined
symbol: eap_wireformat
/usr/local/freeradius/etc/raddb/sites-enabled/default[321]: Failed to
find eap in the modules section.
/usr/local/freeradius/etc/raddb/sites-enabled/default[263]: Errors
parsing authenticate section.

Just to be sure that's not due to the Debian packaging, I compiled by
hand and installed FR3 in /usr/local/freeradius, but the same thing occurs.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-21 Thread Olivier Beytrison
 There's also some conflict because mods-available/sql* are present in
 both the freeradius and freeradius-mysql packages. Should we not rather select
 files individually in ${raddbdir}/mods-available/ instead of taking
 everything (*) for the freeradius package?

 I think there should probably be a package for rlm_sql, and then individual 
 packages for the SQL drivers.

 Would be nice indeed. Something to throw on the todo list ;) Or I might
 do it if I find enough time. I just need to learn how to add a new
 package :p

 
 It's not too hard. I'll have a look at it today.

That would be nice. If you need help to test, just ask :)

 Aside this, I've been able to compile and make the packages, it
 correctly loads the configuration, but I'm back at a previous problem:
 /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to
 module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined
 symbol: eap_wireformat
 
 
 Hmm that lives in eapcommon.c and should be built as part of 
 libfreeradius-eap.a.
 
 ldd --verbose /usr/lib/freeradius/rlm_eap.so 
   linux-vdso.so.1 => (0x7fffb60e6000)
   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f7974618000)
   /lib64/ld-linux-x86-64.so.2 (0x7f7974bf8000)
 
   Version information:
   /usr/lib/freeradius/rlm_eap.so:
   libc.so.6 (GLIBC_2.14) => /lib/x86_64-linux-gnu/libc.so.6
   libc.so.6 (GLIBC_2.4) => /lib/x86_64-linux-gnu/libc.so.6
   libc.so.6 (GLIBC_2.2.5) => /lib/x86_64-linux-gnu/libc.so.6
   libc.so.6 (GLIBC_2.3.4) => /lib/x86_64-linux-gnu/libc.so.6
   /lib/x86_64-linux-gnu/libc.so.6:
   ld-linux-x86-64.so.2 (GLIBC_2.3) => /lib64/ld-linux-x86-64.so.2
   ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => 
 /lib64/ld-linux-x86-64.so.2
 
 Oh dear. That'd be why that's happening... 

I have the same output. But I can't see what you saw. Is there a
libfreeradius-eap.so missing somewhere ?

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-21 Thread Olivier Beytrison
On 21.11.2012 17:13, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Aside this, I've been able to compile and make the packages, it
 correctly loads the configuration, but I'm back at a previous problem:
 /usr/local/freeradius/etc/raddb/mods-enabled/eap[17]: Failed to link to
 module 'rlm_eap': /usr/local/freeradius/lib/rlm_eap.so: undefined
 symbol: eap_wireformat
 
   I've pushed a fix.  It was an error in the new build system.

I've made a fresh clone right now from git. Tested again. Building is
OK. FreeRADIUS still complains about rlm_eap [1]. Just to be sure I'll
try to install the deb package on a clean system. Will report later
about it.

   I've pushed a few other minor fixes.  make -j 8 now should work out
 of the box.
 
   Thanks for everyone's patience.  I think the new build system is worth
 it.  Faster, simpler to understand, incremental builds, full
 dependencies, etc.

It's alright, as long as I have working .debs for January 2013 ;)

Olivier

[1]
freeradius -X
freeradius: FreeRADIUS Version 3.0.0 (git #3857859), for host
x86_64-pc-linux-gnu, built on Nov 22 2012 at 08:25:13
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
[snip]
/etc/freeradius/mods-enabled/eap[17]: Failed to link to module
'rlm_eap': /usr/lib/freeradius/rlm_eap.so: undefined symbol: eap_wireformat
/etc/freeradius/sites-enabled/default[321]: Failed to find eap in the
modules section.
/etc/freeradius/sites-enabled/default[263]: Errors parsing authenticate
section.
[Inferior 1 (process 29086) exited with code 01]
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison
 Now the service starts and begins loading the configuration, but fails at
 rlm_eap. freeradius -X output below
 
 The Debian package doesn't include libfreeradius-eap.so. Maybe add
 it to the libfreeradius package
 
 diff --git a/debian/libfreeradius3.install b/debian/libfreeradius3.install
 index d08b127..0eb4b91 100644
 --- a/debian/libfreeradius3.install
 +++ b/debian/libfreeradius3.install
 @@ -1 +1,2 @@
  usr/lib/freeradius/libfreeradius-radius.so
 +usr/lib/freeradius/libfreeradius-eap.so
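Review bot: adding usr/lib/freeradius/libfreeradius-eap.so to libfreeradius3.install only ships the library; it does not make rlm_eap.so resolve eap_wireformat unless rlm_eap.so is actually linked against libfreeradius-eap, and the reply below reports exactly that outcome (file packaged, eap still not starting). Check the link line of rlm_eap (ldd or the LINK step in the build log) before treating this packaging change as the fix.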
 

Well, even with libfreeradius-eap.so packaged into libfreeradius3,
eap is not starting. I checked on my other systems running 2.2.10, but
built with libtool and libltdl; there rlm_eap.so is linked with
libfreeradius-eap.

It's not the case on the master branch, but I guess that's normal
because it uses FreeRADIUS's own system to load libraries.

So is it loading libfreeradius-eap.so? I can't tell, I don't know how to
look for it :p

Tried to run inside gdb but didn't get any helpful information. Any
hints to find what's going on?
In the meantime I think I'll dig into the source code.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 14:44, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Well even with the libfreeradius-eap.so packaged into libfreeradius3,
 eap is not starting. I checked on my other systems running 2.2.10, but
 built with libtool and libltdl, the rlm_eap.so is linked with
 libfreeradius-eap.
 
   I've just pushed a fix.  Please check it out.

Thanks Alan,

Other changes broke the make install process.

Clean up so that installation dependencies work
radlast.mk, radzap.mk, radtest.mk and checkrad.mk are broken:
install.bindir is not defined and not found.

INSTALL radclient
INSTALL radiusd
INSTALL radsniff
INSTALL radmin
INSTALL radattr
INSTALL radconf2xml
INSTALL radwho
INSTALL install.bindir
install:  install.bindir does not exist
make[1]: ***
[/opt/src/freeradius/FR3/freeradius-server/debian/tmp/usr/bin/radlast]
Error 1
make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server'
make: *** [install-arch] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Statistics on EAP methods widely used

2012-11-20 Thread Olivier Beytrison
 
 I've been searching all morning for NRPS statistics but I have been unable to 
 find any
 online. I know there are eduroam people in this list... could they help?


On our side we support EAP-PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2. We're
providing documentation and a configuration tool for the PEAP method.

Statistics report 60% PEAP against 40% TTLS.

Total number of live eduroam users is approx 800

Olivier B.
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 15:45, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Other changes broke the make install process.
 
   Whoops, typo.  I've pushed another fix.
Yep thanks, this issue is resolved.

make install is OK for the binaries.
Now it barfs right after installing dhclient (last reference in src/all.mk):

INSTALL radwho
INSTALL radlast
INSTALL radtest
INSTALL radzap
INSTALL checkrad
INSTALL dhclient
mkdir: cannot create directory
`/opt/src/freeradius/FR3/freeradius-server/debian/tmp/etc/freeradius':
File exists
make[1]: *** [install.dirs] Error 1
make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server'
make: *** [install-arch] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

And what's fun, debian/tmp/etc/freeradius is a file: a perl script,
example.pl from rlm_perl.

Bug introduced with commit 3298d3cc096cc2c5a76ab22388a154a0301b1897

Possible fix: move example.pl to ${docdir}/examples/example.pl


diff --git a/src/modules/rlm_perl/Makefile.in
b/src/modules/rlm_perl/Makefile.in
index 59c5d4c..04a1482 100644
--- a/src/modules/rlm_perl/Makefile.in
+++ b/src/modules/rlm_perl/Makefile.in
@@ -15,4 +15,4 @@ include ../rules.mak
 $(LT_OBJS): $(HEADERS)

 install-scripts:
-   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl $(R)$(raddbdir)
+   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl
$(R)$(docdir)/examples/example.pl
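Review bot: the new install line writes to $(R)$(docdir)/examples/example.pl, but nothing in this hunk creates $(docdir)/examples; install(1) does not create the parent directory, so on a fresh staging tree this rule fails much like the install.dirs error shown above. Add an `$(INSTALL) -d $(R)$(docdir)/examples` (or add that directory to the install.dirs target) before the copy. Also, the `+` line is wrapped onto two lines by the mailer, so the patch as pasted will not apply; attach it instead.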
diff --git a/src/modules/rlm_perl/all.mk.in b/src/modules/rlm_perl/all.mk.in
index b82e83c..b582332 100644
--- a/src/modules/rlm_perl/all.mk.in
+++ b/src/modules/rlm_perl/all.mk.in
@@ -13,4 +13,4 @@ install: install.rlm_perl.scripts

 .PHONY: install.rlm_perl.scripts
 install.rlm_perl.scripts:
-   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl $(R)$(raddbdir)
+   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl
$(R)$(docdir)/examples/example.pl
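Review bot: same directory-creation gap as in the Makefile.in hunk: $(R)$(docdir)/examples must exist before `$(INSTALL) -m 755 ...` runs. Since the autoconf Makefile.in and the boilermake all.mk.in carry the same rule, keep the two in sync (or move the mkdir into a shared install.dirs target) so the fix does not land in one build system only.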

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 14:44, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Well even with the libfreeradius-eap.so packaged into libfreeradius3,
 eap is not starting. I checked on my other systems running 2.2.10, but
 built with libtool and libltdl, the rlm_eap.so is linked with
 libfreeradius-eap.
 
   I've just pushed a fix.  Please check it out.

Your change in checkrad.mk moved the binary from sbindir to bindir. Is
this change wanted or not? If yes, I'll update
debian/freeradius.install accordingly. If not, we'll need an
install.sbindir in the Makefile.

Olivier



Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison
On 20.11.2012 16:30, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Your change in checkrad.mk moved the binary from sbindir to bindir. Is
 this change wanted or not? If yes, I'll update
 debian/freeradius.install accordingly. If not, we'll need an
 install.sbindir in the Makefile.
 
   I'll go fix that.
 
   Thanks for the patience.  Switching to a new build system is complicated.
It's alright, I'm not in a hurry, and you're quite responsive ;) I
rather feel like I'm the one bothering you ;)

Compilation, installation, and packaging all succeed. After
installing the package, freeradius doesn't start.

Unable to open file /etc/freeradius/radiusd.conf: No such file or
directory

Uh oh? Looking at /etc/freeradius, there are only the directories and
the symlinks, but not a single file. Great.

When looking in the build environment, in
debian/freeradius/etc/freeradius, all the files are present.

During package creation, the files are correctly grabbed as per
debian/freeradius.install.

dpkg -L lists all the files.

Is dpkg high on cocaine or what?

Olivier


Re: Git master branch Debian build

2012-11-19 Thread Olivier Beytrison
 
 Yes i've been working on this too today as I need debian packages for a 
 customer, and that's exactly the point where I got to.
 
 I'm going to continue with it on monday. Feel free to pull from master, it 
 contains a few more fixes.

Hi,

I made a fresh clone this morning, and I've been able to make the
packages after a few changes to the files in the debian directory. Those
files refer to a lot of elements which don't seem to exist any more in FR3.

BTW I'm far from being a Debian package expert (in fact it's the first
time I've really dug into the package building process).

Here's a summary of my changes (the -ok version is the one containing
my modifications): http://pastebin.com/kDrWDdF0

Hope this helps.

Olivier


Re: Git master branch Debian build

2012-11-19 Thread Olivier Beytrison

 Yes i've been working on this too today as I need debian packages for a 
 customer, and that's exactly the point where I got to.

 I'm going to continue with it on monday. Feel free to pull from master, it 
 contains a few more fixes.
 
 Hi,
 
 I made a fresh clone this morning, and I've been able to make the
 packages after a few changes to the files in the debian directory. Those
 files refer to a lot of elements which don't seem to exist any more in FR3.
 
 BTW I'm far from being a Debian package expert (in fact it's the first
 time I've really dug into the package building process).
 
 Here's a summary of my changes (the -ok version is the one containing
 my modifications): http://pastebin.com/kDrWDdF0

The packages are built, but they're not installing correctly.

The main problem is that the mods-enabled directory is not created, and
the symlinks are missing. There's quite some more work to do.

Selecting previously unselected package freeradius-common.
(Reading database ... 85588 files and directories currently installed.)
Unpacking freeradius-common (from
freeradius-common_3.0.0git+dfsg-1_all.deb) ...
Selecting previously unselected package freeradius.
Unpacking freeradius (from freeradius_3.0.0git+dfsg-1_amd64.deb) ...
Selecting previously unselected package freeradius-ldap.
Unpacking freeradius-ldap (from
freeradius-ldap_3.0.0git+dfsg-1_amd64.deb) ...
Selecting previously unselected package freeradius-mysql.
Unpacking freeradius-mysql (from
freeradius-mysql_3.0.0git+dfsg-1_amd64.deb) ...
Selecting previously unselected package libfreeradius3.
Unpacking libfreeradius3 (from libfreeradius3_3.0.0git+dfsg-1_amd64.deb) ...
Selecting previously unselected package freeradius-utils.
Unpacking freeradius-utils (from
freeradius-utils_3.0.0git+dfsg-1_amd64.deb) ...
Setting up freeradius-common (3.0.0git+dfsg-1) ...
Adding user freerad to group shadow
Setting up libfreeradius3 (3.0.0git+dfsg-1) ...
Processing triggers for man-db ...
Setting up freeradius-utils (3.0.0git+dfsg-1) ...
Setting up freeradius (3.0.0git+dfsg-1) ...
dpkg-statoverride: warning: --update given but /var/run/freeradius does
not exist
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: stripping trailing /
dpkg-statoverride: warning: stripping trailing /
 * Starting FreeRADIUS daemon freeradius
   ...fail!
invoke-rc.d: initscript freeradius, action start failed.
Processing triggers for ureadahead ...
Setting up freeradius-ldap (3.0.0git+dfsg-1) ...
 * Checking FreeRADIUS daemon configuration...
   ...fail!
invoke-rc.d: initscript freeradius, action force-reload failed.
dpkg: error processing freeradius-ldap (--install):
 subprocess installed post-installation script returned error exit status 1
Setting up freeradius-mysql (3.0.0git+dfsg-1) ...
 * Checking FreeRADIUS daemon configuration...
   ...fail!
invoke-rc.d: initscript freeradius, action force-reload failed.
dpkg: error processing freeradius-mysql (--install):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 freeradius-ldap
 freeradius-mysql



Re: Git master branch Debian build

2012-11-19 Thread Olivier Beytrison


 Yeah you have a typo, you have mods.enabled, it should be mods-enabled?

 I'm also working on this, there was a bug in the MySQL configure script that 
 may have been causing issues with the .so not being built correctly. 
 PostgreSQL and a few others were also missing boilermake files.
 
 make that mods.available

Yeah, you're right, it was a typo, and freeradius-X complained about not
finding the mods-enabled directory.

 Alan has fixed it in the version he pulled in...
 
 Now working on getting rlm_dbm working as that builds a couple of utilities 
 that get packaged.
 
 Getting there slowly.

I pulled your change from tonight. Still got the problem that radmin
wasn't found during the package creation. Had to add radmin.mk to
SUBMAKEFILES in src/main/all.mk in order to have it.

Packages are now created correctly. I'll try installing them now.

Olivier


Re: Git master branch Debian build

2012-11-19 Thread Olivier Beytrison


On 20.11.2012 08:26, Olivier Beytrison wrote:
 

 Yeah you have a typo, you have mods.enabled, it should be mods-enabled?

 I'm also working on this, there was a bug in the MySQL configure script 
 that may have been causing issues with the .so not being built correctly. 
 PostgreSQL and a few others were also missing boilermake files.

 make that mods.available
 
 Yeah, you're right, it was a typo, and freeradius-X complained about not
 finding the mods-enabled directory.
 
 Alan has fixed it in the version he pulled in...

 Now working on getting rlm_dbm working as that builds a couple of utilities 
 that get packaged.

 Getting there slowly.
 
 I pulled your change from tonight. Still got the problem that radmin
 wasn't found during the package creation. Had to add radmin.mk to
 SUBMAKEFILES in src/main/all.mk in order to have it.
 
 Packages are now created correctly. I'll try installing them now.

Installation failed the first time, still missing mods-enabled.
Corrected through the following patch:

diff --git a/debian/freeradius.install b/debian/freeradius.install
index 9cbc364..cef932f 100644
--- a/debian/freeradius.install
+++ b/debian/freeradius.install
@@ -10,6 +10,7 @@ etc/freeradius/hints
 etc/freeradius/huntgroups
 etc/freeradius/ldap.attrmap
 etc/freeradius/mods-available/*
+etc/freeradius/mods-enabled/*
 etc/freeradius/policy.d/*
 etc/freeradius/policy.txt
 etc/freeradius/preproxy_users
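Review bot: the new `etc/freeradius/mods-enabled/*` glob only works if the upstream install step actually populates `debian/tmp/etc/freeradius/mods-enabled/`; with dh_install an absent or empty directory aborts the build with a 'missing files' error instead of shipping an empty directory, and an earlier mail in this thread reports exactly that directory not being created. Also confirm the entries are relative symlinks (`../mods-available/<name>`) so they still resolve under /etc/freeradius after installation.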


The diff for having radmin built is here

diff --git a/src/main/all.mk b/src/main/all.mk
index bcd546a..b5982a8 100644
--- a/src/main/all.mk
+++ b/src/main/all.mk
@@ -1,3 +1,4 @@
 SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \
-radconf2xml.mk radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk
dhclient.mk
+radconf2xml.mk radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk
dhclient.mk \
+radmin.mk
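Review bot: `radmin.mk` already appears on the unchanged first line of this hunk (`SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \`), so the added `+radmin.mk` line lists it a second time; either the first occurrence is really in the checked-in file and the addition is redundant, or it is not and the context will not match and the hunk will be rejected. Check which with `git diff` on a clean tree before submitting. The `-` and `+` lines are also wrapped after `checkrad.mk` in the mail, so the diff needs rejoining before it can be applied.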


Now the service starts and begins loading the configuration, but fails at
rlm_eap. freeradius -X output below.

The Debian package doesn't include libfreeradius-eap.so. Maybe add
it to the libfreeradius package:

diff --git a/debian/libfreeradius3.install b/debian/libfreeradius3.install
index d08b127..0eb4b91 100644
--- a/debian/libfreeradius3.install
+++ b/debian/libfreeradius3.install
@@ -1 +1,2 @@
 usr/lib/freeradius/libfreeradius-radius.so
+usr/lib/freeradius/libfreeradius-eap.so
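Review bot: listing `usr/lib/freeradius/libfreeradius-eap.so` makes dh_install ship the library, but the follow-up in this thread reports that eap still does not start with it packaged and that rlm_eap.so is not linked against libfreeradius-eap, so check `ldd debian/tmp/usr/lib/freeradius/rlm_eap.so` for a libfreeradius-eap entry rather than relying on the file's presence. The entry follows the existing convention of shipping the unversioned `.so` from the private /usr/lib/freeradius directory, which is consistent with the libfreeradius-radius.so line above it.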

freeradius -X
freeradius: FreeRADIUS Version 3.0.0 (git #d0b68ad), for host
x86_64-pc-linux-gnu, built on Nov 20 2012 at 08:32:32
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/sql/mysql/cui.conf
including configuration file /etc/freeradius/mods-enabled/counter
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/wimax
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/attr_rewrite
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/unix

Git master branch Debian build

2012-11-16 Thread Olivier Beytrison
Hello,

Just a quick question, before I lose too much time on this. Is the
Debian build system on the master repository working? I'm having a hard
time building the deb packages.

git clone from yesterday, ubuntu 12.04 LTS

Olivier


Re: Git master branch Debian build

2012-11-16 Thread Olivier Beytrison


On 16.11.2012 14:21, Arran Cudbard-Bell wrote:
 
 On 16 Nov 2012, at 12:58, Olivier Beytrison oliv...@heliosnet.org wrote:
 
 Hello,

 Just a quick question, before I lose too much time on this. Is the
 debian build system on the master repository working?
 
 I've had issues with it, but haven't had time to track down the cause, what 
 problems are you experiencing specifically?

First, by default it comes with --with-system-libltdl and
--with-system-libtool.
With those activated, it fails at linking rlm_sql_log.la:
LINK rlm_sql_log.la rlm_sql_log.lo
libtool: link: warning: `-release' is ignored for convenience libraries
ar:
/opt/src/freeradius/FR3/freeradius-server/src/modules/rlm_sql/.libs/.libs/rlm_sql.a:
No such file or directory
(There are two .libs in the path, when one is enough. Editing the
Makefile and removing the .libs in RLM_LIBS works, but it fails further
down.)

Then I found a previous message on the mailing list and removed
--with-system-libltdl and libtool.

It compiled correctly, but when DH started its work, it didn't find
libfreeradius*-3.*.so and failed:

# rename radius binary to play nicely with others
mv
/opt/src/freeradius/FR3/freeradius-server/debian/tmp//usr/sbin/radiusd
/opt/src/freeradius/FR3/freeradius-server/debian/tmp//usr/sbin/freeradius
mv
/opt/src/freeradius/FR3/freeradius-server/debian/tmp///usr/share/man/man8/radiusd.8
/opt/src/freeradius/FR3/freeradius-server/debian/tmp///usr/share/man/man8/freeradius.8
dh_install
--sourcedir=/opt/src/freeradius/FR3/freeradius-server/debian/tmp/ -p
libfreeradius3
dh_install: libfreeradius3 missing files
(usr/lib/freeradius/libfreeradius*-3.*.so), aborting
make: *** [install-arch] Error 255
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

Content of the temporary usr/lib/freeradius:

ls -l usr/lib/freeradius/libfreerad*

usr/lib/freeradius/libfreeradius-eap-3.0.0.la -> libfreeradius-eap.la
usr/lib/freeradius/libfreeradius-eap.a
usr/lib/freeradius/libfreeradius-eap.la
usr/lib/freeradius/libfreeradius-eap.so
usr/lib/freeradius/libfreeradius-radius-3.0.0.la -> libfreeradius-radius.la
usr/lib/freeradius/libfreeradius-radius.a
usr/lib/freeradius/libfreeradius-radius.la
usr/lib/freeradius/libfreeradius-radius.so

So yeah, no libfreeradius-3.*.so.

Thanks for your help.

Olivier


Re: Git master branch Debian build

2012-11-16 Thread Olivier Beytrison


On 16.11.2012 16:55, Alan DeKok wrote:
 Olivier Beytrison wrote:
 With those activated, it fails at linking rlm_sql_log.la
 LINK rlm_sql_log.la rlm_sql_log.lo
 libtool: link: warning: `-release' is ignored for convenience libraries
 
   Well, that's minor.
 
 ar:
 /opt/src/freeradius/FR3/freeradius-server/src/modules/rlm_sql/.libs/.libs/rlm_sql.a:
 No such file or directory
 (There are two .libs in the path, when one is enough. Editing the
 Makefile and removing the .libs in RLM_LIBS works, but it fails further
 down.)
 
   I have no idea why the extra .libs is there.  Where is RLM_LIBS adding
 the .libs?  It shouldn't be doing that.
 
 --sourcedir=/opt/src/freeradius/FR3/freeradius-server/debian/tmp/ -p
 libfreeradius3
 dh_install: libfreeradius3 missing files
 (usr/lib/freeradius/libfreeradius*-3.*.so), aborting
 
   Hmm... that should be there.
 
 usr/lib/freeradius/libfreeradius-radius-3.0.0.la -> libfreeradius-radius.la
 usr/lib/freeradius/libfreeradius-radius.a
 usr/lib/freeradius/libfreeradius-radius.la
 usr/lib/freeradius/libfreeradius-radius.so

 So yeah, no libfreeradius-3.*.so.
 
   I hate libtool.  It's magic.  The authors seem to be hell-bent on
 making everyone's lives more difficult.
 
   We tell it to make a library with versioning.  What does it do?
 Create a .la with versioning, but not a .so with versioning.
 
   Libtool needs to die in fire.
 
   Change the debian build so that it uses --boilermake=yes, and delete
 --with-system-libltdl and --with-system-libtool.
 

Tried with my git clone from yesterday but still got a weird error at
the beginning of the package creation. Cloned a fresh copy, added a few
arguments to debian/rules. Compilation is OK, the weird error persists.

see http://pastebin.com/JDHm5dWq



Re: Complex eduroam radius design

2012-11-14 Thread Olivier Beytrison
On 13.11.2012 19:08, Arran Cudbard-Bell wrote:
 
 On 13 Nov 2012, at 17:23, Olivier Beytrison oliv...@heliosnet.org wrote:
 
 On 13.11.2012 18:03, Phil Mayers wrote:
 On 13/11/12 16:38, Olivier Beytrison wrote:

 Well not really a solution here. The central LDAP system is one of the

 Fair enough.

 To summarize, if I proxy the outer tunnel, there will be more load on
 the central server, and I'll add the custom attributes to the outer
 reply in order for the local RADIUS to analyse them and add the
 NAS-specific attribute.

 Yes.


 If I proxy the inner tunnel, the TLS is handled by the local RADIUS
 (more certs to buy), on the central server I add the attributes in the
 normal reply, and the local RADIUS keeps doing the authorization part.
 I just have to take care of the encryption between the local and central
 servers. Thankfully L2L VPNs are already established.

 Yes. However, buying separate certs might not be a good idea as it will
 complicate the client setup - they'll all have to come from the same CA
 and share the same CN (or you'll have to rely on wildcard CN matching on
 the clients).

 For this reason, it might be easier to do all the TLS on the central
 servers, and have the same cert on both of them.

 Another good point indeed. Well, this will make the local RADIUS setup
 fairly easy: proxy everything to the central one, just do the
 post-auth/post-proxy sections, and manage the accounting.

 This will also make things easier when people outside our local realm
 log in on eduroam: the outer tunnel is proxied to the central RADIUS,
 which in turn proxies it to the NRO RADIUS ...
 
 All that *will* be going away eventually, you'll just use RADSec and DNS 
 discovery.

This will indeed happen eventually, but at this time ... it's not yet
possible.

 Honestly I don't really see the point of the central server here, other than 
 to interface with the existing eduroam infrastructure, and even then it's 
 mostly lazyness :). If I were implementing this I would terminate the EAP 
 sessions on the local servers, and query LDAP directly from the different 
 sites.

Could be an idea, but being also in charge of security, the fact
that we need an LDAP account with the permission to retrieve the
cleartext password from the central eDirectory is a big
concern. I don't want to have such an account configured on the local
RADIUS servers, allowing too many people to see the cleartext passwords
of the 25k users. (Those accounts are not just eduroam accounts, it's
their global account for Active Directory, mail, VPN access and so on.)

 I'd do this for the following reasons:
 a) The crypto is spread across multiple hosts, meaning you don't load central 
 servers and the system as a whole scales better.

Agreed. Fortunately virtual machines are easy to create ;)

 b) The likelyhood of packet loss (and EAP authentications timing out) is 
 greatly reduced. Packet loss is a big problem with EAP over RADIUS, if the 
 path between your central RADIUS servers and your site specific ones is in 
 any way unreliable it's not going to work well.

Also agreed. All the schools are interconnected by Switch, the Swiss
educational network provider, with lots of 10 Gig links everywhere. So
connectivity is not really a concern here, I think.

 c) LDAP is TCP based and can recover from packet loss far quicker than RADIUS 
 where the normal retransmission interval is ~5 seconds (granted this is 
 configurable, but it's usually not sub second).

RadSec can run over TCP. Another good reason to go for FreeRADIUS 3 and
use RadSec. BTW, if I want to test FR3, I guess it's available on
git, but I didn't find where and how to get it. Any hint?

 d) It's possible to build up caches of passwords locally on each site RADIUS 
 server (see rlm_cache) and then failover to that in the event of the central 
 LDAP servers being unavailable, this gives you far greater resilliency. You 
 can't do that if you never see the NT-Password or Cleartext-Password at a 
 site level. 

Good point. But there will be 2 or 3 central RADIUS servers (maybe with
the F5 in front for load balancing). And the authentication LDAP servers
consist of a pool of 4 active/active LDAP servers with the F5
load balancer in front. So in terms of resiliency it should be OK.

 As Phil says, you only need one cert. There's absolutely no way that the 
 supplicant can tell which server is presenting the certificate, so the CN 
 validation checks will not fail unless the user has configured a set CN 
 string in their supplicant.

Thanks for the information, this means I don't even need a cert per
central server, I just need, let's say, one cert for
eduroam.hes-so.ch. Good to know :)

Again, in my case I think that going with the topology I described in my
first mail is my best solution in my particular situation, even if it's
not the most optimal :)

Thanks for your feedback!

Regards,
Olivier B.


Complex eduroam radius design

2012-11-13 Thread Olivier Beytrison
Hello,

We're planning to deploy eduroam centrally for the whole university of
applied sciences of western Switzerland (which consists of ~27 schools
and 25'000 people).

On one side, we will have the central RADIUS servers, connected to the
central LDAP backend which contains all the user accounts.

On the other side, we will have local RADIUS servers (about 7 pairs of
servers, because the schools are grouped regionally and under a central
management).

The idea is the following:
The user joins the WLAN (802.1X, eduroam). The WiFi controller (NAS) contacts
the local RADIUS for authentication, which in turn contacts the central
RADIUS to authenticate the user. Upon successful authentication, the
central RADIUS returns the Access-Accept along with some custom attributes
about the user.
The local RADIUS then performs admission control based on those
attributes (selecting the correct VLAN, subnet, etc.).

So I have two questions:
1. Is this implementation possible?
2. If it is possible, will the inner tunnel for EAP-PEAP and EAP-TTLS
end on the local or central RADIUS, taking into account that the
authentication is performed by the central RADIUS? (I'll go for the
central one.)

Thanks in advance for your answers.
Best regards,
Olivier B.


Re: Complex eduroam radius design

2012-11-13 Thread Olivier Beytrison


On 13.11.2012 16:20, Phil Mayers wrote:
 On 13/11/12 14:45, Olivier Beytrison wrote:
 Hello,

 [snip]

 So I have two questions :
 1. is this implementation possible ?
 
 Yes. But I would argue it's not ideal (see below).
 
 2. If it is possible, will the inner-tunnel for eap-peap and eap-ttls
 end on the local or central radius, taking in account that the
 authentication is performed by the central radius.
 
 It depends what you configure. You can proxy the inner tunnel, or the
 outer tunnel.
 
 If you proxy the outer tunnel, it's encrypted all the way, but the
 central servers have to do all the TLS. The local servers then do very
 little (what you refer to as vlans, subnets, etc.)

Well, that's what I would like to do. We have 7 different IT services
running their own network the way they want. The local RADIUS servers are
there to let them freely manage how users access their network.

 If you proxy the inner tunnel, the local servers do the TLS, but the
 traffic to the central servers is only lightly encrypted (by the RADIUS
 encryption scheme). Whether this matters will depend on your environment.

Not really a matter, as it will run either over a LAN-to-LAN IPsec VPN,
or with RadSec enabled. (Still thinking between using radsecproxy or
going with FreeRADIUS 3 [I know, you need guinea pigs ;)])

 Personally, I would think carefully if this model is right. The local
 servers don't seem to add much value, and are entirely dependent on the
 central servers.

It's not really about value, it's more about letting the local IT
services manage how and what the users can access. We're already
enforcing this central authentication; if we don't let them have a minimum
of control, this will lead to an IT riot :p

 Have you considered replicating the LDAP database to the local servers?

Well, not really a solution here. The central LDAP system is one of the
most complex Novell eDirectory deployments possible. Syncing 7 other LDAP
servers would just put more load on the actual cluster. The
authentication will be made against a dedicated cluster of LDAP servers
which contains only authentication-related information.

To summarize, if I proxy the outer tunnel, there will be more load on
the central server, and I'll add the custom attributes to the outer
reply in order for the local RADIUS to analyse them and add the
NAS-specific attribute.

If I proxy the inner tunnel, the TLS is handled by the local RADIUS
(more certs to buy), on the central server I add the attributes in the
normal reply, and the local RADIUS keeps doing the authorization part.
I just have to take care of the encryption between the local and central
servers. Thankfully L2L VPNs are already established.

Thanks a lot for your answer, it gives me a good idea of how I'll do it.

Olivier B.



Re: Complex eduroam radius design

2012-11-13 Thread Olivier Beytrison
On 13.11.2012 18:03, Phil Mayers wrote:
 On 13/11/12 16:38, Olivier Beytrison wrote:

 Well not really a solution here. The central LDAP system is one of the
 
 Fair enough.
 
 To summarize, if I proxy the outer tunnel, there will be more load on
 the central server, and I'll add the custom attributes to the outer
 reply in order for the local RADIUS to analyse them and add the
 NAS-specific attribute.
 
 Yes.
 

 If I proxy the inner tunnel, the TLS is handled by the local RADIUS
 (more certs to buy), on the central server I add the attributes in the
 normal reply, and the local RADIUS keeps doing the authorization part.
 I just have to take care of the encryption between the local and central
 servers. Thankfully L2L VPNs are already established.
 
 Yes. However, buying separate certs might not be a good idea as it will
 complicate the client setup - they'll all have to come from the same CA
 and share the same CN (or you'll have to rely on wildcard CN matching on
 the clients).
 
 For this reason, it might be easier to do all the TLS on the central
 servers, and have the same cert on both of them.

Another good point indeed. Well, this will make the local RADIUS setup
fairly easy: proxy everything to the central one, just do the
post-auth/post-proxy sections, and manage the accounting.

This will also make things easier when people outside our local realm
log in on eduroam: the outer tunnel is proxied to the central RADIUS,
which in turn proxies it to the NRO RADIUS ...



Question regarding multivalued attributes in control list.

2011-09-02 Thread Olivier Beytrison
-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/
) {...}

We can see that it didn't match control:HESSO-MEMBER-KEY =~
/RORG-MASO.*RCA$/ while it has the correct value in the control list.

How can I match this multi-valued attribute?

Regards,
Olivier B.

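The foreach approach recommended in the reply below, written out as an added example (not code from the original post, nor FreeRADIUS's own configuration). It assumes FreeRADIUS 3.0 unlang and takes the HESSO-MEMBER-KEY attribute, the regexes and the interface names from the post; the policy name, the Tmp-String-0 scratch attribute and the fallback interface name are assumptions.

```unlang
# Added example (not from the original post or from FreeRADIUS itself):
# a FreeRADIUS 3.0 policy that examines EVERY value of the multi-valued
# control:HESSO-MEMBER-KEY attribute with the "foreach" unlang construct.
# A plain "if (control:HESSO-MEMBER-KEY =~ ...)" only ever sees the first
# instance, which is why the original elsif chain failed for users that
# carry several values.
#
# Drop this file into policy.d/ and call "hefr_interface" from the authorize
# section of the inner-tunnel virtual server, after the ldap module has
# populated the control list. Regexes and interface names are the ones from
# the original post; the policy name, the Tmp-String-0 scratch attribute and
# the fallback interface name "wifi_default" are assumptions.
hefr_interface {
	# Same NAS restriction as the original $INCLUDE wrapper.
	if (&NAS-IP-Address =~ /160\.98\.156\..*/) {

		# Walk all instances; each one is exposed as Foreach-Variable-0 in
		# turn. Tmp-String-0 holds the winning interface so that the ORDER
		# in which LDAP returns the values does not decide the outcome: the
		# RCA rule always wins over the RSM rule, mirroring the precedence
		# of the original if/elsif chain.
		foreach &control:HESSO-MEMBER-KEY {
			if (&Foreach-Variable-0 =~ /RORG-MASO.*RCA$/) {
				# Highest priority: overwrite whatever was set before.
				update control {
					&Tmp-String-0 := "wifi_eia-etu"
				}
			}
			elsif (&Foreach-Variable-0 =~ /RORG-HEFR-EIFR.*RSM$/) {
				# Lower priority: only set if nothing matched yet.
				if (!&control:Tmp-String-0) {
					update control {
						&Tmp-String-0 := "wifi_eia-col"
					}
				}
			}
		}

		if (&control:Tmp-String-0) {
			update reply {
				&Airespace-Interface-Name := "%{control:Tmp-String-0}"
			}
		}
		else {
			# No role matched: never hand the controller an Access-Accept
			# without an interface, put the user on an assumed default one.
			update reply {
				&Airespace-Interface-Name := "wifi_default"
			}
		}
	}
}
```

For the user in the debug output below, both an RSM and an RCA value are present, and the policy ends with wifi_eia-etu regardless of which value the ldap module lists first.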


Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Olivier Beytrison
Thanks Arran for those answers,

 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the foreach 
 unlang construct or perl.

Hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
I'll simply fall back to rlm_perl. But not on a Friday evening, it will
wait till Monday!

 Plus the way you're doing policies is weird. Why don't you just use the 
 policy module (policy.conf)? It'd be way more memory efficient if you're 
 using the same policy multilple times, and you gain the ability to overload 
 module calls...

You're right, I'll move this into the policy file, didn't think about it.

Regards,
Olivier B.

 -Arran
 
 On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
 
 Hello,

 I'm trying for two weeks now to do some multi-valued attribute checking on
 my radius infrastructure.

 I've been looking to checkval, using the users file and such but with
 no luck.

 I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
 authentication is made against a Novell eDirectory ldap server.

 I'm fetching a multi-valued attribute from the ldap into the control
 list, and based on its content, I set the correct
 Airespace-Interface-Name value.

 At the beginning I was using unlang to match the value, and it works
 perfectly since 90% of the people only have one attribute. But some
 people have multiple attributes.

 So far, that's what I've been using:

 In virtual server, at the end of authorize {}

  if (NAS-IP-Address =~ /160\.98\.156\..*/) {
  $INCLUDE ${confdir}/secure-hefr.policy

  }

 secure-hefr.policy content :


 if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
 }
 elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
 }
 elsif {
 }
 [ ... ]

 Some debug from a user who is multi-valued :

 server eduroam-inner-tunnel-peap {
 # Executing section authorize from file
 /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
 +- entering group authorize {...}
 ++[mschap] returns noop
 [suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
 [suffix] Found realm hefr.ch
 [suffix] Adding Realm = hefr.ch
 [suffix] Authentication realm is LOCAL.
 ++[suffix] returns ok
 ++[control] returns ok
 [eap] EAP packet type response id 11 length 6
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 [auth_log]  expand:
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
 /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
 [auth_log]  expand: %t -> Fri Sep  2 15:45:08 2011
 ++[auth_log] returns ok
 [linelog]   expand: %{Packet-Type} -> Access-Request
 [linelog]   expand: %{%{Packet-Type}:-format} -> Access-Request
 [linelog]   expand: /var/log/freeradius/linelog ->
 /var/log/freeradius/linelog
 [linelog]   expand: Requested access: %{User-Name} -> Requested
 access: didier.perr...@hefr.ch
 ++[linelog] returns ok
 ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
 ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
 ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
 ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
    expand: %{1} -> didier.perroud
 +++[request] returns ok
 ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
 ++[files] returns noop
 [ldap] performing user authorization for didier.perroud
 [ldap]  expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
 [ldap]  expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
 (uid=didier.perroud)
 [ldap] Added the eDirectory password *** in check items as
 Cleartext-Password
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
 RORG-HEFR-EIFR-TICO-TLCO-$-RSM
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == RORG-MASO-$-RCA
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
 RACA-TICO-MSEI-MTIC-$-RCA
 [ldap] looking for reply items in directory...
  [ldap] hessoRoleMemberKey -> Class =
 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
  [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
  [ldap] hessoRoleMemberKey -> Class =
 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
 [ldap] user didier.perroud authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 [pap] WARNING: Auth-Type already set.  Not setting to PAP
 ++[pap] returns noop
 ++? if (NAS-IP-Address =~ /160\.98\.156