Re: mac authentication, log rejected device in radius.log

2013-10-18 Thread John Douglass

On 10/18/2013 11:00 AM, Alan DeKok wrote:

Bertalan Voros wrote:

I have one question, I would like to log a message in radius.log when a
device is rejected based on its mac address.
I would like to put a message saying that the device was unauthorised
and the Calling-Station-Id into the radius.log logfile.

   See the radiusd.conf, the log subsection.  There are limited
possibilities for customizing the log messages.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I use a modified module for syslog based off exec for this type of 
thing (on a UNIX system):


exec syslog-portauth {
	wait = no

	program = "/usr/bin/logger -p local3.info -t portauth switch %{NAS-IP-Address} port %{NAS-Port-Id} %{NAS-Port} - User %{sql_start2: select determineUserFromMac('%{User-Name}')} on MAC %{User-Name} assigned to %{reply:Tunnel-Private-Group-Id}"

	input_pairs = request
	packet_type = Access-Accept
	shell_escape = no
}

Granted, you might need to execute this on an Access-Reject but you can 
log anything you want with that. I even grab some values from my 
database (MySQL functions actually) to include in the log line.


- JohnD



Re: Case statement error

2013-10-14 Thread A . L . M . Buxey
Hi,

   Ah... a fix wasn't pulled over from v3.0.x to master.  I've just done
 that now.

server now starts with such switch/case config present. cheers!

alan


Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus!

Does FreeRADIUS give a fig about what the username is? If it were all numeric, 
say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?

If there was to be an issue, it would be the back end authentication system 
Unix/LDAP/AD etc and what it finds acceptable right?

Thanks as always...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department


RE: Case statement error

2013-10-14 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks both, that's great news.
I really need to teach myself some C..
Cheers
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: 14 October 2013 07:27
To: FreeRadius users mailing list
Subject: Re: Case statement error

Hi,

   Ah... a fix wasn't pulled over from v3.0.x to master.  I've just 
 done that now.

server now starts with such switch/case config present. cheers!

alan


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
 As you can see, the device wasn't listed in the file, the authentication
 went fine, saying that the tunnel that I should get has ID 40, but that
 wasn't overwritten by the authorized_macs check...

Add

DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the mac address check up above eap in
the authorize section. There's no point going through all the eap
processing if you're just going to reject afterwards based on
something that could easily have been done first.

Cheers

Matthew



-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
 On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
  As you can see, the device wasn't listed in the file, the authentication
  went fine, saying that the tunnel that I should get has ID 40, but that
  wasn't overwritten by the authorized_macs check...
 
 DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your
duplicate message...) - to set the vlan for any users that *don't*
match other entries, then add this at the bottom:

DEFAULT
	Tunnel-Type:0 := VLAN,
	Tunnel-Medium-Type:0 := IEEE-802,
	Tunnel-Private-Group-Id:0 := 999

To Reject, you can do it in authorize. To set the VLAN, as Alan
said, post-auth is the better place.

Use := to force the values to be set. = will not change the
values if already set by the inner tunnel, etc.

Matthew


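As an added illustration of the two points in Matthew's replies above (a trailing DEFAULT entry catching unlisted MACs, and := overriding a value the inner tunnel already set), here is a small Python model of how the files module walks a users-style file. It is not code from the list or from FreeRADIUS; the authorized_macs contents and the inner-tunnel reply list are constructed samples, and "==" comparisons are deliberately not modelled.

```python
"""Simplified model of how the FreeRADIUS "files" module (authorized_macs is one
instance) walks a users-style file: entries are tried in order, DEFAULT matches
any key, the first match wins unless it sets Fall-Through, and reply items merge
with := (overwrite) or = (only if absent).  Added illustration, not FreeRADIUS code."""
from dataclasses import dataclass, field

OPS = ("==", ":=", "+=", "=")  # longest first, so "==" is not read as "="


@dataclass
class Entry:
    name: str                                    # key to match, or DEFAULT
    checks: list = field(default_factory=list)   # items on the key line
    replies: list = field(default_factory=list)  # items on indented lines


def parse_item(text):
    """Split 'Attr op value' into a tuple; quotes around the value are dropped."""
    text = text.strip()
    for op in OPS:
        if f" {op} " in text:
            attr, value = text.split(f" {op} ", 1)
            return attr.strip(), op, value.strip().strip('"')
    raise ValueError(f"cannot parse item: {text!r}")


def parse_users_file(text):
    """Unindented key line with optional check items, then indented,
    comma-separated reply items (values containing commas are not handled)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation: reply items
            items = raw.strip().rstrip(",").split(",")
            entries[-1].replies.extend(parse_item(i) for i in items)
        else:                                     # new entry: key [check items]
            parts = raw.split(None, 1)
            entry = Entry(parts[0])
            if len(parts) > 1:
                entry.checks.extend(parse_item(i) for i in parts[1].rstrip(",").split(","))
            entries.append(entry)
    return entries


def apply(pairs, attr, op, value):
    """Merge one item into an attribute list the way the files module does."""
    if op == ":=":
        pairs[attr] = value            # always set, replacing an existing value
    elif op == "=":
        pairs.setdefault(attr, value)  # set only if the attribute is absent
    else:
        raise ValueError(f"operator {op} is not modelled here")


def lookup(entries, key, reply=None):
    """Return (matched entry names, control items, reply items).  `key` is the
    module's key attribute (Calling-Station-Id for authorized_macs); check items
    are treated as control assignments such as Auth-Type := Reject."""
    reply, control, matched = dict(reply or {}), {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name.lower() != key.lower():
            continue
        for attr, op, value in e.checks:
            apply(control, attr, op, value)
        fall_through = False
        for attr, op, value in e.replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                apply(reply, attr, op, value)
        matched.append(e.name)
        if not fall_through:
            break                      # first match wins unless Fall-Through = Yes
    return matched, control, reply


# Constructed sample in the shape of raddb/authorized_macs, with the thread's
# catch-all DEFAULT entry at the bottom; REJECT_UNKNOWN is the reject variant.
AUTHORIZED_MACS = """\
00-11-22-33-44-55
\tReply-Message = "Device with known MAC address"

DEFAULT
\tTunnel-Type:0 := VLAN,
\tTunnel-Medium-Type:0 := IEEE-802,
\tTunnel-Private-Group-Id:0 := 999
"""
REJECT_UNKNOWN = "DEFAULT Auth-Type := Reject\n"
# Constructed reply list as it looks once the inner tunnel has already chosen VLAN 40.
INNER_REPLY = {"Tunnel-Type:0": "VLAN", "Tunnel-Medium-Type:0": "IEEE-802",
               "Tunnel-Private-Group-Id:0": "40"}


def vlan_for(mac, users_text=AUTHORIZED_MACS, inner_reply=INNER_REPLY):
    """VLAN the NAS would receive for `mac` after the files module has run:
    a listed MAC keeps the inner tunnel's 40, an unlisted one gets DEFAULT's 999
    because of :=, and with = instead the inner value would survive."""
    _, _, reply = lookup(parse_users_file(users_text), mac, reply=inner_reply)
    return reply.get("Tunnel-Private-Group-Id:0")
```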


Re: Username format

2013-10-14 Thread A . L . M . Buxey
Hi,

Does FreeRADIUS give a fig about what the username is? If it were all
numeric, say 123456789 I guess it is happy with that? It's just a string
to FreeRADIUS?

FreeRADIUS is just a RADIUS server and hence any decisions made by it are
all down to defined policies. So if you have a policy that cares about username
format, case sensitivity etc... or have a backend that has such feelings and
emotions, then you will find out :-)

alan


Re: Case statement error

2013-10-14 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 Hi again,
   Sorry to bang on about this, but I'm struggling still.
 Brand new machine, Ubuntu 13.04 server, never had freeradius installed
 on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d),

  I didn't see the 3.1.0...  At this point, you may want to be running
from the 3.0.0 release, or the v3.0.x branch.

  There are NO new features in master (3.1.0) over 3.0.0.  Our plan
for 3.1.0 is to finish the conversion to talloc, which may introduce
instabilities.

  In contrast, 2.2.x and 3.0.x will have minimal changes.

  Alan DeKok.


Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi list,

we use freeradius for our dsl user authentication.

We want to disconnect some users via radius at fixed times, e.g. 04:00 am.

Which attribute and value should / can i use?

Session-Timeout doesn't do the job.

Regards,
Volker Lieder



Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Jonathan Gazeley

On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:

Samba 4 is lurvely... apparently 100% compatible with existing AD 
installations, although, as always, it's a bit finicky and info is a bit thin on 
the ground (and I've not written up a guide when I set my test environment up that 
uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a 
package.

it can also BE an AD master etc.  anyway, you don't know how tempting
it was to yum install samba4 on our production system ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in
this sort of context


This morning I upgraded a couple of our radius servers from samba 3.6.9 
to 4.0.0-rc4. It works, but it's not yet clear how much of an 
improvement it makes. Early indication is that it helps spread the load 
more evenly between domain controllers at peak times, but it is by no 
means the magic bullet.


Cheers,
Jonathan


Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell

On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:

 Hi list,
 
 we use freeradius for our dsl user authentication.
 
 We want to disconnect some users via radius at fixed times, e.g. 04:00 am.
 
 Which attribute and value should / can i use?
 
 Session-Timeout doesn't do the job.

Calculate time difference between now and 04:00am and insert it into 
Session-Timeout?

If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

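Arran's suggestion worked through as an added Python illustration (not code from the list or from FreeRADIUS): the number of seconds from now until the next 04:00, rolling over to tomorrow when today's 04:00 has already passed. It assumes naive datetimes in the server's local time zone, and the 60-second floor is an assumed policy choice, not anything the thread states.

```python
"""Seconds until the next 04:00 wall-clock time, for a Session-Timeout reply
item.  Added illustration of the calculation suggested in this thread; not
FreeRADIUS code.  Assumes naive datetimes in the server's local time zone."""
from datetime import datetime, timedelta


def seconds_until(now, hour=4, minute=0):
    """Seconds from `now` (datetime or ISO 8601 string) until the next
    `hour:minute`.  If that time is already past today, or is exactly now,
    the target rolls over to tomorrow so the result is never zero or negative."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def session_timeout_reply(now, hour=4, minute=0, floor=60):
    """Reply item to add on Access-Accept.  `floor` is an assumed policy
    choice: a user connecting seconds before the cut-off still gets a short
    session rather than an immediate disconnect."""
    return {"Session-Timeout": max(seconds_until(now, hour, minute), floor)}


if __name__ == "__main__":
    for t in ("2013-10-14T15:52:00", "2013-10-14T03:59:30", "2013-10-14T04:00:00"):
        print(t, session_timeout_reply(t))
```

The value still only disconnects the session if the NAS honours Session-Timeout; otherwise a CoA/Disconnect-Message at the cut-off, as Arran notes, is the alternative.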


3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

All,

Seems that the return code priority is behaving different in 3.0 - 
specifically the following config:


authorize {
  updated
  files
  if (noop) {
...
  }
}

...gives:

(0)   authorize {
(0)   [updated] = updated
(0)   [files] = noop
(0)   ? if (noop)
(0)   ? if (noop)  -> FALSE

i.e. the noop from the files module is ignored. This is a change from 
2.x where the most recent module return code can be checked.


Have I missed the change, or is this not intentional?


Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Phil Mayers

On 14/10/13 16:01, Jonathan Gazeley wrote:

On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:

Samba 4 is lurvely... apparently 100% compatible with existing AD
installations, although, as always, it's a bit finicky and info is a
bit thin on the ground (and I've not written up a guide when I set my
test environment up that uses an S4 server for EAP-MSCHAPv2). But at
least it exists on RHEL/CentOS as a package.

it can also BE an AD master etc.  anyway, you don't know how tempting
it was to yum install samba4 on our production system ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in
this sort of context


This morning I upgraded a couple of our radius servers from samba 3.6.9
to 4.0.0-rc4. It works, but it's not yet clear how much of an
improvement it makes. Early indication is that it helps spread the load
more evenly between domain controllers at peak times, but it is by no
means the magic bullet.


I am wondering if using ntlm_auth in pipe mode, in the same way Squid 
does, would improve this, as it would avoid fork/exec. I might try and 
knock up a PoC patch.



Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi,
we tried to calculate it via expr. 

How would you calculate it?

Regards,
Volker

Am 14.10.2013 um 17:03 schrieb Arran Cudbard-Bell:

 
 On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:
 
 Hi list,
 
 we use freeradius for our dsl user authentication.
 
 We want to disconnect some users via radius at fixed times, e.g. 04:00 am.
 
 Which attribute and value should / can i use?
 
 Session-Timeout doesn't do the job.
 
 Calculate time difference between now and 04:00am and insert it into 
 Session-Timeout?
 
 If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.
 


Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell

On 14 Oct 2013, at 16:27, Volker Lieder v.lie...@uvensys.de wrote:

 Hi,
 we tried to calculate it via expr. 
 
 How would you calculate it?

Pretty sure the expiration module does exactly this.



Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 16:18, Phil Mayers wrote:



i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.

Have I missed the change, or is this not intentional?



Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has 
been ported to 2.x as well, so it'll change there too?


https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/modcall.c#L959


Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 17:15, Phil Mayers wrote:

On 14/10/13 16:18, Phil Mayers wrote:



i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.

Have I missed the change, or is this not intentional?



Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has
been ported to 2.x as well, so it'll change there too?


Fix seems easy; assuming the old behaviour is what's wanted:

https://github.com/philmayers/freeradius-server/commit/51c43419


configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Angelica Delgado
We have our freeradius setup to authenticate with Active Directory for
EAP.  Currently, it uses the samaccountname but we want to use UPN instead.
We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.

ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.

Re: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Alan DeKok
Angelica Delgado wrote:
 We have our freeradius setup to authenticate with Active Directory for
 EAP.  Currently, it uses the samaccountname but we want to use UPN
 instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through
 command line.
 
 ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com

 Can you please let us know what needs to be configured to support the UPN?

  ntlm_auth is from Samba.  It's not part of FreeRADIUS.  Ask the Samba
people how it works.

  Alan DeKok.


RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the 
samAccountName, then use that with ntlm_auth.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Angelica Delgado
Sent: 14 October 2013 21:51
To: FreeRadius users mailing list
Subject: configure freeradius to use UPN instead of samaccountname

We have our freeradius setup to authenticate with Active Directory for EAP.  
Currently, it uses the samaccountname but we want to use UPN instead. We get 
NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.

ntlm_auth --request-nt-key --domain=test.local 
--username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.








RE: Case statement error

2013-10-13 Thread Franks Andy (RLZ) IT Systems Engineer
Hi again,
  Sorry to bang on about this, but I'm struggling still.
Brand new machine, Ubuntu 13.04 server, never had freeradius installed
on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d), for
host x86_64-unknown-linux-gnu, built on Oct 13 2013 at 18:42:55)
./configure
Make
Make install

Nothing else except putting this in the authorize section of a brand new
default vs

switch "%{control:Tmp-String-0}" {
	case "" {
		update control {
			Tmp-String-0 := "new value"
		}
	}
}

Same outcome :
# Loading authorize {...}
/usr/local/etc/raddb/sites-enabled/default[222]: case statements may
only appear within a switch section
/usr/local/etc/raddb/sites-enabled/default[222]: Failed to parse case
subsection.
/usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing
authorize section.

It just can't be an old binary, guaranteed this machine has never been
near FR. 
Any ideas?
Does anyone mind trying it?
Thanks
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: 11 October 2013 18:59
To: FreeRadius users mailing list
Subject: Re: Case statement error

Franks Andy (RLZ) IT Systems Engineer wrote:
 I still get 
 # Loading authorize {...}
 /usr/local/etc/raddb/sites-enabled/default[222]: case statements may
 only appear within a switch section

  You need to upgrade your binary.  You're not using the latest version.

  Alan DeKok.


Re: Case statement error

2013-10-13 Thread A . L . M . Buxey
Hi,

this error is also present with 3.1.0 when using the provided
originate-coa virtual-server - so it's reproducible with a minimally
adjusted configuration (just drop originate-coa from sites-available
to sites-enabled)


alan


Book for freeradius 3.0

2013-10-13 Thread Osvaldo T Crispim Filho
Is there any book about the new version of FreeRADIUS 3.0?


-- 
 - Osvaldo T Crispim Filho -

Re: Case statement error

2013-10-13 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 this error is also present with 3.1.0 when using the provided
 originate-coa virtual-server - so it's reproducible with a minimally
 adjusted configuration (just drop originate-coa from sites-available
 to sites-enabled)

  Ah... a fix wasn't pulled over from v3.0.x to master.  I've just done
that now.

  Alan DeKok.


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote:
 First of all, sorry if my email is very long, I am just trying not to
 leave any important details out. :)

  That's good.

 So far, I managed to do the dynamic VLAN assignment, but cannot seem to
 get it to work together with the MAC checking.

  The key thing to remember is that they are two independent pieces.
Get them working independently.  Then, put the pieces together.

 I can get an auth to be refused if the MAC is not listed in the
 authorized_macs file, but can't quite put the two things together.
 Perhaps I am a bit confused with regards to where to put the MAC check.

  Put it into authorize.

 For now, I just managed to get the check to work only on the
 authorization phase in sites-enabled/default, but then the VLAN
 assignment, which is done in the internal-tunnel, seems to overwrite my
 changes.

  That can be fixed.

 So I tried to put the MAC check in the post-auth section in the default
 file, but the MAC check doesn't seem to ever work.

  Because the users file works differently there.

 Here are the relevant config files:

  Which seem to use a reasonable approach.

 As you can see, the device wasn't listed in the file, the authentication
 went fine, saying that the tunnel that I should get has ID 40, but that
 wasn't overwritten by the authorized_macs check...

  I think part of the problem is you're juggling a lot.  You also
mentioned MACs and VLANs... and then halfway through the message Oh,
there's an inner-tunnel, too.

  Stop with all of your solutions.  Instead, write down exactly what you
have.  Write down what you want to happen in plain English.  Write down
what should happen, and when.  Then, convert it to the configuration.

  Your system is using TTLS.  OK... I'll ignore the question of *why*
you're authenticating unknown MACs.  That seems weird.

  The debug log shows this:

[ttls] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 40

  Where did that VLAN come from?  Why is it there?  If you don't know,
that's a huge problem.

  Generally, the policies should be arranged like this:

authorize: allow only known kinds of authentication
   decide which authentication method to use
   grab known good passwords

authenticate: run authentication methods

post-auth: return attributes for a successfully authenticated user


  In your case, I'd say return to a default configuration.  Then, get
the MAC address filtering working in post-auth.  Once that's working,
add VLAN assignment.

  Alan DeKok.


Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Andrei Petru Mura
Hello,

I imported FreeRADIUS from git on Eclipse, and tried to build it, but this
error occurs while building the project:

threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available

Can anybody guide me how to solve this issue? Thanks.

Re: Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Arran Cudbard-Bell

On 12 Oct 2013, at 17:40, Andrei Petru Mura mapand...@gmail.com wrote:

 Hello,
 
 I imported FreeRADIUS from git on Eclipse, and tried to build it, but this 
 error occurs while building the project:
 
 threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available
 
 Can anybody guide me how to solve this issue? Thanks.

This is an invalid state. The configure script will not define WITH_THREADS 
unless the pthread headers are available.

Check if HAVE_PTHREAD_H and WITH_THREADS are defined src/include/autoheader.h. 
If they're both defined then Eclipse is messing with the build system, if one 
is defined and the other is not, then autoconf/the configure scripts are broken.



Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Fabrizio Vecchi
Hi Alan and thanks for the reply.


On 12 October 2013 13:42, Alan DeKok al...@deployingradius.com wrote:


  So far, I managed to do the dynamic VLAN assignment, but cannot seem to
  get it to work together with the MAC checking.


Get them working independently.  Then, put the pieces together.


I managed to get them to work independently, it's the putting together
phase that I can't quite crack... :)


  I can get an auth to be refused if the MAC is not listed in the
  authorized_macs file, but can't quite put the two things together.
  Perhaps I am a bit confused with regards to where to put the MAC check.

   Put it into authorize.

 If I put the MAC check in the authorize section, then I can allow users to
use only the devices in the authorized_macs file (unless I am missing
something). I would like the users to use any device, but just have a
limited access to the network if the device isn't listed in the
authorized_macs file...


  For now, I just managed to get the check to work only on the
  authorization phase in sites-enabled/default, but then the VLAN
  assignment, which is done in the internal-tunnel, seems to overwrite my
  changes.

   That can be fixed.

  So I tried to put the MAC check in the post-auth section in the default
  file, but the MAC check doesn't seem to ever work.

   Because the users file works differently there.


Can you point me to some part of the docs that explain what is different,
please?



  Here are the relevant config files:

   Which seem to use a reasonable approach.

  As you can see, the device wasn't listed in the file, the authentication
  went fine, saying that the tunnel that I should get has ID 40, but that
  wasn't overwritten by the authorized_macs check...

   I think part of the problem is you're juggling a lot.  You also
 mentioned MACs and VLANs... and then halfway through the message Oh,
 there's an inner-tunnel, too.

   Stop with all of your solutions.  Instead, write down exactly what you
 have.  Write down what you want to happen in plain English.  Write down
 what should happen, and when.  Then, convert it to the configuration.

   Your system is using TTLS.  OK... I'll ignore the question of *why*
 you're authenticating unknown MACs.  That seems weird.


What I am trying to achieve is the following:
1. Authenticate the users through LDAP
2. IF the user is using a device listed in the authorized_macs file, then
assign a VLAN which depends on the user's LDAP group.
3. IF the user is using another (their own), allow them to access an
isolated VLAN, which doesn't allow the device to talk to our servers.

This will allow my colleagues to connect to the Internet with their
devices, but not to mess around with our servers in case there is malware
installed on them.

Does this make sense?


   The debug log shows this:

 [ttls] Got tunneled reply code 2
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Private-Group-Id:0 = 40

   Where did that VLAN come from?  Why is it there?  If you don't know,
 that's a huge problem.


SO SORRY! I pasted twice the sites-available/default file!

It comes from the post-auth section in the inner-tunnel file.
In inner-tunnel, I check if the user belongs to the dept_tech_corporate_it
group, and if so, I update the outer request by assigning a VLAN with ID
40.

This part of the config works properly, as shown by the following few
lines of debug output:

rlm_ldap::ldap_groupcmp: User found in group cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group == cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com) -> TRUE



   Generally, the policies should be arranged like this:

 authorize: allow only known kinds of authentication
decide which authentication method to use
grab known good passwords

 authenticate: run authentication methods

 post-auth: return attributes for a successfully authenticated user


   In your case, I'd say return to a default configuration.  Then, get
 the MAC address filtering working in post-auth.  Once that's working,
 add VLAN assignment.


That seems to be an approach similar to the one I am trying to use. I would
like to do the check of the MAC address for last, so that I can associate
the right VLAN to the user. But for some reason this check doesn't seem to
work.

I guess at the end of the day my question boils down to the following:
where should I put the MAC check, so that the user gets assigned to the
right VLAN?
If I put it in the authorize part of sites-enabled/default, the VLAN update
request will get overwritten by the post-auth part of
sites-enabled/inner-tunnel; and if I put it in the post-auth of the file
sites-enabled/default file (which gets executed after inner-tunnel), the
authorized_macs function always returns noop.

If I could get any pointers towards a working solution, I'd be really
grateful.

Thanks,
Fabrizio

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote:
 I guess at the end of the day my question boils down to the following:
 where should I put the MAC check, so that the user gets assigned to the
 right VLAN?

  In post-auth.

 If I put it in the authorize part of sites-enabled/default, the VLAN
 update request will get overwritten by the post-auth part of
 sites-enabled/inner-tunnel;

  The default configuration for the inner-tunnel does *not* set a VLAN
in post-auth.  So one configuration you added prevents you from using
another configuration you added.

 and if I put it in the post-auth of the file
 sites-enabled/default file (which gets executed after inner-tunnel), the
 authorized_macs function always returns noop.

  Delete the set VLAN stuff from the post-auth of the inner tunnel.
As you've seen, it breaks the other configuration you're trying to use.

  When you put authorized_macs into the post-auth, it runs the
post-auth processing.  Which doesn't read the users file... as the
users file is done only in the authorize section.

  You should be able to put authorized_macs.authorize in the post-auth
section.  That will make it process the users file, and do what you want.

  Alan DeKok.


Re: clone break freeradius

2013-10-11 Thread A . L . M . Buxey
hi,

you must ensure you 'sign out' of the AD before you clone as otherwise
both objects are the same...and, as you have found, doing something
with the clone breaks the first server.  or just don't bind to the AD before
cloning.

to fix, you need to ensure that both machines have their own identity (e.g.
/etc/hosts and $HOSTNAME all refer to a unique name per machine) and that
there is nothing in the AD referencing either system.  THEN net ads join
each box, but this isn't a freeradius question.

alan


RE: clone break freeradius

2013-10-11 Thread stefan.paetow
Did you also change the MAC address for the network adapter in the VMWare 
settings? Otherwise VMWare believes (and possibly your network too) the two 
machines are the same.

After changing the MAC address, reconfigure your network settings on the clone 
and reboot. Delete the trust (computer) account for the original machine from 
Active Directory. Then retry the net join command for both machines.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of trevor obba
Sent: 11 October 2013 00:38
To: freeradius-users@lists.freeradius.org
Subject: clone break freeradius

I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate 
against active directory and it is working fine until I decide to clone 
(vmware) the machine.

Once the machine is cloned I changed the IP address, hostname in (/etc/hosts and 
/etc/hostname) and also changed the name in /etc/samba/smb.conf

Finally I tried to join the clone machine using "net join -U administrator"; 
unfortunately this breaks the original freeradius machine by no longer 
authenticating to active directory, and the clone machine will not join the 
Domain either.
I think the clone machine is still referring to the original machine, which breaks 
the original machine; unfortunately I do not know how to fix it.

How do I fix the original machine?
What else do I change on the clone machine so that I can successfully join it 
to the domain without breaking the original machine?

RE: Case statement error

2013-10-11 Thread Franks Andy (RLZ) IT Systems Engineer
Hi again.
I'm confused now. I've recompiled, renamed all old folders under
/usr/local and done a complete reinstall. 
I've pared it all down and simply put 

switch "%{control:Tmp-String-0}" {
  case "" {
    update control {
      Tmp-String-0 := "new value"
    }
  }
}
In the default VS.

I still get 
# Loading authorize {...}
/usr/local/etc/raddb/sites-enabled/default[222]: case statements may
only appear within a switch section
/usr/local/etc/raddb/sites-enabled/default[222]: Failed to parse case
subsection.
/usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing
authorize section.

I'm running git #57e69c9

Sorry, but I can't see what I'm doing wrong!
Thanks 
Andy


-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: 09 October 2013 15:26
To: FreeRadius users mailing list
Subject: Re: Case statement error

Franks Andy (RLZ) IT Systems Engineer wrote:
 Trying version #d166290 results in

  Which is old.  The bug has already been fixed.

  Alan DeKok.


Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to set up a freeradius based wifi authentication
following this principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a public VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
policy {
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }
    permit_only_eap {
        if (!EAP-Message) {
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }
    deny_realms {
        if (User-Name =~ /@|\\/) {
            reject
        }
    }
    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
    cui_authorize {
        update request {
            Chargeable-User-Identity:='\\000'
        }
    }
    cui_postauth {
        if (FreeRadius-Proxied-To == 127.0.0.1) {
            if (outer.request:Chargeable-User-Identity) {
                update outer.reply {
                    Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
        else {
            if (Chargeable-User-Identity) {
                update reply {
                    Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
    }
    cui_updatedb {
        if (reply:Chargeable-User-Identity) {
            cui
        }
    }
    cui_accounting {
        if (!Chargeable-User-Identity) {
            update control {
                Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
            }
        }
        if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
            cui
        }
    }
    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
}


--- modules/files:
files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
}
files second_files {
    usersfile = ${confdir}/second_users
    acctusersfile = ${confdir}/second_acct_users
    preproxy_usersfile = ${confdir}/second_preproxy_users
}
files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

---authorized_macs
e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

--- sites-available/inner-tunnel
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }

Eaps TTLS and Plain Text

2013-10-11 Thread Gilbert T. Gutierrez, Jr.
I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is 
configured to handle radius authentication eaps ttls in a tunnel 
(Motorola/Cambium Canopy Product). I want to be able to authenticate 
plain text requests from other devices that do not support eaps. Can 
Free Radius handle both encrypted and unencrypted connections at the 
same time? If it can, can someone lead me down the correct path?


Cambium EAPS settings for Free Radius
default_eap_type = ttls
copy_request_to_tunnel=yes
use_tunnel_reply=yes

Thank you,
Gilbert T. Gutierrez, Jr.


Re: Eaps TTLS and Plain Text

2013-10-11 Thread Alan DeKok
Gilbert T. Gutierrez, Jr. wrote:
 I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is
 configured to handle radius authentication eaps ttls in a tunnel
 (Motorola/Cambium Canopy Product). I want to be able to authenticate
 plain text requests from other devices that do not support eaps. Can
 Free Radius handle both encrypted and unencrypted connections at the
 same time? If it can, can someone lead me down the correct path?

  Yes.  And there's nothing to do.  Just configure a user with a
password.  *All* authentication types will work.

  Alan DeKok.


Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to set up a freeradius based wifi authentication
following this principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a public VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
(...)
    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }

}


--- modules/files:
(...)
files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

---authorized_macs
e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

--- sites-available/inner-tunnel
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

And here is an authentication example, with a device not listed in
authorized_macs:
(...)

rad_recv: Access-Request packet from host 192.168.59.202 port 32769, id=129, length=345
	User-Name = "fabrizio.vecchi"
	Calling-Station-Id = "60-fa-cd-47-1a-44"
	Called-Station-Id = "24-01-c7-28-aa-d0:MindCandyAuth"
	NAS-Port = 1
	Cisco-AVPair = "audit-session-id=ca3ba8c000dede1c5852"
	NAS-IP-Address = 192.168.59.202
	NAS-Identifier = "Cisco_6e:1f:4f"
	Airespace-Wlan-Id = 5
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "36"
	EAP-Message = 0x0206005f1580005517030100506509e5008fb8b33c992bdddc007472c4f5d210aa8d535f747241bc99c4cb8785066c7ef4f262c470986626e1d31efc71f0d3b42b80663afc9fdc68715d1ee49c02af509c6b12de0bca5bf5501cba
	State = 0xf1f3e6cbf5f5f3adc22ef694ca5dfcba
	Message-Authenticator = 0xeff670953d883040f13b8dfc42d39849
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:

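As an added example (not from the post, and not FreeRADIUS code), the decision the post describes, written out in Python so each piece can be checked offline: the regex is the one from rewrite_calling_station_id, the `%{tolower:...}` key of the authorized_macs files module becomes a lower-cased dictionary lookup, and the LDAP group to VLAN mapping the inner tunnel would do is replaced by a constructed dictionary (GROUP_VLANS). The authorized_macs content, the public VLAN 36 and the two Calling-Station-Id values are taken from the post; everything else is a stand-in.

```python
import re

# Constructed copy of the authorized_macs file quoted in the post (one entry).
AUTHORIZED_MACS_FILE = """\
e8-99-c4-a2-39-36
\tReply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
"""

# Regex from the rewrite_calling_station_id policy: six hex pairs, each pair
# optionally followed by '-' or ':', matched case-insensitively and unanchored.
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)

PUBLIC_VLAN = "36"  # Tunnel-Private-Group-Id the post hands to unknown devices

# Constructed stand-in for the LDAP group -> VLAN lookup done in inner-tunnel.
GROUP_VLANS = {"staff": "10", "engineering": "20"}


def normalize_mac(calling_station_id):
    """Combine rewrite_calling_station_id with the files module's tolower key:
    return 'aa-bb-cc-dd-ee-ff', or None when the attribute holds no MAC."""
    m = MAC_RE.search(calling_station_id or "")
    if m is None:
        return None
    return "-".join(m.groups()).lower()


def load_authorized_macs(text):
    """Parse a users-file style list: an unindented line starts an entry whose
    first word is the key (normalized like the module does), indented lines
    below it are reply items. Entries whose key is not a MAC are dropped."""
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is not None:
                entries[current].append(raw.strip())
        else:
            current = normalize_mac(raw.split()[0])
            if current is not None:
                entries[current] = []
    return entries


def post_auth(calling_station_id, user_group, authorized):
    """The rule from the post: a listed device gets the VLAN of the user's
    group, anything else gets the public VLAN. Returns the reply attributes."""
    mac = normalize_mac(calling_station_id)
    known = mac is not None and mac in authorized
    if known and user_group in GROUP_VLANS:
        vlan = GROUP_VLANS[user_group]
    else:
        vlan = PUBLIC_VLAN
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }
    if known:
        # Reply items from the file; %{Calling-Station-Id} is expanded with the
        # rewritten value, as it would be after rewrite_calling_station_id ran.
        for item in authorized[mac]:
            name, _, value = item.partition("=")
            value = value.strip().strip('"').replace("%{Calling-Station-Id}", mac)
            reply[name.strip()] = value
    return reply
```

For the unlisted 60-fa-cd-47-1a-44 from the debug output post_auth returns VLAN 36 and no Reply-Message; e8-99-c4-a2-39-36 in any separator or case style lands in its group's VLAN and carries the Reply-Message from the file. The ordering the post struggles with holds here too: normalise the MAC before the lookup, and choose the VLAN only once the lookup result is known, so nothing set earlier gets overwritten.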
MSCHAPv2 use_tunneling_reply problem

2013-10-11 Thread Tekán Dávid
Hi all!

I have a problem with users using the anonymous identity field during
connecting.
It turned out that for privacy reasons it is hidden outside of the
tunnel. I found that by setting use_tunneling_reply to yes I can
transfer the inner username outside of the tunnel, and the correct
(not anonymous) username will appear in the accounting records. I've
uncommented even the update outer.reply... part in the
sites-enabled/inner-tunnel file. Unfortunately it does not work.
Is there anything else that I need to do to get it to work? I use
coovachilli for the NAS.

Thanks for your help, all the best

Dávid

Re: MSCHAPv2 use_tunneling_reply problem

2013-10-11 Thread Alan Buxey
So what you're saying is that even though the users are using anonymous outerid 
and want anonymity you want to release their id to the site they are at?


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Hi there,

I'm trying to use freeradius with an oracle database.

I've used the guide on this site
http://wiki.freeradius.org/modules/Rlm_sql_oracle to compile the oracle driver.

I've installed the oracle instant client from rpm packages (basic + devel)

When I use 

./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/lib/oracle/11.2/client64

I got this output

checking for oci.h... checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
no
configure: WARNING: oracle headers not found.  Use
--with-oracle-include-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: creating ./config.status

Could you help me with that?

Tnx a lot

Thomas


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread A . L . M . Buxey
Hi,

I'e installed oracle instant client from rpm packages (basic + devel)

okay. if you've done this rather than manually installing from Oracle then
its most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead

alan


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Fajar A. Nugraha
On Thu, Oct 10, 2013 at 2:22 PM, Puzzel puzzel1...@gmail.com wrote:

  --with-oracle-include-dir=/usr/lib/oracle/11.2/client64

 configure: WARNING: oracle headers not found.  Use
 --with-oracle-include-dir=path.configure: WARNING: silently not
 building rlm_sql_oracle.

 configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.

 configure: creating ./config.status

 Could you help me with that?


Does oci.h exist on that directory?

-- 
Fajar

RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Yes, you are right, the oracle include path was in a different location
(/usr/include/oracle/11.2/client64 not /usr/lib...).

Now I've got another problem.

./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/include/oracle/11.2/client64
checking for oci.h... checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
yes
configure: WARNING: oracle libraries not found.  Use
--with-oracle-lib-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
configure: creating ./config.status
config.status: creating Makefile

In the folder I've made ln links

ls -la /usr/lib/oracle/11.2/client64/lib/
razem 151112
drwxr-xr-x. 2 root root     4096 10-10 10:14 .
drwxr-xr-x. 4 root root     4096 10-09 14:46 ..
lrwxrwxrwx. 1 root root       17 10-10 10:14 libclntsh -> libclntsh.so.11.1
lrwxrwxrwx. 1 root root       17 10-09 14:46 libclntsh.so -> libclntsh.so.11.1
-rw-r--r--. 1 root root 48797739 2009-08-15  libclntsh.so.11.1
-rw-r--r--. 1 root root    15365 2009-08-15  libheteroxa11.so
lrwxrwxrwx. 1 root root       11 10-10 10:09 libnnz -> libnnz11.so
-rw-r--r--. 1 root root      787 2009-08-15  libnnz11.so
lrwxrwxrwx. 1 root root       15 10-09 14:46 libocci.so -> libocci.so.11.1
-rw-r--r--. 1 root root  1261302 2009-08-15  libocci.so.11.1
-rw-r--r--. 1 root root 89382994 2009-08-15  libociei.so
-rw-r--r--. 1 root root   165157 2009-08-15  libocijdbc11.so
-rw-r--r--. 1 root root   997069 2009-08-15  libsqora.so.11.1
-rw-r--r--. 1 root root  1996228 2009-08-15  ojdbc5.jar
-rw-r--r--. 1 root root  2111220 2009-08-15  ojdbc6.jar
-rw-r--r--. 1 root root  1656280 2009-08-15  orai18n.jar
-rw-r--r--. 1 root root    82983 2009-08-15  orai18n-mapping.jar
-rw-r--r--. 1 root root   298388 2009-08-15  ottclasses.zip
-rw-r--r--. 1 root root    37807 2009-08-15  xstreams.jar

but it didn't help.

-Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Thursday, October 10, 2013 9:41 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module

Hi,

I'e installed oracle instant client from rpm packages (basic + 
 devel)

okay. if you've done this rather than manually installing from Oracle then
its most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead

alan


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 09:22, Puzzel puzzel1...@gmail.com wrote:

 Yes, you are right, the oracle include path was in a different location
 (/usr/include/oracle/11.2/client64 not /usr/lib...).
 
 Now i've got another problem.
 
 ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64
 checking for oci.h... checking for gcc... gcc
 checking whether the C compiler works... yes
 checking for C compiler default output file name... a.out
 checking for suffix of executables...
 checking whether we are cross compiling... no
 checking for suffix of object files... o
 checking whether we are using the GNU C compiler... yes
 checking whether gcc accepts -g... yes
 checking for gcc option to accept ISO C89... none needed
 yes
 configure: WARNING: oracle libraries not found.  Use
 --with-oracle-lib-dir=path.
 configure: WARNING: silently not building rlm_sql_oracle.
 configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
 configure: creating ./config.status
 config.status: creating Makefile


Please use version 3.0.0 the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Tnx Arran,

./configure went fine and then created an all.mk file.
What to do next? make doesn't work. I'm sorry, I'm not very experienced
in linux.

-Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 11:04 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module


On 10 Oct 2013, at 09:22, Puzzel puzzel1...@gmail.com wrote:

 Yes, you are right, the oracle include path was in a different 
 location
 (/usr/include/oracle/11.2/client64 not /usr/lib...).
 
 Now i've got another problem.
 
 ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64
 checking for oci.h... checking for gcc... gcc checking whether the C 
 compiler works... yes checking for C compiler default output file 
 name... a.out checking for suffix of executables...
 checking whether we are cross compiling... no checking for suffix of 
 object files... o checking whether we are using the GNU C compiler... 
 yes checking whether gcc accepts -g... yes checking for gcc option to 
 accept ISO C89... none needed yes
 configure: WARNING: oracle libraries not found.  Use 
 --with-oracle-lib-dir=path.
 configure: WARNING: silently not building rlm_sql_oracle.
 configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
 configure: creating ./config.status
 config.status: creating Makefile


Please use version 3.0.0 the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team



Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Alex Sharaz
OK, deinstalled the package and package manager I was using, installed 
homebrew, installed latest openssl and talloc and ….. it just compiled and 
installed.  Simples!

Thanks for that
A
On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:
 
 you don't know how hard it was to wait till the official release :-)
 A
 
 
 brew install talloc
 brew link talloc
 ./configure
 make
 make install
 
 ?
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:

 Tnx Arran,
 
 ./configure went fine and then created all.mk file.
 What to do next? make don't work. I'm sorry i'm not very much experienced
 in linux.

You need to do make in the top level directory not in the module directory. 
all.mk is a make include not an actual make file.

It should pick up that rlm_sql_oracle has been configured (even if it's not
marked as stable) and build it.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote:

 o.k deinstalled the package and package manager I was using, installed 
 homebrew, installed latest openssl and talloc and ….. just compiled and 
 installed.  Simples!

Hmm wonder what rudix was doing to mess up talloc installation.

Anyway, we have our own set of AC_CHECK_LIB and AC_CHECK_HEADERS functions 
which are smarter than the standard ones, and search in places like 
/usr/local/lib.

They also add -L and -I for libs/headers in non-standard locations, so the 
majority of the time 3.0.0 configure/make should just work.

Were you installing your own version of SSL to get around the OpenSSL 
header/library mismatch? Apple messed up and bumped the library version for 
OpenSSL without bumping the header versions.

You can just edit the system headers to match, though that's a bit icky.

Hopefully Apple will just drop OpenSSL in Mavericks and we can do a clean 
install without all the stupid deprecated pragmas from another package 
management system.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

All,

We're seeing bursts of:

Thu Oct 10 11:52:14 2013 : Info: WARNING: Child is hung for request 
47516341 in component authenticate module peap.


Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became 
unblocked for request 47516341


...since the return of our students this year.

I am 99% sure this is ntlm_auth being slow, and I have a strong 
suspicion this is related to some changes in our AD infrastructure over 
the summer.


In order to prove this to the AD team, I need to gather some timing 
stats for ntlm_auth; can anyone think of an easy way to do this within 
FreeRADIUS?


AFAIK there aren't any xlats that back onto gettimeofday; the various 
request time attributes all expand to the static request-timestamp 
value, whereas I want to do wallclock timing.


I could wrap ntlm_auth in a script that times it and logs the info, but 
I'm slightly wary of that - it might perturb the timings.


Any obvious/easy thing I'm missing?

Still on 2.2.0 here... anything in 3.0 I could use?

Cheers,
Phil


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Alex Sharaz

On 10 Oct 2013, at 12:02, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote:
 
 o.k deinstalled the package and package manager I was using, installed 
 homebrew, installed latest openssl and talloc and ….. just compiled and 
 installed.  Simples!
 
 Hmm wonder what rudix was doing to mess up talloc installation.
 
 Anyway, we have our own set of AC_CHECK_LIB and AC_CHECK_HEADERS functions 
 which are smarter than the standard ones, and search in places like 
 /usr/local/lib.
 
 They also add -L and -I for libs/headers in non-standard locations, so the 
 majority of the time 3.0.0 configure/make should just work.
 
 Were you installing your own version of SSL to get around the OpenSSL 
 header/library mismatch? Apple messed up and bumped the library version for 
 OpenSSL without bumping the header versions.
 

Yup. Had that problem with FR 2 as well. 


 You can just edit the system headers to match, though that's a bit icky.
 
 Hopefully Apple will just drop OpenSSL in Mavericks and we can do a clean 
 install without all the stupid deprecated pragmas from another package 
 management system.

Probably a good idea.  Anyway, can now look at radsec/IPv4 - radsec/IPv6  
using FR now.
A
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 12:34, Puzzel puzzel1...@gmail.com wrote:

 When i do make at top level, i'm getting this output:
 
 make
 Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry.
 Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or 
--with-shared-libs=no.
- and - There's something additional you have to do as well as running the 
previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran


 
 -Original Message-
 From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
 [mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
 On Behalf Of Arran Cudbard-Bell
 Sent: Thursday, October 10, 2013 12:50 PM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.2.0 on Fedora and oracle module
 
 
 On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:
 
 Tnx Arran,
 
 ./configure went fine and then created all.mk file.
 What to do next? make don't work. I'm sorry i'm not very much 
 experienced in linux.
 
 You need to do make in the top level directory not in the module directory. 
 all.mk is a make include not an actual make file.
 
 It should pick up that rlm_sql_oracle has been configured (even if it's not
 marked as stable) and build it.
 
 -Arran
 
 Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team
 

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
 unblocked for request 47516341
 
 ...since the return of our students this year.
 
 I am 99% sure this is ntlm_auth being slow, and I have a strong
 suspicion this is related to some changes in our AD infrastructure
 over the summer.

I've contacted our AD guys about a couple of tweaks they can do for 'legacy'
authentications (as Microsoft calls it) - but I'm also looking at 
samba4 - as it has a new option that will balance ntlm_auth against
all known boxes rather than the first box it latches onto - to spread
the load.

I'm also now getting suspicious about a couple of Tuesday patches
that got deployed over summer...

(we're also thinking about EAP-TLS again ;-) )

alan


RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
I've run configure at top level: ./configure
--with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/include/oracle/11.2/client64

Then I ran make, but I still can't find the rlm_sql_oracle.so file. :/

-Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 1:51 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module


On 10 Oct 2013, at 12:34, Puzzel puzzel1...@gmail.com wrote:

 When i do make at top level, i'm getting this output:
 
 make
 Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and
retry.
 Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or
--with-shared-libs=no.
- and - There's something additional you have to do as well as running the
previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran


 
 -Original Message-
 From: 
 freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
 [mailto:freeradius-users-bounces+puzzel1982=gmail.com@lists.freeradius
 .org]
 On Behalf Of Arran Cudbard-Bell
 Sent: Thursday, October 10, 2013 12:50 PM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.2.0 on Fedora and oracle module
 
 
 On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:
 
 Thanks Arran,
 
 ./configure went fine and then created the all.mk file.
 What to do next? make doesn't work. I'm sorry, I'm not very
 experienced in Linux.
 
 You need to run make in the top level directory, not in the module
directory. 
 all.mk is a make include, not an actual makefile.
 
 It should pick up that rlm_sql_oracle has been configured (even if 
 it's not marked as stable) and build it.
 
 -Arran
 
 Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development 
 Team
 

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team



Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Alan DeKok
Phil Mayers wrote:
 In order to prove this to the AD team, I need to gather some timing
 stats for ntlm_auth; can anyone think of an easy way to do this within
 FreeRADIUS?

  I had patches for this a while ago.  But they won't apply to the
current code.

  The idea was to update the modsingle struct to have an elapsed
entry/array.  Then, call_modsingle() calls gettimeofday() before and
after the call to the module.  It takes the elapsed time, and updates
the modsingle struct.

  After a few more hooks, you can get at the stats via radmin.

 Any obvious/easy thing I'm missing?

  Nope.  Instrumentation is hard.

  Alan DeKok.
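An added illustration (not FreeRADIUS code) of the instrumentation Alan sketches: a per-module accumulator sampled with gettimeofday() before and after the call, the way the described call_modsingle() hook would. The struct and function names (mod_timing_t, timed_call, fake_ntlm_auth) are hypothetical stand-ins for the modsingle "elapsed" fields, not the server's own.

```c
/* Added example, not FreeRADIUS code: per-module call timing in the
 * spirit of the modsingle/elapsed idea. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Stand-in for the "elapsed" entry described for the modsingle struct:
 * one accumulator per module instance, updated on every call. */
typedef struct {
    const char *name;      /* module instance, e.g. "ntlm_auth" */
    uint64_t calls;
    uint64_t total_usec;
    uint64_t min_usec;
    uint64_t max_usec;
} mod_timing_t;

/* Shape of a module entry point as seen by the wrapper (hypothetical). */
typedef int (*module_fn)(void *ctx);

/* Microseconds between two gettimeofday() samples; clamped at zero so a
 * clock step backwards cannot poison the statistics. */
static uint64_t elapsed_usec(const struct timeval *start,
                             const struct timeval *end)
{
    int64_t total = ((int64_t)end->tv_sec - (int64_t)start->tv_sec) * 1000000
                  + ((int64_t)end->tv_usec - (int64_t)start->tv_usec);
    return total < 0 ? 0 : (uint64_t)total;
}

static void mod_timing_init(mod_timing_t *t, const char *name)
{
    t->name = name;
    t->calls = 0;
    t->total_usec = 0;
    t->min_usec = UINT64_MAX;   /* first sample becomes the minimum */
    t->max_usec = 0;
}

/* Fold one measured call into the running statistics. */
static void mod_timing_record(mod_timing_t *t, uint64_t usec)
{
    t->calls++;
    t->total_usec += usec;
    if (usec < t->min_usec) t->min_usec = usec;
    if (usec > t->max_usec) t->max_usec = usec;
}

static uint64_t mod_timing_avg_usec(const mod_timing_t *t)
{
    return t->calls ? t->total_usec / t->calls : 0;
}

/* The call_modsingle() hook: sample the clock around the module call and
 * charge the difference to that module. The module's return code passes
 * through unchanged, so callers see no behavioural difference. */
static int timed_call(mod_timing_t *t, module_fn fn, void *ctx)
{
    struct timeval start, end;
    int rcode;

    gettimeofday(&start, NULL);
    rcode = fn(ctx);
    gettimeofday(&end, NULL);
    mod_timing_record(t, elapsed_usec(&start, &end));
    return rcode;
}

/* What a radmin-style "show stats" hook could print per module. */
static void mod_timing_print(const mod_timing_t *t)
{
    printf("%s: calls=%llu avg=%lluus min=%lluus max=%lluus\n",
           t->name, (unsigned long long)t->calls,
           (unsigned long long)mod_timing_avg_usec(t),
           (unsigned long long)(t->calls ? t->min_usec : 0),
           (unsigned long long)t->max_usec);
}

/* Constructed stand-in for an ntlm_auth call: a little busy work so the
 * sample is non-zero, then "success" (returns 0). */
static int fake_ntlm_auth(void *ctx)
{
    volatile unsigned sink = 0;
    (void)ctx;
    for (unsigned i = 0; i < 100000; i++) sink += i;
    return 0;
}

int main(void)
{
    mod_timing_t ntlm;
    mod_timing_init(&ntlm, "ntlm_auth");
    for (int i = 0; i < 5; i++) timed_call(&ntlm, fake_ntlm_auth, NULL);
    mod_timing_print(&ntlm);
    return 0;
}
```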


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
unblocked for request 47516341

...since the return of our students this year.

I am 99% sure this is ntlm_auth being slow, and I have a strong
suspicion this is related to some changes in our AD infrastructure
over the summer.


I've contacted our AD guys about a couple of tweaks they can do for 'legacy'


Any chance you can point me in the direction of these?


authentications (as microsoft call it) - but I'm also looking at
samba4 - as it has a new option that will balance ntlm_auth against
all known boxes rather than the first box it latches onto - to spread
the load.


Hmm.



I'm also now getting suspicious about a couple of tuesday patches
that got deployed over summer...


Interesting - which ones?


(we're also thinking about EAP-TLS again ;-) )


Semi-related, but to my annoyance we're seeing rather less SSL 
resumption than I would expect, given that iOS and Android both do it by 
default.



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 13:39, Puzzel puzzel1...@gmail.com wrote:

 I've run configure at the top level: ./configure
 --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64
 
 Then I ran make, but I still can't find the rlm_sql_oracle.so file. :/

Run the configure script in src/modules/rlm_sql/drivers/rlm_sql_oracle and post 
the output and the config.log file.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Alan DeKok
Puzzel wrote:
 I've run configure at the top level: ./configure
 --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64

  If the build is having issues, you should READ the output of
configure.  It tells you what it's building, and what it's not
building.  Just look for oracle in the output.  It's not hard.

 Then I ran make, but I still can't find the rlm_sql_oracle.so file. :/

  Again, READ the output of make.  Look for oracle.  It's not hard.

  You're like someone who's sitting next to a road sign, and claiming
he's lost.  Well... look up.  You're not lost.

  Alan DeKok.


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread John Dennis
On 10/10/2013 08:39 AM, Puzzel wrote:
 I've run configure at the top level: ./configure
 --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64
 
 Then I ran make, but I still can't find the rlm_sql_oracle.so file. :/

Try reading the output of the build process; it will tell you what went
wrong.

Hint:

Redirection:

do_something 2>&1 | tee -a some_file



-- 
John


RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
 authentications (as microsoft call it) - but I'm also looking at
 samba4 - as it has a new option that will balance ntlm_auth against all
 known boxes rather than the first box it latches onto - to spread the
 load.

Samba 4 is lurvely... apparently 100% compatible with existing AD 
installations, although, as always, it's a bit finicky and info is a bit thin 
on the ground (and I've not written up a guide when I set my test environment 
up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on 
RHEL/CentOS as a package.

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Any chance you can point me in the direction of these?

here's one:

http://support.microsoft.com/kb/2688798

 Semi-related, but to my annoyance we're seeing rather less SSL
 resumption than I would expect, given that iOS and Android both do
 it by default.

Cisco wireless problem?


there's got to be something messing us up here as we are using the
same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent
clients as at the end of the last academic year (around 8k) and
we didn't have this number of those errors then

alan


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi,

 Samba 4 is lurvely... apparently 100% compatible with existing AD 
 installations, although, as always, it's a bit finicky and info is a bit thin 
 on the ground (and I've not written up a guide when I set my test environment 
 up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on 
 RHEL/CentOS as a package.

it can also BE an AD master etc.  anyway, you don't know how tempting
it was to yum install samba4 on our production system  ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in
this sort of context

alan


RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
 it can also BE an AD master etc.  anyway, you don't know how tempting it
 was to yum install samba4 on our production system  ;-)

Indeed. That's exactly what I'm using it for. :-)

 I'd certainly like to see some samba3.x versus samba4 benchmarks in
 this sort of context

Yes, versus Windows 2008 R2 or 2012 as well... just for good measure.

:-)

Stefan




Re: FR3 Debugging Switches

2013-10-10 Thread Phil Mayers

On 09/10/13 19:09, Alan DeKok wrote:


   That is *exactly* what the server does for TCP.


...in which case my comment is entirely redundant, please disregard!


RE: Generating timing stats for ntlm_auth

2013-10-10 Thread Brian Julin

Phil wrote:
 I could wrap ntlm_auth in a script that times it and logs the info, but
 I'm slightly wary of that - it might perturb the timings.
 
 Any obvious/easy thing I'm missing?

You might be able to run FR under gdb (or attach/resume a running FR),
and set breakpoints with commands that resume after running the GDB
commands.

Google "gdb breakpoint commands".

Not sure how that would impact the overall timing.



Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers

On 10/10/13 17:16, Brian Julin wrote:

You might be able to run FR under gdb (or attach/resume a running FR),
and set breakpoints with commands that resume after running the GDB
commands.


That's an inventive one, but I'm not *that* desperate yet!


Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers
I've just ported our config to 3.0 and I'm seeing a few error messages; 
they don't seem to be critical but are concerning me.


Specifically I'm seeing:

ERROR: Conditional evaluation failed due to internal sanity check.

...whenever I try to compare against absent attributes. What's the 
correct syntax for this now - do I need:


if ((Attr) && (Attr op RHS)) {

...or can I ignore the message?


I'm also seeing this with:

if (%{outer.request:Blah})

...if I'm not in a tunnel (in some generic logging policy); what's the 
right syntax for that?



Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:32, Phil Mayers wrote:

I've just ported our config to 3.0 and I'm seeing a few error messages;
they don't seem to be critical but are concerning me.

Specifically I'm seeing:


We're also getting:

Info: Invalid operator for item Sql-Group: reverting to '=='

...which is logged to radiusd.log. This seems to be spurious - all our 
comparisons to SQL-Group are, of course, using ==.


Other than that, it all seems OK!


Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell




 On 10 Oct 2013, at 18:32, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 I've just ported our config to 3.0 and I'm seeing a few error messages; they 
 don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.
 
 ...whenever I try to compare against absent attributes. What's the correct 
 syntax for this now - do I need:
 
 if ((Attr) && (Attr op RHS)) {
 

Yes.

 ...or can I ignore the message?
 
 
 I'm also seeing this with:
 
 if (%{outer.request:Blah})
 
 ...if I'm not in a tunnel (in some generic logging policy); what's the right 
 syntax for that?

possibly if (outer.request 

Sorry about the errors, I think they should be more descriptive in master 
unless Alan changed something when he did the second pass fix up for conditions.

But yes, in general a presence check is now required. It makes it easier to 
spot attributes which should be there but aren't.

-Arran


Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:51, Arran Cudbard-Bell wrote:


possibly if (outer.request 


Hmm, no, same thing, and worse it's squashing Module-Failure-Message :o(


Re: Error messages in debug on 3.0

2013-10-10 Thread Alan DeKok
Phil Mayers wrote:
 I've just ported our config to 3.0 and I'm seeing a few error messages;
 they don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.

  That should be fixed.  Either it can be deleted, or reworded.

 ...whenever I try to compare against absent attributes. What's the
 correct syntax for this now - do I need:
 
 if ((Attr) && (Attr op RHS)) {
 
 ...or can I ignore the message?

  Yes.

  Alan DeKok.


Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Jonathan Gazeley


Can confirm that we at Bristol (Cisco wireless, MS AD auth backend) are 
also seeing load problems at peak times (every hour, at lecture 
change-over time when approximately one billion iPhones start roaming 
the campus). We're also not seeing as much session resumption as we'd 
expect. We're also seeing the same messages as reported in this thread.


Will be watching this thread with interest - happy to test patches etc.

Cheers,
Jonathan


Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 22:23, Alan DeKok al...@deployingradius.com wrote:

 Phil Mayers wrote:
 I've just ported our config to 3.0 and I'm seeing a few error messages;
 they don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.
 
  That should be fixed.  Either it can be deleted, or reworded.

I've reworded it. The code in master actually tells you what was wrong, but the 
changes were quite extensive so it didn't get ported to v3.0.x.

I've also removed the error on accessing a request which doesn't exist, so 
presence checks work as expected.

The actual presence check itself is ok.

In radius_evaluate_tmpl:

    case VPT_TYPE_ATTR:
    case VPT_TYPE_LIST:
        if (radius_vpt_get_vp(request, vpt) != NULL) {
            rcode = true;
        } else {
            rcode = false;
        }
        break;

Which works for

if (outer.request:Attribute)

and 

if (outer.request)

It's just that one of the functions called to convert the enumerated request type to 
an actual REQUEST threw an error when the request didn't exist.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



clone break freeradius

2013-10-10 Thread trevor obba
I configured freeradius version 2.2.0 running on Ubuntu 12.04
to authenticate against active directory and it was working fine until I decided
to clone (vmware) the machine.

Once the machine was cloned I changed the IP address and hostname
(in /etc/hosts and /etc/hostname) and also changed the name in
/etc/samba/smb.conf

Finally I tried to join the cloned machine using "net join -U
administrator"; unfortunately this breaks the original freeradius machine, which no
longer authenticates to active directory, and the clone machine will not join
the Domain either.
I think the clone machine is still referring to the original machine,
which breaks the original machine; unfortunately I do not know how to fix it.

How do I fix the original machine?
What else do I change on the clone machine so that I can
successfully join it to the domain without breaking the original machine?

unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello list,

I want to delete one reply attribute from the reply list if the access-request 
is originating not from a special NAS-IP-Address.

Currently I have solved this by adding this unlang code in authorize section:

if (!NAS-IP-Address == x.x.x.x) {
    update reply {
        Aruba-Admin-Role := ""
    }
}

The man page of unlang says:
!* Delete all occurrences of the named attribute, no matter what the value.

I think this is the better way than just to clear the attribute value. But how 
can I use this, what's the correct syntax?

I have tested the following without success:

Aruba-Admin-Role !* 
Aruba-Admin-Role !*
!* Aruba-Admin-Role

Thanks in advance,

Tobias Hachmer

Re: unlang - delete attribute - !*

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 07:05, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de 
wrote:

 Hello list,
  
 I want to delete one reply attribute from the reply list if the 
 access-request is originating not from a special NAS-IP-Address.
  
 Currently I have solved this by adding this unlang code in authorize section:
  
 if (!NAS-IP-Address == x.x.x.x) {
     update reply {
         Aruba-Admin-Role := ""
     }
 }
  
 The man page of unlang says:
 !* Delete all occurrences of the named attribute, no matter what the value.
  
 I think this is the better way than just to clear the attribute value. But 
 how can I use this, what’s the correct syntax?
  
 I have tested the following without success:
  
 Aruba-Admin-Role !* 
 Aruba-Admin-Role !*
 !* Aruba-Admin-Role
  

update reply {
    Aruba-Admin-Role !* ANY
}

Will delete all.

update reply {
    Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
}

Will delete the first instance.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



AW: unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello Arran,

thanks for the answer. This has worked!

Regards,
Tobias Hachmer




Usage of Session-Timeout

2013-10-09 Thread Volker Lieder
Hi,

we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian 
Squeeze.

Within the old version, we used a database config for groups with an attribute 
Session-Timeout and the value `%{expr:06:00}`.
With the new version freeradius sends an error when looking in debug mode, like:

Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: 06:00 -> 06:00
Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: %{expr:06:00} -> 

Can you explain why this value isn't working with the new version, or what we have to 
change to set the Session-Timeout so that the user gets disconnected e.g. at 06:00 am?

Regards,
Volker Lieder





well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
it's not insurmountable
A


load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Hi,

Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing 
it here, but I can't help thinking that the actual load balancing algorithm 
needs some tweaking. 

As far as I'm aware (systems section support the F5 boxes):

1). We're using round robin to spread the load over 2 back end radius servers.
2). There is some general sticky persistence so that once a RAS device starts 
talking to a particular back end server it continues to talk to that server for 
a predetermined length of time ( might be an hour, not sure). This ensures that 
an eap dialogue will always talk to the same back end server for the duration 
of the stuck time. Not sure what happens when you get to the end of the time 
interval though.

According to the F5 statistics, overall radius traffic seems to be shared 
evenly over the 2 back end servers.  However, our most heavily loaded RAS 
client is our wireless network. While we have 900 switches doing mac and 802.1x 
based auth, we can have 6000+ users on our wireless network all authenticating 
to RADIUS via 3 RAS clients. Looking at the back end server log files, it does 
look as if, in general,  all wireless RADIUS auths head for the same back end 
server.

I was wondering if there's a way of having a bit more granularity in terms of 
how the f5 load balances incoming RADIUS requests.

Rgds
Alex



Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Dear Arran C. Bell,

Thanks for everything. Here is an update.

1.)

All-In-MB counter works. Please note, when a user has downloaded his
quota, the counter does not force log off. Said another way, if the user is
online, he would remain online until he logs off himself or stops browsing.
But it should be noted that the counter prevents him from logging in again:
the user cannot log in again if he has already hit the quota threshold.
Please look at the example of a reject. This user is allowed 7GB; please note
that the check_item, which shows 7168, is specified in MB.

[gigawordcounter]   expand: %{sql:SELECT SUM(AcctInputOctets) /
(1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE
UserName='quotauser'} -> 7389.1705

rlm_sqlcounter: (Check item - counter) is less than zero

rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389

++[gigawordcounter] returns reject

Which basically means that initially authorization is done by SQL, then
max_all_mb checks are only done once, when the user makes the logon
attempt, and the checks are never done again. This is where I have failed.
Since you are more into this, is there a way to perform this check
on a frequent basis and send a reply to the NAS to log off the user? Then it
should work.

Counter:

sqlcounter gigawordcounter {
    counter-name = Max-All-MB
    check-name = Max-All-MB
    reply-name = Max-All-MB
    reply-message = "You have reached your bandwidth limit"
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}


2.) Solution offered by you.

I tried your recommendations also; I tried to maintain the following in the local
FR dictionary /etc/freeradius/dictionary and the Chilli dictionary:

ATTRIBUTE   Acct-Input-Octets64    3005    integer64

ATTRIBUTE   Acct-Output-Octets64   3006    integer64

Results: failed to start FR

reason for failing: unrecognized value specified in
/etc/freeradius/dictionary

reason for failing: unrecognized value specified in
/usr/share/freeradius/dictionary.chillihotspot

Thanks / Regards

RM --

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 8 Oct 2013, at 15:40, Russell Mike radius@gmail.com wrote:

  Dear Arran C. Bell,
 
  Thank you very much, I am extremely grateful for your advice and
 guidelines for troubleshooting also. I am currently experimenting with a different
 rlm_sqlcounter using the CoovaChilli dictionary All-In-MB. As a result, I can
 store a short number in the db. This counter would reset at 2TB with the same 32bit
 number. I have actually tested up to 6GB. It just works!!! The next test is in
 progress to log out the user when 7GB is downloaded. I really appreciate your
 input and TIME.
 
  I will try your proposed solution as well after All-In-MB has been tested.
 After the successful practical of both solutions I would like to document
 this topic on one page for the archives, so that it can help others. I may need
 your support in case I come across some challenges during the test of your
 solution.

 wiki.freeradius.org is the place to do that :)

 
  Thanks once again !!!

 No problem, glad I could help.

 -Arran
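Added example (C, not FreeRADIUS or CoovaChilli code) of why a query over the 32-bit octet counters alone cannot account for more than 4 GB, and how the total becomes correct once the Gigawords counters are folded in as the high 32 bits: Acct-Input-Gigawords and Acct-Output-Gigawords (RFC 2869, not mentioned in the thread) count how many times the 32-bit octet counter wrapped. The two quotauser sessions are constructed so the 64-bit total reproduces the 7389 MB counter of the reject above against the 7168 MB check item; all names are hypothetical.

```c
/* Added example, not FreeRADIUS/CoovaChilli code: 64-bit accounting
 * totals from 32-bit octet counters plus gigawords, and the
 * sqlcounter-style quota decision shown in the thread. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One radacct row: the four RFC 2866/2869 accounting counters. */
typedef struct {
    uint32_t in_octets,  in_gigawords;   /* Acct-Input-Octets,  -Gigawords */
    uint32_t out_octets, out_gigawords;  /* Acct-Output-Octets, -Gigawords */
} acct_row_t;

#define GiB (1024ULL * 1024 * 1024)

/* Constructed sessions for quotauser (hypothetical data). Session 2 moved
 * 5 GB inbound, so its 32-bit input counter wrapped once (gigawords = 1). */
#define QUOTAUSER_ROWS 2
static const acct_row_t quotauser_rows[QUOTAUSER_ROWS] = {
    { .in_octets = (uint32_t)GiB, .in_gigawords = 0,
      .out_octets = (uint32_t)GiB, .out_gigawords = 0 },      /* 2048 MB */
    { .in_octets = (uint32_t)GiB, .in_gigawords = 1,          /* 5 GB in  */
      .out_octets = 221u * 1024 * 1024, .out_gigawords = 0 }  /*  221 MB  */
};

/* Correct 64-bit byte count: gigawords are the high 32 bits. */
static uint64_t row_octets64(const acct_row_t *r)
{
    uint64_t in  = ((uint64_t)r->in_gigawords  << 32) | r->in_octets;
    uint64_t out = ((uint64_t)r->out_gigawords << 32) | r->out_octets;
    return in + out;
}

/* What a query over AcctInputOctets/AcctOutputOctets alone sees: every
 * full 4 GB of a session silently disappears. */
static uint64_t row_octets32(const acct_row_t *r)
{
    return (uint64_t)r->in_octets + (uint64_t)r->out_octets;
}

/* SUM(...) over a user's rows converted to MB, like the sqlcounter query. */
static uint64_t used_mb(const acct_row_t *rows, size_t n, bool with_gigawords)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += with_gigawords ? row_octets64(&rows[i]) : row_octets32(&rows[i]);
    return total / (1024 * 1024);
}

/* The rlm_sqlcounter rule from the log above: reject when
 * (check item - counter) is less than zero. Returns true on reject. */
static bool sqlcounter_rejects(uint64_t check_item_mb, uint64_t counter_mb)
{
    return counter_mb > check_item_mb;
}

int main(void)
{
    const uint64_t check_item = 7168;  /* Max-All-MB from the thread */
    uint64_t with_gw = used_mb(quotauser_rows, QUOTAUSER_ROWS, true);
    uint64_t no_gw   = used_mb(quotauser_rows, QUOTAUSER_ROWS, false);

    printf("with gigawords: counter=%llu check_item=%llu -> %s\n",
           (unsigned long long)with_gw, (unsigned long long)check_item,
           sqlcounter_rejects(check_item, with_gw) ? "reject" : "ok");
    printf("32-bit only:    counter=%llu check_item=%llu -> %s\n",
           (unsigned long long)no_gw, (unsigned long long)check_item,
           sqlcounter_rejects(check_item, no_gw) ? "reject" : "ok");
    return 0;
}
```

Without the gigawords the same user shows only 3293 MB and sails under the 7168 MB quota, which is the silent under-counting the 4 GB wrap causes.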

Re: load balancing radius with F5 devices

2013-10-09 Thread Fajar A. Nugraha
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:

 While we have 900 switches doing mac and 802.1x based auth, we can have
 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS
 clients. Looking at the back end server log files, it does look as if, in
 general,  all wireless RADIUS auths head for the same back end server.

 I was wondering if there's a way of having a bit more granularity in
 terms of how the f5 load balances incoming RADIUS requests.


Have you asked F5?

At the very least, common load balancers (e.g. keepalived on linux, a
frontend for ipvs) should have the option of distributing traffic to
backends based on source IP. Since you say you have 3 RAS clients, it
should work somewhat.

-- 
Fajar

Re: load balancing radius with F5 devices

2013-10-09 Thread Michael Schwartzkopff
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:

You would need to use application layer load balancing on the BigIPs. But I 
don't think that you can configure this on the BigIPs. The RADIUS protocol is 
stateless, so there are no criteria in the application that a load balancer 
could use to balance inside the application.

Greetings,

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread A . L . M . Buxey
Hi,

 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable

Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
present  - you
should have been compiling it before the official release ;-)

alan


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 10:41, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're 
 doing it here, but I can't help thinking that the actual load balancing 
 algorithm need some tweaking. 

I have f5 loadbalancers but atm I don't use them for our RADIUS traffic.

 As far as I'm aware ( systems section support the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius servers.
 2). There is some general sticky persistence so that once a RAS device 
 starts talking to a particular back end server it continues to talk to that 
 server for a predetermined length of time ( might be an hour, not sure). This 
 ensures that an eap dialogue will always talk to the same back end server for 
 the duration of the stuck time. Not sure what happens when you get to the 
 end of the time interval though.

Point 2 should be setup carefully. I recommend using the iApp to deploy
your radius through the f5 [1] (they use Freeradius as an example)

 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool
members to your RAS servers. You can even decode the RADIUS packet and
base your load-balancing decision on RADIUS attributes [2].

As you said, the most important thing is to ensure that a Client/NAS
always talks to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2]
https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz

On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote:

 On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:
 While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ 
 users on our wireless network all authenticating to RADIUS via 3 RAS clients. 
 Looking at the back end server log files, it does look as if, in general,  
 all wireless RADIUS auths head for the same back end server.
 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 
 Have you asked F5?
 
 At the very least, common load balancers (e.g. keepalived on linux, a 
 frontend for ipvs) should have the option of distributing traffic to backends 
 based on source IP. Since you say you have 3 RAS clients, it should work 
 somewhat.
 
You had a nose round the f5 site and subscribed to some of the communities. 
Shall we say that the response wasn't that great!
A

 -- 
 Fajar


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

Another nice thing to do is to do persistence based on radius AVP
https://devcentral.f5.com/questions/radius-load-bnalancing-persistence

So you can load balance incoming requests based on any standard AVP
(User-Name, NAS-IP-Address, Calling-Station-Id )

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


RE: load balancing radius with F5 devices

2013-10-09 Thread Vincent, Fabien
Hi,

Just to give some info in case it helps (this mailing list has helped me a lot!) 

I have F5 BigIP devices in two DCs. They each have a Virtual Server with a 
shared IP (not activated on the VLANs used to communicate between the two DCs, to avoid 
IP conflicts; a much simpler config for the NAS, only one server IP address).

Everything works fine with the following config:

The Virtual Server (the IP is A.B.C.D, as it's public for the external DC ...)

ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        [...]
    }
    vlans-enabled
}

The pool used:

ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 {
            address 10.10.6.7
        }
        /Common/10.20.6.3:1812 {
            address 10.20.6.3
        }
    }
    monitor /Common/Radius-Auth
}

The monitor:

ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **
    time-until-up 0
    timeout 31
    username radius@domain
}

The radiusLB profile is the following:

ltm profile radius radiusLB {
    clients none
    persist-avp none
}

And another one, not used, but available in the default config:

ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}


If I look at the pool statistics, each server has an equivalent volume of requests 
(48.1k versus 48.2k).

You could play with Priority Groups depending on location or on the failover architecture 
of RADIUS if you want.

Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products
fabien.vinc...@coreye.fr



From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org 
[mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] 
On behalf of Michael Schwartzkopff
Sent: Wednesday 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices

On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're
 doing it here, but I can't help thinking that the actual load balancing
 algorithm needs some tweaking.
 
 As far as I'm aware (systems section supports the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius
 servers. 2). There is some general sticky persistence so that once a RAS
 device starts talking to a particular back end server it continues to talk
 to that server for a predetermined length of time ( might be an hour, not
 sure). This ensures that an eap dialogue will always talk to the same back
 end server for the duration of the stuck time. Not sure what happens when
 you get to the end of the time interval though.
 
 According to the F5 statistics, overall radius traffic seems to be shared
 evenly over the 2 back end servers. However, our most heavily loaded RAS
 client is our wireless network. While we have 900 switches doing mac and
 802.1x based auth, we can have 6000+ users on our wireless network all
 authenticating to RADIUS via 3 RAS clients. Looking at the back end server
 log files, it does look as if, in general, all wireless RADIUS auths head
 for the same back end server.
 
 I was wondering if there's a way of having a bit more granularity in terms
 of how the f5 load balances incoming RADIUS requests.
 
 
You would need to use application layer load balancing on the BigIPs. But I 
don't think that you can configure this on the BigIPs. The RADIUS protocol is 
stateless, so there are no criteria in the application that a load balancer 
could use to balance inside the application.
 
Greetings,
 
-- 
Kind regards,
 
Michael Schwartzkopff
 
-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
 
Registered office: Munich, Munich District Court: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
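Olivier's remark earlier in the thread about persisting on a RADIUS AVP and the `persist-avp none` line in Fabien's profile both come down to one decision: which field of the request identifies the conversation that must stay on a single pool member. The following is an added illustration of that decision in Python; it is not F5 or FreeRADIUS code and not an iRule. It parses the RFC 2865 packet layout, keys on NAS-IP-Address (falling back to the UDP source address when the attribute is absent or malformed), and maps the key to one of two members with a stable hash. The pool addresses are the two members from Fabien's pool config; the NAS address, user and MAC are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Standard attribute numbers from RFC 2865.
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31

# Sample pool: the two back-end members from the pool config in the thread.
POOL = ["10.10.6.7", "10.20.6.3"]


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte header and the TLV attribute list.

    Returns {"code": int, "identifier": int, "attrs": {type: [raw value, ...]}}.
    Raises ValueError on anything that does not match the RFC 2865 layout, so a
    malformed datagram is rejected rather than used to steer traffic.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "identifier": identifier, "attrs": attrs}


def is_well_formed(packet: bytes) -> bool:
    """True when parse_radius() accepts the datagram."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def persistence_key(packet: bytes, source_ip: str) -> str:
    """Key on NAS-IP-Address when present and 4 bytes long, else the UDP source.

    Either way every packet from one NAS maps to the same key, which is the
    property the thread says an EAP conversation needs.  The same function
    could key on User-Name or Calling-Station-Id instead, as Olivier notes.
    """
    attrs = parse_radius(packet)["attrs"]
    for value in attrs.get(NAS_IP_ADDRESS, []):
        if len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return source_ip


def select_member(key: str, pool=POOL) -> str:
    """Map a key to a pool member with a stable hash (same key, same member)."""
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def build_access_request(attrs, identifier=1) -> bytes:
    """Encode an Access-Request for testing (constructed input, zero authenticator)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16)
    return header + body


if __name__ == "__main__":
    # Constructed sample: a wireless controller at 10.16.81.11 authenticating one user.
    packet = build_access_request([
        (USER_NAME, b"alice"),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.16.81.11").packed),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    ])
    key = persistence_key(packet, source_ip="192.0.2.10")
    print(key, "->", select_member(key))
```

The two fields are checked separately on purpose: NAS-IP-Address is what the NAS claims, the UDP source address is what the network delivered, and a NAT between the NAS and the load balancer is exactly the situation where they differ and keying on the attribute keeps the persistence stable.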


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
you don't know how hard it was to wait till the official release :-)
A
On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable
 
 Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
 present  - you
 should have been compiling it before the official release ;-)
 
 alan



Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Many thanks for this Olivier, much appreciated
Rgds
A
On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote:

 On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 Another nice thing to do is to do persistence based on radius AVP
 https://devcentral.f5.com/questions/radius-load-bnalancing-persistence
 
 So you can load balance incoming requests based on any standard AVP
 (User-Name, NAS-IP-Address, Calling-Station-Id )
 
 Olivier
 -- 
 
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org



Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz

On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable
 
 Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
 present  - you
 should have been compiling it before the official release ;-)
 
Ah! That explains it. When I first compiled FR 2.x.x on my Lion box I do remember 
being impressed with the fact that it just talked to the back end Open 
Directory without doing anything. Looking forward to setting up RadSec in FR3.
A
 alan



Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:

 you don't know how hard it was to wait till the official release :-)
 A


brew install talloc
brew link talloc
./configure
make
make install

?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 3 and DHCP

2013-10-09 Thread Rok Kosir

On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:

On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote:


On 08/10/13 17:01, Rok Kosir wrote:


authentication to mysql), when I run freeradius -X, I get Segmentation
Fault when it reaches the dhcp listener.

See doc/bugs.

and skip to section 2. :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Rebuilt manually and with DHCP it started the server; when a DHCP request 
came, it crashed.

I did use --enable-development when configuring

All I got in the logs is
kernel: [7949524.015421] radiusd[19648] general protection 
ip:7fa7082c1670 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]


No other coredump available except from gdb.
Generated gdb http://pastebin.com/raw.php?i=C1NYzckb

Also debug from radiusd -X http://pastebin.com/raw.php?i=B8tRs1xh

config options were:
./configure --build x86_64-linux-gnu --config-cache --enable-developer 
--prefix=/usr --exec-prefix=/usr --mandir=/usr/share/man 
--sysconfdir=/etc --libdir=/usr/lib/freeradius --datadir=/usr/share 
--localstatedir=/var --with-raddbdir=/etc/freeradius 
--with-logdir=/var/log/freeradius --with-large-files --with-udpfromto 
--without-rlm_eap_tnc  --without-rlm_eap_ikev2 --without-rlm_sql_oracle 
--without-rlm_sql_unixodbc


on Ubuntu 12.04 kernel 3.2.0-29-generic



Re: Usage of Session-Timeout

2013-10-09 Thread Alan DeKok
Volker Lieder wrote:
 Within the old version, we used a database config for groups with an 
 attribute Session-Timeout and the value `%{expr:06:00}`

  Which never worked.  06:00 isn't a number.  You can't just invent
syntax and use it.

 With new version freeradius send an error while looking in debug mode like:
 
 Tue Oct  1 16:15:23 2013 : Info: [sql]expand: 06:00 - 06:00
 Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
 Tue Oct  1 16:15:23 2013 : Info: [sql]expand: %{expr:06:00} - 
 
 Can you explain why this value isn't working with the new version, or what we have 
 to change to set the Session-Timeout so that the user gets disconnected e.g. at 06:00 
 am?

  It didn't work in the old version, either.  It just didn't complain.

  You should use the Expiration attribute:

bob Cleartext-Password := "hello", Expiration := "06:00"

  That should work.

  Or, calculate the Session-Timeout manually.

  Alan DeKok.
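Alan's second option, calculating Session-Timeout yourself, as an added example in Python (not part of the thread and not FreeRADIUS code): it returns the seconds until the next 06:00, rolling over to the following day when that time of day has already passed, which is the case the broken `%{expr:06:00}` value could never express. The timestamp is passed in rather than read from the clock so the result is reproducible; a real policy would use the current time.

```python
from datetime import datetime, timedelta


def seconds_until(clock_time: str, now) -> int:
    """Seconds from `now` to the next occurrence of HH:MM on the wall clock.

    `now` may be a datetime or an ISO 8601 string.  If the requested time of
    day is not strictly in the future, the next occurrence is tomorrow, so the
    session never receives a zero or negative timeout.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    try:
        hour, minute = (int(part) for part in clock_time.split(":"))
    except ValueError:
        raise ValueError(f"expected HH:MM, got {clock_time!r}") from None
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"{clock_time!r} is not a valid time of day")
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def session_timeout_reply(clock_time: str, now) -> dict:
    """The reply attribute a policy would set, as an attribute -> value mapping."""
    return {"Session-Timeout": seconds_until(clock_time, now)}


if __name__ == "__main__":
    # Constructed sample: the timestamp from the debug output quoted above.
    print(session_timeout_reply("06:00", "2013-10-01T16:15:23"))
```

Session-Timeout is a 32-bit unsigned integer on the wire, so the value is always well within range for a one-day horizon; the validation exists so a typo in the configured time fails at policy time instead of silently producing a wrong timeout.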


Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Alan DeKok
Russell Mike wrote:
 All-In-MB counter works. Please note, when a user has downloaded his
 quota, the counter does not force a log off.

  The counter module DOES NOT DO THAT.

  To see why, ask yourself what does FreeRADIUS see when the user has
downloaded his quota?

  The answer is nothing.  The user's traffic doesn't go through
FreeRADIUS, because FreeRADIUS isn't a router.

  What FreeRADIUS *may* see is an Accounting-Request for the user.
Which contains the total traffic for the user.

  So if you want to do something when the user's traffic is over the
quota, you have to do it in the accounting section.  You have to update
the SQL database, and then check if the user is over quota.

  If so, send a Disconnect-Message, or exec a program to kick the user
offline.

 Which basically means that initially authorization is done by SQL then
 max_all_mb, checks are only done once when the user makes the logon
 attempt and checks are never done again.

  Yes.  That's what you've configured.  If you want more, you need to
tell the server to do more.

 This is where i have failed.
 Since you are more into this, is there a way to perform this check
 on a frequent basis and send a reply to the NAS to log off the user? Then it should
 work. 

  Read the debug output.  You'll see the server receiving
Accounting-Request packets, with the user's traffic over quota.  THAT is
when FreeRADIUS can do something.

  Alan DeKok.


Case statement error

2013-10-09 Thread Franks Andy (RLZ) IT Systems Engineer
Hi All. I have some code in an sql policy:

sql_check_user_present {
  update control {
    Tmp-String-0 := "%{sql_pwifi:SELECT COUNT(*) from voucher v left join state s on v.id=s.voucher_id where v.id=s.voucher_id and v.code='%{User-Name}' and (s.state='Inactive' or s.state='Active')}"
  }
  switch "%{control:Tmp-String-0}" {
    case "0" {
      update control {
        User-RejectInformation := "Sorry, that voucher code is invalid or has expired."
        Debug-RejectInformation := "Voucher code not present in database table, or voucher expired"
      }
      reject
    }
    case "1" {
      noop
    }
    case {
      # voucher has multiple table entries, oooh errr.
      update control {
        User-RejectInformation := "Sorry, there has been an error. Please contact IT."
        Debug-RejectInformation := "Multiple voucher codes the same, or database error - SQL count not = 0 or 1. This should never happen due to primary key constraint!"
      }
      reject
    }
  }
}

This works fine in 3.0, git version #f66d411, but I have a problem with
a regex related thing causing a segfault in that version and wouldn't
mind trying the latest version to see if it's fixed.
Trying version #d166290 results in
 
/usr/local/etc/raddb/policy.d/sql[6]: case statements may only appear
within a switch section
/usr/local/etc/raddb/policy.d/sql[6]: Failed to parse case subsection.
/usr/local/etc/raddb/policy.d/sql[5]: Failed to parse switch
subsection.
/usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing
authorize section.

Do I need to change how the switch statement works? The unlang page
doesn't seem to have changed as far as I can tell.

Thanks
Andy

FR3 Debugging Switches

2013-10-09 Thread Adam Bishop
It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 
3 when RadSec is configured.

  # radiusd -fxx -l stdout

Works as expected (threaded debugging with no timestamps), however:

  # radiusd -fXx -l stdout
  snip
  Wed Oct  9 14:44:18 2013 : Error: 
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for 
TLS sockets to function properly.
  Wed Oct  9 14:44:18 2013 : Error: 
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
'radiusd -fxx -l stdout' for debugging

'-fXxx -l stdout' reacts in the same way, but '-fxxx -l stdout' does run and 
produce timestamps, so I think this one is just a documentation issue - I can't 
find anything in doc/ that says xxx is a valid combination.  radiusd --help also 
indicates that -fXx should still be valid.

Similarly, when doing a config check:

  # ./sbin/radiusd -Cfxx -l stdout
  snip
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
for TLS sockets to function properly.
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
'radiusd -fxx -l stdout' for debugging

The init scripts for debian (possibly RHEL too) trigger the latter one, as it 
runs a config check on restart (which bails out due to the error above).

Regards,

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.





Re: Freeradius 3 and DHCP

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 11:56, Rok Kosir rok.ko...@cosylab.com wrote:

 On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:
 On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk
  wrote:
 
 
 On 08/10/13 17:01, Rok Kosir wrote:
 
 
 authentication to mysql), when I run freeradius -X, I get Segmentation
 Fault when it reaches the dhcp listener.
 
 See doc/bugs.
 
 and skip to section 2. :)
 
 Arran Cudbard-Bell 
 a.cudba...@freeradius.org
 
 FreeRADIUS Development Team
 
 
 Rebuilt manually and with dhcp it started the server, when dhcp request came 
 it crashed.
 I did use --enable-development when configuring
 
 All i got in logs is  
 kernel: [7949524.015421] radiusd[19648] general protection ip:7fa7082c1670 
 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]
 
 no other coredump available except from  gdb
 Generated gdb  http://pastebin.com/raw.php?i=C1NYzckb

Thanks for that.

git clone g...@github.com:FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout v3.0.x

Should no longer segv.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Case statement error

2013-10-09 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 Trying version #d166290 results in

  Which is old.  The bug has already been fixed.

  Alan DeKok.


Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan. D

So if you want to do something when the users traffic is over the quota,
you have to do it in the accounting section.

Could you please kindly indicate what I should do there? I tried to
perform the check again when the user is online by adding a counter entry in the *
session* section, but that did not work either.

session {
sql
gigawordcounter
}

You have to update the SQL database, and then check if the user is over
quota. If so, send a Disconnect-Message, or exec a program to kick the user
offline.

I am not very clear on how to update the MySQL DB & perform the check on a frequent
basis. Based on the output from the counter module (ok, noop, etc.), I
understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM--

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok al...@deployingradius.com wrote:

 Russell Mike wrote:
  All-In-MB counter works. Please note, when a user has downloaded his
   quota, the counter does not force a log off.

    The counter module DOES NOT DO THAT.

   To see why, ask yourself what does FreeRADIUS see when the user has
 downloaded his quota?

    The answer is nothing.  The user's traffic doesn't go through
  FreeRADIUS, because FreeRADIUS isn't a router.

   What FreeRADIUS *may* see is an Accounting-Request for the user.
 Which contains the total traffic for the user.

    So if you want to do something when the user's traffic is over the
  quota, you have to do it in the accounting section.  You have to update
  the SQL database, and then check if the user is over quota.

   If so, send a Disconnect-Message, or exec a program to kick the user
 offline.

  Which basically means that initially authorization is done by SQL then
  max_all_mb, checks are only done once when the user makes the logon
  attempt and checks are never done again.

   Yes.  That's what you've configured.  If you want more, you need to
 tell the server to do more

  This is where i have failed.
   Since you are more into this, is there a way to perform this check
   on a frequent basis and send a reply to the NAS to log off the user? Then it should
  work.

    Read the debug output.  You'll see the server receiving
  Accounting-Request packets, with the user's traffic over quota.  THAT is
 when FreeRADIUS can do something.

   Alan DeKok.

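An added example, in Python rather than unlang, of the accounting-driven check Alan describes and Russell asks about above (illustrative only, not FreeRADIUS or the counter module's code): each Accounting-Request carries the session's cumulative octet counters, the Gigawords attributes hold the high 32 bits that a 4 GB-limited counter loses, the latest value replaces the stored one for that session, and the user's total across sessions is compared with the quota to decide whether a disconnect is due. The quota, user names and accounting records are constructed sample values.

```python
GIB = 1 << 30


def session_octets(acct: dict) -> int:
    """Cumulative bytes for one session.

    Each 32-bit Acct-*-Octets counter is combined with its Acct-*-Gigawords
    attribute, which carries the high 32 bits; ignoring Gigawords is what makes
    a naive counter wrap at 4 GB.
    """
    total = 0
    for direction in ("Input", "Output"):
        low = int(acct.get(f"Acct-{direction}-Octets", 0))
        high = int(acct.get(f"Acct-{direction}-Gigawords", 0))
        total += (high << 32) + low
    return total


class QuotaTracker:
    """In-memory stand-in for the SQL table the accounting section would update."""

    def __init__(self, quota_bytes: int):
        self.quota = quota_bytes
        # (User-Name, Acct-Session-Id) -> latest cumulative octets for that session
        self.sessions = {}

    def usage(self, user: str) -> int:
        """Total bytes across all of the user's recorded sessions."""
        return sum(octets for (u, _), octets in self.sessions.items() if u == user)

    def account(self, acct: dict) -> dict:
        """Process one Accounting-Request and return the decision to act on.

        Counters in Interim-Update and Stop are cumulative for the session, so
        the newest value replaces the stored one instead of being added to it;
        a Start carries no usage and only triggers the check.
        """
        status = acct.get("Acct-Status-Type", "Interim-Update")
        user = acct["User-Name"]
        if status in ("Interim-Update", "Stop"):
            self.sessions[(user, acct["Acct-Session-Id"])] = session_octets(acct)
        used = self.usage(user)
        over = used > self.quota
        return {
            "user": user,
            "used": used,
            "over_quota": over,
            # "disconnect" means: send Disconnect-Request (RFC 5176) or exec a program.
            "action": "disconnect" if over else "noop",
        }


if __name__ == "__main__":
    # Constructed records: one user crossing a 5 GiB quota in a second session.
    tracker = QuotaTracker(quota_bytes=5 * GIB)
    records = [
        {"User-Name": "bob", "Acct-Session-Id": "s1", "Acct-Status-Type": "Start"},
        {"User-Name": "bob", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
         "Acct-Input-Octets": 500000000, "Acct-Input-Gigawords": 1},
        {"User-Name": "bob", "Acct-Session-Id": "s2", "Acct-Status-Type": "Interim-Update",
         "Acct-Output-Octets": 700000000},
    ]
    for record in records:
        print(tracker.account(record))
```

Keying the table on both User-Name and Acct-Session-Id matters: a user with two concurrent sessions sends two independent cumulative counters, and storing only one of them, or adding interim values together, would give a total that is either too low or grows without bound.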

Re: FR3 Debugging Switches

2013-10-09 Thread Alan DeKok
Adam Bishop wrote:
 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.

  Yes.  Because of OpenSSL limitations, the server MUST have multiple
threads when using radsec.

   # radiusd -fxx -l stdout
 
 Works as expected (threaded debugging with no timestamps), however:
 
   # radiusd -fXx -l stdout
   snip
   Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
   Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging

  So... what's wrong with following that documentation?

 '-fXxx -l stdout' reacts in the same way,

  Because the -X means -f, which is invalid for radsec.

 but '-fxxx -l stdout' does run and produce timestamps,

  Which is what the error message says to use.  What's wrong with that?

 so I think this one is just a documentation issue - I can't find anything 
 in doc/ that says xxx is a valid combination.  radiusd --help also indicates 
 that -fXx should still be valid.
 
 Similarly, when doing a config check:
 
   # ./sbin/radiusd -Cfxx -l stdout
   snip
   /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
   /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging
 
 The init scripts for debian (possibly RHEL too) trigger the latter one, as it 
 runs a config check on restart (which bails out due to the error above).

  The -C code should be changed to remove its setting of -f.  We'll
fix that for 3.0.1.

  Alan DeKok.


Re: FR3 Debugging Switches

2013-10-09 Thread A . L . M . Buxey
Hi,

 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.
 
   # radiusd -fxx -l stdout

Yep. If you try 'radiusd -X' it will tell you to run it like that.

   # radiusd -fXx -l stdout
   # ./sbin/radiusd -Cfxx -l stdout

Single-thread methods won't work with RadSec being present.

The docs probably need a slight update for the presence of TLS.

alan


  1   2   3   4   5   6   7   8   9   10   >