Help with sqlcounter for data transferred
Hi, I'm configuring a server with an sqlcounter to check the total bytes in a week for the users, but the server replies with a wrong count. Here's the counter:

    sqlcounter weeklybytecounter {
        counter-name = Weekly-Total-Max-Octets
        check-name = Max-Weekly-Octets
        reply-name = Mikrotik-Total-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = weekly
        query = "SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
    }

But the reply isn't the result of (check-name value) - (query value). For example:

    rlm_sqlcounter: Authorized user fabrizio, check_item=30, counter=38101894

I expect a reply of 30 - 38101894 = 2961898106, but I receive a different value, also bigger. Any idea?

--
Fabrizio Fiore Donati
Mobile: +39 3289872420
E-mail: fabrizio.fioredon...@2bite.net
2bite s.r.l.
Via Saragat snc
67100 L'Aquila (AQ) - Italy
Tel.: +39 0862441583

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
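The counter logic behind the log line above, as an added example that is not from the post or from FreeRADIUS: it models how rlm_sqlcounter evaluates the weekly counter against the check item (the assumptions are listed in the docstring), applies the posted query's selection to constructed radacct rows that reproduce the counter value 38101894, and shows what check - counter becomes in 32-bit unsigned arithmetic once the counter already exceeds the limit.

```python
"""Model of the rlm_sqlcounter decision for the weeklybytecounter above.

Added example, not code from the post or from FreeRADIUS. Assumptions:
  * rlm_sqlcounter authorizes when the counter is below the check item
    and replies with check - counter; when the counter is at or above the
    check item the request is rejected.
  * reset = weekly starts the period on Sunday 00:00; %b is that instant.
  * RADIUS integer attributes (Mikrotik-Total-Limit included) are 32-bit
    unsigned, so a check - counter computed with counter > check wraps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UINT32_MASK = 0xFFFFFFFF
UTC = timezone.utc


@dataclass(frozen=True)
class RadAcct:
    """One radacct row, limited to the columns the posted query reads."""
    username: str
    acctstarttime: datetime
    acctsessiontime: int       # seconds
    acctinputoctets: int
    acctoutputoctets: int


def period_start_weekly(now: datetime) -> datetime:
    """Start of the current weekly period (what sqlcounter substitutes for %b)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    days_since_sunday = (now.weekday() + 1) % 7     # Python: Monday=0, Sunday=6
    return midnight - timedelta(days=days_since_sunday)


def weekly_octets(rows, username: str, period_start: datetime) -> int:
    """Same selection as the posted query: rows for this user whose session
    was still running after the period began (start + duration > %b)."""
    b = period_start.timestamp()
    total = 0
    for row in rows:
        if row.username != username:
            continue
        if row.acctstarttime.timestamp() + row.acctsessiontime > b:
            total += row.acctinputoctets + row.acctoutputoctets
    return total


def sqlcounter_decide(check_item: int, counter: int):
    """('reject', None) when the limit is used up, else ('accept', remaining)."""
    if counter >= check_item:
        return "reject", None
    return "accept", check_item - counter


def uint32_subtract(a: int, b: int) -> int:
    """What a - b becomes if it is performed in 32-bit unsigned arithmetic."""
    return (a - b) & UINT32_MASK


def demo():
    """Constructed radacct rows that reproduce the counter value from the post."""
    now = datetime(2013, 6, 13, 12, 0, tzinfo=UTC)           # a Thursday
    start = period_start_weekly(now)                          # Sunday 2013-06-09 00:00
    rows = [
        # finished on Saturday evening: outside the current period
        RadAcct("fabrizio", datetime(2013, 6, 8, 20, 0, tzinfo=UTC), 3600, 1_000_000, 2_000_000),
        # started Saturday night, still running after the Sunday reset: counted
        RadAcct("fabrizio", datetime(2013, 6, 8, 23, 30, tzinfo=UTC), 7200, 10_000_000, 5_000_000),
        # started on Monday: counted
        RadAcct("fabrizio", datetime(2013, 6, 10, 9, 0, tzinfo=UTC), 600, 3_101_894, 20_000_000),
        # another user is never counted
        RadAcct("mallory", datetime(2013, 6, 10, 9, 0, tzinfo=UTC), 600, 999, 999),
    ]
    counter = weekly_octets(rows, "fabrizio", start)
    return {
        "period_start": start,
        "counter": counter,                                   # 38101894, as in the log line
        "check_30": sqlcounter_decide(30, counter),           # limit already exceeded
        "check_3gb": sqlcounter_decide(3_000_000_000, counter),
        "wrapped": uint32_subtract(30, counter),              # 30 - 38101894 mod 2**32
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 3 GB check item the remaining value is the 2961898106 the poster expected; with check_item=30 the counter is already over the limit, so a reject rather than a remaining value is the modelled outcome.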
Looking for help with DHCP
Not many people know that FreeRADIUS implements DHCP. I'd like to change that. I'm therefore offering to pay for some work on the feature.

As background, the current version does DHCP, and DHCP relaying. It allocates IPs from an SQL pool. The git master branch has a script to import an ISC lease file into the SQL database.

We need more. I'm looking for the following:

- detailed documentation on how to get it working. Ideally a step-by-step guide, in the style of the EAP docs on http://deployingradius.com/
- the documentation should include examples of an ISC configuration, and how it maps to a FreeRADIUS configuration
- the documentation should include simple tests, and common problems to check
- it should include any new scripts, etc. necessary to get it working.
- any code / configuration will become part of the main FreeRADIUS releases
- the documentation and worked examples will get hosted on the FreeRADIUS web site, and prominently linked from the main page
- your name will go on everything
- since my company is paying for it, all copyright will belong to Network RADIUS SARL.

This is a request for *paid* work. I'm prepared to pay reasonable rates for this. And not the $100 bounty for 6 days work kind of nonsense, either.

Please send email to me with your proposal, background, and price. I'll pick someone in the next week, and work behind the scenes to get this done.

The hope is to crush that pesky ISC server. It's been frustrating people world-wide for years. :)

Alan DeKok.
Mysql xlat help
Hello, I am getting an issue with xlat. I tried this:

    sql sql2 {
    }

    sql sql_gowifi {
        sql_user_name = "%{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
    }

and using sql_gowifi in sites-enabled/default for MySQL based login and accounting. Again, when using sql_user_name = %{User-Name} it saves the username entered in the login page of the hotspot to the radpostauth table, but with the code above the username remains blank. When I run the SQL query above on the MySQL server it returns the correct username. Please help.
Re: Mysql xlat help
On 14 Jun 2013, at 18:22, Go WiFi i...@gowifi.in wrote:

> Hello, I am getting an issue with xlat. I tried this:
>
>     sql sql2 {
>     }
>
>     sql sql_gowifi {
>         sql_user_name = "%{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
>     }
>
> and using sql_gowifi in sites-enabled/default for MySQL based login and accounting. Again, when using sql_user_name = %{User-Name} it saves the username entered in the login page of the hotspot to the radpostauth table, but with the code above the username remains blank. When I run the SQL query above on the MySQL server it returns the correct username. Please help.

Post full config for the sql module (sans queries) and debug output. Please.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Mysql xlat help
This is the section I am having issues with, so I don't think it's needed to post the full config. Also there is nothing special in debug, just the sql_user_name field is blank. Also I managed to write some SQL functions to achieve the same.
Re: Mysql xlat help
Go WiFi wrote:
> this is the section i am having issues so i don't think it's needed to post the full config

If you're smarter than the experts on this list, you can figure it out for yourself.

Or, if you're not going to follow instructions, you shouldn't be asking questions on this list.

You were already blocked on github for being unable to follow the simplest of instructions. If you repeat your behavior here, you will be unsubscribed and permanently banned.

Alan DeKok.
Re: Mysql xlat help
On 14 Jun 2013, at 19:07, Go WiFi i...@gowifi.in wrote:

> this is the section i am having issues so i don't think it's needed to post the full config

If you want help, post the full sql config sans queries and any sensitive information.

> also there is nothing special in debug just the sql_user_name field is blank

Run the server with -Xx and post the debug output.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Mysql xlat help
    sql sql2 {
    }

    sql sql_gowifi {
        driver = rlm_sql_mysql

        # Connection info:
        server = localhost
        #port = 3306
        login = dbuser
        password = pass
        radius_db = radius

        # Print all SQL statements when in debug mode (-x)
        sqltrace = yes
        sqltracefile = ${logdir}/custom.sql

        # number of sql connections to make to server
        num_sql_socks = 5

        # number of seconds to delay retrying on a failed database
        connect_failure_retry_delay = 60

        # lifetime of an SQL socket. If you are having network issues
        # such as TCP sessions expiring
        lifetime = 0

        # Maximum number of queries used by an SQL socket. If you are
        # having issues with SQL sockets lasting too long.
        max_queries = 0

        # Set to 'yes' to read radius clients from the database ('nas' table)
        readclients = yes

        #default_user_profile = 0

        sql_user_name = "%{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
        group_membership_query = "SELECT plan FROM `voucher` WHERE (code = BINARY '%{SQL-User-Name}' and `sts`='1')"
    }

This is the section where I am having the problem, and I will give the debug output shortly. Also, I refused to give the full code as it's part of my confidential company files; if I give the full code then someone might get the details about the table structure.
Re: Mysql xlat help
OK, after a close look at the debug I found the log:

    [sql_gowifi] WARNING: Unknown module sql2 in string expansion %
    [sql_gowifi] sql_set_user escaped user -- ''

It's not able to find the module sql2, but in my config the very first line is:

    sql sql2 {
Re: Mysql xlat help
On Sat, Jun 15, 2013 at 12:42:49AM +0530, Go WiFi wrote:
> also i denied to give the full code as it's part of my confidential company files if i give the full code then someone might get the details about the table structure

Sorry, 'Go', but nobody here cares about your confidential files.

If you ask for help on a public *free* mailing list, then it's common courtesy to provide the information that people need to help you. There are experts here that know more than you do about FreeRADIUS (which is why you're asking here, right?) and therefore you should provide the requested information.

If you can't or won't, then please find some commercial paid support for your problems and stop wasting people's time having to read e-mails that they can't help with.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Mysql xlat help
On 14 Jun 2013, at 20:21, Go WiFi i...@gowifi.in wrote:

> ok after a close look at the debug i found the log
>
>     [sql_gowifi] WARNING: Unknown module sql2 in string expansion %
>     [sql_gowifi] sql_set_user escaped user -- ''
>
> it's not able to find the module sql2 but in my config the very first line is
>
>     sql sql2 {

sql2 doesn't inherit its configuration, you need to duplicate the config items in sql_gowifi and move the sql_user_name config item out of the queries file into the sql module configurations, using the default value for sql2 and your query for sql_gowifi.

The reason for using two instances is to avoid creating an expansion loop.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Mysql xlat help
Can you tell what files you need?? And the code I am giving is from the sql configurations file. To simulate this according to your instruction I changed the file like:

    sql sql2 {
        sql_user_name = "%{sql_inst2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
    }

and in

    sql sql_gowifi {
        sql_user_name = "%{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
    }

I am calling module sql_gowifi from the authorize section of sites-enabled/default.
Re: Mysql xlat help
On 14 Jun 2013, at 22:36, Go WiFi i...@gowifi.in wrote:

> Can you tell what files you need?? And the code I am giving is from the sql configurations file. To simulate this according to your instruction I changed the file like:
>
>     sql sql2 {
>         sql_user_name = "%{sql_inst2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
>     }

No, in sql2 it needs to have:

    sql_user_name = %{User-Name}

> and in
>
>     sql sql_gowifi {
>         sql_user_name = "%{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}"
>     }
>
> I am calling module sql_gowifi from the authorize section of sites-enabled/default.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: help
Hi all,

I use only radclient:

    radclient -xf test.tcs ip:port -r1 -s auth secret

Log received:

    rad_recv: Access-Accept packet from host IP port 28120, id=20, length=266
    radclient: received response to request we did not send. (id=20 socket 3)
    radclient: no response from server for ID 20 socket 3

BR

2013/5/27 Giovanni Perna perna.giova...@gmail.com

> I send an access request (to port 1812), the server sends the response (same sent port) but radclient logs:
>
>     radclient: received response to request we did not send. (id=20 socket 3)
>
> after 3 retries:
>
>     radclient: no response from server for ID 20 socket 3
>
> Access-Request sent:
>
>     User-Name=TESTT003-010300.001-11.71
>     Calling-Station-Id=00:22:D2:02:22B:E2|99T0001
>     Acct-Session-Id=-0001
>     Proxy-State=XX
>
> Can someone help me?
>
> --
> Giovanni

--
Giovanni
help
I send an access request (to port 1812), the server sends the response (same sent port) but radclient logs:

    radclient: received response to request we did not send. (id=20 socket 3)

after 3 retries:

    radclient: no response from server for ID 20 socket 3

Access-Request sent:

    User-Name=TESTT003-010300.001-11.71
    Calling-Station-Id=00:22:D2:02:22B:E2|99T0001
    Acct-Session-Id=-0001
    Proxy-State=XX

Can someone help me?

--
Giovanni
Re: help
Giovanni Perna wrote:
> Can someone help me?

Post the full debug log as suggested in the FAQ, README, man page, web pages, and daily on this list.

Alan DeKok.
RE: RE: Help with chap
Hi,

Yes, that makes sense, although the MAC address was already being reported on the switch. It's not having any negative effect anyway, so I'm happy.

Thanks
Andy

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org] On Behalf Of Matthias Nagel
Sent: 21 May 2013 23:23
To: freeradius-users@lists.freeradius.org
Subject: AW: RE: Help with chap

> Hello,
>
> actually this behaviour is totally correct. The switch tries to authenticate a client when the switch learns the client's MAC address. As the MAC address is extracted from the ethernet header there must be some packages sent from the client in order to do so. If the client is quiet, the switch cannot do anything about it.
>
> Matthias
>
> Matthias Nagel
> Willy-Andreas-Allee 1, Zimmer 506
> 76131 Karlsruhe
> Telefon: +49-721-8695-1506
> Mobil: +49-151-15998774
> ICQ: 499797758
> Skype: nagmat84
RE: Help with chap
Hi again,

Hmm, I'll need to keep my eye on it then. It may have just been having a good day. The VM host is pretty gutsy, so I doubt processing power would cause such an issue for it as a host. The switch is as from the factory, just with upgraded software (to try and get rid of the issues). A reply to the original email said they have a similar setup working OK. Maybe I should power cycle the thing and see how long that takes to do all the clients...

Sorry for the long sentence; midnight ramblings. In summary, the question was: Can I just use the authorize section to set the password to be the same as the username, i.e. the MAC address, after checking some basics like whether the user exists in LDAP and perhaps the useraccountcontrol value, then in the authorize section just let the CHAP bit work on the assigned password? I guess it would work but is it a bad idea? Just trying to extend my knowledge/proper use of the tool in case I need to use CHAP in the future.

Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 21 May 2013 00:21
To: FreeRadius users mailing list
Subject: Re: Help with chap

> Franks Andy (RLZ) IT Systems Engineer wrote:
>> Thanks for the help. Anecdotally, before I get into serious discovery, I've been running the freeradius process in extra debugging mode -xx. I'd read somewhere that -X makes it run single threaded, but along those lines of thinking I wondered if -xx and the extra debug was causing any performance issues. I may be off at completely the wrong tangent, but the problem is interesting and I like the odd tangent..
>
> Single-threaded versus multiple threads doesn't usually make a big difference.
>
>> Anyway, anecdotally as I said, with the server running in fresh from a reboot, no debugging, and upping the VM to 4 cores instead of 1 (just playing), the problem seems vastly reduced. Nearly all clients are authenticated within 10 seconds,
>
> Any modern CPU should be able to do 100's of EAP sessions per second. If yours can't do that, it was under-provisioned. That's why adding more CPUs helped: you gave it more CPU power.
>
>> the consistent off ones are some ancient Mitel VoIP phones with PCs running off the back, which the switch simply doesn't see for ages. It just sits there and eventually just sends an auth request. In many cases the switch sec debug doesn't even report the MAC address or any activity for this weird phone, but the FR linelog shows it authenticated fine. Really strange.
>
> Well, that's a switch problem.
>
>> By the way, if I was to do CHAP, since I'm running LDAP against AD - no available plaintext or other passwords, but I'm running MAC-based auth, can I just use the authorize process to check for notfound and check the useraccountcontrol setting is correct from an attribute mapping (or just use the useraccountcontrol in an LDAP filter and rely on not found), then just set the Cleartext-Password attribute to be %{username} using some more unlang, then do nothing special in the CHAP authentication bit, just let it OK with the plaintext password, or is that just all wrong? I figure I don't *really* need a password for MAC-based auth, since it's always going to be == to the username?
>
> That's one huge sentence. I can't make heads or tails of it.
>
> Alan DeKok.
Re: Help with chap
On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:
> Can I just use the authorize section to set the password to be the same as the username, i.e. the MAC address, after checking some basics like whether the user exists in LDAP and perhaps the useraccountcontrol value, then in the authorize section just let the CHAP bit work on the assigned password?

Yes. In fact that's the best approach. Something like:

    authorize {
        ...
        if (some condition) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
        }
        ...
    }

"some condition" would normally be some sort of check to ensure it was a macauth-via-CHAP request - obviously you wouldn't want to force password==username for a PPP/EAP/other real user request. On the other hand if your server / virtual server only receives this traffic, you can omit the condition.

I really dislike vendors who do macauth as CHAP. It seems to completely lack value, and adds complexity. Le sigh..
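The same decision modelled in Python, as an added example that is not Phil's code or FreeRADIUS's: the authorize step sets the control Cleartext-Password to the User-Name only when an assumed MAC-auth condition holds (Service-Type = Call-Check and a twelve-hex-digit User-Name, both my stand-ins for "some condition"), and the CHAP step recomputes the RFC 1994 response from that password, so a real user's CHAP request never gets the password==username shortcut.

```python
"""CHAP verification when the "known good" password is the User-Name, as in
the unlang above. Added example, not code from the thread or FreeRADIUS.

Assumptions standing in for Phil's "some condition": the switch marks
MAC-auth with Service-Type = Call-Check and sends the MAC as twelve
lowercase hex digits in User-Name. Anything else (a real user such as
"alice") gets no Cleartext-Password and so cannot pass CHAP here.
"""
import hashlib
import hmac
import re

MAC_USERNAME = re.compile(r"^[0-9a-f]{12}$")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge).
    In RADIUS, CHAP-Password is the one-byte Identifier followed by these 16 bytes."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def authorize(request: dict) -> dict:
    """The authorize section: build the control list. Only a request that
    looks like MAC-auth gets Cleartext-Password := %{User-Name}."""
    control = {}
    user = request.get("User-Name", "")
    if request.get("Service-Type") == "Call-Check" and MAC_USERNAME.match(user):
        control["Cleartext-Password"] = user
    return control


def authenticate_chap(request: dict, control: dict) -> bool:
    """The chap module: recompute the response from the known cleartext password."""
    password = control.get("Cleartext-Password")
    if password is None:
        return False                      # no known good password: reject
    chap_password = request.get("CHAP-Password", b"")
    if len(chap_password) != 17:          # Identifier + 16-byte MD5 response
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    # The client hashed the CHAP-Challenge attribute if it sent one,
    # otherwise the 16-byte Request Authenticator of the packet.
    challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
    expected = chap_response(chap_id, password.encode(), challenge)
    return hmac.compare_digest(expected, response)


def access_outcome(request: dict) -> str:
    """authorize, then authenticate, as the default virtual server does."""
    return "Access-Accept" if authenticate_chap(request, authorize(request)) else "Access-Reject"


# Constructed client side: what a NAS puts on the wire for a CHAP request.
CHALLENGE = bytes(range(16))                  # constructed CHAP-Challenge
AUTHENTICATOR = bytes(range(16, 32))          # constructed Request Authenticator


def build_request(user: str, client_password: str, service_type: str, chap_id: int = 7) -> dict:
    """Constructed Access-Request: the client proves knowledge of client_password."""
    return {
        "User-Name": user,
        "Service-Type": service_type,
        "CHAP-Challenge": CHALLENGE,
        "Request-Authenticator": AUTHENTICATOR,
        "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, client_password.encode(), CHALLENGE),
    }


def demo() -> dict:
    mac = "0021d2022be2"                      # constructed MAC, as the switch would send it
    return {
        # switch does MAC-auth via CHAP with password == MAC: accepted
        "mac_auth": access_outcome(build_request(mac, mac, "Call-Check")),
        # same MAC but the client hashed some other password: rejected
        "mac_wrong_password": access_outcome(build_request(mac, "secret", "Call-Check")),
        # a real user: the condition is false, so no password==username shortcut
        "real_user": access_outcome(build_request("alice", "alice", "Framed-User")),
        # MAC-shaped name but not flagged as MAC-auth: the condition is false
        "mac_not_callcheck": access_outcome(build_request(mac, mac, "Framed-User")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two cases are why the condition matters: without it, any CHAP request whose password equals its User-Name would be accepted, which is the "lack of value" Phil refers to.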
RE: Help with chap
Thanks Phil. I'll keep that up my sleeve for future use.

We tend to separate admin / wireless / MAC-based auth off on to different RADIUS boxes. Keeps things a bit easier. Not sure what Cisco do, but a lot of their stuff tends to be PAP or EAP. HP doing CHAP here seems to limit quite a lot of backend options. It's still also the only protocol, or so it seems, chosen for iSCSI authentication, which is an interesting choice considering its vulnerabilities. Guess IPsec gets used instead where it needs to be secure.

Now to work out the useraccountcontrol setting. Seems to be different in Users and Computers than in an LDAP viewer, but the LDAP one is probably a decimal conversion or something.

Thanks again
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 21 May 2013 08:06
To: freeradius-users@lists.freeradius.org
Subject: Re: Help with chap

> On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:
>> Can I just use the authorize section to set the password to be the same as the username, i.e. the MAC address, after checking some basics like whether the user exists in LDAP and perhaps the useraccountcontrol value, then in the authorize section just let the CHAP bit work on the assigned password?
>
> Yes. In fact that's the best approach. Something like:
>
>     authorize {
>         ...
>         if (some condition) {
>             update control {
>                 Cleartext-Password := "%{User-Name}"
>             }
>         }
>         ...
>     }
>
> "some condition" would normally be some sort of check to ensure it was a macauth-via-CHAP request - obviously you wouldn't want to force password==username for a PPP/EAP/other real user request. On the other hand if your server / virtual server only receives this traffic, you can omit the condition.
>
> I really dislike vendors who do macauth as CHAP. It seems to completely lack value, and adds complexity. Le sigh..
RE: Help with chap
..Just an update.. might be interesting for people - rebooted the switch and not all clients were authenticated, but it seems all those that weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are switched off and the switch seems to need some packets to flow for it to detect that the client needs authenticating. Otherwise it looks like it will sit with the port in an up state unauthenticated all day long. I guess this sort of makes sense, but in my simple view of how things work this isn't intuitive. Also HP manuals don't seem to mention it..

Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 21 May 2013 22:27
To: FreeRadius users mailing list
Subject: RE: Help with chap

> Thanks Phil. I'll keep that up my sleeve for future use.
>
> We tend to separate admin / wireless / MAC-based auth off on to different RADIUS boxes. Keeps things a bit easier. Not sure what Cisco do, but a lot of their stuff tends to be PAP or EAP. HP doing CHAP here seems to limit quite a lot of backend options. It's still also the only protocol, or so it seems, chosen for iSCSI authentication, which is an interesting choice considering its vulnerabilities. Guess IPsec gets used instead where it needs to be secure.
>
> Now to work out the useraccountcontrol setting. Seems to be different in Users and Computers than in an LDAP viewer, but the LDAP one is probably a decimal conversion or something.
>
> Thanks again
> Andy
AW: RE: Help with chap
Hello,

actually this behaviour is totally correct. The switch tries to authenticate a client when the switch learns the client's MAC address. As the MAC address is extracted from the ethernet header there must be some packages sent from the client in order to do so. If the client is quiet, the switch cannot do anything about it.

Matthias

Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk wrote:

> ..Just an update.. might be interesting for people - rebooted the switch and not all clients were authenticated, but it seems all those that weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are switched off and the switch seems to need some packets to flow for it to detect that the client needs authenticating. Otherwise it looks like it will sit with the port in an up state unauthenticated all day long. I guess this sort of makes sense, but in my simple view of how things work this isn't intuitive. Also HP manuals don't seem to mention it..
>
> Thanks
> Andy
Re: Help with chap
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks Alan, It takes literally a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the EAP transaction that seemed to be the problem, but then I didn't scan each and every line to be honest.

See http://deployingradius.com/ It has instructions for testing PEAP via eapol_test. That lets you do some limited performance checks.

An alternative is to configure a static user/password. Do performance checks using that user. If it's a lot faster than ntlm_auth, then the problem is likely ntlm_auth.

Alan DeKok.
RE: Help with chap
Thanks for the help. Anecdotally, before I get into serious discovery, I've been running the freeradius process in extra debugging mode -xx. I'd read somewhere that -X makes it run single threaded, but along those lines of thinking I wondered if -xx and the extra debug was causing any performance issues. I may be off at completely the wrong tangent, but the problem is interesting and I like the odd tangent..

Anyway, anecdotally as I said, with the server running in fresh from a reboot, no debugging, and upping the VM to 4 cores instead of 1 (just playing), the problem seems vastly reduced. Nearly all clients are authenticated within 10 seconds, the consistent off ones are some ancient Mitel VoIP phones with PCs running off the back, which the switch simply doesn't see for ages. It just sits there and eventually just sends an auth request. In many cases the switch sec debug doesn't even report the MAC address or any activity for this weird phone, but the FR linelog shows it authenticated fine. Really strange. Anyone else got any reports of the ProCurve switches just sitting there waiting for something to happen? The failure of the responses seemed previously to have kicked the switch into waiting ages then retrying later (the retry is set to 30 seconds but it was way longer). Anyway, the lack of debug seems to have helped quite a bit.

By the way, if I was to do CHAP, since I'm running LDAP against AD - no available plaintext or other passwords, but I'm running MAC-based auth, can I just use the authorize process to check for notfound and check the useraccountcontrol setting is correct from an attribute mapping (or just use the useraccountcontrol in an LDAP filter and rely on not found), then just set the Cleartext-Password attribute to be %{username} using some more unlang, then do nothing special in the CHAP authentication bit, just let it OK with the plaintext password, or is that just all wrong? I figure I don't *really* need a password for MAC-based auth, since it's always going to be == to the username?

Thanks for the input
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 20 May 2013 14:01
To: FreeRadius users mailing list
Subject: Re: Help with chap

> Franks Andy (RLZ) IT Systems Engineer wrote:
>> Thanks Alan, It takes literally a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the EAP transaction that seemed to be the problem, but then I didn't scan each and every line to be honest.
>
> See http://deployingradius.com/ It has instructions for testing PEAP via eapol_test. That lets you do some limited performance checks.
>
> An alternative is to configure a static user/password. Do performance checks using that user. If it's a lot faster than ntlm_auth, then the problem is likely ntlm_auth.
>
> Alan DeKok.
Re: Help with chap
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks for the help. Anecdotally, before I get into serious discovery, I've been running the freeradius process in extra debugging mode -xx. I'd read somewhere that -X makes it run single threaded, but along those lines of thinking I wondered if -xx and the extra debug was causing any performance issues. I may be off at completely the wrong tangent, but the problem is interesting and I like the odd tangent..

Single-threaded versus multiple threads doesn't usually make a big difference.

> Anyway, anecdotally as I said, with the server running in fresh from a reboot, no debugging, and upping the vm to 4 core instead of 1 (just playing), the problem seems vastly reduced. Nearly all clients are authenticated within 10 seconds,

Any modern CPU should be able to do 100's of EAP sessions per second. If yours can't do that, it was under-provisioned. That's why adding more CPUs helped: you gave it more CPU power.

> the consistent off ones are some ancient mitel voip phones with pcs running off the back, which the switch simply doesn't see for ages. It just sits there and eventually just sends an auth request. In many cases the switch sec debug doesn't even report the mac address or any activity for this weird phone, but the FR linelog shows it authenticated fine. Really strange.

Well, that's a switch problem.

> By the way, if I was to do chap, since I'm running ldap against AD - no available plaintext or other passwords, but I'm running mac-based auth, can I just use the authorize process to check for notfound and check the useraccountcontrol setting is correct from an attribute mapping (or just use the useraccountcontrol in an ldap filter and rely on not found), then just set the cleartext-password attribute to be %{username} using some more unlang, then do nothing special in the chap authentication bit, just let it ok with the plaintext password or is that just all wrong?
> I figure I don't *really* need a password for mac-based auth, since it's always going to be == to the username?

That's one huge sentence. I can't make heads or tails of it.

Alan DeKok.
Help with chap
Hi, I seem to frequent this forum, hopefully one day I'll be answering some questions, not asking them.

I've recently got into mac based auth on a procurve 5406. It does either chap or peap-mschap authentication, and I'm using ntlm_auth for the mschap2 when using peap. It worked brilliantly in testing, but come production, when I reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate, simply because the nas (I guess) gets overwhelmed and consequently I see loads of "eap did not complete" messages. These don't happen for individual transactions - they always complete fine. I can't see a way around this - we have loads of these switches..

So the question is the best way to use chap. I can't do it with ntlm_auth - so I thought of a few, possibly ridiculous options:

- Synch the content of the AD OU I have the mac address users in to an SQL database, maybe using vbscript/.net, including any state information like whether the account is disabled or expired and test against these custom fields during authentication. The authorisation process I currently have running against ldap doesn't pick up the account information being expired, maybe I need to look into this. I want to be able ideally to feed information back following a successful authentication to a custom attribute in AD, which is quite possible with an SQL database as an intermediary, for example switch and port ID, useful stuff to know. I can't think of any native linux apps that can change AD attributes, excluding samba doing groups and passwords, maybe there is one?

- Use ldap as an authentication method? I know that AD will never give me back a password, but since this is mac authentication I was wondering if in the authorisation bit of the virtual server I could update the cleartext-password attribute based on the username as the two details are always identical in mac based auth, and then perform authentication with a known password. Maybe this would pick up locked usernames instead, again not sure about MS ldap in this area, never tried.

- use nps as a proxy for the authentication. I don't really want to do this, but nps will (I think) allow chap / AD authentication.

Any ideas which of these / other would be the right direction to follow? Need to do this in a hurry as the next switch is rolling out soon so don't have time to look into all of them..

Thanks
Andy
Re: Help with chap
Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come production, when I reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate,

That's bad. 10-15 clients should be done in a second or so.

My guess is that the ntlm_auth process is taking a *long* time. Maybe your DNS settings are broken.

Set up a test server. Run it in debugging mode and see. If the authentication takes more than a second or so (with debug messages), something is wrong.

> - Synch the content of the AD OU I have the mac address users in to an SQL database, maybe using vbscript/.net, including any state information like whether the account is disabled or expired and test against these custom fields during authentication.

That will work for MS-CHAP. Not for CHAP.

> The authorisation process I currently have running against ldap doesn't pick up the account information being expired, maybe I need to look into this. I want to be able ideally to feed information back following a successful authentication to a custom attribute in AD, which is quite possible with an SQL database as an intermediary, for example switch and port ID, useful stuff to know. I can't think of any native linux apps that can change AD attributes, excluding samba doing groups and passwords, maybe there is one?

A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give me back a password, but since this is mac authentication I was wondering if in the authorisation bit of the virtual server I could update the cleartext-password attribute based on the username as the two details are always identical in mac based auth, and then perform authentication with a known password. Maybe this would pick up locked usernames instead, again not sure about MS ldap in this area, never tried.

If it's MAC authentication, then FreeRADIUS can do the CHAP checking itself. And there's no point in doing *more* authentication. The only reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do this, but nps will (I think) allow chap / AD authentication.

No, it won't. It's impossible.

> Any ideas which of these / other would be the right direction to follow? Need to do this in a hurry as the next switch is rolling out soon so don't have time to look into all of them..

Step 1: find out what's wrong with the current system. If something is broken, fix it. Don't work around the problem. That makes it worse.

Alan DeKok.
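The point made above, that the server can check CHAP itself once it knows the cleartext password (and that an NT-hash-only store, or AD via ntlm_auth, can serve MS-CHAP but never CHAP), as an added Python example that is not FreeRADIUS code: it verifies a RADIUS CHAP-Password the way rlm_chap does, falls back to the Request Authenticator when the NAS sends no CHAP-Challenge, and for MAC-based auth sets the password equal to the User-Name, which is the policy Andy asks about. The MAC, challenge and the "directory" of enabled MACs are constructed sample data.

```python
# Added example: RADIUS CHAP-Password verification (RFC 1994, RFC 2865 s5.3),
# the check FreeRADIUS performs once a Cleartext-Password is known for the user.
# Not FreeRADIUS code; the MAC, challenge and ENABLED_MACS below are constructed.
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP: MD5(ident || password || challenge).

    The cleartext password is hashed together with the challenge, so a server
    that only holds an NT hash (or reaches AD through ntlm_auth) cannot
    recompute this. That is why such a backend works for MS-CHAP, not CHAP.
    """
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1-byte ident + 16-byte MD5."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_challenge(request: dict) -> bytes:
    """CHAP-Challenge if the NAS sent one; otherwise RFC 2865 says the
    16-byte Request Authenticator of the Access-Request is the challenge."""
    return request.get("CHAP-Challenge") or request["Request-Authenticator"]


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the digest from the known password and compare."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def mac_auth_password(user_name: str) -> bytes:
    """The policy from the thread: for MAC-based auth the switch sends the MAC
    as both User-Name and password, so authorize can set
    Cleartext-Password := User-Name instead of fetching a secret from AD."""
    return user_name.encode()


def authenticate(request: dict, enabled_macs: set) -> str:
    """Roughly what authorize + authenticate do for a CHAP request from a
    MAC-auth switch. Returns 'notfound', 'reject' or 'accept'."""
    user = request["User-Name"]
    # authorize: the MAC must exist in the directory (the LDAP lookup in the
    # thread) and be enabled; disabled or expired entries count as not found.
    if user not in enabled_macs:
        return "notfound"
    cleartext = mac_auth_password(user)  # Cleartext-Password := User-Name
    if verify_chap(request["CHAP-Password"], chap_challenge(request), cleartext):
        return "accept"
    return "reject"


# Constructed sample data: one known MAC, one fixed challenge.
MAC = "0011223344aa"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
ENABLED_MACS = {MAC, "0011223344bb"}


def sample_request(user_name: str, password: bytes, ident: int = 7) -> dict:
    """The Access-Request a NAS would send for this user (constructed)."""
    return {
        "User-Name": user_name,
        "CHAP-Challenge": CHALLENGE,
        "Request-Authenticator": os.urandom(16),
        "CHAP-Password": build_chap_password(ident, password, CHALLENGE),
    }


if __name__ == "__main__":
    print(authenticate(sample_request(MAC, MAC.encode()), ENABLED_MACS))        # accept
    print(authenticate(sample_request(MAC, b"wrong"), ENABLED_MACS))            # reject
    print(authenticate(sample_request("0011223344cc", b"0011223344cc"),
                       ENABLED_MACS))                                           # notfound
```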
Re: Help with chap
Hello,

> I've recently got into mac based auth on a procurve 5406. [...]

> [...] when I reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate, simply because the nas (I guess) gets overwhelmed and consequently I see loads of eap did not complete messages.

We have a setup of one HP 5412zl, one HP 5406 and one HP 2910. Together all but two module slots are equipped with 24-port line interface cards, hence we have about 400 ethernet ports. We either use 802.1X authentication or mac-based authentication with mschap-peap on every port but a dozen. Our FreeRADIUS server is running on a virtual machine with only 512 MB RAM and is connected with 1GB/s to the 5412zl.

Anyway after a power cycle of all three switches at once, with all clients running, it only takes seconds until all clients (approx. 380) are authenticated again. Neither the HP switches nor the RADIUS server gets overwhelmed. So there must be some mis-configuration at your setup.

Matthias

-- 
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84
RE: Help with chap
Thanks Alan,

It takes literally a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the eap transaction that seemed to be the problem, but then I didn't scan each and every line to be honest.

I'll post back.

Thanks
Andy
Re: Need help: login incorrect with FR 2.2.1
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote:
> Hello, I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of our wireless users cannot authenticate after the upgrade. The backend authentication server is Active Directory and we use ntlm_auth from winbind to pass MSCHAPv2 response from FR to AD.

> rlm_perl: Added pair NT-Password = 0x33343133344331374133364243314244413638324232323239443431
> [pap] Normalizing NT-Password from hex encoding

Just curious. Do ALL the failed users have the NT-Password attribute added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out NT-Password when running in LDAP mode. Or to put it another way, if you had access to NT-Password (e.g. stored in another database, whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try removing NT-Password from the list of attributes added by rlm_perl. My guess is that whatever your rlm_perl data source is, it's out of sync with your AD.

-- 
Fajar
Re: Need help with making RPM from v2.x.x branch
It appears that the created RPM doesn't include the TLV updates that were made to the 2.x.x branch last week. Why wouldn't this be included in the RPM even though I am building the RPM with the current 2.x.x. source?

Thanks.
Re: Need help with making RPM from v2.x.x branch
On 05/10/2013 12:05 PM, Divyesh Raithatha wrote:
> It appears that the created RPM doesn't include the TLV updates that were made to the 2.x.x branch last week. Why wouldn't this be included in the RPM even though I am building the RPM with the current 2.x.x. source?

Use the source Luke :-)

I assume you built from git, therefore you've got every piece of information you need to figure this out. git log will give you exact information.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Need help with making RPM from v2.x.x branch
Thanks, I got past the README but now I am getting the following file not found errors. They do exist, however, it looks like the build is looking for version 2.2.0 of the library files yet they are listed as 2.2.1.

error: File not found: /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
Re: Need help with making RPM from v2.x.x branch
On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh divyesh.raitha...@gmail.com wrote:
> Thanks, I got past the README but now I am getting the following file not found errors. They do exist, however, it looks like the build is looking for version 2.2.0 of the library files yet they are listed as 2.2.1.
>
> error: File not found: /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst

That's kinda tricky. Look at %files section in the spec file. The cleanest solution right now would probably be changing Version: 2.2.0 in the top of the make file to 2.2.1, AND rename your source bz2 file to freeradius-server-2.2.1.tar.bz2.

Another way would be changing the files section, from (e.g.) %{_libdir}/freeradius/rlm_acct_unique-%{version}.so to %{_libdir}/freeradius/rlm_acct_unique-*.so ... or even try deleting all rlm_* lines and replace them with a one-liner %{_libdir}/freeradius/rlm_*.so*

-- 
Fajar
Re: Need help with making RPM from v2.x.x branch
On 05/08/2013 08:19 AM, Fajar A. Nugraha wrote:
> %{_libdir}/freeradius/rlm_acct_unique-*.so

FWIW this is the approach we usually take when packaging things; it seems pointless to me to embed version numbers into %files macros. I'm aware this is probably frowned on by some packaging guidelines, but it works well for us ;o)
Re: Need help with making RPM from v2.x.x branch
On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:
> On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh divyesh.raitha...@gmail.com wrote:
>> Thanks, I got past the README but now I am getting the following file not found errors. They do exist, however, it looks like the build is looking for version 2.2.0 of the library files yet they are listed as 2.2.1.
>>
>> error: File not found: /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
>
> That's kinda tricky. Look at %files section in the spec file. The cleanest solution right now would probably be changing Version: 2.2.0 in the top of the make file to 2.2.1, AND rename your source bz2 file to freeradius-server-2.2.1.tar.bz2.

The version macro in the spec file, the version embedded in tar file name, and the contents of tar file all *MUST* match. You have to be precise with what version you're building. I assumed that was obvious as opposed to being tricky ;-)

> Another way would be changing the files section, from (e.g.) %{_libdir}/freeradius/rlm_acct_unique-%{version}.so to %{_libdir}/freeradius/rlm_acct_unique-*.so ... or even try deleting all rlm_* lines and replace them with a one-liner %{_libdir}/freeradius/rlm_*.so*

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Need help with making RPM from v2.x.x branch
Thanks everyone. Finally got the RPM build to work by doing the following:

Version: 2.2.0 in the top of the freeradius.spec file to 2.2.1, and renaming source bz2 file to freeradius-server-2.2.1.tar.bz2

Along with commenting out patches 2 and 5
#Patch2: freeradius-radtest.patch
#Patch5: freeradius-radeapclient-ipv6.patch

Changing the README line to README.rst
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README.rst; do
cp $f $RPM_BUILD_ROOT/%{docdir}

diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
3c3
Version: 2.2.0
---
Version: 2.2.1
15c15
Patch2: freeradius-radtest.patch
---
#Patch2: freeradius-radtest.patch
18c18
Patch5: freeradius-radeapclient-ipv6.patch
---
#Patch5: freeradius-radeapclient-ipv6.patch
152c152
%patch2 -p1 -b .radtest
---
#%patch2 -p1 -b .radtest
155c155
%patch5 -p1 -b .radeapclient-ipv6
---
#%patch5 -p1 -b .radeapclient-ipv6
239c239
for f in COPYRIGHT CREDITS INSTALL README; do
---
for f in COPYRIGHT CREDITS INSTALL README.rst; do

By commenting out patch 2 and patch 5 what am I missing, if anything?
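Review bot: commenting out `Patch2: freeradius-radtest.patch` and `Patch5: freeradius-radeapclient-ipv6.patch` together with their `%patch2 -p1 -b .radtest` and `%patch5 -p1 -b .radeapclient-ipv6` apply lines keeps the spec internally consistent, but it means the packaged radtest and radeapclient are exactly what the 2.2.1 tarball contains; the question at the end of the message is answered by checking whether the tarball's radtest and radeapclient already carry those two patches' changes, and if they do not, the patches should be rebased onto 2.2.1 rather than dropped. The `Version: 2.2.1` bump and the `README.rst` rename in the `for f in ...` loop match the tarball name the spec is now built from.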
Re: Need help with making RPM from v2.x.x branch
On Tue, May 7, 2013 at 3:35 AM, Divyesh Raithatha divyesh.raitha...@gmail.com wrote:
> to get past the patch error messages but I get another error below:
>
> + cp README /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0

Look at the spec file, change
cp README /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
to
cp README.rst /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0

... and look near %files, change README to README.rst there as well.

-- 
Fajar
Re: Need help with making RPM from v2.x.x branch
On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:
> These project maintained build configurations are best thought of as bleeding edge developer stuff. Make some change and you want to test on Fedora or Debian and need packages, then these build directories are the goto place, Or for those cases where a distribution has not caught up with upstream yet, then this can serve a useful purpose as well (as long as they stay generic, see below), another variant of this is only for the latest and greatest.

You've pretty much covered it.

> My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM spec file which is vanilla as possible without any patches whatsoever. In theory current upstream shouldn't need patches. Also any customization we might do really should come from us, not upstream. If one is building an RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build whose only customization extends to assuring the same file locations, package names, etc. are used. You pretty much get this for free. I would take an existing spec file strip out all the patches, changelog, etc. and then one only needs to take a look at the options passed to configure (I'm thinking about options which control which modules are built).

IMHO some of it (e.g. changelog, patches for cert config) is/was necessary. My use case was that I wanted the build to be as much drop-in as possible, so I can (for example) upgrade to 2.2.1 as soon as possible when it comes out, but switch to Red Hat's official RPM when it's available, without having to change my config. Without some of the patches, I'd need to modify my config file as well.

> Would we like to maintain the ./redhat subdirectory? No, for two reasons.
> 1. It's impossible, as pointed out above there is no single spec file, each spec file is tied to a specific release. We maintain *independent* spec files for *every* distribution version we support, at the moment that numbers in the dozens :-(

Yeah. Before 2.2.0 was out, I made sure that I can build RPMs for RHEL5 and 6 (because that's what I use), and submit the necessary changes upstream. It seems to be enough (i.e. those two versions made up for most who need to build a Red Hat RPM), because IIRC there hasn't been a mail to the list about "I need to build FR 2.2.0 RPM for X flavor of Red Hat but the included spec file doesn't work".

> 2. We already maintain them and they are publicly available for anyone to download. Trying to maintain multiple copies in multiple repositories and assuring they all stay in sync doesn't seem justified.

Thanks for the effort. If no one else does this first, I'd probably submit patches to make FR debs and RPMs build cleanly before 2.2.1 is out (need to dig out my lxc templates first). That way at least people can build packages for released version.

-- 
Fajar
Re: Need help with making RPM from v2.x.x branch
John Dennis wrote:
> Why does FreeRADIUS maintain build configurations for Red Hat and Debian?

Part historical reasons. RPMs were difficult to find, and it was easier to include RPM scripts in the server. It also means it's easy for people to build custom RPMs. They can use an established spec distributed with the server. They don't have to search for spec files.

> I can't speak for Debian, I'm not a Deb package maintainer, but at least in the Red Hat world there isn't just one Red Hat distribution, there are many and each can have different build requirements and build configurations.

Yes. The files distributed with the server should create *a* package. Not *the* canonical package. It will work, and will follow your system packaging method. But it won't be identical to an upstream package.

> Another problem is the spec file under ./redhat is forever getting out of sync (as evidenced by the OP). Patch sets are a superb example of this (compounded by the problem there is no single rpm spec file for all Red Hat versions).

For our purposes, there doesn't need to be.

> My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM spec file which is as vanilla as possible without any patches whatsoever. In theory current upstream shouldn't need patches. Also any customization we might do really should come from us, not upstream. If one is building an RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build whose only customization extends to assuring the same file locations, package names, etc. are used. You pretty much get this for free. I would take an existing spec file, strip out all the patches, changelog, etc. and then one only needs to take a look at the options passed to configure (I'm thinking about options which control which modules are built).

That's pretty much the goal, yes.

> The generic RPM spec file that upstream maintains should be exercised on a regular basis. Far too often we've seen upstream changes that required spec file changes but which were never done (e.g. adding/removing modules and/or other files).

I have a redhat VM around somewhere...

Alan DeKok.
Re: Need help with making RPM from v2.x.x branch
On 05/07/2013 04:46 AM, Fajar A. Nugraha wrote:
> On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:
>> These project maintained build configurations are best thought of as bleeding edge developer stuff. Make some change and you want to test on Fedora or Debian and need packages, then these build directories are the go-to place. Or for those cases where a distribution has not caught up with upstream yet, then this can serve a useful purpose as well (as long as they stay generic, see below), another variant of the "this is only for the latest and greatest".
>
> You've pretty much covered it.
>
>> My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM spec file which is as vanilla as possible without any patches whatsoever. In theory current upstream shouldn't need patches. Also any customization we might do really should come from us, not upstream. If one is building an RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build whose only customization extends to assuring the same file locations, package names, etc. are used. You pretty much get this for free. I would take an existing spec file, strip out all the patches, changelog, etc. and then one only needs to take a look at the options passed to configure (I'm thinking about options which control which modules are built).
>
> IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.

Yes, this is sensible. My suggestion was mostly aimed at simplifying the task with the hope it would then be more robust and easier to maintain.

> My use case was that I wanted the build to be as much drop-in as possible, so I can (for example) upgrade to 2.2.1 as soon as possible when it comes out, but switch to Red Hat's official RPM when it's available, without having to change my config. Without some of the patches, I'd need to modify my config file as well.

I think the only thing of consequence we customize is the bootstrap cert creation which is done via RPM during the install step (plus tweaking some of the cert parameters to tighten up security). Any other patches are bug fixes found either by our QA team or customers. Those usually break down into one of two categories: fixes upstream has made post release and we've 'backported', or fixes we've made and have submitted to the project. The lifetime of these patches is short because in almost every instance the next upstream release has addressed the issue. Kudos to the team for that. So my thought was if you didn't try to mirror that patch set it would be much easier and little would be lost.

>> Would we like to maintain the ./redhat subdirectory? No, for two reasons.
>>
>> 1. It's impossible, as pointed out above there is no single spec file, each spec file is tied to a specific release. We maintain *independent* spec files for *every* distribution version we support, at the moment that numbers in the dozens :-(
>
> Yeah. Before 2.2.0 was out, I made sure that I can build RPMs for RHEL5 and 6 (because that's what I use), and submit the necessary changes upstream. It seems to be enough (i.e. those two versions made up for most who need to build a Red Hat RPM), because IIRC there hasn't been a mail to the list about "I need to build FR 2.2.0 RPM for X flavor of Red Hat but the included spec file doesn't work".

Currently the biggest pain point is the transition from SysV initscripts to systemd. How daemons are installed and configured is different between Fedora and RHEL at the moment and because systemd is still in a bit of flux things can be different even between Fedora releases. Differences in BuildRequires occur less often, but do occur.

There is an everlasting debate as to whether it's best to maintain one spec file that's common across distributions and parameterize it so that it behaves differently in different targets, or whether it's best to maintain completely different spec files and merge changes across them. Those who argue for merging cite the complexity of parameterized spec files, complaining all that conditional logic is difficult to work with and fragile, making it difficult to maintain. Those who argue for parameterizing cite how merging is fragile and is difficult to maintain. So obviously there isn't one right way. But because we're so constrained as to what can appear in RHEL (every change has to have numerous approvals) I gave up on trying to use Fedora spec files in RHEL and instead merge the leading edge Fedora into RHEL.

>> 2. We already maintain them and they are publicly available for anyone to download. Trying to maintain multiple copies in multiple repositories and assuring they all stay in sync doesn't seem justified.
>
> Thanks for the effort. If no one else does this first, I'd probably submit patches to make FR
Need help with making RPM from v2.x.x branch
Hello all, has anyone had success in building an RPM from the v2.x.x branch from http://git.freeradius.org? I am following the information from http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source successfully but I want to get all of the recent patches from the v2.x.x branch. However, when I tried to build the RPM from v2.x.x I get the following message:

Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)

Here is the radtest.in.rej file contents:

--- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
+++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
@@ -121,7 +121,7 @@ echo EAP-Code = Response echo EAP-Type-Identity = \$1\ fi - if [ $6 ] + if [ ! -z $6 ] [[ $6 =~ ^[0-9]+$ ]] [ $6 -gt 0 ] then echo Framed-Protocol = PPP fi

Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh
RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
RPM_ARCH=x86_64
RPM_OS=linux
export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
RPM_DOC_DIR=/usr/share/doc
export RPM_DOC_DIR
RPM_PACKAGE_NAME=freeradius
RPM_PACKAGE_VERSION=2.2.0
RPM_PACKAGE_RELEASE=1.el6
export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
LANG=C
export LANG
unset CDPATH DISPLAY ||:
RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
export RPM_BUILD_ROOT
PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
export PKG_CONFIG_PATH
set -x
umask 022
cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY
cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc '/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' | /bin/tar -xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo Patch #1 (freeradius-cert-config.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0
echo Patch #2 (freeradius-radtest.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0
#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo Patch #5 (freeradius-radeapclient-ipv6.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0
#%patch6 -p1
#%patch7 -p1 -b perl
echo Patch #8 (freeradius-dhcp_sqlippool.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
exit 0

Any Ideas? Thank you.
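Review bot: the rejected hunk at @@ -121,7 +121,7 @@ fails because its `-` context line `if [ $6 ]` no longer matches what the v2.x.x branch has at line 121 of src/main/radtest.in, and the %prep script applies freeradius-radtest.patch with --fuzz=0, so no drift in the surrounding lines is tolerated; the patch needs to be regenerated against the v2.x.x radtest.in (or dropped from the spec if that branch already carries the change) rather than forced through. The `+` line `if [ ! -z $6 ] [[ $6 =~ ^[0-9]+$ ]] [ $6 -gt 0 ]` also leaves $6 unquoted in all three tests, so a sixth argument containing whitespace would break the test; quote it as "$6" when the patch is redone.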
Re: Need help with making RPM from v2.x.x branch
On 05/06/2013 02:57 PM, Divyesh Raithatha wrote:
> Hello all, has anyone had success in building an RPM from the v2.x.x branch from http://git.freeradius.org? I am following the information from http://wiki.freeradius.org/guide/Red-Hat-FAQ
>
> On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source successfully but I want to get all of the recent patches from the v2.x.x branch. However, when I tried to build the RPM from v2.x.x I get the following message:
>
> Hunk #1 FAILED at 121.
> 1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
> error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
> RPM build errors:
> Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
>
> Here is the radtest.in.rej file contents:
>
> --- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
> +++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
> @@ -121,7 +121,7 @@ echo EAP-Code = Response echo EAP-Type-Identity = \$1\ fi - if [ $6 ] + if [ ! -z $6 ] [[ $6 =~ ^[0-9]+$ ]] [ $6 -gt 0 ] then echo Framed-Protocol = PPP fi
>
> Here is the contents of /var/tmp/rpm-tmp.uETav5
>
> #!/bin/sh
> RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
> RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
> RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> RPM_ARCH=x86_64
> RPM_OS=linux
> export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
> RPM_DOC_DIR=/usr/share/doc
> export RPM_DOC_DIR
> RPM_PACKAGE_NAME=freeradius
> RPM_PACKAGE_VERSION=2.2.0
> RPM_PACKAGE_RELEASE=1.el6
> export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
> LANG=C
> export LANG
> unset CDPATH DISPLAY ||:
> RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
> export RPM_BUILD_ROOT
> PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
> export PKG_CONFIG_PATH
> set -x
> umask 022
> cd /home/test/rpmbuild/BUILD
> LANG=C
> export LANG
> unset DISPLAY
> cd '/home/test/rpmbuild/BUILD'
> rm -rf 'freeradius-server-2.2.0'
> /usr/bin/bzip2 -dc '/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' | /bin/tar -xf -
> STATUS=$?
> if [ $STATUS -ne 0 ]; then
>   exit $STATUS
> fi
> cd 'freeradius-server-2.2.0'
> /bin/chmod -Rf a+rX,u+w,g-w,o-w .
> echo Patch #1 (freeradius-cert-config.patch):
> /bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0
> echo Patch #2 (freeradius-radtest.patch):
> /bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0
> #%patch3 -p1 -b .man
> #%patch4 -p1 -b .unix-passwd-expire
> echo Patch #5 (freeradius-radeapclient-ipv6.patch):
> /bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0
> #%patch6 -p1
> #%patch7 -p1 -b perl
> echo Patch #8 (freeradius-dhcp_sqlippool.patch):
> /bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0
> # Some source files mistakenly have execute permissions set
> find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
> exit 0
>
> Any Ideas?

The patch set is targeted at a *specific* freeradius version. You're trying to apply patches from one version against another version. Sometimes that works, sometimes it doesn't.

A patch may not succeed for several reasons. The code may have shifted position in the file (fuzz 0); RPM disallows this because it's evidence of not keeping the spec file current against the version being built. You can override this with

%global _default_patch_fuzz 2

at the top of the spec file (2 in this case is an old default before it was changed to 0). Overriding the patch fuzz factor is not recommended, instead it's recommended you fix the patch to make it 100% correct for the current version.

Another reason a patch might not succeed is because the problem was already reported upstream and upstream fixed it. If they took the patch verbatim then the error you'll see is something akin to "Previously applied patch or reverse patch". If upstream fixed the issue in some other way the patch simply won't apply.

Figuring out exactly which lines of code changed and why is the work of a package maintainer. In this case you're assuming that role and you'll have to do that work.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Need help with making RPM from v2.x.x branch
Divyesh Raithatha wrote:
> Hello all, has anyone had success in building an RPM from the v2.x.x branch from http://git.freeradius.org?

That should work

> I am following the information from http://wiki.freeradius.org/guide/Red-Hat-FAQ
>
> On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source successfully but I want to get all of the recent patches from the v2.x.x branch.

Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch

That should cause it to build.

Alan DeKok.
Re: Need help with making RPM from v2.x.x branch
Thanks Alan, I had to comment out both Patch 2 and 5 sections

#%patch2 -p1 -b .radtest
#%patch5 -p1 -b .radeapclient-ipv6

to get past the patch error messages but I get another error below:

+ cp README /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
cp: cannot stat `README': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)

Here are the contents of the temp file:

cat /var/tmp/rpm-tmp.wG9x7h
#!/bin/sh
RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
RPM_ARCH=x86_64
RPM_OS=linux
export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
RPM_DOC_DIR=/usr/share/doc
export RPM_DOC_DIR
RPM_PACKAGE_NAME=freeradius
RPM_PACKAGE_VERSION=2.2.0
RPM_PACKAGE_RELEASE=1.el6
export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
LANG=C
export LANG
unset CDPATH DISPLAY ||:
RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
export RPM_BUILD_ROOT
PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
export PKG_CONFIG_PATH
set -x
umask 022
cd /home/test/rpmbuild/BUILD
[ $RPM_BUILD_ROOT != / ] rm -rf ${RPM_BUILD_ROOT}
mkdir -p `dirname $RPM_BUILD_ROOT`
mkdir $RPM_BUILD_ROOT
cd 'freeradius-server-2.2.0'
LANG=C
export LANG
unset DISPLAY
mkdir -p $RPM_BUILD_ROOT//var/lib/radiusd
# fix for bad libtool bug - can not rebuild dependent libs and bins
#FIXME export LD_LIBRARY_PATH=$RPM_BUILD_ROOT//usr/lib64
make install R=$RPM_BUILD_ROOT
# modify default configuration
RADDB=$RPM_BUILD_ROOT/etc/raddb
perl -i -pe 's/^#user =.*$/user = radiusd/' $RADDB/radiusd.conf
perl -i -pe 's/^#group =.*$/group = radiusd/' $RADDB/radiusd.conf
# logs
mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct
touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log}
install -D -m 755 /home/test/rpmbuild/SOURCES/freeradius-radiusd-init $RPM_BUILD_ROOT//etc/rc.d/init.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-logrotate $RPM_BUILD_ROOT//etc/logrotate.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-pam-conf $RPM_BUILD_ROOT//etc/pam.d/radiusd
mkdir -p /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/
install -d -m 0710 /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/radiusd/
# remove unneeded stuff
rm -rf doc/00-OLD
rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.a
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.la
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/mssql
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/drivers/oracle
# remove header files, we don't ship a devel package and the
# headers have multilib conflicts
rm -rf $RPM_BUILD_ROOT//usr/include
# remove unsupported config files
rm -f $RPM_BUILD_ROOT//etc/raddb/experimental.conf
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README; do
  cp $f $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0
done
cp LICENSE $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.gpl
cp src/lib/LICENSE $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.lgpl
cp src/LICENSE.openssl $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.openssl
# add Red Hat specific documentation
cat $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/REDHAT EOF
Red Hat, RHEL, Fedora, and CentOS specific information can be found on the
FreeRADIUS Wiki in the Red Hat FAQ.
http://wiki.freeradius.org/guide/Red_Hat_FAQ
Please reference that document.
EOF
# Make sure our user/group is present prior to any package or subpackage installation
/usr/lib/rpm/find-debuginfo.sh --strict-build-id /home/test/rpmbuild/BUILD/freeradius-server-2.2.0
/usr/lib/rpm/check-buildroot
/usr/lib/rpm/redhat/brp-compress
/usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
/usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
/usr/lib/rpm/brp-python-bytecompile
/usr/lib/rpm/redhat/brp-python-hardlink
/usr/lib/rpm/redhat/brp-java-repack-jars

On Mon, May 6, 2013 at 1:09 PM, Alan DeKok al...@deployingradius.com wrote:
> Divyesh Raithatha wrote:
>> Hello all, has anyone had success in building an RPM from the v2.x.x branch from http://git.freeradius.org?
>
> That should work
>
>> I am following the information from http://wiki.freeradius.org/guide/Red-Hat-FAQ
>>
>> On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source successfully but I want to get all of the recent patches from the v2.x.x branch.
>
> Go to redhat/freeradius.spec,
Re: Need help with making RPM from v2.x.x branch
On 05/06/2013 04:09 PM, Alan DeKok wrote:
> Divyesh Raithatha wrote:
>> Hello all, has anyone had success in building an RPM from the v2.x.x branch from http://git.freeradius.org?
>
> That should work
>
>> I am following the information from http://wiki.freeradius.org/guide/Red-Hat-FAQ
>>
>> On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source successfully but I want to get all of the recent patches from the v2.x.x branch.
>
> Go to redhat/freeradius.spec, and delete the following line:
>
> Patch2: freeradius-radtest.patch
>
> That should cause it to build.
>
> Alan DeKok.

Why does FreeRADIUS maintain build configurations for Red Hat and Debian? I suppose it makes sense for the person who wants to build an RPM or Deb package from the latest repo. It does not make sense for someone who just wants an RPM package.

These project maintained build configurations are best thought of as bleeding edge developer stuff. Make some change and you want to test on Fedora or Debian and need packages, then these build directories are the go-to place. Or for those cases where a distribution has not caught up with upstream yet, then this can serve a useful purpose as well (as long as they stay generic, see below), another variant of the "this is only for the latest and greatest".

I can't speak for Debian, I'm not a Deb package maintainer, but at least in the Red Hat world there isn't just one Red Hat distribution, there are many and each can have different build requirements and build configurations.

Another problem is the spec file under ./redhat is forever getting out of sync (as evidenced by the OP). Patch sets are a superb example of this (compounded by the problem there is no single rpm spec file for all Red Hat versions).

My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM spec file which is as vanilla as possible without any patches whatsoever. In theory current upstream shouldn't need patches. Also any customization we might do really should come from us, not upstream. If one is building an RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build whose only customization extends to assuring the same file locations, package names, etc. are used. You pretty much get this for free. I would take an existing spec file, strip out all the patches, changelog, etc. and then one only needs to take a look at the options passed to configure (I'm thinking about options which control which modules are built).

The generic RPM spec file that upstream maintains should be exercised on a regular basis. Far too often we've seen upstream changes that required spec file changes but which were never done (e.g. adding/removing modules and/or other files).

Would we like to maintain the ./redhat subdirectory? No, for two reasons.

1. It's impossible, as pointed out above there is no single spec file, each spec file is tied to a specific release. We maintain *independent* spec files for *every* distribution version we support, at the moment that numbers in the dozens :-(

2. We already maintain them and they are publicly available for anyone to download. Trying to maintain multiple copies in multiple repositories and assuring they all stay in sync doesn't seem justified.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Help] radtest mschap problem
Thank you all for your replies. I used the SLES 11 freeradius standard package and it was too old. It was my mistake and it took a few days off my life. Hopefully someone else does not make the same mistake.

Andres

2013/4/27 Alan DeKok al...@deployingradius.com
> Andres wrote:
>> FreeRADIUS server Version: 2.1.1-7.16.1
>> also installed freeradius-server-libs and utils
>
> Why? That version is SEVEN YEARS old. Upgrade. Really.
>
> And you're using a version of radclient which doesn't support mschap. So... why are you trying to use mschap?
>
> We presume that you're running a recent version of the server. Also, that you read the documentation which comes with the server. If "radtest -h" doesn't say it supports the -t parameter, then it doesn't support the -t parameter.
>
> Alan DeKok.
Re: [Help] radtest mschap problem
On Sun, Apr 28, 2013 at 1:31 AM, Andres arvutihool...@gmail.com wrote:
> Thank you all for your replies. I used the SLES 11 freeradius standard package and it was too old. It was my mistake and it took a few days off my life. Hopefully someone else does not make the same mistake.

If all you need is the mschap test function, IIRC 2.1.12 also has it, and there are packages for SLE 11: http://download.opensuse.org/repositories/network:/aaa/SLE_11/x86_64/

It will be even better if you can use 2.2.0. Search the list archive; IIRC you must manually delete references to sqlite3 in the spec file to get it to build on SLE11.

--
Fajar
Re: [Help] radtest mschap problem
Most likely your hosts file didn't have an entry for your domain name. Dump your hostname and /etc/hosts file here and then we can comment better.

On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:
> Hello All,
>
> I'm trying to test mschap with radtest but it gives me a strange error message. I've tried to solve it for several days, but had no success. I'm using syntax like this:
>
> $ radtest -t mschap user password 127.0.0.1 0 secret
> radclient : Failed to find IP address for host user: Success
>
> radclient: $Id$ built on Jan 22 2013 at 23:55:37
> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013
>
> hosts file looks fine
>
> I would appreciate it if someone can help me,
> Andres
Re: [Help] radtest mschap problem
This is how my hosts file looks:

# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58 radius.mydomain.com radius

Andres

2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com
> Most likely your hosts file didn't have an entry for your domain name. Dump your hostname and /etc/hosts file here and then we can comment better.
>
> On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:
>> Hello All,
>>
>> I'm trying to test mschap with radtest but it gives me a strange error message. I've tried to solve it for several days, but had no success. I'm using syntax like this:
>>
>> $ radtest -t mschap user password 127.0.0.1 0 secret
>> radclient : Failed to find IP address for host user: Success
>>
>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013
>>
>> hosts file looks fine
>>
>> I would appreciate it if someone can help me,
>> Andres
Re: [Help] radtest mschap problem
Andres wrote:
> This is how my hosts file looks:

Well... something is wrong with DNS on your system.

The only advantage to using radtest is that it's simpler than radclient. But it's just a wrapper around radclient. You can edit radtest to remove the DNS lookups, or write your own wrapper which doesn't do DNS lookups.

Alan DeKok.
Re: [Help] radtest mschap problem
What's the hostname of your system?

On Fri, Apr 26, 2013 at 6:30 PM, Andres arvutihool...@gmail.com wrote:
> This is how my hosts file looks:
>
> # IP-Address Full-Qualified-Hostname Short-Hostname
> #
> 127.0.0.1 localhost
> # special IPv6 addresses
> ::1 localhost ipv6-localhost ipv6-loopback
> fe00::0 ipv6-localnet
> ff00::0 ipv6-mcastprefix
> ff02::1 ipv6-allnodes
> ff02::2 ipv6-allrouters
> ff02::3 ipv6-allhosts
> 10.58.5.58 radius.mydomain.com radius
>
> Andres
>
> 2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com
>> Most likely your hosts file didn't have an entry for your domain name. Dump your hostname and /etc/hosts file here and then we can comment better.
>>
>> On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:
>>> Hello All,
>>>
>>> I'm trying to test mschap with radtest but it gives me a strange error message. I've tried to solve it for several days, but had no success. I'm using syntax like this:
>>>
>>> $ radtest -t mschap user password 127.0.0.1 0 secret
>>> radclient : Failed to find IP address for host user: Success
>>>
>>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013
>>>
>>> hosts file looks fine
>>>
>>> I would appreciate it if someone can help me,
>>> Andres
Re: [Help] radtest mschap problem
host name is radius ip 10.58.5.58 Full Domain host name: radius.mydomain.com radius .. resolv.conf search mydomain.com nameserver 10.58.5.39 nameserver 10.58.5.45 /etc/hosts 127.0.0.1 localhost # special IPv6 addresses ::1 localhost ipv6-localhost ipv6-loopback fe00::0 ipv6-localnet ff00::0 ipv6-mcastprefix ff02::1 ipv6-allnodes ff02::2 ipv6-allrouters ff02::3 ipv6-allhosts 10.58.5.58 radius.dpd.ee radius radius:/etc # ping mydomain.com PING mydomain.com (10.58.5.39) 56(84) bytes of data. 64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=1 ttl=128 time=0.301 ms 64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=2 ttl=128 time=0.414 ms radius:/etc # ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.039 ms radius:/etc # ping6 localhost PING localhost(localhost) 56 data bytes 64 bytes from localhost: icmp_seq=1 ttl=64 time=0.080 ms 64 bytes from localhost: icmp_seq=2 ttl=64 time=0.054 ms . radius:/etc # radtest -t mschap testing passme 127.0.0.1 0 testing123456 radclient: Failed to find IP address for host testing: Success . 
radius:/etc # radtest testing passme 127.0.0.1 0 testing123456 Sending Access-Request of id 177 to 127.0.0.1 port 1812 User-Name = testing User-Password = passme NAS-IP-Address = 10.58.5.58 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=177, length=20 Yast2 network settings Hostname/DNS Network Settings ┌Global Options──Overview──Hostname/DNS──Routing───┐ │┌Hostname and Domain Name┐│ ││Hostname Domain Name ││ ││radius mydomain.com ▒▒▒││ ││[x] Change Hostname via DHCPNo interface with dhcp ││ ││[ ] Assign Hostname to Loopback IP ││ │└┘│ │Modify DNS configuration Custom Policy Rule │ │Use Default Policy▒↓ ▒↓ │ │┌Name Servers and Domain Search List─┐│ ││Name Server 1 ┌Domain Search┐ ││ ││10.58.5.45▒ │mydomain.com │ ││ ││Name Server 2 │ │ ││ ││10.58.5.39▒ │ │ ││ ││Name Server 3 │ │ ││ ││▒▒▒ └─┘ ││ │└ I cannot figure out what is the cause of it, that radtest -t mschap dont work. Is it related to DNS or IPv6? Did I something wrong... I'm using( as Windows 2008 domain member): SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 2 FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013 at 23:55:29 I'd be very grateful if someone would care to assist me with this problem Andres 2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com whats the hostname of ur system ? 
On Fri, Apr 26, 2013 at 6:30 PM, Andres arvutihool...@gmail.com wrote:

this way looks my hosts file:

# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58 radius.mydomain.com radius

Andres

2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com
> Most likely your host file didnt have entry of your domain name, dump your hostname and /etc/hosts file here and then we can comment better
>
> On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:
>> Hello All,
>> I'm trying to test mschap with radtest but it gives me strange error message. I've tried to solve it several days, but had no success.
>> I'm using syntax like that:
>>
>> $ radtest -t mschap user password 127.0.0.1 0 secret
>> radclient: Failed to find IP address for host user: Success
>> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013
>>
>> host file looks fine
>> I would appreciate it if someone can help me,
>> Andres
Re: [Help] radtest mschap problem
Hi,

what version of FreeRADIUS? are you sure you arent running old copies of radclient/radtest ie you THINK you can do -t mschap but the wrapper or binary doesnt

radclient -v ?

which radtest

then cat the resulting file.

alan
Re: [Help] radtest mschap problem
Hi,

> FreeRADIUS server Version: 2.1.1-7.16.1
> also installed freeradius-server-libs and utils
> FreeRADIUS server and libs and utils was installed via Yast.
>
> radius:/etc # radclient -v
> radclient: $Id$ built on Jan 22 2013 at 23:55:37
>
> #
> # Version: $Id$
> #
> prefix=/usr
> exec_prefix=/usr
> bindir=/usr/bin
>
> usage() {
>     echo "Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" 1>&2

yes. thats your problem. OLD

the current one says this:

usage() {
    echo "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" 1>&2
    echo "  -d RADIUS_DIR       Set radius directory" 1>&2
    echo "  -t <type>           Set authentication method" 1>&2
    echo "                      type can be pap, chap, mschap, or eap-md5" 1>&2
    echo "  -x                  Enable debug output" 1>&2

etc etc etc

note, the tool has OPTIONS. yours doesnt. and because yours doesnt, it thinks -t is the username and mschap is the password and therefore testing is the hostname and you have no such host!

alan
Re: [Help] radtest mschap problem
Andres wrote:
> FreeRADIUS server Version: 2.1.1-7.16.1
> also installed freeradius-server-libs and utils

Why? That version is SEVEN YEARS old. Upgrade. Really.

And you're using a version of radclient which doesn't support mschap. So... why are you trying to use mschap?

We presume that you're running a recent version of the server. Also, that you read the documentation which comes with the server. If "radtest -h" doesn't say it supports the "-t" parameter, then it doesn't support the "-t" parameter.

Alan DeKok.
[Help] radtest mschap problem
Hello All,

I'm trying to test mschap with radtest but it gives me strange error message. I've tried to solve it several days, but had no success.
I'm using syntax like that:

$ radtest -t mschap user password 127.0.0.1 0 secret
radclient: Failed to find IP address for host user: Success
radclient: $Id$ built on Jan 22 2013 at 23:55:37
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22 2013

host file looks fine
I would appreciate it if someone can help me,

Andres
[Help] How to control the authentication session timeout
Hello All,

We are using EAP-MSCHAPV2 for authentication with LDAP and using version 2.2.0.

So actually who control the session validity for how long the client will be authenticate after connecting to the wireless AP? So for example i key in my username / password in Windows popup, then how long do i need to key in the credential again? Is this control by Radius or by the AP or by the Windows client?

Thanks in advance and sorry for this newbie question :)

--
Best Regards,
Danny
Re: [Help] How to control the authentication session timeout
Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie you should be able to set session-timeout on the NAS and then override/update the value on the RADIUS server depending on your chosen policies...eg for particular users/clients etc...and if proxying you may have agreements or filtering in place to set/agree the value

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: [Help] How to control the authentication session timeout
Hi Alan,

In which config files do i need to look / edit / add the session timeout in freeradius?

Thanks
Danny

On Tue, Apr 23, 2013 at 3:11 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie you should be able to set session-timeout on the NAS and then override/update the value on the RADIUS server depending on your chosen policies...eg for particular users/clients etc...and if proxying you may have agreements or filtering in place to set/agree the value
>
> alan

--
Best Regards,
Danny
Re: [Help] How to control the authentication session timeout
Hi,

> In which config files do i need to look / edit / add the session timeout in freeradius?

that would depend on how your configuration is done and what options and methods you are using. 'users' file is basic way, SQL tables are another, unlang is yet another way...eg

update reply {
    Session-Timeout : = 7200
}

stick this into the post-auth section of raddb/sites-available/default (if thats your virtual server in use)

alan
Re: [Help] How to control the authentication session timeout
Thanks Alan, let me try that. So i can apply this only if the Wireless AP is sending packet with Session-Timeout too right? I don't see this setting in Meraki Wireless AP.

I'm using ldap and all the authentication just simple username / password from ldap. Is the the exact syntax to apply with? or we should use

update reply-message {
    Session-Timeout : = 7200
}

Thanks in advance
Danny

On Tue, Apr 23, 2013 at 8:55 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> In which config files do i need to look / edit / add the session timeout in freeradius?
>
> that would depend on how your configuration is done and what options and methods you are using. 'users' file is basic way, SQL tables are another, unlang is yet another way...eg
>
> update reply {
>     Session-Timeout : = 7200
> }
>
> stick this into the post-auth section of raddb/sites-available/default (if thats your virtual server in use)
>
> alan

--
Best Regards,
Danny
Re: [Help] How to control the authentication session timeout
Hi,

> Thanks Alan, let me try that. So i can apply this only if the Wireless AP is sending packet with Session-Timeout too right? I don't see this setting in Meraki Wireless AP.

as i said, depends on your settings and what the NAS is willing to take from the RADIUS server - you'll have to try it and see - or contact your vendor for technical advice/support.

> I'm using ldap and all the authentication just simple username / password from ldap. Is the the exact syntax to apply with?

?? this is just authentication - how you apply policy is a different issue

> or we should use
>
> update reply-message {
>     Session-Timeout : = 7200
> }

?? you could try making things up. but it wont get you anywhere.

alan
Re: [Help] How to control the authentication session timeout
Thanks again Alex, i will try your syntax.

Thanks
Danny

On Tue, Apr 23, 2013 at 9:25 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thanks Alan, let me try that. So i can apply this only if the Wireless AP is sending packet with Session-Timeout too right? I don't see this setting in Meraki Wireless AP.
>
> as i said, depends on your settings and what the NAS is willing to take from the RADIUS server - you'll have to try it and see - or contact your vendor for technical advice/support.
>
>> I'm using ldap and all the authentication just simple username / password from ldap. Is the the exact syntax to apply with?
>
> ?? this is just authentication - how you apply policy is a different issue
>
>> or we should use
>>
>> update reply-message {
>>     Session-Timeout : = 7200
>> }
>
> ?? you could try making things up. but it wont get you anywhere.
>
> alan

--
Best Regards,
Danny
Re: [Help] How to control the authentication session timeout
Hi,

> Thanks again Alex, i will try your syntax.

do you deliberately change words?

alan
Re: [Help] How to control the authentication session timeout
Hi,

What you mean? Sorry i think you might mis-understand my previous 2 message. I mean 2 ask what is the correct syntax for update reply. Is it exactly like what you said in previous email or else:

update reply {
    Session-Timeout : = 7200
}

I will search the documentation again for my question and apply it inside Post Auth. Sorry for not searching the documentation before asking, i was trying to find a quick solution :)

Thanks
Danny

On Tue, Apr 23, 2013 at 11:08 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thanks again Alex, i will try your syntax.
>
> do you deliberately change words?
>
> alan

--
Best Regards,
Danny
Re: [Help] How to control the authentication session timeout
Hi,

> What you mean?

see bottom of email

> Is it exactly like what you said in previous email or else:
>
> update reply {
>     Session-Timeout : = 7200
> }

no, its exactly liek I typed. if you add spaces like you have then the server wont like it

alan
Re: [Help] How to control the authentication session timeout
Hi Danny,

On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
> What you mean? Sorry i think you might mis-understand my previous 2 message. I mean 2 ask what is the correct syntax for update reply. Is it exactly like what you said in previous email or else:
>
> update reply {
>     Session-Timeout : = 7200
> }

It should be:

post-auth {
    update reply {
        Session-Timeout := 7200
    }
}

(e.g. no space between : and =)

HTH,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: [Help] How to control the authentication session timeout
Thanks all.

-Danny

On Tue, Apr 23, 2013 at 11:59 PM, Matthew Newton m...@leicester.ac.uk wrote:
> Hi Danny,
>
> On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
>> What you mean? Sorry i think you might mis-understand my previous 2 message. I mean 2 ask what is the correct syntax for update reply. Is it exactly like what you said in previous email or else:
>>
>> update reply {
>>     Session-Timeout : = 7200
>> }
>
> It should be:
>
> post-auth {
>     update reply {
>         Session-Timeout := 7200
>     }
> }
>
> (e.g. no space between : and =)
>
> HTH,
>
> Matthew

--
Best Regards,
Danny
Re: rlm_passwd help
Hi,

Good you got it working. Just as a couple of points:

On Wed, Apr 17, 2013 at 02:16:25PM +1000, David Brodrick wrote:
> I got there. I added "authtype = PAP" to the passwd module

There's no such option, so this is irrelevant.

> configuration and then "DEFAULT Auth-Type = PAP" to users.

You /shouldn't/ need to do this - FR will generally work this out by itself - just make sure 'passwd' is above 'pap' in authorize. Setting this might cause you problems in the future.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: rlm_passwd help
Quite right! Thanks for simplifying this for me Matthew.

Cheers,
Dave

Matthew Newton wrote:
> Hi,
>
> Good you got it working. Just as a couple of points:
>
> On Wed, Apr 17, 2013 at 02:16:25PM +1000, David Brodrick wrote:
>> I got there. I added "authtype = PAP" to the passwd module
>
> There's no such option, so this is irrelevant.
>
>> configuration and then "DEFAULT Auth-Type = PAP" to users.
>
> You /shouldn't/ need to do this - FR will generally work this out by itself - just make sure 'passwd' is above 'pap' in authorize. Setting this might cause you problems in the future.
>
> Cheers,
>
> Matthew
rlm_passwd help
Hi,

We're experimenting with freeradius for authenticating users in a custom application. It was straightforward to get this authenticating against the OS:

DEFAULT Auth-Type = System

But what we want to do is maintain a list of usernames and crypt passwords in an external file, separate to the operating system users. The rlm_passwd module should do what we want but I'm having some trouble getting it to work.

In the radiusd.conf modules section I have:

passwd our_passwd {
    filename = /tmp/testpwd
    format = "*User-Name:Crypt-Password"
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no
}

In sites-enabled/default I added our_passwd to the authorize section. I think that part is essentially working and on my random walks running freeradius -X it looks like it is reading our passwd file okay.

The thing I do not understand is what to put as the Auth-Type in the users file in order to authenticate against our file rather than against the OS?

Any advice would be greatly appreciated.

Thanks,
Dave
Re: rlm_passwd help
Hi,

I got there. I added "authtype = PAP" to the passwd module configuration and then "DEFAULT Auth-Type = PAP" to users. I had tried this earlier but there was a trailing delimiter in the local password file which wasn't in the format and this seems to have caused the password verification to fail which threw me off.

Regards,
Dave

David Brodrick wrote:
> Hi,
>
> We're experimenting with freeradius for authenticating users in a custom application. It was straightforward to get this authenticating against the OS:
>
> DEFAULT Auth-Type = System
>
> But what we want to do is maintain a list of usernames and crypt passwords in an external file, separate to the operating system users. The rlm_passwd module should do what we want but I'm having some trouble getting it to work.
>
> In the radiusd.conf modules section I have:
>
> passwd our_passwd {
>     filename = /tmp/testpwd
>     format = "*User-Name:Crypt-Password"
>     hashsize = 100
>     ignorenislike = no
>     allowmultiplekeys = no
> }
>
> In sites-enabled/default I added our_passwd to the authorize section. I think that part is essentially working and on my random walks running freeradius -X it looks like it is reading our passwd file okay.
>
> The thing I do not understand is what to put as the Auth-Type in the users file in order to authenticate against our file rather than against the OS?
>
> Any advice would be greatly appreciated.
>
> Thanks,
> Dave
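The trailing-delimiter problem Dave ran into is easy to catch before the server ever reads the file. The following checker is an added example, not code from this thread or from rlm_passwd itself: it parses a `format` string in the module's style (`*` marks the key field; the `=` and `~` reply/request prefixes rlm_passwd also accepts are simply stripped here, since only field positions matter), validates every line of a constructed sample password file against it, and reports lines whose field count does not match, as a line with a stray trailing `:` does. Blank-line skipping and the exact wording of the reports are this checker's own choices, not the module's behaviour.

```python
"""Validate an rlm_passwd-style password file against its `format` string.

Added example with constructed sample data; not the FreeRADIUS module's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample file in the "*User-Name:Crypt-Password" layout from the
# thread. Line 2 carries a trailing ':' that the format does not declare, the
# defect that made password verification fail for Dave. Hash values are made up.
SAMPLE_PASSWD = """\
alice:$1$saltsalt$QFh.fZ7Yb9ZyvY5q2wXrH1
dave:$1$saltsalt$hashofdaveXXXXXXXXXXXX:
bob:$1$saltsalt$hashofbobXXXXXXXXXXXXX
"""
FORMAT = "*User-Name:Crypt-Password"


@dataclass
class FormatSpec:
    delimiter: str
    fields: List[str]   # attribute names with their prefixes stripped
    key_index: int      # position of the '*' key field


def parse_format(fmt: str, delimiter: str = ":") -> FormatSpec:
    """Parse the module's `format` option into field names and key position."""
    names: List[str] = []
    key_index: Optional[int] = None
    for i, raw in enumerate(fmt.split(delimiter)):
        name = raw
        if name.startswith("*"):
            if key_index is not None:
                raise ValueError("format declares more than one key field")
            key_index = i
            name = name[1:]
        # '=' (reply item) and '~' (request item) prefixes do not change layout.
        if name[:1] in ("=", "~"):
            name = name[1:]
        if not name:
            raise ValueError(f"empty field name at position {i}")
        names.append(name)
    if key_index is None:
        raise ValueError("format has no '*' key field")
    return FormatSpec(delimiter, names, key_index)


def check_passwd_file(text: str,
                      spec: FormatSpec) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return (records keyed by the key field, list of problem reports).

    Lines whose field count differs from the format are reported and skipped,
    so the caller sees exactly which entries the server could never match.
    Duplicate keys are reported because the thread's config sets
    allowmultiplekeys = no.
    """
    records: Dict[str, Dict[str, str]] = {}
    problems: List[str] = []
    expected = len(spec.fields)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # this checker's choice: ignore blank lines
        parts = line.split(spec.delimiter)
        if len(parts) != expected:
            if len(parts) == expected + 1 and parts[-1] == "":
                why = "trailing delimiter (one extra empty field)"
            else:
                why = f"found {len(parts)} fields"
            problems.append(f"line {lineno}: expected {expected} fields; {why}")
            continue
        key = parts[spec.key_index]
        if key in records:
            problems.append(f"line {lineno}: duplicate key {key!r}")
            continue
        records[key] = dict(zip(spec.fields, parts))
    return records, problems


def lookup(records: Dict[str, Dict[str, str]], key: str) -> Optional[Dict[str, str]]:
    """Mimic the module's key lookup: the record for `key`, or None."""
    return records.get(key)


if __name__ == "__main__":
    spec = parse_format(FORMAT)
    found, issues = check_passwd_file(SAMPLE_PASSWD, spec)
    for issue in issues:
        print("PROBLEM:", issue)
    print("usable entries:", sorted(found))
```

Run against a real file, the report points straight at the line the server will silently fail to match; here it flags line 2 and leaves only alice and bob usable.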
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.

This is not compliant with the EAP specification (EAP-Notification needs to be sent prior to completion of an EAP authentication method). Sending it after EAP-Success or EAP-Failure would look like an attempt to initiate another authentication exchange.

> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.

EAP-Notification is not really supported in general and even the specification does not really require displaying anything from this message to the user.. There is also no way of authenticating this information, so this would not be ideal for authorization failures.

- Jouni
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:
> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
>
> This is not compliant with the EAP specification (EAP-Notification needs to be sent prior to completion of an EAP authentication method). Sending it after EAP-Success or EAP-Failure would look like an attempt to initiate another authentication exchange.

Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.

>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
>
> EAP-Notification is not really supported in general and even the specification does not really require displaying anything from this message to the user.. There is also no way of authenticating this information, so this would not be ideal for authorization failures.

Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.

-Arran
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:
> On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:
>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>
>> This is not compliant with the EAP specification (EAP-Notification needs to be sent prior to completion of an EAP authentication method). Sending it after EAP-Success or EAP-Failure would look like an attempt to initiate another authentication exchange.
>
> Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.
>
>>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
>>
>> EAP-Notification is not really supported in general and even the specification does not really require displaying anything from this message to the user.. There is also no way of authenticating this information, so this would not be ideal for authorization failures.
>
> Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.

My RSA Windows EAP module sends EAP Notification messages under 4 different error circumstances. These are typically retry-able input problems. It was the default until the boffins that took over EAP for Windows 7 broke their code. XP and Vista worked fine, they took the request and responded with a blank response. No user visible message resulted. Win7 didn't respond at all, which caused the protocol to break. They patched it when I pointed out the problem. But I flipped off the default, don't know if/when that was released. There is a registry key that controls it.

Dave.

> -Arran
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
On 21 Mar 2013, at 15:56, David Mitton da...@mitton.com wrote:
> Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:
>> On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:
>>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>>>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>>
>>> This is not compliant with the EAP specification (EAP-Notification needs to be sent prior to completion of an EAP authentication method). Sending it after EAP-Success or EAP-Failure would look like an attempt to initiate another authentication exchange.
>>
>> Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.
>>
>>>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
>>>
>>> EAP-Notification is not really supported in general and even the specification does not really require displaying anything from this message to the user.. There is also no way of authenticating this information, so this would not be ideal for authorization failures.
>>
>> Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.
>
> My RSA Windows EAP module sends EAP Notification messages under 4 different error circumstances. These are typically retry-able input problems. It was the default until the boffins that took over EAP for Windows 7 broke their code. XP and Vista worked fine, they took the request and responded with a blank response. No user visible message resulted. Win7 didn't respond at all, which caused the protocol to break. They patched it when I pointed out the problem. But I flipped off the default, don't know if/when that was released. There is a registry key that controls it.

Interesting.

OSX does a similar thing, but it logs the notification, which can be very helpful if you're on the helpdesk and trying to diagnose issues. I wonder if Windows also does the silent logging.

-Arran
[Help] Is that possible to change the reject message that appears at the Windows Pop Up
Hi All,

So i have been able to authenticate my wireless user using 802.1x + LDAP + MAC address (using CallingStationID attribute). So now for example when user A have MAC 11:22:33 but tried to login using another device there will be a pop up window when they try to connect - just a plain error popup saying "Unable to connect".

Is there any way we can customize this error from radius? or should be from the wireless AP?

So below is the unlang code that i use to check whether the user have a set of MAC address in their ldap profile or not

if (!control:Calling-Station-Id) {
    reject
}

Possible to have that reject command to return some code that Windows client can understand like "No MAC address" etc?

Thanks in advance
Danny

--
Best Regards,
Danny
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
On 18.03.2013 16:48, Danny Kurniawan wrote:
> Hi All,
>
> So i have been able to authenticate my wireless user using 802.1x + LDAP + MAC address (using CallingStationID attribute). So now for example when user A have MAC 11:22:33 but tried to login using another device there will be a pop up window when they try to connect - just a plain error popup saying "Unable to connect".
>
> Is there any way we can customize this error from radius? or should be from the wireless AP?
>
> So below is the unlang code that i use to check whether the user have a set of MAC address in their ldap profile or not
>
> if (!control:Calling-Station-Id) {
>     reject
> }
>
> Possible to have that reject command to return some code that Windows client can understand like "No MAC address" etc?
>
> Thanks in advance
> Danny

you could send back a reply-message. But it is forbidden if you are doing EAP. And anyway, Micro$oft is not paying attention to it and will disregard it.

so no, you can't send a message to the user.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
hi,

we would all love to be able to send a relevant error message to our clients if they fail to authenticate (either locally or remotely). but we cant. :-(

alan
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
Thanks a lot :)
Well i guess we just have to live with it :)

-Danny

On Tue, Mar 19, 2013 at 12:07 AM, a.l.m.bu...@lboro.ac.uk wrote:
> hi,
>
> we would all love to be able to send a relevant error message to our clients if they fail to authenticate (either locally or remotely). but we cant. :-(
>
> alan

--
Best Regards,
Danny
Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up
On 18 Mar 2013, at 12:07, a.l.m.bu...@lboro.ac.uk wrote:
> hi,
>
> we would all love to be able to send a relevant error message to our clients if they fail to authenticate (either locally or remotely). but we cant. :-(

The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.

The native OSX supplicant used to log this even though it never displayed it to the user. The Windows supplicant ignored it completely. WPA_Supplicant restarted authentication and went into an infinite authentication loop.

It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.

-Arran
Re: [Help] Is there a way to differentiate devices using Radius?
Hi All,

I already found a way to configure it. Thanks a lot.

http://wiki.freeradius.org/guide/Mac-Auth#Note

Thanks
Danny

On Wed, Mar 13, 2013 at 10:14 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Sorry for this beginner question. I have read the man rlm_passwd but dont see example how to add the mac address. can some of you showed to me an example of it? I assume its as simple as key in the MAC address into some file in Radius conf file or something?
>
> Thanks
> Danny
>
> On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
>> Noted. I guess using the AP to do the MAC filtering is the best options for me
>>
>> On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.com wrote:
>>> Danny Kurniawan wrote:
>>>> Is that means we have to manually added the client MAC into radius one by one?
>>>
>>> You need *some* method to separate known devices from unknown ones. How you do it is up to you.
>>>
>>> Alan DeKok.

--
Best Regards,
Danny
Re: [Help] Is there a way to differentiate devices using Radius?
Hi,

> Is that means we have to manually added the client MAC into radius one by one?

well, you want to restrict it to known devices...so ONE way is to add the allowed MACs to a DB - they could be added to some other lookup table.

alan
Re: [Help] Is there a way to differentiate devices using Radius?
On 03/12/2013 01:46 AM, Danny Kurniawan wrote:
> Is that means we have to manually added the client MAC into radius one by one?

RADIUS can only act on RADIUS attributes. There's no RADIUS attribute that says:

Device-Type = "Bosses iPad"

Most NASes send username and network address of the client (MAC or IP) and that's about it for optional (non-authentication) stuff.

In other words, RADIUS can't differentiate devices - *you* have to do that, by supplying data and policy.
Re: [Help] Is there a way to differentiate devices using Radius?
Danny Kurniawan wrote:
> Is that means we have to manually added the client MAC into radius one by one?

You need *some* method to separate known devices from unknown ones. How you do it is up to you.

Alan DeKok.
Re: [Help] Is there a way to differentiate devices using Radius?
Noted. I guess using the AP to do the MAC filtering is the best options for me

On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
>> Is that means we have to manually added the client MAC into radius one by one?
>
> You need *some* method to separate known devices from unknown ones. How you do it is up to you.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: [Help] Is there a way to differentiate devices using Radius?
Sorry for this beginner question. I have read the man rlm_passwd but dont see example how to add the mac address. can some of you showed to me an example of it? I assume its as simple as key in the MAC address into some file in Radius conf file or something?

Thanks
Danny

On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Noted. I guess using the AP to do the MAC filtering is the best options for me
>
> On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.com wrote:
>> Danny Kurniawan wrote:
>>> Is that means we have to manually added the client MAC into radius one by one?
>>
>> You need *some* method to separate known devices from unknown ones. How you do it is up to you.
>>
>> Alan DeKok.

--
Best Regards,
Danny
Re: [Help] Is there a way to differentiate devices using Radius?
Is that means we have to manually added the client MAC into radius one by one?

-Danny

On Fri, Mar 8, 2013 at 11:00 PM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
>> We have successfully deploy Meraki Wireless with Radius 2.1.1 connect to eDir LDAP. Everything works just fine. Now my company want to explore whether we are able to restrict a devices, that only company devices can connect to our wifi ssid. Is that possible using Radius? Like using cert etc? Or it has to be done from the AP end?
>
> The simplest way is via MAC address filtering. Allow known MACs, disallow all others. See "man rlm_passwd" for examples.
>
> Alan DeKok.

--
Best Regards,
Danny
[Help] Is there a way to differentiate devices using Radius?
Hi All,

We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to eDir LDAP. Everything works just fine. Now my company wants to explore whether we are able to restrict devices, so that only company devices can connect to our WiFi SSID. Is that possible using RADIUS? Like using certs etc.? Or does it have to be done from the AP end?

Thanks
Danny

--
Best Regards,
Danny
Re: [Help] Is there a way to differentiate devices using Radius?
Danny Kurniawan wrote:
> We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to eDir LDAP. Everything works just fine. Now my company wants to explore whether we are able to restrict devices, so that only company devices can connect to our WiFi SSID. Is that possible using RADIUS? Like using certs etc.? Or does it have to be done from the AP end?

The simplest way is via MAC address filtering. Allow known MACs, disallow all others. See man rlm_passwd for examples.

Alan DeKok.
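A minimal FreeRADIUS 2.x configuration of the rlm_passwd allow-list approach described in the reply above, added here as an illustration and not taken from the thread or from the rlm_passwd man page; the module instance name authorized_macs, the file path, the NAS MAC format and the sample MAC addresses are assumptions.

```conf
# Added example (not from the thread): allow-list of known device MACs via rlm_passwd.
# Module instance, e.g. in raddb/modules/authorized_macs (FreeRADIUS 2.x layout).
# Instance name, file path and MAC addresses are assumptions / constructed samples.
passwd authorized_macs {
    # One MAC per line. The spelling (00-11-22-..., 00:11:22:..., case) must match
    # what this NAS puts in Calling-Station-Id; check a debug run (radiusd -X) first.
    filename = ${confdir}/authorized_macs

    # "*" marks the field used as the lookup key: a line matches when the
    # request's Calling-Station-Id equals it. No reply attributes are set.
    format = "*Calling-Station-Id"
    delimiter = ","
    ignorenislike = no
    hashsize = 100
    allowmultiplekeys = no
}

# Contents of ${confdir}/authorized_macs (constructed sample entries):
#   00-11-22-33-44-55
#   00-11-22-33-44-66

# sites-enabled/default, authorize section: the lookup returns "ok" only for a
# listed MAC, so unknown devices are rejected before the user is authenticated;
# the existing modules (eap, ldap, ...) then run unchanged for known devices.
authorize {
    preprocess
    authorized_macs
    if (!ok) {
        reject
    }
    # existing authorize entries (eap, ldap, ...) follow here
}
```

Calling-Station-Id is reported by the NAS and is not itself authenticated, so this separates known from unknown devices in the sense of the reply; the user credentials are still checked by the modules that follow.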
Re: Help
On 03/06/2013 09:23 AM, Jed Gainer wrote:
> Help
Re: [Help] How to eliminate client certificate popup
> 2. Check fig. 9 and fig. 10 .. looks like there is an option to cache user information and to 'not prompt user to ...' that I think (cmiiw) will give a proper solution.

It will stop pop-ups for future connections but not remove the pop-up for the initial connection... which is what the requester wants.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: Help
On 6 Mar 2013, at 03:23, Jed Gainer jedgai...@gmail.com wrote:
> Help

Die potatoe!
Re: Help
On 6 Mar 2013, at 09:44, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 6 Mar 2013, at 03:23, Jed Gainer jedgai...@gmail.com wrote:
>> Help
>
> Die potatoe!

*potato
Re: [Help] How to eliminate client certificate popup
> Hi,
> How can I do that? We are using a cert from GlobalSign and we already have a root CA on our laptops, but we still need to choose that Terminate / Connect popup. It doesn't matter if we need to change our cert or etc., but we just want to eliminate that popup :)

It's down to the OS and trust settings. The client needs to be configured. If you use a deployment tool then this error can be removed. Likewise, if in e.g. AD, you can have a group policy deployed to do the same.

alan
Re: [Help] How to eliminate client certificate popup
> Hi,
> Check https://supportforums.cisco.com/docs/DOC-17544

How many 'how to configure PEAP' documents does the world need? This one has fewer issues than others but still has ambiguity, and this guide also contains exactly the same security prompt that the requester DOESN'T want ;-)

alan
Re: [Help] How to eliminate client certificate popup
On 03/05/2013 01:58 AM, Danny Kurniawan wrote:
> Hello,
> We are using 802.1X wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it's just that we want to eliminate this pop-up the first time people connect to it:
> How can I do that? We are using a cert from GlobalSign and we already

You have only a few choices:

1. Use a program such as su1x, ExpressConnect or similar to pre-provision the CA trust settings
2. If the machines are domain members, use group policy to do the same
3. Deploy a batch file / whatever to use netsh and XML profiles to do the same - a poor man's version of #1
4. Live with it.

This is not a RADIUS question; it's an issue of supplicant provisioning, which is best asked of your OS vendor.
Re: [Help] How to eliminate client certificate popup
Hi All,

Thanks for all your replies. Yes, I do understand the solution is to deploy the network profile, but I was just curious at first whether any of you had an idea how to eliminate it without touching the client. *For example, push the profile automatically from the AP etc...

But now I guess I will have to deploy the netsh command using a script to all PCs, as they are not joined to AD :)

Thanks
Danny

On Tue, Mar 5, 2013 at 5:28 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 03/05/2013 01:58 AM, Danny Kurniawan wrote:
>> Hello,
>> We are using 802.1X wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it's just that we want to eliminate this pop-up the first time people connect to it:
>> How can I do that? We are using a cert from GlobalSign and we already
>
> You have only a few choices:
>
> 1. Use a program such as su1x, ExpressConnect or similar to pre-provision the CA trust settings
> 2. If the machines are domain members, use group policy to do the same
> 3. Deploy a batch file / whatever to use netsh and XML profiles to do the same - a poor man's version of #1
> 4. Live with it.
>
> This is not a RADIUS question; it's an issue of supplicant provisioning, which is best asked of your OS vendor.

--
Best Regards,
Danny
Re: [Help] How to eliminate client certificate popup
On 05/03/13 09:56, Danny Kurniawan wrote:
> Hi All,
> Thanks for all your replies. Yes, I do understand the solution is to deploy the network profile, but I was just curious at first whether any of you had an idea how to eliminate it without touching the client.

You can't. It's impossible by design - allowing the AP to push CA trust settings would be a security hole.