3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

All,

Seems that the return code priority is behaving different in 3.0 - 
specifically the following config:


authorize {
  updated
  files
  if (noop) {
...
  }
}

...gives:

(0)   authorize {
(0)   [updated] = updated
(0)   [files] = noop
(0)   ? if (noop)
(0)   ? if (noop)  - FALSE

i.e. the noop from the files module is ignored. This is a change from 
2.x where the most recent module return code can be checked.


Have I missed the change, or is this not intentional?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Phil Mayers

On 14/10/13 16:01, Jonathan Gazeley wrote:

On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:

Samba 4 is lurvely... apparently 100% compatible with existing AD
installations, although, as always, it's a bit finicky and info is a
bit thin on the ground (and I've not written up a guide when I set my
test environment up that uses an S4 server for EAP-MSCHAPv2). But at
least it exists on RHEL/CentOS as a package.

it can also BE an AD master etc.  anyway, you don't know how tempting
it was to yum install samba4 on our production system;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in
this sort of context


This morning I upgraded a couple of our radius servers from samba 3.6.9
to 4.0.0-rc4. It works, but it's not yet clear how much of an
improvement it makes. Early indication is that it helps spread the load
more evenly between domain controllers at peak times, but it is by no
means the magic bullet.


I am wondering if using ntlm_auth in pipe mode, in the same way Squid 
does, would improve this, as it would avoid forkexec. I might try and 
knock up a PoC patch.



Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 16:18, Phil Mayers wrote:



i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.

Have I missed the change, or is this not intentional?



Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has 
been ported to 2.x as well, so it'll change there too?


https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/modcall.c#L959


Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 17:15, Phil Mayers wrote:

On 14/10/13 16:18, Phil Mayers wrote:



i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.

Have I missed the change, or is this not intentional?



Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has
been ported to 2.x as well, so it'll change there too?


Fix seems easy; assuming the old behaviour is what's wanted:

https://github.com/philmayers/freeradius-server/commit/51c43419


Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

All,

We're seeing bursts of:

Thu Oct 10 11:52:14 2013 : Info: WARNING: Child is hung for request 
47516341 in component authenticate module peap.


Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became 
unblocked for request 47516341


...since the return of our students this year.

I am 99% sure this is ntlm_auth being slow, and I have a strong 
suspicion this is related to some changes in our AD infrastructure over 
the summer.


In order to prove this to the AD team, I need to gather some timing 
stats for ntlm_auth; can anyone think of an easy way to do this within 
FreeRADIUS?


AFAIK there aren't any xlat that back onto gettimeofday; the various 
request time attributes all expand to the static request-timestamp 
value, whereas I want to do wallclock timing.


I could wrap ntlm_auth in a script that times it and logs the info, but 
I'm slightly wary of that - it might perturb the timings.


Any obvious/easy thing I'm missing?

Still on 2.2.0 here... anything in 3.0 I could use?

Cheers,
Phil
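The wrapper approach mentioned above, as an added example (not from the thread and not part of FreeRADIUS or Samba). It assumes the real binary is at /usr/bin/ntlm_auth, that the log goes to /var/log/freeradius/ntlm_auth_timing.log (both paths are assumptions; override them), and that the mschap/exec module's ntlm_auth line is pointed at this script with the same arguments. stdout (the NT_KEY line) and the exit status are passed through untouched, which is all FreeRADIUS looks at. Two caveats a practitioner wants here: the argument list carries --password, --challenge and --nt-response, so it is deliberately never logged; and the interpreter start-up is added to every authentication, so measure a baseline (e.g. ntlm_auth --help through the wrapper) and subtract it before showing the numbers to the AD team. The summarize() function turns the log into nearest-rank percentiles.

```python
#!/usr/bin/env python3
"""Timing wrapper for ntlm_auth (added example; not part of the thread, FreeRADIUS or Samba).

Assumed: NTLM_AUTH_BIN and LOG_PATH below; FreeRADIUS invokes this script exactly as it
would invoke ntlm_auth. stdout/stderr and the exit status are inherited/passed through.
"""
import math
import re
import subprocess
import sys
import time

NTLM_AUTH_BIN = "/usr/bin/ntlm_auth"                    # assumed path
LOG_PATH = "/var/log/freeradius/ntlm_auth_timing.log"  # assumed path


def run_timed(argv, log_path=LOG_PATH, binary=NTLM_AUTH_BIN):
    """Run binary with argv, measure wall-clock time, append one log line.

    Only the exit status and elapsed time are logged. argv is deliberately NOT logged:
    FreeRADIUS passes --password / --challenge / --nt-response on the command line.
    """
    start = time.monotonic()
    proc = subprocess.run([binary, *argv])   # stdout/stderr inherited, so FreeRADIUS sees them
    elapsed_ms = (time.monotonic() - start) * 1000.0
    with open(log_path, "a") as log:
        log.write("%s rc=%d elapsed_ms=%.1f\n"
                  % (time.strftime("%Y-%m-%dT%H:%M:%S"), proc.returncode, elapsed_ms))
    return proc.returncode, elapsed_ms


def summarize(lines):
    """Nearest-rank p50/p95/max of elapsed_ms over wrapper log lines; non-matching lines are skipped."""
    vals = sorted(float(m.group(1))
                  for m in (re.search(r"elapsed_ms=([0-9.]+)", line) for line in lines) if m)
    if not vals:
        return {"count": 0}

    def pct(p):
        return vals[max(0, math.ceil(p / 100.0 * len(vals)) - 1)]

    return {"count": len(vals), "p50": pct(50), "p95": pct(95), "max": vals[-1]}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--summarize":
        with open(sys.argv[2] if len(sys.argv) > 2 else LOG_PATH) as f:
            print(summarize(f))
        sys.exit(0)
    rc, _ = run_timed(sys.argv[1:])
    sys.exit(rc)
```

Point the ntlm_auth line in the mschap (or exec) module config at this script instead of the binary, leave the arguments as they are, and run the script with --summarize against the log after a busy period.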


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
unblocked for request 47516341

...since the return of our students this year.

I am 99% sure this is ntlm_auth being slow, and I have a strong
suspicion this is related to some changes in our AD infrastructure
over the summer.


I've contacted our AD guys about a couple of tweaks they can do for 'legacy'


Any chance you can point me in the direction of these?


authentications (as microsoft call it) - but I'm also looking at
samba4 - as it has a new option that will balance ntlm_auth against
all known boxes rather than the first box it latches onto - to spread
the load.


Hmm.



I'm also now getting suspicious about a couple of tuesday patches
that got deployed over summer...


Interesting - which ones?


(we're also thinking about EAP-TLS again ;-) )


Semi-related, but to my annoyance we're seeing rather less SSL 
resumption than I would expect, given that iOS and Android both do it by 
default.



Re: FR3 Debugging Switches

2013-10-10 Thread Phil Mayers

On 09/10/13 19:09, Alan DeKok wrote:


   That is *exactly* what the server does for TCP.


...in which case my comment is entirely redundant, please disregard!


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

On 10/10/13 17:16, Brian Julin wrote:

You might be able to run FR under gdb (or attach/resume a running FR),
and set breakpoints with commands that resume after running the GDB
commands.


That's an inventive one, but I'm not *that* desperate yet!


Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers
I've just ported our config to 3.0 and I'm seeing a few error messages; 
they don't seem to be critical but are concerning me.


Specifically I'm seeing:

ERROR: Conditional evaluation failed due to internal sanity check.

...whenever I try to compare against absent attributes. What's the 
correct syntax for this now - do I need:


if ((Attr) && (Attr op RHS)) {

...or can I ignore the message?


I'm also seeing this with:

if (%{outer.request:Blah})

...if I'm not in a tunnel (in some generic logging policy); what's the 
right syntax for that?



Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:32, Phil Mayers wrote:

I've just ported our config to 3.0 and I'm seeing a few error messages;
they don't seem to be critical but are concerning me.

Specifically I'm seeing:


We're also getting:

Info: Invalid operator for item Sql-Group: reverting to '=='

...which is logged to radiusd.log. This seems to be spurious - all our 
comparisons to SQL-Group are, of course using ==.


Other than that, it all seems OK!


Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:51, Arran Cudbard-Bell wrote:


possibly if (outer.request 


Hmm, no same thing, and worse it's squashing Module-Failure-Message :o(


Re: FR3 Debugging Switches

2013-10-09 Thread Phil Mayers

On 09/10/13 16:36, Arran Cudbard-Bell wrote:


On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote:


Adam Bishop wrote:

It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 
3 when RadSec is configured.


  Yes.  Because of OpenSSL limitations, the server MUST have multiple
threads when using radsec.


Isn't it required for doing any RADIUS over TCP?


Perhaps architecturally, but not inherently; you could, at least in theory:

 1. Receive 4-byte length
 2. Sanity-check the length
 3. Allocate buffer
 4. Read on TCP socket non-blocking in normal select loop until you've 
filled the buffer

 5. Parse packet from buffer, dispatch packet

SSL presents the slight (ahem) complication of having to route the 
read/write via a memory BIO and check for the want read / want write 
state (same way EAP does).


So... it's almost certainly *easier* and more sanity-preserving from a 
development PoV to use threads ;o)

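The single-threaded TCP reader sketched in the message above, as an added example in Python (not FreeRADIUS code). The "4-byte length" is the RADIUS header (Code, Identifier, Length), of which the last two bytes are the Length field; the 20..4096 bounds are RFC 2865's; the select() loop, the read size and the decision to drop a connection on a bad Length are my choices, not the server's. Everything is fed from in-memory bytes, so it runs offline; the TLS memory-BIO part Phil mentions is not shown.

```python
"""RADIUS-over-TCP framing without a thread per connection (added example; not FreeRADIUS code).

RFC 6613 framing: packets are concatenated on the stream with no delimiter, so the reader
peeks at the 4-byte header, sanity-checks the Length field, and waits until that many bytes
have arrived before handing the packet on.
"""
import select
import struct

RADIUS_HEADER_LEN = 4
RADIUS_MIN_LEN = 20      # header + 16-byte Authenticator (RFC 2865 section 3)
RADIUS_MAX_LEN = 4096    # upper bound from RFC 2865 section 3


def make_packet(code, identifier, attributes=b"", authenticator=bytes(16)):
    """Serialise a RADIUS packet from already-encoded attribute bytes (helper for the demo)."""
    length = RADIUS_MIN_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


class RadiusTcpFramer:
    """Accumulates stream bytes and returns complete packets; one instance per connection."""

    def __init__(self, max_len=RADIUS_MAX_LEN):
        self.buf = bytearray()
        self.max_len = max_len

    def feed(self, data):
        self.buf += data
        packets = []
        while len(self.buf) >= RADIUS_HEADER_LEN:
            length = struct.unpack("!H", self.buf[2:4])[0]
            if not RADIUS_MIN_LEN <= length <= self.max_len:
                # A peer sending a nonsense Length is broken or hostile. There is no way to
                # resynchronise a byte stream, so the only safe recovery is to drop it.
                raise ValueError("bad RADIUS Length %d, closing connection" % length)
            if len(self.buf) < length:
                break                      # wait for the rest of this packet
            packets.append(bytes(self.buf[:length]))
            del self.buf[:length]
        return packets


def serve(listen_sock, handler, timeout=1.0):
    """select() loop over a listening TCP socket; handler(conn, packet) runs per packet."""
    framers = {}
    listen_sock.setblocking(False)
    while True:
        readable, _, _ = select.select([listen_sock, *framers], [], [], timeout)
        for s in readable:
            if s is listen_sock:
                conn, _ = listen_sock.accept()
                conn.setblocking(False)
                framers[conn] = RadiusTcpFramer()
                continue
            try:
                data = s.recv(65536)
                packets = framers[s].feed(data) if data else []
            except (ValueError, OSError):   # bad Length or socket error: drop the connection
                data, packets = b"", []
            if not data:
                del framers[s]
                s.close()
                continue
            for pkt in packets:
                handler(s, pkt)
```

The framer is what matters: feed() is called with whatever recv() returned, however the packets are split across reads, and only emits whole packets. Parsing and dispatch happen in handler() on the same thread, which is exactly the trade-off the message above describes.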


Re: Freeradius 3 and DHCP

2013-10-08 Thread Phil Mayers

On 08/10/13 17:01, Rok Kosir wrote:


authentication to mysql), when i run freeradius -X, i get Segmentation
Fault when it reaches the dhcp listener.


See doc/bugs.


Re: Changing User Profile after depletion of set Volume

2013-10-08 Thread Phil Mayers

On 08/10/13 17:40, Mulindwa wrote:

Dear pple,
I have looked for this and failed to get it, i have users with set
volume limits and they get knocked off once they hit the limit, however
; i want to have this taken to the next level, i.e once the limit is
hit, the user's profile be changed and they can only get to certain
website /URL/IPs  .

How can i achieve this?


1. See if your NAS supports these features - filter by URL/IP. If it 
doesn't, you can't do anything.


2. If the NAS supports the features, see how you can trigger them on a 
user or session. It's possible you can apply the filters with a CoA 
packet, in which case you could generate the CoA directly inside 
FreeRADIUS - see the examples that come with the server.


3. If you have to trigger the features some other way (poke via CLI, 
SNMP, HTTP/REST/SOAP API) then write a script to apply the filter to the 
session and use the FreeRADIUS exec module to trigger it.



Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread Phil Mayers

On 10/07/2013 08:40 AM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


if (Service-Type == NAS-Prompt-User) {
  if (NAS-IP-Address =~ /^172\.17\.107\./) {
   if (User-Name =~ /^wisms\-testing/) {
update control {
 Auth-Type := Accept
}


ouch do you realise how dangerous that is?  there
should be no need to send an access accept packet back
to these probes - a reject should suffice - and that would stop
an end user subverting your system by simply using
that UserName (if they are using wpa_supplicant they could
add that NAS-Prompt-User attribute)


Er... wpa_supplicant speaks EAP, and Service-Type is a RADIUS attribute.


Re: Freeradius issue : Active Directory Integration

2013-10-04 Thread Phil Mayers

On 10/04/2013 07:02 AM, Shameek Bhattacharya wrote:


Hello,
  I am facing an issue with MS-CHAP authentication on Ubuntu 13.04.
Also, NTLM authentication takes place when putting 'wait = no' in
/etc/freeradius/modules/ntlm_auth

ie
exec ntlm_auth {
 wait = no


wait = no is wrong here. You need to wait, to check the result of 
authentication.



Re: Password gets changed while proxying

2013-10-02 Thread Phil Mayers

On 02/10/13 17:14, JB wrote:

Hi!

We're proxying auth requests to another RADIUS service and encounter the 
following problem:
The password seems to get changed somewhere along the way.
In our case, a 9 character password arrives as 16 character garbage at the home 
server, which then -of course- rejects the access request.


You've got the shared secret wrong. This causes password decryption to fail.

If you were using Message-Authenticator (as you, and indeed everyone, 
should be) the entire packet would fail the MA check and be dropped; but 
since you're not, only the fields encrypted by the shared secret are 
affected.

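The two mechanisms in the reply above, as an added example (not from the thread, not FreeRADIUS code): RFC 2865 User-Password hiding, which is keyed on the shared secret and so turns a 9-character password into 16 bytes of garbage when the proxy and home server disagree on the secret, and the RFC 2869 Message-Authenticator, an HMAC-MD5 over the whole packet that a home server would reject outright in the same situation. The secrets, the fixed Request Authenticator and the attribute values are constructed for the demonstration.

```python
"""User-Password hiding and Message-Authenticator (added example, not from the thread).

Constructed values: GOOD_SECRET is what the home server has configured for the proxy,
WRONG_SECRET is what the proxy is actually using, AUTHENTICATOR is a fixed 16-byte
Request Authenticator so the run is reproducible (a real server uses random bytes).
"""
import hashlib
import hmac
import struct

GOOD_SECRET = b"testing123"
WRONG_SECRET = b"testing124"
AUTHENTICATOR = bytes(range(16))


def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password; the NUL padding is kept so a mismatch is visible."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out)


def build_access_request(identifier, authenticator, attrs, secret=None):
    """Minimal Access-Request; attrs is a list of (type, value). With a secret, a
    Message-Authenticator (type 80, RFC 2869 section 5.14) is appended and set to
    HMAC-MD5(secret, packet with that attribute's value zeroed)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", 80, 18) + b"\x00" * 16
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    if secret is not None:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC over the packet with the attribute zeroed and compare in
    constant time. Returns False when the attribute is absent: an unauthenticated
    packet cannot be 'verified', only trusted."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return False                                    # malformed attribute
        if attr_type == 80 and attr_len == 18:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[offset + 2:offset + 18])
        offset += attr_len
    return False


if __name__ == "__main__":
    hidden = hide_user_password(b"secret123", WRONG_SECRET, AUTHENTICATOR)       # proxy side
    print("home server decrypts:", reveal_user_password(hidden, GOOD_SECRET, AUTHENTICATOR))
    pkt = build_access_request(157, AUTHENTICATOR, [(1, b"jb"), (2, hidden)], WRONG_SECRET)
    print("Message-Authenticator ok at home server:",
          verify_message_authenticator(pkt, GOOD_SECRET))
```

Run it and the first line is 16 bytes of noise rather than "secret123": the keystream depends on the secret, so nothing in the hiding scheme detects a mismatch, the home server simply compares the wrong string against its database. The second line is False, which is why a home server that requires Message-Authenticator drops the packet instead of logging a failed login.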


Re: Password gets changed while proxying

2013-10-02 Thread Phil Mayers

On 02/10/13 17:30, JB wrote:

Yes, we double checked the secret.


Well, you missed something.

There is no other reasonable explanation for the behaviour you're 
seeing. In *theory* it could be broken MD5 libraries at one end, but 
that's so unlikely that the possibility can be discarded.


You have the shared secret wrong. Check again, using a new shared secret 
with unambiguous characters i.e. only letters and numbers. Once you've 
got it working with a simple secret, then change to a complex one.



Re: Proxy auth should supersede local auth

2013-09-24 Thread Phil Mayers

On 24/09/13 12:25, JB wrote:


At first glance, this seems to work but I wanted to know if there's a
better or more common way to achieve this. Or is this completely
stupid after all? (Why?)


Looks fine to me; you're conditionally executing the rest of your policy 
based on earlier results.



Re: message freeradius

2013-09-24 Thread Phil Mayers

On 24/09/13 17:58, María Teresa Mondragón Reyes wrote:


rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769,
id=157, length=285
Invalid packet code 4 sent to a proxy port from home server
192.168.4.224 port 32769 - ID 157 : IGNORED
Ready to process requests.


This should be clear. Someone is sending accounting packets to a 
non-accounting port.


Check your listen blocks, and either fix them, or fix the client to 
send to the right port.



Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/13 17:33, paul trader wrote:


am i doing something glaringly wrong, or just going plain crazy?


It's difficult to say, because the debug you sent has all the useful 
bits trimmed out - like the original packet, and the full module 
processing chain.


Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of 
username e.g. DOMAIN\user, so whatever database you're doing a lookup 
for the password or hash - SQL, LDAP, files - isn't matching. But that's 
a guess - post the full debug.



Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/2013 18:19, paul trader wrote:


hi phil - ok, here's the full debug for a successful request:

[files] users: Matched entry test at line 1


Versus


and here's the full output of a failed request:

[files] users: Matched entry DEFAULT at line 172


The two requests look very similar, but you've x.x.x.x'ed out some data 
(grr...). Whatever you've X'ed out, one request is matching on line 1 of 
the users file, one on line 172, so they're obviously different.


Carefully examine the two entries on line 1 and 172, determine what's 
different, examine the unredacted data in the packets, and correct it.



Re: PPTP and IPSEC/IKE1/2

2013-09-22 Thread Phil Mayers

On 22/09/2013 15:12, WorkingMan wrote:

I am wondering is it possible to configure one server using a single IP to
handle PPTP/IPSEC --- freeradius? Does it make sense (or possible) to create
a virtual servers against PPTP and IPSEC separately? I am just wondering
what's the best practice. I don't want to increase number of hardware so
things can be segregated either.


This is a pretty vague question.

Yes, it is possible to use a single server and single IP for both PPTP 
and IPSec RADIUS auth. It might or might not make sense to use a virtual 
server - it depends what you want to achieve.


Without a more specific question, I doubt you'll get a useful answer.


Re: free radius setup

2013-09-11 Thread Phil Mayers

On 11/09/13 12:05, stefan.pae...@diamond.ac.uk wrote:

The alternative is getting your users to install something like
SecureW2 (which I believe requires a license now), and using
EAP-TTLS- PAP which submits the users password in plaintext, or I
believe more recent flavours of Windows support EAP-TTLS too.


If I remember correctly, when using EAP-TTLS-PAP, the top-level
default_eap_type should be ttls, and then the default_eap_type in
the TTLS section should be gtc (which uses PAP by default).

AFAIK (and please correct me if I'm wrong), you cannot set the TTLS
default_eap_type setting to PAP.


That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just 
PAP. So default_eap_type is irrelevant.


You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel 
- by populating a cleartext or hashed password and calling the pap 
module in the authorize/authenticate section, or other more specialised 
configs.


EAP-TTLS/EAP-GTC is a different thing.


Re: [ANN] Version 3.0.0-rc1

2013-09-09 Thread Phil Mayers

On 09/09/13 14:04, Stefan Winter wrote:

Hi,


mv raddb raddb-noinst
mkdir raddb
touch raddb/all.mk
make install


do 'mkdir raddb/mods-config'

you've 'messed around' with the configuration directory which assumes
that mods-config exists... i guess that could be fixed to make dir
directory first if it doesnt exist.


The idea is that make install is not supposed to touch my production
config in any way. I don't want it to generously add directories without
me knowing.


I would tend to agree. Really, anything that touches raddb should only 
run if the top-level raddb directory doesn't exist or is completely empty.



Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Phil Mayers

On 29/08/13 13:21, Axel Thimm wrote:


The reason I'm not simply applying the patch is that this system is
covered by support by Red Hat and replacing the vendor shipped
freeradius (2.1.12) with a self-compiled one voids the support. So any
other solution that would allow me to keep the system under support
and still be able to check the certs Subject/CN would be great!


Ask RedHat? Since it's supported...

Otherwise, you could look at the verify { } stanza of the tls { } 
block in eap.conf; this allows you to run an external script once you've 
got the client cert, and there you can write any code you want to access 
the various issuer/subject fields.



Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Phil Mayers

On 29/08/13 14:25, Axel Thimm wrote:

On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:

Otherwise, you could look at the verify { } stanza of the tls {
} block in eap.conf; this allows you to run an external script once
you've got the client cert, and there you can write any code you
want to access the various issuer/subject fields.


Thanks, I'm already using it for other purposes. But do I have the
request data at hand to check for the requested SSID?


It's run using the standard exec helper, so it has access to all the 
stuff that a normal exec module has; specifically there should be 
environment variables matching each request attribute, mangled into 
upper-case + underscores.


e.g.

Calling-Station-Id

...should appear as:

CALLING_STATION_ID

Suggest you try it and see.



Or is there a way to set variables in this script to check later in
the authorize section's modules (with an exec script)?


No. The output of the verify script is thrown away, so in that respect 
it's not like a normal exec. It's a binary yes/no.


Obviously you could work around this; you could set a request variable 
to a unique value e.g. timestamp+random, have your verify{} script use 
that as the basis of a filename to dump the info to, then read it with 
*another* exec module lower down.


Or you could abandon the prejudice against upgrading because it's 
supported (support you're not taking advantage of, I might add, since 
you're asking here) and upgrade to 2.2.0 which, IIRC, has those patches in.



Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 14:35, Robert Roll wrote:

  I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.

  I'm getting an EAP error response from the other server about it not liking
the id number:

   Supplicant sent unmatched EAP response packet identifier

  (This is an EAP-PEAP-MSCHAPv2 scenario.)

  The EAP.conf file is configured with:

proxy_tunneled_request_as_eap = yes

I've included a TCP dump of the main freeradius server below


But not a debug gathered with radiusd -X which is the only thing 
anyone ever wants to see.



Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Phil Mayers

On 29/08/13 15:09, Matthew Newton wrote:

On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:

Or you could abandon the prejudice against upgrading because it's
supported (support you're not taking advantage of, I might add,
since you're asking here) and upgrade to 2.2.0 which, IIRC, has
those patches in.


I don't think it's in 2.2.0 - it is in 2.x HEAD, though, so should
be in 2.2.1.


Ah, my mistake.


Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Phil Mayers

On 29/08/13 15:49, stefan.pae...@diamond.ac.uk wrote:


That said, I commiserate with the original poster that yes, when the
policy is that you're only allowed to use vendor packages, you're
limited in what you can and cannot do.


Failing to direct these queries towards your paid support option creates 
moral hazard, as it generates a positive externality for the paid vendor 
(they get to charge you for the easy stuff, but don't pay the cost for 
their unwillingness to forward-port features).


You ABSOLUTELY should be opening tickets with your paid vendor every 
time something like this comes up. Not maybe.



Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 15:56, Robert Roll wrote:


  I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier... maybe not? Is there a different EAP response identifier?


Yes, in the EAP-Message attribute (EAP packet)


  I actually have been running with debug radius -X. Obviously a lot longer
output than just the TCP dump. That is why I first tried just the TCP dump.
I guess I was also hoping somebody might have just had a thought about a
common configuration issue...


TBH proxying EAP inner is not common at all; there have been bugs in 
that area in the past.


Re-reading I notice that you're running 2.10 - upgrade. I'm pretty 
certain that version has inner-eap proxy bugs. Go to 2.2.0.



Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 17:01, Robert Roll wrote:

Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy..


The problem here is pretty straightforward, but not obvious from the 
debugs since FR is just proxying.


Basically, the client sends the inner EAP-identity, and the proxy server 
responds with an EAP-TLS start i.e. you would be doing EAP-TLS inside 
PEAP, if this worked:


rad_recv: Access-Challenge packet from host 155.97.185.76 port 1812, 
id=216, length=128

State = ...
Proxy-State = 0x313231
EAP-Message = 0x010900060d20

0x0d == 13 == EAP-TLS. This is encrypted and sent down the tunnel. The 
client then sends an EAP-NAK, listing 26 as the only supported EAP type 
(which is weird - is it a Windows machines set to some odd combo like 
cryptobinding enabled?):


[peap] Got tunneled request
EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

...which the proxy server then rejects:

rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71, 
length=49

Proxy-State = 0x313232
EAP-Message = 0x04090004

So the solution is simple - if you're going to proxy the inner auth, 
ensure the client inner auth method and upstream proxy auth method are 
mutually compatible.



Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 18:16, Alan DeKok wrote:

Phil Mayers wrote:

[peap] Got tunneled request
 EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)


   That's EAP-MSCHAP-v2.


Doh, yes, brain fade. TBH this page could be clearer:

http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml

;o)
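The hand-decoding of EAP-Message values in the two messages above (the EAP-TLS Start, the Nak asking for type 26, and the Failure), as an added example in Python that is not part of the thread or of FreeRADIUS. It parses the hex values exactly as they appear in radiusd -X attribute dumps, names the codes and types per the IANA EAP registry (26 is EAP-MSCHAPv2, as corrected above), and reports the offered/desired mismatch between a server Request and a client Nak. The only assumption is the small type table; anything not in it is reported as a bare number.

```python
"""Decoder for EAP-Message attribute values as printed by radiusd -X (added example; not
part of the thread or of FreeRADIUS). Type names follow the IANA EAP registry."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST"}
TLS_FLAGS = {0x80: "L", 0x40: "M", 0x20: "S"}   # Length-included, More, Start (RFC 5216)


def eap_message_from_debug(text):
    """Join every 'EAP-Message = 0x...' value in an attribute dump: an EAP packet longer
    than 253 bytes is carried in several consecutive EAP-Message attributes."""
    chunks = re.findall(r"EAP-Message\s*=\s*0x([0-9A-Fa-f]+)", text)
    return b"".join(bytes.fromhex(c) for c in chunks)


def decode_eap(pkt):
    """Parse one EAP packet (RFC 3748 section 4) into a dict of readable fields."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # Success / Failure: header only
        return out
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = pkt[4], pkt[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 3:                        # legacy Nak: list of types the peer will accept
        out["desired"] = [EAP_TYPES.get(b, b) for b in data]
    elif eap_type in (13, 21, 25) and data:  # TLS-based methods: flags byte comes first
        out["flags"] = [name for bit, name in TLS_FLAGS.items() if data[0] & bit]
    elif eap_type == 1:
        out["identity"] = data.decode("utf-8", "replace")
    return out


def negotiation_mismatch(server_request, client_response):
    """If the client Nak'd the server's Request with the same Identifier, return
    (offered type, desired types); otherwise None."""
    req, resp = decode_eap(server_request), decode_eap(client_response)
    if resp.get("type") == "Nak" and req.get("id") == resp.get("id"):
        return req.get("type"), resp["desired"]
    return None


if __name__ == "__main__":
    for h in ("010900060d20", "02090006031a", "04090004"):
        print(h, decode_eap(bytes.fromhex(h)))
    print(negotiation_mismatch(bytes.fromhex("010900060d20"), bytes.fromhex("02090006031a")))
```

Paste the attribute lines of an Access-Challenge into eap_message_from_debug() rather than a single EAP-Message value: once the TLS handshake starts, the server certificate alone spans several EAP-Message attributes and a single one will fail the Length check.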


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 18:16, Alan DeKok wrote:


   i.e. set proxy_tunneled_request_as_eap = no


Although IIRC that *definitely* had issues in 2.1.10, right?


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:11, Arran Cudbard-Bell wrote:


On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:


On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?


Apparently not; you can apparently run EAP-TLS inside PEAP, which is a 
new one on me.


For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack 
works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:46, Arran Cudbard-Bell wrote:


OK. Just wondering if you could really get it down to a single
lookup, IIRC you needed the 'known good' NT-Password data for a
couple of rounds of MSCHAPv2?


Nope, just one. The MSCHAP challenge & response arrive at you, you
validate them and in turn generate the response2.

You might be thinking of the first pass in EAP-MSCHAP, where the client 
sends EAP-identity and the server sends EAP-MSCHAP challenge, but that's 
stateless - just a random number. Likewise, the 3rd pass MSCHAP 
success/fail packet is stateless.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 16:00, Martin Kraus wrote:


I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)


Yeah, that's an annoyance of the configurable failover stuff.


However this really isn't foolproof. I think the identifier is first set by
NAS as it sends eap request for identity so if that starts at something weird
then this will be totally off. I don't know if any rfc requires the identifier
to start at 0.


It doesn't, and you will see cases where this doesn't happen, so I'm 
afraid it's not totally robust.


If you were to upgrade, you could do this all a lot more cleanly; the 
TLS virtual server solves the problem.



Re: Troubleshooting PostgreSQL Integration

2013-08-26 Thread Phil Mayers

On 08/26/2013 12:10 AM, mdeche...@comcast.net wrote:

Dear Users --

This is my first posting to the FreeRADIUS users list, so please be patient :)


You're already doing pretty well - you actually posted a full debug, 
which hardly anyone does first time!



Ok, so for the SQL case the server startup shows:


authorize_check_query = 
authorize_group_check_query = 
authorize_group_reply_query = 



...which then causes this:


rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  -
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail


i.e. because authorize_check_query is blank, the SQL module fails.



I can see from the debug output that it's complaining about the user being 
invalid.


Sort of; that's the server core talking, based in the SQL module 
returning. The actual error is a few lines higher up (see above).




authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
   FROM ${authcheck_table} \
   WHERE Username = '%{SQL-User-Name}' \
   ORDER BY id

[info on case & ordering of fields]


This isn't actually significant in SQL; it's case-insensitive to 
table/column names unless you double-quote them, and ordering is as-per 
the query, not table def. But it's not the cause of your issue.



What else is left to provide as far as details?


Nothing, you've been very comprehensive. The actual problem seems to be 
that sql/postgres/dialup.conf isn't being read. The 2.x series 
sql.conf basically looks like this:


sql {
  database = blah
  driver = rlm_sql_${blah}
  ...
  $INCLUDE sql/${database}/dialup.conf
}

Check that this $INCLUDE hasn't vanished or gotten lost; if you look 
right at the top of the server startup, it reads all the config, 
including all the $INCLUDE lines, and you can see it loads sql.conf, then 
policy.conf - there's no message saying it's including dialup.conf.


So, in short, the SQL queries aren't being read from your config file - 
check the raddb/sql.conf file, and compare it to the original, or the 
one for reference here:


https://github.com/FreeRADIUS/freeradius-server/blob/release_2_1_12/raddb/sql.conf

Finally, and not related to your issue - consider upgrading to 2.2.0 as 
2.1.12 has security issues and bugs which are fixed.



Re: Groups in active directory and checks in MySQL

2013-08-26 Thread Phil Mayers

On 08/26/2013 09:04 AM, Atomikramp wrote:


but it's not giving the same result, the check against sql is ignored
and the user is authed successfully.


Because:


[sql] User sogo1 not found
++[sql] returns notfound





Re: EAP-SIM Module Failed to Load

2013-08-26 Thread Phil Mayers

On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:

On 25.08.2013 15:03, ken.farrington wrote:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim


rlm_eap_sim is compiled in.


/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory


rlm_sim_files is not compiled in.


Oops yes sorry. rlm_sim_files, not rlm_eap_sim



In fact you do not need rlm_eap_files. All can be done using rlm_files
module.


I'll defer to you on that ;o)


Re: EAP-SIM Module Failed to Load

2013-08-25 Thread Phil Mayers

On 25/08/2013 12:03, ken.farrington wrote:


/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory


Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or 
it wasn't installed. I can't remember if you need to build with 
--experimental-modules or whatever the ./configure option is called.


Also, upgrade to 2.2.0


Re: Escaping regex + character

2013-08-23 Thread Phil Mayers

On 08/23/2013 09:35 AM, Arran Cudbard-Bell wrote:


Or if you shift that hyphen one to the right, it'll probably work OK too :)


Usually first in the range works:

[-.a-z0-9]

IIRC + doesn't need to be escaped inside a range, same as .


Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Phil Mayers
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
 well looking at man wpa_supplicant I can see
 
 EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.

Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice 
to see ms honouring their own specs ;o) Or maybe they updated it since I last 
read it.
-- 
Sent from my phone with, please excuse brevity and typos


Re: ntlm_auth not respected

2013-08-22 Thread Phil Mayers

On 21/08/13 23:44, Chris Parker wrote:

Okay, pardon my confusion then. I had been following a howto online
and it reported that the command when run manually will produce the
key.

Either way, I'm still having a failure in MSCHAP with radtest that
I'm not quite grasping.


Well, as I explained in my other email, mschap == challenge/response, 
modules/ntlm_auth != challenge/response.


To reiterate, modules/ntlm_auth is almost certainly not what you want, 
and is not intended to be used as-is. I would unconfigure it and 
concentrate on getting modules/mschap working.



Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Phil Mayers

On 22/08/13 10:54, Alan Buxey wrote:

TLS in PEAP.  Yes I've seen it. And EAP-MSCHAPV2 in PEAP


PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no 
bare MSCHAP variant, because there's no spec for how to derive the 
MSCHAP challenge from the TLS master secret.


The EAP methods are all a pile of crap; it's truly disappointing how 
many hoops you have to jump through just because Microsoft gifted us a 
crappy EAP method, and everyone else slavishly implemented it.


Microsoft could solve a lot of problems right now by providing an API to 
execute EAP-PWD with the NT-hash variant of the secret against an AD 
controller. Instead, we're all flailing around with the very best of 
early 90s crypto protecting our wireless :o(



Re: ntlm_auth not respected

2013-08-22 Thread Phil Mayers

On 22/08/13 15:14, Chris Parker wrote:


Exec-Program output: Reading winbind reply failed! (0xc001)


Check the permissions on the winbind socket directory, specifically that 
the freeradius daemon user can access it; this is usually at:


/var/cache/samba/winbindd_privileged

or
/var/lib/samba/winbindd_privileged



Re: rlm_perl issue

2013-08-22 Thread Phil Mayers

On 22/08/13 16:46, Dean, Barry wrote:


Anyone want to throw in 2 cents/pennies worth to this?


Yep, don't do it like this.

Instead, write the user/ip entries to a file using the linelog module, 
and use a long-running perl process to tail the file (using File::Tail) 
and post them to the PAN. This will likely be more performant and avoid 
the hassles of a random module interfering with FreeRADIUS.


You probably want to write a timestamp to the file, and have the 
long-running process ignore lines X old, in case it lags behind e.g. 
because it hangs, gets shutdown and restarted much later, etc.

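A sketch of the consumer described in the reply above, as an added example that is not code from the thread (and in Python rather than the Perl/File::Tail the reply mentions, since the list also discusses rlm_python). It assumes the linelog instance writes one line per request as "<epoch> <user> <ip>" (for instance with the 2.x `%l` xlat first in the format string), and that `post` is the caller's own function for sending a mapping to the PAN; the sample lines are constructed:

```python
import os
import time
from collections import namedtuple

# Line layout assumed for the linelog instance (constructed for this example):
#   "<unix timestamp> <username> <framed ip>"
Entry = namedtuple("Entry", "ts user ip")


def parse_line(line):
    """Return an Entry for a well-formed line, None for anything else."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return Entry(int(parts[0]), parts[1], parts[2])
    except ValueError:
        return None


def fresh_entries(lines, now, max_age):
    """Keep only entries at most max_age seconds old. Stale and malformed lines
    are dropped, so a consumer that was stopped for an hour does not replay an
    hour of user/IP mappings when it comes back."""
    kept = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and now - entry.ts <= max_age:
            kept.append(entry)
    return kept


def follow(path, poll=1.0):
    """Minimal File::Tail equivalent: start at EOF and yield lines as they are
    appended. Unlike File::Tail it does not notice log rotation."""
    with open(path) as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            yield line.rstrip("\n")


def run(path, post, max_age=300):
    """Long-running loop: tail the linelog file and hand fresh entries to post()."""
    for line in follow(path):
        for entry in fresh_entries([line], time.time(), max_age):
            post(entry)


if __name__ == "__main__":
    # Constructed sample: two current lines, one far too old, one garbage line.
    sample = ["900 alice 10.0.0.5", "100 bob 10.0.0.6",
              "not a valid line", "1000 carol 10.0.0.7"]
    for e in fresh_entries(sample, now=1000, max_age=300):
        print("would post", e.user, e.ip)
```

Keeping the staleness check in a pure function (`fresh_entries`) is what makes it testable; the tail loop only feeds it one line at a time.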


Re: ntlm_auth not respected

2013-08-21 Thread Phil Mayers

On 08/21/2013 05:11 AM, Chris Parker wrote:


Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} -> --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok


You're running ntlm_auth in the authorize section, and then:


[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user


...nothing in the authenticate section.

You either want:

authorize {
  ...
  ntlm_auth
  if (ok) {
update control {
  Auth-Type := Accept
}
  }
  ...
}

...or:

authorize {
  ...
  # don't run ntlm_auth here, and right at the bottom
  if (User-Password) {
# PAP request, tell ntlm_auth to run in authenticate
update control {
  Auth-Type = ntlm_auth
}
  }
}
authenticate {
  Auth-Type ntlm_auth {
ntlm_auth
  }
}

HOWEVER - you should note that the (EXTREMELY unfortunately named) 
ntlm_auth module instance is usually not what you want for wireless. 
Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting 
up the ntlm_auth configuration *item* of the mschap module.


Read the extensive docs, wiki, and walkthrough on deployingradius.com 
for more info.



Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.


Re: rlm_python

2013-08-21 Thread Phil Mayers

On 08/20/2013 02:27 PM, stefan.pae...@diamond.ac.uk wrote:

Hello all,

I'm currently attempting to use rlm_python to query LDAP (with
python-ldap) and then return an XML string in a VSA
(SAML-AAA-Assertion). However, when I try to load it, I get the
dreaded undefined symbol: PyExc_SystemError error. This is on
Ubuntu 12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was


Well... as Alan says, upgrade. Particularly if you know.

However - embedding python is a pain in the arse. Various versions have 
issues with the module.so not linking to libpython.so, and not pulling 
in all the symbols it should. See:


http://bugs.python.org/issue4434

...and try not to despair at the (ahem) confusion of the python dev, and 
the various mouth-breathers who suggest static linking :o(


Try ldd blah/_ldap.so and see if it links to libpython.so. If not, 
that's your problem, and there isn't much you can do about it because 
python is broken on your system.


The OP in the bug above seems to think it's fixed for him in Python 2.5, 
but TBH I suspect distro-specific build-time options, rather than any 
change to the python runtime.




built on the local machine for the newest version (although the
existing version in the Ubuntu repository has the same problem).

Freeradius_samlldap exists in the correct path for Python eggs, and


Just to point out that this is of course not the issue. It's one of the 
modules that this tries to pull in.



Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-21 Thread Phil Mayers

On 21/08/2013 12:17, Martin Kraus wrote:

Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer


Is this really what you mean? TTLS outer and TLS inner, versus PEAP 
outer and TLS inner?


Because the latter is unlikely to work; it's not a supported combo per 
the PEAP spec.



TLS tunnel is established:

WARNING: !!
WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

and then later on

rlm_eap: No EAP session matching the State variable.
[inner-eap] Either EAP-request timed out OR EAP-response to an unknown 
EAP-request



Post a full debug, gathered with radiusd -X, of a failing attempt.



Re: ntlm_auth not respected

2013-08-21 Thread Phil Mayers

On 21/08/2013 19:28, Chris Parker wrote:


So I doubt this issue is with FR, but more of that Samba is being
cranky. I can never get ntlm_auth to give me that NT key, which I
feel if I could resolve that, I could continue with FR.


No. NT_KEY is only generated by mschap, not by username/password auth. 
See my other email.



Re: ntlm_auth not respected

2013-08-21 Thread Phil Mayers

On 21/08/2013 13:55, Chris Parker wrote:

Thank you Phil! That resolved my first steps, and I figured there was
something like that. I have poured over deployingfreeradius.com, but
for the life of me I could not find anything of assistance for my set
up.


Yeah... to be honest, I think I've just confused matters.


I have enabled the ntlm_auth line in modules/mschap but no password
is sent to ntlm_auth to be checked. So the fact that it's failing
makes sense, since there's no password being read in and thus it
fails authorize. So this is just escaping me on how to get the
password into ntlm_auth via MSCHAP. On top of that, when my access
point succeeds against the users file, I suspect it's doing EAP but
the logs never say I have detected EAP, setting EAP


I see a lot of confusion in that paragraph.

In brief: RADIUS supports multiple authentication algorithms, and the 
client chooses the algorithm.


modules/ntlm_auth can only handle PAP, which sends a username & password.

modules/mschap can handle MSCHAP, which sends a challenge/response 
based on the password


eap handles EAP, and then calls other modules to handle what runs 
inside the EAP tunnel.


You're getting confused because you seem to be trying to configure 
modules/ntlm_auth to handle MSCHAP, which won't work. MSCHAP doesn't 
send the password to the server; just a one-time function of it.


My advice - go back to the default configs, and ignore 
modules/ntlm_auth. It's not really intended for use as-is; it's a 
sample config for people to build on if they have advanced knowledge of 
the server.


Re-read the stuff on deployingradius.com - if you're trying to do 
WPA-Enterprise (aka 802.1x) then it is definitive. If you're trying to 
do something else, describe what, and show a *full* debug of a client 
trying and failing.



Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters

2013-08-18 Thread Phil Mayers
Matthias Nagel matthias.h.na...@gmail.com wrote:
Hello,

if a do a smbencrypt ä then the output for the NT hash is
B5CF5E386433C7CB69E43ED774717792 but the correct hash would be
3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It
is a small a with two dots, unicode code point 00E4.) Similar results
hold for other umlauts, too.

My Freeradius version is 2.2.0 running on Linux 3.8.13 with system
locale set to en_US.utf8.

I wrote my own utility to calculate NT hashes to fill the Radius
database. While I compared the results of my own utility with those
from smbencrypt, I found these discrepancies. In order to check which
result was the correct one, I took a Windows computer, added a dummy
user to it and set the passwords in concern. Then I extracted the NT
hashes from the SAM database.

One note of caution: If you take a web site like
http://www.onlinehashcrack.com/hash-calculator.php, do not trust it. If
it comes to non-ASCII letters the output is false, too.

Matthias


Almost certainly. NT hashes are the 16-bit encoding, and smbencrypt likely 
treats each byte in the utf8 encoding as an ASCII char and pads it to 16 bits.

I made some effort to handle this in the mschap password change code, but 
really the server should probably pull in libiconv for the few places this is 
needed (such as calculating correct nt hashes). Probably a fairly trivial patch 
if you feel like it ;o)
-- 
Sent from my phone with, please excuse brevity and typos
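The encoding point in the reply above is easy to check. The following is an added example, not code from the thread, from smbencrypt or from FreeRADIUS: `nt_hash` does what Windows does (MD4 over the UTF-16LE encoding of the password), and `naive_nt_hash` reproduces the behaviour the reply suspects smbencrypt of (each UTF-8 byte treated as one ASCII character and zero-padded to 16 bits). MD4 is written out in pure Python because OpenSSL 3 only exposes it through the legacy provider, so `hashlib.new("md4")` is often unavailable. The expected values for "" and "password" are standard test vectors; the value for "ä" is the one Matthias reports from the Windows SAM. Whether `naive_nt_hash("ä")` reproduces the B5CF5E38... output he saw from smbencrypt is exactly the hypothesis under discussion, so the code does not assume it:

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320), so the example runs without OpenSSL's legacy provider."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)            # length in bits, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = tuple((i % 4) * 4 + i // 4 for i in range(16))       # 0,4,8,12,1,5,...
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                      # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32,
                      (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: G = majority(b, c, d)
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[order2[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[order3[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash as Windows computes it: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def naive_nt_hash(password):
    """The suspected smbencrypt behaviour: every UTF-8 byte is treated as an ASCII
    character and zero-padded to 16 bits. Identical to nt_hash() for pure-ASCII
    passwords, different as soon as a non-ASCII character appears."""
    widened = b"".join(bytes((byte, 0)) for byte in password.encode("utf-8"))
    return md4(widened).hex().upper()


if __name__ == "__main__":
    for pw in ("password", "\u00e4"):
        print(repr(pw), "correct:", nt_hash(pw), "byte-padded:", naive_nt_hash(pw))
```

The practical consequence for anyone populating a RADIUS user database with NT-Password values is the one the original poster hit: hashes generated by a tool that does not go through UTF-16LE will silently fail MS-CHAP for every user whose password contains a non-ASCII character.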

Re: Policy to split domain and host

2013-08-16 Thread Phil Mayers

On 08/16/2013 08:24 AM, nicolas@ricoh-industrie.fr wrote:

Hi list,

I'm searching the best way to configure a policy to split the domain
and the prefix ' /host' when it is a computer connection.


You probably don't want to do this.

Instead, you probably want to use the expansion:

%{mschap:User-Name}

...which correctly transforms:

host/name.domain.com

...to:

name$

...which is the correct form of the samaccountname for an AD computer 
account, which is I assume what you're dealing with.



Re: How to accept RADIUS traffic on multiple interfaces?

2013-08-15 Thread Phil Mayers

On 08/14/2013 09:25 PM, McNutt, Justin M. wrote:

One other thing with multiple interfaces:  RHEL 6 comes with some
anti-spoofing features in the kernel enabled by default.  I'm afraid


As I noted elsewhere in the thread, the terms to google for this are 
martians and rp filter, and you are correct this is a behaviour 
change in RHEL6, which has caught us a couple of times.



Re: FreeRADIUS basic setup for PEAP using example certificates

2013-08-15 Thread Phil Mayers

On 15/08/13 14:30, Darlington, Andrew wrote:


Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module files
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load module files.
/etc/freeradius/sites-enabled/inner-tunnel[47]: Errors parsing authorize 
section.


I thought I was running it as root (root@hd), and I also used sudo just to be 
sure (not too confident on Ubuntu's root system).
Let me know if that's not the case.


main {
user = freerad
group = freerad

Ensure user/group freerad has permissions on /etc/freeradius/acct_users


Re: How to accept RADIUS traffic on multiple interfaces?

2013-08-14 Thread Phil Mayers

On 14/08/13 15:07, Kurt Hillig wrote:


But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 -
tcpdump shows it coming in, but radiusd -X shows no indication of
this traffic (but is reporting all of the traffic on eth0).


If radiusd -X isn't reporting *anything*, then it's not reaching 
FreeRADIUS, which means some part of the network stack is dropping it.


If you're sure your iptables are correct, google linux log martians 
and linux rp filter. RHEL6 has different defaults to previous RHEL 
versions in this regard.



Re: Apple devices can´t authenticate

2013-08-14 Thread Phil Mayers

On 14/08/13 15:55, Roberto Carna wrote:

I tried with Android device and it use CHAP authentication as Apple devices.


Ok, there is some confusion here.

You are using a captive portal, so it's actually your captive portal 
web-based login that is doing CHAP - the Apple/Android devices are just 
doing HTTP forms-based login.


If Apple devices aren't working, it's a problem with the captive portal. 
Captive portals are just web pages from the client point of view.



Re: VLAN assignment to HP Switch with 802.1x client

2013-08-08 Thread Phil Mayers

On 08/08/13 11:07, Shaw, Colin M. wrote:


difference. Lastly, for testing purposes, if I insert the required
attributes into the default post-auth then it all works and the wired
client is assigned the correct vlan, so again the switch side must be ok
and I also therefore presume all the dictionary entries are there as
required. But I shouldn’t need (or want) to do this.


Yes you should. You should always aim to set these attributes in 
post-auth; otherwise you'll see what you are seeing, the attributes 
getting set in access-challenge. This is a function of how EAP is 
processed by the server.



It’s as though the attributes are being removed or ignored somewhere in
the PEAP/inner-tunnel process (but that’s just a guess).

What am I just not getting here? I’m sure it must be something simple
but I can’t see it.


Without a full debug, it's not obvious what you need to change, because 
it's not obvious what you are doing. But it *might* be that you've 
missed use_tunneled_reply in the peap {} section.




Hopefully this sort of thing has been done enough times that someone out
there has fallen into whatever trap I currently find myself in and can
point me in the right direction I need to be looking. But if not, I can
of course supply the output of radiusd –X and the switch debug if it’s
going to help any.


Yes, it will.


Re: VLAN assignment to HP Switch with 802.1x client

2013-08-08 Thread Phil Mayers

On 08/08/13 16:16, Shaw, Colin M. wrote:

Thanks for the reply Phil.


difference. Lastly, for testing purposes, if I insert the required
attributes into the default post-auth then it all works and the wired
client is assigned the correct vlan, so again the switch side must be
ok and I also therefore presume all the dictionary entries are there
as required. But I shouldn't need (or want) to do this.


Yes you should. You should always aim to set these attributes in post-auth;
otherwise you'll see what you are seeing, the attributes getting set in access-
challenge. This is a function of how EAP is processed by the server.


Ok, but the attribute values are going to be different for different clients (as 
matched & specified in the users file). Can I deal with that in post-auth?


Sure. Exactly how is a very open question - it depends. However, 
that's not *exactly* your problem - see below.




Ok. Below is an example of the output from the switch debug and radiusd -x (


The *specific* reason this isn't working for you is that you have a 
config like this (and I'll grant you - this is not obvious unless you 
know what to look for):


authorize {
  ...
  eap {
ok = return
  }
  files
  ...
}

...and because EAP returns ok on every pass other than the first, your 
files module isn't getting called in the final pass, so the attributes 
are absent from the Access-Accept.


First packet:

[eap] EAP packet type response id 1 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 20
++[files] returns ok
++[expiration] returns noop

...and all other packets:

[eap] EAP packet type response id 2 length 137
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

The ok = return bit of EAP is designed to let people avoid running 
costly modules, like SQL and LDAP, on every pass through the server 
during EAP session setup, but it's catching you out here.


You could move files above eap but IMO it's better (cleaner, more 
obvious) to run this in post-auth like so:


authorize {
  ...
  eap {
ok = return
  }
  ...
}
post-auth {
  ...
  files
  ...
}

Note that you'll need to set the postauth_usersfile on your files 
instance. Alternatively, you can cheat and call the authorize section 
of the module:


post-auth {
  ...
  files.authorize
  ...
}

...which is a handy trick for things like SQL and LDAP.

I should add that you're also setting these attributes in the outer 
tunnel, so your setting of use_tunneled_reply is not relevant. 
However, people typically set these in the inner tunnel virtual server. 
The reason is that the outer tunnel may see an empty/anonymous username 
(if your config allows that, which is good practice for privacy). The 
inner tunnel OTOH has the real auth username.



Re: pptpd mschap auth fails

2013-08-06 Thread Phil Mayers

On 06/08/13 16:04, Horatiu Nimigean wrote:

i have pptpd on a centos 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
the user in ldap has a samba extension and a configured password (i used
ldap account manager to set it up) it also has a sambaNTPassword field
and it's populated.
rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64

the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.


If you are *really* sure of this (have you created a test user with a 
simple password?), then it might be the PAP module helpfully fiddling 
with the password:



[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding


Try commenting out pap, since you're not using it


Re: Limit internet bandwidth but not local

2013-08-05 Thread Phil Mayers

On 05/08/13 16:34, Fabrizio wrote:

Hi to all,
i'm using FreeRADIUS Version 2.1.10 with rp-pppoe-3.11 as NAS.

I would like to configure this system to be able to limit the user
internet bandwidth ( this is possible by WISPr-Bandwidth-Max-Down and
WISPr-Bandwidth-Max-Up attributes ) but at the same time allow local
user's traffic (i.e. to my smtp or ftp server) to be guaranteed at
maximum speed. How can i do this?


Read the docs for your NAS. Find out if it has this feature. If it does, 
send the required attributes. If it doesn't, you can't do it.



Re: Accounting packets not received

2013-08-01 Thread Phil Mayers

On 08/01/2013 08:51 AM, Gab Quidilla wrote:

Good day,

We have several branches configured for RADIUS. We are using freeradius
2.1.12 from CentOS 6.4 repo, plus daloradius 0.9.9, and MySQL. The
problem is that accounting packets are not received here in our head
office when accessing other branches' switches. When we access our own
switches, everything is logged into the db.

Branches connection is Head office -> firewall -> point-to-point to retail
-> retail -> isp -> branch

Firewall connection to branches is allow-all, so this is the confusing part


Are you sure the NAS is sending accounting packets?



Requests are logged in freeradius log file, but it is incomplete and
what we would like to accomplish is accounting packets to be recorded


If the accounting packets don't reach FreeRADIUS, then FreeRADIUS can't 
do anything with them. Check the NAS is actually sending accounting 
packets. If it is, tcpdump on the server to see if it arrives.



Re: Accounting packets not received

2013-08-01 Thread Phil Mayers

On 08/01/2013 09:35 AM, Gab Quidilla wrote:


office, it would not pass through the firewall. Accessing the branches
passes through the firewall, but the fw WAN link is configured for
accepting all packets


Yeah... sorry, but we hear that a lot on this mailing list, and quite 
often the firewall was not, in fact, configured to permit all




Authentication and authorization works fine, but accounting packets are
not received. Is there any setting in the config files that I should
check/modify?


Like I said, use tcpdump to *confirm* the accounting packets are 
actually arriving at the server before focussing on the server.


As for settings to check - you said the shared secrets are different, so 
check and double-check those, and that the correct client statements 
are matching.



Re: Accounting packets not received

2013-08-01 Thread Phil Mayers

On 01/08/13 10:02, Gab Quidilla wrote:

Hi,

I ran radsniff. I had someone at our branch login to the switches, and
still no accounting packets, while when I log into our switches, the
accounting packet is received. This is somewhat network-related yes?


Entirely. If the accounting packets don't arrive, then they're either 
not getting sent, or getting dropped.



Re: FreeRadius + MySql + Crypt-Password unable to authenticate

2013-07-29 Thread Phil Mayers

On 29/07/13 12:55, Marcel Kraan wrote:

Yes i want to use PAP (?) but where do i change that?
into my Wifi router ? or in the Freeradius config?


On the client.


Re: Realm attribute population

2013-07-25 Thread Phil Mayers

On 25/07/13 10:43, stefan.pae...@diamond.ac.uk wrote:

Alan,

https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that after v2.1.9, 
%{Realm} would contain DEFAULT, not whatever the realm extracted from 
User-Name was, when used in logging... Hence my question.

Of course, if this is no longer an issue, then I'll happily amend our instructions to 
leave the DEFAULT realm as-is. Also, when I wrote DEFAULT {}, it was a 
shortening (for the sake of brevity) of:

realm DEFAULT {
authhost = blah
etc etc etc
}

I was just trying to save some lines and extraneous text here.


IMHO you're much better off avoiding the realm module, and handling 
the processing yourself in unlang, particularly if you're doing an 
eduroam or other federation. This lets Realm and Proxy-To-Realm be 
different values, and for extended checking to be done on the realm value.


We do something like this:

authorize {
  if (User-Name =~ /^(.*)@(.+)$/) {
    update request {
      Stripped-User-Name := "%{1}"
      Realm := "%{toupper:%{2}}"
    }
    if ((Realm == "MY.REALM1") || (Realm == "MY.REALM2")) {
      update control {
        Proxy-To-Realm := "MYREALM"
      }
    }
    elsif (Realm !~ /^([-A-Z0-9]+\.)+[-A-Z0-9]+/) {
      # invalid realm format
      reject
    }
    else {
      update control {
        Proxy-To-Realm := "EDUROAM"
      }
    }
  }
  else {
    reject
  }
}


Re: omnisniff

2013-07-24 Thread Phil Mayers
a.l.m.bu...@lboro.ac.uk wrote:
Hi,

 Feel free to add your own feature requests :)

number of UDP packets - i.e. is/was the datagram fragmented?

alan

If it's re-assembling fragments then I'm impressed...
-- 
Sent from my phone with, please excuse brevity and typos

Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread Phil Mayers
a.l.m.bu...@lboro.ac.uk wrote:
Hi,

 My guess is dual-stack NAS-RADIUS is going to be rare.

ummm. take a hold on that assertion.  the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 - 
and as part of that, you need to ensure that your using both methods
in case either your IPv4 goes...or your IPv6 goes.  we use both
IPv4 and IPv6 on our kit...and our servers are configured for both..as
are our NAS kit that can do IPv6 for RADIUS (we had some discussion
about the best fall-over order to use..which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as
much
as they can are just storing themselves up for a whole lot of pain
later
when its forced onto them by internet evolution...embrace the IPv6 now
whilst you can do it in your own time. it not like you havent been
given over 15 years of advance notice ;-)

alan

Sorry, I've been unclear. What I meant was that I strongly suspect nas-radius 
comms will either be v4 or v6 for a given pairing at any one time, for periods 
of minutes or hours. Hence treating the addresses separately should be fine
-- 
Sent from my phone with, please excuse brevity and typos

Re: Ldap query in FR3

2013-07-23 Thread Phil Mayers

On 23/07/13 17:19, Franks Andy (RLZ) IT Systems Engineer wrote:

This will probably be obvious, but I can’t see it!


Looks like a bug - the code here:

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/groups.c#L495

...passes NULL for the result argument to rlm_ldap_search, which means 
this code:


https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/ldap.c#L679

...doesn't get run, so 0 results is ok.


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Phil Mayers

On 22/07/13 13:47, Arran Cudbard-Bell wrote:


It'd be nice to get some feedback from people though... do you think
you'll ever need to record both your NAS IPv4 and IPv6 addresses?

I'm guessing for dual stacking it'd be nice to record
Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
identify clients in areas like session management? It seems like the
safest way of doing it to me.


Yes. It's important to record them separately, and useful for the 
reasons you suggest.




But would it break things? What if the NAS started just using the SRC
IPv6 address in packets, and source IP protection was enabled? Does
this happen in the real world?


Not sure I follow here; can you expand on this?



I don't have any experience managing an IPv6 enabled network.  Does
anyone else? Or is it all too new?


It's complicated.

I've replied to your email on -devel.


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Phil Mayers

On 22/07/13 14:32, Arran Cudbard-Bell wrote:


On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk
wrote:


On 22/07/13 13:47, Arran Cudbard-Bell wrote:


It'd be nice to get some feedback from people though... do you
think you'll ever need to record both your NAS IPv4 and IPv6
addresses?

I'm guessing for dual stacking it'd be nice to record
Framed-IP-Address and Framed-IPv6-Prefix, should they both be
used to identify clients in areas like session management? It
seems like the safest way of doing it to me.


Yes. It's important to record them separately, and useful for the
reasons you suggest.


For the NAS too? Or would it be OK to have a single attribute?.


Good question. Not sure on that one - I think most NASes treat an IPv4 
and IPv6 RADIUS server as a separate server, so I guess treating it as a 
separate client is no big problem. OTOH two columns == fewer rows for a 
dual-stack NAS.


My guess is dual-stack NAS-RADIUS is going to be rare.


But would it break things? What if the NAS started just using the
SRC IPv6 address in packets, and source IP protection was
enabled? Does this happen in the real world?


Not sure I follow here; can you expand on this?


Envisaging use in session identification. If the NAS was dumb, and
was just looking at packets coming from one of its directly
connected devices, and pulling off the SRC IP address and using it to
enrich Accounting-Requests, you may have that IP change during the


Ah, gotcha.


course of a session.


Some NASes already do something similar with Framed-IP-Address only 
being present in some acct packets. We handle this with:


update radacct set
 ...
 framedipaddress=coalesce(nullif('%{..}', ''), framedipaddress)
 ...

...which is basically "use the IP from the packet if set, or the one on the 
existing row if unset".

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.2.0 dhcp: regression

2013-07-12 Thread Phil Mayers

On 12/07/13 11:17, Eugene Grosbein wrote:


Please help. We need at least 1000 concurrent threads to deal with the load 
here.


1000 threads is a crazy number. Can you explain why you think you need 
that many? Are you doing very slow logic/lookups or something?


Anyway, the problem is almost certainly system ulimits. I don't know why 
it's different under 2.2 to 2.1, but I would look into ulimit.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.2.0 dhcp: regression

2013-07-12 Thread Phil Mayers

On 12/07/13 11:55, Eugene Grosbein wrote:

On 12.07.2013 17:38, Phil Mayers wrote:

On 12/07/13 11:17, Eugene Grosbein wrote:


Please help. We need at least 1000 concurrent threads to deal with the load 
here.


1000 threads is a crazy number. Can you explain why you think you need
that many? Are you doing very slow logic/lookups or something?


Our database is powerful enough to deal with so many requests.
We may easily get that many requests and want to be able to process
them in parallel without needless queueing.


With respect, this is pretty basic logic.

The figure of merit here is offered load in terms of request/sec, and 
the average/max processing time per-request.


If you have 1000 request/sec and each request takes 1 millisecond to 
process, a single thread is sufficient.


If you have 100,000 request/sec and each request takes 10 milliseconds, 
then you need 100 threads.


If your database is so powerful it shouldn't be taking too long, so 
unless you have a truly enormous number of request/sec, you don't need 
1000 threads.


If you really do have that many request/sec, you probably should look at 
some form of load balancing, rather than having enormous thread pool. 
The thread pool performance will not scale linearly - various server 
internal data structures are locked, and you will probably run into lock 
contention at high thread counts.


I assert that 1000 (posix, shared-memory) threads is always the wrong 
answer to pretty much *any* problem ;o)





Anyway, the problem is almost certainly system ulimits. I don't know why
it's different under 2.2 to 2.1, but I would look into ulimit.


ulimit for files is over 11000 here. And radiusd successfully opens more
than 1024 files. It just breaks afterwards.


It could be the use of select() then. If rlm_perl opens FDs 5-1023, then 
the radius server needs to open some sockets, it will get FD #1024, 
which might cause select to complain.


Try running the server under strace and see if you can see where it 
goes wrong, and what it calls just before it does.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius seeing anonymous identity as username

2013-07-11 Thread Phil Mayers

On 11/07/13 09:39, sebastian buettrich wrote:


is this expected behaviour, the way anonymous identities are
implemented,


Yes. The outer EAP virtual server only sees the anonymous identity. The 
inner EAP virtual server can see the real identity.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Update sections

2013-07-10 Thread Phil Mayers

On 10/07/13 15:43, Arran Cudbard-Bell wrote:


Update sections may now also return fail.


Can you clarify - AIUI, sql xlat can now also distinguish between empty 
and fail, so if I do this:


update {
  request:Tmp-String-0 := "%{sql:...}"
}

...and the SQL server is down, the xlat will fail and the update section 
as a whole will fail? If so - very very cool.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Phil Mayers

On 08/07/13 14:59, Lovaas,Steven wrote:



Exec-Program output: Reading winbind reply failed! (0xc001)


Check the permissions on the winbind socket, which usually lives in 
either /var/cache/samba/winbindd_privileged or 
/var/lib/samba/winbindd_privileged


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting Class attribute by LDAP Groups

2013-07-04 Thread Phil Mayers

On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:


update request {

  Class = "%{Ldap-Group}"

}


You can't do that, because Ldap-Group is not a real attribute with a 
value; it's a virtual attribute, which you compare against (think about 
it - you can be in >1 group)


You would have to do something like this:

  if (Ldap-Group == "grp1") {
    update reply {
      Class = "grp1"
    }
  }

...which can be slow-ish as it does 1 LDAP query per comparison.

Also note Class is a reply attribute; adding it to request does nothing.


I did read somewhere if you included the Class variable within the reply
in the Access-Accept packet that it would be sent back and used within
the accounting messages as well but this hasn’t been the case for me.


Well, as noted above you're setting class in request not reply.



Even if it’s just some static variable that I set within the
‘acct_users’ to get it to send the class attribute; this will achieve my
goal.

Assuming that the ‘users’ file and the ‘acct_users’ file have the same
behaviour then why can’t I set Class within the ‘acct_users’ file like I
can with ‘users’ file?


acct_users runs on accounting packets, which is *after* the 
Access-Accept has been sent. You need to set it in authorize or better 
yet, post-auth, for it to get into the Access-Accept.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access-challenge timeout on IOS

2013-07-04 Thread Phil Mayers

On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi,

   I’m experimenting with a system involving an access-challenge to a
NAS. It works fine with FR so far on, say, the cisco ipsec vpn client,
which waits a long time until timing out waiting for user input. I’d
like to also discover how other NAS’s behave using this and have found the
timeout on a particular cisco 1131 access point to be quite short.

Does anyone know if there’s a radius attribute I can send that will


Not as far as I know.


extend this timeout, or an internal setting that will change the default
on the ap?


Maybe. This usually depends on link-layer timers, e.g. EAPOL timeouts, 
IPSec/IKE timeouts, etc. rather than anything radius-related.





Session-timeout and Idle-timeout are attributes mentioned by the cisco
docs but neither of these seem to be what I’m after.


Neither are relevant; they're for established sessions, not timeouts in 
*establishing* one.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access-challenge timeout on IOS

2013-07-04 Thread Phil Mayers

On 04/07/13 14:34, David Mitton wrote:

Quoting Phil Mayers p.may...@imperial.ac.uk:


On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi,






Session-timeout and Idle-timeout are attributes mentioned by the cisco
docs but neither of these seem to be what I'm after.


Neither are relevant; they're for established sessions, not timeouts in
*establishing* one.
-

Actually, that is incorrect Session-Timeout _is_ used to control the
authentication timeout, when in the initial AccReq.  I'd quote the RFC,
but I'm not at home.  The *-Timeouts in the Acc-Accept control the session.



Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.

However - does any equipment actually *honour* this? Also, I note the 
wording is very loose indeed - no MUST.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP and non-EAP on same port?

2013-07-03 Thread Phil Mayers

On 03/07/13 15:29, Bruce Bauman wrote:

Right now we have freeradius configured so that EAP and non-EAP are
handled by separate virtual servers which are listening on separate
virtual ports.
We'd like to simplify our configuration and use the same port for both.
I've looked through the documentation without much success.

Does anyone have an example configuration of this?


The default config handles both eap and non-EAP just fine. You just list 
the eap and other auth modules (mschap, pap, chap) in authorize 
and authenticate, and pull the password info from LDAP/SQL/files as per 
usual.


However, it's likely you mean something more than the simple config 
you've specified. Can you be more specific about what is unclear to you?


If you want to do some logic conditional on whether the request is EAP 
or not, you can do this;


authorize {
  ...
  if (EAP-Message) {
# we're an EAP request
sql
eap
blahblah
  }
  else {
# we're non-eap
files
ldap
mschap
chap
pap
  }
  ...

}

And of course, the inner EAP auth can be sent to a virtual server - see 
the sample eap.conf that comes with the server.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Phil Mayers

On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:

Hi,

For some reason I cannot get Stripped-User-Name attribute to get
populated when using nostrip for a realm. Is this normal behaviour or am
I missing something?


Normal. nostrip means don't populate Stripped-User-Name


I need the User-Name attribute unchanged for EAP but it gets stripped as
expected when nostrip is unset.


strip on the realm should not change User-Name; it just populates 
Stripped-User-Name.


Also, your debug isn't EAP.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multiple ldap instances, which instance is used for searching?

2013-07-03 Thread Phil Mayers

On 03/07/13 17:34, Martin Kraus wrote:


Now my setup stopped working because suddenly ldap-eduroam was checking for
groups when matching Ldap-Group. I was under the impression that when not
specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.


No. Most recently instantiated, which can be essentially random.

Basically, don't do this; if you have >1 ldap instance, don't use 
Ldap-Group, always use instance-Ldap-Group




I had to instantiate the ldap modules in a special order

instantiate {
 ldap-eduroam
 ldap-netdefault
 ldap
}

so the ldap instance would take over again. Is this an expected behaviour?


Yes


Will this solution hold  or should I name the ldap instance as well and use
the name-Ldap-Group everywhere?


Yes
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:


If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.


This is pretty easy:

authorize {
  ...
  if (Vendor-3076-Attr-146 == 0x554d44) {
    if (SQL-Group == "secret") {
      noop
    }
    else {
      reject
    }
  }
  ...
}

See man unlang for more info.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-02 Thread Phil Mayers

On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote:


So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique ? All the SIMs
from the same mobile operator will have the same string and it will be
different from another mobile operator ?


Yes, though be aware the pattern given isn't exactly valid; X and Y are 
N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to 
make a valid regexp.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:


This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).


So... what *can* you do with Vendor-X-Attr-Y?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 02/07/13 11:37, Arran Cudbard-Bell wrote:


On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:


On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:


This may work for 2.x.x but definitely wont't work for 3.0 which
uses direct DICT_ATTR pointer comparisons in some places (instead
of comparing vendor/attribute number).


So... what *can* you do with Vendor-X-Attr-Y?


Use it to figure out which dictionary entries you're missing.


I was hoping for something more specific than that ;o)

So you can't compare them; can you set them:

update reply {
  Vendor-X-Attr-Y = 0xff
}

?

Can you xlat them?

update request {
  Tmp-String-0 = "%{Vendor-X-Attr-Y}"
}

?

Or are they basically display-only i.e. debug output and detail file?



We can't modify the dictionaries dynamically after startup without
locking the tree (on every read/write), else we could have added
unknown attributes as octet type attributes.

The compromise is to dynamically allocate fake DICT_ATTR entries for
attributes which couldn't be resolved in the dictionaries, or that
have values which don't match their data type (64bit value in integer
type for example).

As these DICT_ATTRs are dynamically allocated and unique to each
request, comparing the pointers doesn't result in a match.


Ah.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: inactive users can authenticate

2013-06-28 Thread Phil Mayers

On 28/06/13 08:14, Mathieu Simon wrote:


Second, I can't remember if mschap checks the acct control flags in authorize
or authenticate. If the latter you'll need to move away from using LDAP bind 
for auth

Hmm, I guess that would require me studying the code :-\


I've just taken a look - sure enough, rlm_mschap only checks/enforces 
the SMB-Account-CTRL attribute during authenticate {}.


Since your testing auth request was PAP, mschap will never be called for 
this, so you're stuck basically.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: inactive users can authenticate

2013-06-28 Thread Phil Mayers

On 28/06/13 14:03, Arran Cudbard-Bell wrote:


On 28 Jun 2013, at 11:50, Phil Mayers p.may...@imperial.ac.uk
wrote:


On 28/06/13 08:14, Mathieu Simon wrote:


Second, I can't remember if mschap checks the acct control
flags in authorize or authenticate. If the latter you'll
need to move away from using LDAP bind for auth

Hmm, I guess that would require me studying the code :-\


I've just taken a look - sure enough, rlm_mschap only
checks/enforces the SMB-Account-CTRL attribute during authenticate
{}.

Since your testing auth request was PAP, mschap will never be
called for this, so you're stuck basically.


Seeing as it's a string value, can't he just pull it out of the
directory using the attribute map and check it with a regex?


Sorry, yes. stuck is not correct. I meant can't use the mschap module 
for this.


Numerous other solutions exist, and regexp is probably the easiest.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: inactive users can authenticate

2013-06-28 Thread Phil Mayers

On 28/06/13 17:31, Mathieu Simon wrote:


The result was same when using radtest with -t mschap if that's what
you're pointing out.


Interesting. I would not have expected that.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate without password or wrong password

2013-06-26 Thread Phil Mayers

On 26/06/13 12:54, Omer Faruk SEN wrote:

User Authentication for UserPassword


That's not a type of authentication.

For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP 
outer and inner methods?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: inactive users can authenticate

2013-06-26 Thread Phil Mayers
Couple of things:

IIRC the account control flags are checked by the mschap module, which I see 
is running before the LDAP lookup - try moving mschap after LDAP in authorise

Second, I can't remember if mschap checks the acct control flags in authorize 
or authenticate. If the latter you'll need to move away from using LDAP bind 
for auth
-- 
Sent from my phone with, please excuse brevity and typos
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Username/Host authorization

2013-06-24 Thread Phil Mayers

On 24/06/13 12:47, nicolas@ricoh-industrie.fr wrote:

Hi list,

I'm searching the best way to configure an authorization based on
both  Host + Username ( mschapv2 + /usr/bin/ntlm_auth) but not Host
*or* Username.

Is it possible to verify host with mschapv2 and if the module return
ok proceed to username verfication with the same module ?


No.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Username/Host authorization

2013-06-24 Thread Phil Mayers

On 24/06/13 14:09, nicolas@ricoh-industrie.fr wrote:

Thanks for your help.

We want two authorization in the same times, for example, to ensure that
user not used his iPhone with his DOMAIN/UserName account.


Sorry, but that's not currently possible. No EAP method supports it. In 
theory EAP-TEAP might, but that's too new, and it's not clear if clients 
would support >1 auth anyway.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 13:11, Marco Streich wrote:


When I run radtest from my laptop, the authentication is successful:


radtest does not send eap. Download the wpa_supplicant sources and 
compile eapol_test to test EAP.



WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?


This suggests your LDAP server does not contain, or is not returning, 
password info. So auth would probably have failed...




[ttls] eaptls_verify returned 11
[ttls]  TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.


...except it never gets as far as the inner tunnel because the client 
drops the EAP session. Most likely the client doesn't trust the server cert.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 13:28, adrian.p.sm...@bt.com wrote:


What I really need to do is proxy the inner message to another Radius
server which will do the authentication but I cannot get this to work.
Whatever I try, I always see an EAP-Message avp heading off to the
remote server. I have looked at the proxy-inner-tunnel virtual server
but am unsure how to use it.


This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, 
and you're sending it to the remote server.


If the remote server doesn't support EAP, you will need to investigate the:

  proxy_tunneled_request_as_eap

...option in eap.conf. This is set on the outer EAP type (peap or ttls)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 14:54, adrian.p.sm...@bt.com wrote:



What I really need to do is proxy the inner message to another
Radius server which will do the authentication but I cannot get
this to work. Whatever I try, I always see an EAP-Message avp
heading off to the remote server. I have looked at the
proxy-inner-tunnel virtual server but am unsure how to use it.



This *is* proxying the inner tunnel; the inner tunnel auth is also
EAP, and you're sending it to the remote server.


Thanks, this is NOT what I want to do. I want to send the inner
message, not the tunnel and do PAP on the remote server.


You can only do PAP on the remote server if your inner auth method was 
PAP. Basically, this means EAP-TTLS/PAP.


Doing that is simple:

server inner-tunnel {
  authorize {
    update control {
      Proxy-To-Realm := "THEREALM"
    }
  }
}

If this isn't working, send a debug from radiusd -X
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 15:32, Olivier Beytrison wrote:

On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)


That's pretty interesting, what's the if() you're doing to achieve that?


He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
eap

# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
  noop
}
else {
  # rest of config goes here
}
  }
}

Note however that you can avoid this in master versions of the server 
with:


server inner-tunnel {
  authorize {
eap {
  ok = return
}
  }
}

...as the EAP module was updated to return ok on identity/mschap 
responses. Yet another reason to upgrade!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec problems in FR3.0

2013-06-14 Thread Phil Mayers

On 06/14/2013 07:39 AM, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi
Do I need to file a bug report or something?


No, the issue was raised on -devel

You can revert:

https://github.com/FreeRADIUS/freeradius-server/commit/4c3030db2743e682c58a0fba30b43d066f22beb0

...until a proper fix is available. git show 4c3030db2743e68 will give 
you a patch file, which you can apply with -R to undo it.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

