Help with sqlcounter for data transferred

2013-09-25 Thread Fabrizio Fiore Donati
Hi,
I'm configuring a server with a sqlcounter to check the total bytes per
week for the users.
But the server replies with a wrong count.

Here's the counter:

sqlcounter weeklybytecounter {
counter-name = Weekly-Total-Max-Octets
check-name = Max-Weekly-Octets
reply-name = Mikrotik-Total-Limit
sqlmod-inst = sql
key = User-Name
reset = weekly
query = SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'
}


But the reply isn't the result of (check-name value) - (query
value)

for example:

rlm_sqlcounter: Authorized user fabrizio, check_item=30,
counter=38101894

I expect a reply of 30 - 38101894 = 2961898106

but I receive a different value, and a bigger one.


Any idea?


-- 
Fabrizio Fiore Donati

Mobile: +39 3289872420
E-mail: fabrizio.fioredon...@2bite.net

2bite s.r.l.
Via Saragat snc
67100 L'Aquila (AQ) - Italy
Tel.: +39 0862441583
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
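To see what rlm_sqlcounter actually does with the numbers in the debug line above, here is an added Python example; it is not the poster's configuration or FreeRADIUS code. It runs the same octet query over a constructed in-memory radacct table, with SQLite's strftime('%s', ...) standing in for MySQL's UNIX_TIMESTAMP(), and applies the module's rule: a counter at or above the check item is rejected, otherwise the reply attribute carries check item minus counter. The weekly reset boundary (%b) is modelled as the most recent Sunday 00:00, which is an assumption, and the sample rows are constructed so that the counter comes out at the thread's 38101894.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample radacct rows (username, acctstarttime, acctsessiontime,
# acctinputoctets, acctoutputoctets); not real accounting data.
SAMPLE_RADACCT = [
    ("fabrizio",  "2013-09-22 10:00:00", 3600, 20_000_000, 18_101_894),  # this week
    ("fabrizio",  "2013-09-14 08:00:00",  600,  5_000_000,  5_000_000),  # previous week
    ("otheruser", "2013-09-23 09:00:00",  120,      1_000,      1_000),
]
# The thread's date, fixed so the demo is deterministic (UTC throughout).
NOW = datetime(2013, 9, 25, 12, 0, tzinfo=timezone.utc)


def period_start(now):
    """%b for `reset = weekly`, modelled (assumption) as the most recent Sunday 00:00.
    Python's weekday() has Monday=0 ... Sunday=6, so days since Sunday is (wd+1) % 7."""
    days_since_sunday = (now.weekday() + 1) % 7
    start = (now - timedelta(days=days_since_sunday)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return int(start.timestamp())


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT,"
               " acctsessiontime INTEGER, acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_RADACCT)
    return db


# The thread's query with %{%k} (key = User-Name) and %b bound as parameters, and
# MySQL's UNIX_TIMESTAMP(x) written as strftime('%s', x) for SQLite.
COUNTER_QUERY = """
SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct
WHERE username = ?
  AND CAST(strftime('%s', acctstarttime) AS INTEGER) + acctsessiontime > ?
"""


def weekly_octets(db, user, now):
    """Counter value: octets of sessions that were still running after the period start.
    SUM() over no rows is NULL, which the module treats as a counter of 0."""
    row = db.execute(COUNTER_QUERY, (user, period_start(now))).fetchone()
    return int(row[0] or 0)


def sqlcounter_decide(check_item, counter):
    """rlm_sqlcounter's rule: counter >= check item rejects; otherwise the reply
    attribute (here Mikrotik-Total-Limit) carries check item minus counter."""
    if counter >= check_item:
        return ("reject", None)
    return ("accept", check_item - counter)


if __name__ == "__main__":
    db = build_db()
    used = weekly_octets(db, "fabrizio", NOW)
    print("counter =", used)
    for check in (30, 100_000_000):   # 30 as in the thread, then a limit stated in octets
        print("check_item =", check, "->", sqlcounter_decide(check, used))
```

With check_item=30 the outcome is a reject, because the check item is compared against the counter in the unit the query returns, octets; a 30 here means 30 bytes. Note also that the query as written attributes every octet of a session that straddles %b to the new week; the stock session-time counter query shipped with FreeRADIUS trims the pre-period part with GREATEST(), which an octet counter cannot do exactly because radacct does not record when within a session the octets were transferred.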

Looking for help with DHCP

2013-09-19 Thread Alan DeKok
  Not many people know that FreeRADIUS implements DHCP.  I'd like to
change that.  I'm therefore offering to pay for some work on the feature.

  As background, the current version does DHCP, and DHCP relaying.  It
allocates IPs from an SQL pool.  The git master branch has a script to
import an ISC lease file into the SQL database.

  We need more.  I'm looking for the following:

- detailed documentation on how to get it working.  Ideally a
step-by-step guide, in the style of the EAP docs on
http://deployingradius.com/

- the documentation should include examples of an ISC configuration, and
how it maps to a FreeRADIUS configuration

- the documentation should include simple tests, and common problems to
check

- it should include any new scripts, etc. necessary to get it working.

- any code / configuration will become part of the main FreeRADIUS releases

- the documentation and worked examples will get hosted on the
FreeRADIUS web site, and prominently linked from the main page

- your name will go on everything

- since my company is paying for it, all copyright will belong to
Network RADIUS SARL.


  This is a request for *paid* work.  I'm prepared to pay reasonable
rates for this.  And not the $100 bounty for 6 days work kind of
nonsense, either.

  Please send email to me with your proposal, background, and price.
I'll pick someone in the next week, and work behind the scenes to get
this done.

  The hope is to crush that pesky ISC server.  It's been frustrating
people world-wide for years. :)

  Alan DeKok.


Mysql xlat help

2013-06-14 Thread Go WiFi
Hello
I am getting an issue with xlat

i tried this

sql sql2 {

}

sql sql_gowifi{
sql_user_name = %{sql2:select s.* from (select @user:=BINARY '%{User-Name}' p) parm , upm s}
}

and using sql_gowifi in sites-enabled/default for MySQL-based login and
accounting.

Again, when using sql_user_name = %{User-Name} it saves the username
entered in the hotspot login page to the radpostauth table, but with the code
above the username remains blank.

When I run the SQL query above on the MySQL server it returns the correct
username. Please help.

Re: Mysql xlat help

2013-06-14 Thread Arran Cudbard-Bell

On 14 Jun 2013, at 18:22, Go WiFi i...@gowifi.in wrote:

 Hello
 i am getting an issue with xlat
 
 i tried this
 
 sql sql2 {
 
 }
 
 sql sql_gowifi{
 sql_user_name = %{sql2:select s.* from (select @user:=BINARY '%{User-Name}' 
 p) parm , upm s}
 }
 
 and using sql_gowifi in sites-enabled/default for mysql based login and 
 accounting
 
 again when using sql_user_name = %{User-Name} it saves the username entered 
 in login page of hotspot to radpostauth table but with the code above the 
 username remains blank
 
 when i run the sql query above in mysql server it returns the correct 
 username please help

Post full config for the sql module (sans queries) and debug output. Please.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Mysql xlat help

2013-06-14 Thread Go WiFi
This is the section I am having issues with,
so I don't think it's needed to post the full config.
Also there is nothing special in debug, just the sql_user_name field is blank.

Also I managed to write some SQL functions to achieve the same.

Re: Mysql xlat help

2013-06-14 Thread Alan DeKok
Go WiFi wrote:
 this is the section i am having issues
 so i don't think it's needed to post the full config

  If you're smarter than the experts on this list, you can figure it out
for yourself.

  Or, if you're not going to follow instructions, you shouldn't be
asking questions on this list.

  You were already blocked on github for being unable to follow the
simplest of instructions.  If you repeat your behavior here, you will be
unsubscribed and permanently banned.

  Alan DeKok.


Re: Mysql xlat help

2013-06-14 Thread Arran Cudbard-Bell

On 14 Jun 2013, at 19:07, Go WiFi i...@gowifi.in wrote:

 this is the section i am having issues
 so i don't think it's needed to post the full config

if you want help, post the full sql config sans queries and any sensitive 
information.

 also there is nothing special in debug just the sql_user_name field is blank

run the server with -Xx and post the debug output.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Mysql xlat help

2013-06-14 Thread Go WiFi
sql sql2 {

}
sql sql_gowifi{
driver = rlm_sql_mysql

# Connection info:
server = localhost
#port = 3306
login = dbuser
password = pass
radius_db = radius
 # Print all SQL statements when in debug mode (-x)
sqltrace = yes
sqltracefile = ${logdir}/custom.sql

# number of sql connections to make to server
num_sql_socks = 5

# number of seconds to delay retrying on a failed database
connect_failure_retry_delay = 60

# lifetime of an SQL socket.  If you are having network issues
# such as TCP sessions expiring
lifetime = 0

# Maximum number of queries used by an SQL socket.  If you are
# having issues with SQL sockets lasting too long.
max_queries = 0

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes

#default_user_profile = 0


sql_user_name = %{sql2:select s.* from (select @user:=BINARY
'%{User-Name}' p) parm , upm s}

group_membership_query = SELECT plan FROM `voucher` WHERE (code =BINARY
'%{SQL-User-Name}' and `sts`='1')
}

This is the section where I am having the problem and I will give the debug
output shortly.

Also I declined to give the full config as it's part of my confidential company
files; if I give the full config then someone might get the details about the
table structure.

Re: Mysql xlat help

2013-06-14 Thread Go WiFi
OK, after a close look at the debug I found the log:
[sql_gowifi] WARNING: Unknown module sql2 in string expansion %
[sql_gowifi] sql_set_user escaped user --> ''

It's not able to find the module sql2, but in my config the very first line
is sql sql2 {

Re: Mysql xlat help

2013-06-14 Thread Matthew Newton
On Sat, Jun 15, 2013 at 12:42:49AM +0530, Go WiFi wrote:
 also i denied to give the full code as it's part of my confidential company
 files if i give the full code then someone might get the details about the
 table structure

Sorry, 'Go', but nobody here cares about your confidential files.

If you ask for help on a public *free* mailing list, then it's
common courtesy to provide the information that people need to
help you. There are experts here that know more than you do about
FreeRADIUS (which is why you're asking here, right?) and therefore
you should provide the requested information.

If you can't or won't, then please find some commercial paid
support for your problems and stop wasting people's time having to
read e-mails that they can't help with.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom


Re: Mysql xlat help

2013-06-14 Thread Arran Cudbard-Bell

On 14 Jun 2013, at 20:21, Go WiFi i...@gowifi.in wrote:

 ok after a close look at the debug i found the log
 [sql_gowifi] WARNING: Unknown module sql2 in string expansion %
 [sql_gowifi] sql_set_user escaped user --> ''
 
 it's not able to find the module sql2 but in my config the very first line is 
 sql sql2 {

sql2 doesn't inherit its configuration; you need to duplicate the config items
in sql_gowifi,
and move the sql_user_name config item out of the queries file into the sql
module configurations, using
the default value for sql2 and your query for sql_gowifi.

The reason for using two instances is to avoid creating an expansion loop.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

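The expansion loop Arran mentions, and the blank username from the debug log, are easiest to see by modelling the xlat. The following is an added Python example, not FreeRADIUS code: a small expander for %{Attribute} and %{instance:query} that copes with nested braces, two sql instances that each carry their own sql_user_name (nothing is inherited), and an in-memory SQLite table `upm` with a constructed lookup query standing in for the poster's MySQL query. The =XX escaping is a simplified stand-in for rlm_sql's escape function, and the table, query and names are constructed for the demo.

```python
import sqlite3

MAX_DEPTH = 8  # guard: a config that expands itself would otherwise recurse forever

# Simplified model of rlm_sql's escape function: characters outside the safe list are
# written as =XX (assumption: approximates the 2.x default safe_characters list).
SAFE_CHARS = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(value):
    return "".join(c if c in SAFE_CHARS else "=%02X" % ord(c) for c in value)


def expand(template, request, modules, depth=0, escape=None):
    """Expand %{Attribute} and %{instance:query} the way the server's xlat does,
    including nested forms such as %{sql2:select ... '%{User-Name}' ...}."""
    if depth > MAX_DEPTH:
        raise RecursionError("expansion loop while expanding %r" % template)
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        j, level = i + 2, 1
        while j < len(template) and level > 0:      # find the matching close brace
            if template.startswith("%{", j):
                level += 1
                j += 2
                continue
            if template[j] == "}":
                level -= 1
            j += 1
        inner = template[i + 2:j - 1]
        name, colon, arg = inner.partition(":")
        if colon and name in modules:
            value = modules[name].xlat(arg, request, modules, depth + 1)
        elif colon:
            # server logs: WARNING: Unknown module "<name>" in string expansion; expands to ''
            value = ""
        else:
            value = request.get(inner, "")
        out.append(escape(value) if escape else value)
        i = j
    return "".join(out)


class SqlInstance:
    """One `sql <name> { ... }` instance with its own sql_user_name (no inheritance)."""

    def __init__(self, name, sql_user_name, db):
        self.name, self.sql_user_name, self.db = name, sql_user_name, db

    def set_user(self, request, modules, depth=0):
        """sql_set_user(): expand *this* instance's sql_user_name, escaped, into SQL-User-Name."""
        request["SQL-User-Name"] = expand(self.sql_user_name, request, modules, depth,
                                          escape=sql_escape)
        return request["SQL-User-Name"]

    def xlat(self, query, request, modules, depth):
        """%{<instance>:query}: set the user first, then run the expanded query and
        return the first column of the first row ('' when there is none)."""
        self.set_user(request, modules, depth)
        sql = expand(query, request, modules, depth, escape=sql_escape)
        row = self.db.execute(sql).fetchone()
        return "" if row is None or row[0] is None else str(row[0])


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE upm (login TEXT, canonical TEXT)")   # constructed stand-in table
    db.execute("INSERT INTO upm VALUES ('bob', 'bob@example.net')")
    return db


# Constructed stand-in for the poster's lookup query: map the User-Name the NAS sent to
# the name the accounting rows should carry.
LOOKUP = "%{sql2:select canonical from upm where login = '%{User-Name}'}"


def run_scenario(gowifi_user_name, sql2_user_name, user_name):
    """Return the SQL-User-Name that sql_gowifi ends up with for the given two configs."""
    db = build_db()
    modules = {"sql2": SqlInstance("sql2", sql2_user_name, db),
               "sql_gowifi": SqlInstance("sql_gowifi", gowifi_user_name, db)}
    return modules["sql_gowifi"].set_user({"User-Name": user_name}, modules)


if __name__ == "__main__":
    print(run_scenario(LOOKUP, "%{User-Name}", "bob"))            # the working layout
    print(repr(run_scenario(LOOKUP.replace("sql2", "sql_inst2"),  # unknown instance: ''
                            "%{User-Name}", "bob")))
```

Three configurations are worth trying with run_scenario: sql2 carrying `%{User-Name}` gives sql_gowifi the mapped name; a reference to an instance the server does not know expands to the empty string, which is exactly the blank username in the debug output; and sql2 pointing back at sql_gowifi (for example `%{sql_gowifi:select 1}`) recurses until the depth guard fires, which is the loop the two-instance layout exists to avoid. The escaped SQL-User-Name is also what keeps a quote character in User-Name from altering the lookup query.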


Re: Mysql xlat help

2013-06-14 Thread Go WiFi
Can you tell me what files you need?
And the config I am giving is from the sql configuration file to simulate this.

according to your instruction i changed the file like

sql sql2{
sql_user_name = %{sql_inst2:select s.* from (select @user:=BINARY
'%{User-Name}' p) parm , upm s}
}

and in
sql sql_gowifi{
sql_user_name = %{sql2:select s.* from (select @user:=BINARY
'%{User-Name}' p) parm , upm s}
}

I am calling module sql_gowifi from the authorize section of
sites-enabled/default

Re: Mysql xlat help

2013-06-14 Thread Arran Cudbard-Bell

On 14 Jun 2013, at 22:36, Go WiFi i...@gowifi.in wrote:

 can you tell what files you need??
 and the code i am giving is form sql configurations file to simulate this
 
 according to your instruction i changed the file like
 
 sql sql2{
 sql_user_name = %{sql_inst2:select s.* from (select @user:=BINARY 
 '%{User-Name}' p) parm , upm s}
 }
 

No in sql2, it needs to have:

sql_user_name = %{User-Name}

 and in
 sql sql_gowifi{
 sql_user_name = %{sql2:select s.* from (select @user:=BINARY '%{User-Name}' 
 p) parm , upm s}
 }
 
 i am calling module sql_gowifi form authorize section of sites-enabled/default

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: help

2013-05-28 Thread Giovanni Perna
Hi all,

I use only radiusClient :
 radclient -xf test.tcs ip:port -r1 -s auth secret

log received:

rad_recv: Access-Accept packet from host IP port 28120, id=20, length=266

radclient: received response to request we did not send. (id=20 socket 3)

radclient: no response from server for ID 20 socket 3


BR


2013/5/27 Giovanni Perna perna.giova...@gmail.com

 I send an access request( to port 1812), the server send the response
 (same sent port) but radclient log:



 radclient: received response to request we did not send. (id=20 socket 3)


 after 3 retry:

 radclient: no response from server for ID 20 socket 3



 Access-REQUEST sent:

 User-Name=TESTT003-010300.001-11.71
 Calling-Station-Id=00:22:D2:02:22B:E2|99T0001
 Acct-Session-Id=-0001
 Proxy-State=XX



 Can someone help me?

 --
 Giovanni




-- 
Giovanni

help

2013-05-27 Thread Giovanni Perna
I send an Access-Request (to port 1812), the server sends the response (from the
same port) but radclient logs:



radclient: received response to request we did not send. (id=20 socket 3)


after 3 retries:

radclient: no response from server for ID 20 socket 3



Access-REQUEST sent:

User-Name=TESTT003-010300.001-11.71
Calling-Station-Id=00:22:D2:02:22B:E2|99T0001
Acct-Session-Id=-0001
Proxy-State=XX



Can someone help me?

-- 
Giovanni

Re: help

2013-05-27 Thread Alan DeKok
Giovanni Perna wrote:
 Can someone help me?

  Post the full debug log as suggested in the FAQ, README, man page,
web pages, and daily on this list.

  Alan DeKok.


RE: RE: Help with chap

2013-05-23 Thread Franks Andy (RLZ) IT Systems Engineer
Hi,

  Yes that makes sense, although the mac address was already being reported on 
the switch. It’s not having any negative effect anyway, so I’m happy.

Thanks

Andy

 

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org 
[mailto:freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org] 
On Behalf Of Matthias Nagel
Sent: 21 May 2013 23:23
To: freeradius-users@lists.freeradius.org
Subject: AW: RE: Help with chap

 

Hello,

actually this behaviour is totally correct. The switch tries to authenticate a 
client, when the switch learns the clients MAC address. As the MAC address is 
extracted from the ethernet header there must be some packages sent from the 
client in order to do so. If the client is quiet, the switch cannot do anything 
about it.

Matthias

 

 

Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84



RE: Help with chap

2013-05-21 Thread Franks Andy (RLZ) IT Systems Engineer
Hi again,
  Hmm, I'll need to keep my eye on it then. It may have just been having
a good day. The vm host is pretty gutsy, so I doubt processing power
would cause such an issue for it as a host. The switch is as from the
factory, just with upgraded software (to try and get rid of the issues).
A reply to the original email said they have a similar setup working ok.
Maybe I should power cycle the thing and see how long that takes to do
all the clients...

Sorry for the long sentence; midnight ramblings. In summary, the
question was:
Can I just use the authorize section to set the password to be the same
as the username, i.e. the mac address, after checking some basics like
whether the user exists in ldap and perhaps the useraccountcontrol
value, then in the authorize section just let the chap bit work on the
assigned password? 

I guess it would work but is it a bad idea? Just trying to extend my
knowledge/proper use of the tool in case i need to use chap in the
future.

thanks
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: 21 May 2013 00:21
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
 Thanks for the help.
 Anecdotally, before I get into serious discovery, I've been running
 the freeradius process in extra debugging mode -xx. I'd read somewhere
 that -X makes it run single threaded, but along those lines of
 thinking I wondered if -xx and the extra debug was causing any
 performance issues. I may be off at completely the wrong tangent, but
 the problem is interesting and I like the odd tangent..

  Single-threaded versus multiple threads doesn't usually make a big
difference.

 Anyway, anecdotally as I said, with the server running in fresh from a
 reboot, no debugging, and upping the vm to 4 core instead of 1 (just
 playing), the problem seems vastly reduced. Nearly all clients are
 authenticated within 10 seconds,

  Any modern CPU should be able to do 100's of EAP sessions per second.
 If yours can't do that, it was under-provisioned.  That's why adding
more CPUs helped: you gave it more CPU power.

 the consistent off ones are some
 ancient mitel voip phones with pcs running off the back, which the 
 switch simply doesn't see for ages. It just sits there and 
 eventually just sends an auth request. In many cases the switch sec 
 debug doesn't even report the mac address or any activity for this 
 weird phone, but the FR linelog shows it authenticated fine. Really
strange.

  Well, that's a switch problem.

 By the way, if I was to do chap, since I'm running ldap against AD -
 no available plaintext or other passwords, but I'm running mac-based
 auth, can I just use the authorize process to check for notfound and
 check the useraccountcontrol setting is correct from an attribute
 mapping (or just use the useraccountcontrol in an ldap filter and rely
 on not found), then just set the cleartext-password attribute to be
 %{username} using some more unlang , then do nothing special in the
 chap authentication bit, just let it ok with the plaintext password
 or is that just all wrong? I figure I don't *really* need a password
 for mac-based auth, since it's always going to be == to the username?

  That's one huge sentence.  I can't make heads or tails of it.

  Alan DeKok.


Re: Help with chap

2013-05-21 Thread Phil Mayers

On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:


Can I just use the authorize section to set the password to be the same
as the username, i.e. the mac address, after checking some basics like
whether the user exists in ldap and perhaps the useraccountcontrol
value, then in the authorize section just let the chap bit work on the
assigned password?


Yes. In fact that's the best approach. Something like:

authorize {
  ...
  if (some condition) {
update control {
  Cleartext-Password := %{User-Name}
}
  }
  ...
}

some condition would normally be some sort of check to ensure it was a 
macauth-via-CHAP request - obviously you wouldn't want to force 
password==username for a PPP/EAP/other real user request. On the other 
hand if your server / virtual server only receives this traffic, you can 
omit the condition.


I really dislike vendors who do macauth as CHAP. It seems to completely 
lack value, and adds complexity. Le sigh..

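Phil's snippet works because CHAP only needs the server to hold the cleartext secret the client used, and for MAC authentication that secret is the User-Name itself. The following added Python example is neither FreeRADIUS nor Phil's code; it models the request a switch sends, the authorize step that assigns Cleartext-Password := User-Name only for a CHAP request whose User-Name looks like a MAC address (that MAC-shaped check is my assumed `some condition`), and the chap module's verification per RFC 1994 and RFC 2865. The challenge bytes and names are constructed for the demo.

```python
import hashlib
import hmac
import re

# User-Name shaped like a MAC address in the common NAS formats (00:11:22:33:44:55,
# 00-11-22-33-44-55, 001122334455). Assumption: this plus a CHAP-Password attribute is
# what "some condition" in the unlang above checks.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def nas_chap_request(user_name, secret, challenge, ident=1):
    """Build what the NAS sends: CHAP-Password is the one-byte identifier followed
    by the 16-byte response (RFC 2865), with the challenge in CHAP-Challenge."""
    return {
        "User-Name": user_name,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + chap_response(ident, secret, challenge),
    }


def authorize(request):
    """Model of the unlang from the thread:
    if (some condition) { update control { Cleartext-Password := %{User-Name} } }
    Returns the control list; it stays empty for anything that is not a MAC-auth CHAP request."""
    control = {}
    user = request.get("User-Name", "")
    if "CHAP-Password" in request and MAC_RE.match(user):
        control["Cleartext-Password"] = user
    return control


def authenticate_chap(request, control):
    """What the chap module does: recompute the response from the known cleartext
    password and compare it in constant time. No password known means no way to check."""
    secret = control.get("Cleartext-Password")
    if secret is None:
        return False
    chap = request["CHAP-Password"]
    ident, response = chap[0], chap[1:]
    # RFC 2865: without CHAP-Challenge the challenge is the Request Authenticator.
    challenge = request.get("CHAP-Challenge") or request["Request-Authenticator"]
    expected = chap_response(ident, secret.encode(), challenge)
    return hmac.compare_digest(expected, response)


def handle(request):
    """authorize followed by authenticate, as the server would run them."""
    return authenticate_chap(request, authorize(request))


if __name__ == "__main__":
    challenge = bytes(range(16))                      # constructed challenge
    mac = "00:22:d2:02:22:b2"                         # constructed MAC-shaped User-Name
    print(handle(nas_chap_request(mac, mac.encode(), challenge)))      # True
    print(handle(nas_chap_request(mac, b"other", challenge)))          # False
    print(handle(nas_chap_request("alice", b"alice", challenge)))      # False: not MAC auth
```

The third case is the point of Phil's condition: a real user called alice who happens to use her own name as a password must not be accepted just because password equals username, so the rule is scoped to MAC-shaped names here, or to a virtual server that only ever receives MAC-auth traffic, as Phil suggests.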


RE: Help with chap

2013-05-21 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks Phil. I'll keep that up my sleeve for future use. We tend to
separate admin / wireless / mac-based auth off on to different radius
boxes. Keeps things a bit easier. Not sure what cisco do, but a lot of
their stuff tends to be pap or eap. HP doing chap here seems to limit
quite a lot of backend options. 
It's still also the only protocol, or so it seems, chosen for iscsi
authentication, which is an interesting choice considering its
vulnerabilities. Guess ipsec gets used instead where it needs to be
secure.
Now to work out the useraccountcontrol setting. Seems to be different in
users and computers than in an ldap viewer, but the ldap is probably a
decimal conversion or something.
Thanks again
  Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Phil Mayers
Sent: 21 May 2013 08:06
To: freeradius-users@lists.freeradius.org
Subject: Re: Help with chap

On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:

 Can I just use the authorize section to set the password to be the
 same as the username, i.e. the mac address, after checking some basics
 like whether the user exists in ldap and perhaps the
 useraccountcontrol value, then in the authorize section just let the
 chap bit work on the assigned password?

Yes. In fact that's the best approach. Something like:

authorize {
   ...
   if (some condition) {
 update control {
   Cleartext-Password := %{User-Name}
 }
   }
   ...
}

some condition would normally be some sort of check to ensure it was a
macauth-via-CHAP request - obviously you wouldn't want to force
password==username for a PPP/EAP/other real user request. On the other
hand if your server / virtual server only receives this traffic, you can
omit the condition.

I really dislike vendors who do macauth as CHAP. It seems to completely
lack value, and adds complexity. Le sigh..


RE: Help with chap

2013-05-21 Thread Franks Andy (RLZ) IT Systems Engineer
..Just an update.. might be interesting for people - rebooted the switch
and not all clients were authenticated, but it seems all those that
weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are
switched off and the switch seems to need some packets to flow for it to
detect that the client needs authenticating.
Otherwise it looks like it will sit with the port in an up state
unauthenticated all day long. I guess this sort of makes sense, but in my
simple view of how things work this isn't intuitive. Also HP manuals don't
seem to mention it..
Thanks
Andy



AW: RE: Help with chap

2013-05-21 Thread Matthias Nagel
Hello,
actually this behaviour is totally correct. The switch tries to authenticate a 
client, when the switch learns the clients MAC address. As the MAC address is 
extracted from the ethernet header there must be some packages sent from the 
client in order to do so. If the client is quiet, the switch cannot do anything 
about it.
Matthias


Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk wrote:
..Just an update.. might be interesting for people - rebooted the switch
and not all clients were authenticated, but it seems all those that
weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are
switched off and the switch seems to need some packets to flow for it to
detect that the client needs authenticating.
Otherwise it looks like it will sit with the port in an up state
unauthenticated all day long. I guess this sort of makes sense, but in my
simple view of how things work this isn't intuitive. Also HP manuals don't
seem to mention it..
Thanks
Andy


Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 Thanks Alan,
   It takes literally a second or so for a single client auth, but
 problems arise with multiple clients. I'll reset a card on the switch
 and capture the logs and see what's happening. Nothing as far as I
 remember pointed towards the ntlm_auth being the issue, it was the
 failure to complete the eap transaction that seemed to be the problem,
 but then I didn't scan each and every line to be honest.

  See http://deployingradius.com/

  It has instructions for testing PEAP via eapol_test.  That lets you do
some limited performance checks.

  An alternative is to configure a static user/password.  Do performance
checks using that user.  If it's a lot faster than ntlm_auth, then the
problem is likely ntlm_auth.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Help with chap

2013-05-20 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks for the help.
  Anecdotally, before I get into serious discovery, I've been running
the freeradius process in extra debugging mode -xx. I'd read somewhere
that -X makes it run single threaded, but along those lines of thinking
I wondered if -xx and the extra debug was causing any performance
issues. I may be off at completely the wrong tangent, but the problem is
interesting and I like the odd tangent..
Anyway, anecdotally as I said, with the server running fresh from a
reboot, no debugging, and upping the vm to 4 core instead of 1 (just
playing), the problem seems vastly reduced. Nearly all clients are
authenticated within 10 seconds, the consistent off ones are some
ancient mitel voip phones with pcs running off the back, which the
switch simply doesn't see for ages. It just sits there and eventually
just sends an auth request. In many cases the switch sec debug doesn't
even report the mac address or any activity for this weird phone, but
the FR linelog shows it authenticated fine. Really strange.
Anyone else got any reports of the procurve switches just sitting there
waiting for something to happen?
The failure of the responses seemed previously to have kicked the switch
into waiting ages then retrying later (the retry is set to 30 seconds
but it was way longer). Anyway, the lack of debug seems to have helped
quite a bit.

By the way, if I was to do chap, since I'm running ldap against AD - no
available plaintext or other passwords, but I'm running mac-based auth,
can I just use the authorize process to check for notfound and check
the useraccountcontrol setting is correct from an attribute mapping (or
just use the useraccountcontrol in an ldap filter and rely on not
found), then just set the cleartext-password attribute to be
%{username} using some more unlang , then do nothing special in the chap
authentication bit, just let it ok with the plaintext password or is
that just all wrong? I figure I don't *really* need a password for
mac-based auth, since it's always going to be == to the username?

Thanks for the input
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 20 May 2013 14:01
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks Alan,
>   It takes literally a second or so for a single client auth, but
> problems arise with multiple clients. I'll reset a card on the switch
> and capture the logs and see what's happening. Nothing as far as I
> remember pointed towards the ntlm_auth being the issue, it was the
> failure to complete the eap transaction that seemed to be the problem,
> but then I didn't scan each and every line to be honest.

  See http://deployingradius.com/

  It has instructions for testing PEAP via eapol_test.  That lets you do
some limited performance checks.

  An alternative is to configure a static user/password.  Do performance
checks using that user.  If it's a lot faster than ntlm_auth, then the
problem is likely ntlm_auth.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks for the help.
>   Anecdotally, before I get into serious discovery, I've been running
> the freeradius process in extra debugging mode -xx. I'd read somewhere
> that -X makes it run single threaded, but along those lines of thinking
> I wondered if -xx and the extra debug was causing any performance
> issues. I may be off at completely the wrong tangent, but the problem is
> interesting and I like the odd tangent..

  Single-threaded versus multiple threads doesn't usually make a big
difference.

> Anyway, anecdotally as I said, with the server running in fresh from a
> reboot, no debugging, and upping the vm to 4 core instead of 1 (just
> playing), the problem seems vastly reduced. Nearly all clients are
> authenticated within 10 seconds,

  Any modern CPU should be able to do 100's of EAP sessions per second.
 If yours can't do that, it was under-provisioned.  That's why adding
more CPUs helped: you gave it more CPU power.

> the consistent off ones are some
> ancient mitel voip phones with pcs running off the back, which the
> switch simply doesn't see for ages. It just sits there and eventually
> just sends an auth request. In many cases the switch sec debug doesn't
> even report the mac address or any activity for this weird phone, but
> the FR linelog shows it authenticated fine. Really strange.

  Well, that's a switch problem.

> By the way, if I was to do chap, since I'm running ldap against AD - no
> available plaintext or other passwords, but I'm running mac-based auth,
> can I just use the authorize process to check for notfound and check
> the useraccountcontrol setting is correct from an attribute mapping (or
> just use the useraccountcontrol in an ldap filter and rely on not
> found), then just set the cleartext-password attribute to be
> %{username} using some more unlang , then do nothing special in the chap
> authentication bit, just let it ok with the plaintext password or is
> that just all wrong? I figure I don't *really* need a password for
> mac-based auth, since it's always going to be == to the username?

  That's one huge sentence.  I can't make heads or tails of it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help with chap

2013-05-18 Thread Franks Andy (RLZ) IT Systems Engineer
Hi,
  I seem to frequent this forum, hopefully one day I'll be answering some 
questions, not asking them.
I've recently got into mac based auth on a procurve 5406. It does either chap
or peap-mschap authentication, and I'm using ntlm_auth for the mschap2 when
using peap. It worked brilliantly in testing, but come production, when I
reboot the switch or clear the authentication on the ports it can take up to
ten minutes for 10-15 clients to authenticate, simply because the nas (I guess)
gets overwhelmed and consequently I see loads of eap did not complete
messages. These don't happen for individual transactions - they always complete
fine. I can't see a way around this - we have loads of these switches..
So the question is the best way to use chap. I can't do it with ntlm_auth - so 
I thought of a few, possibly ridiculous options :

- Synch the content of the AD OU I have the mac address users in to an SQL 
database, maybe using vbscript/.net, including any state information like 
whether the account is disabled or expired and test against these custom fields 
during authentication. The authorisation process I currently have running 
against ldap doesn't pick up the account information being expired, maybe I 
need to look into this. I want to be able ideally to feed information back 
following a successful authentication to a custom attribute in AD, which is 
quite possible with an SQL database as an intermediary, for example switch 
and port ID, useful stuff to know. I can't think of any native linux apps that 
can change AD attributes, excluding samba doing groups and passwords, maybe 
there is one?

- Use ldap as an authentication method? I know that AD will never give me back 
a password, but since this is mac authentication I was wondering if in the 
authorisation bit of the virtual server I could update the cleartext-password 
attribute based on the username as the two details are always identical in mac 
based auth, and then perform authentication with a known password. Maybe this 
would pick up locked usernames instead, again not sure about MS ldap in this 
area, never tried.

- use nps as a proxy for the authentication. I don't really want to do this, 
but nps will (I think) allow chap / AD authentication.

Any ideas which of these / other would be the right direction to follow? Need 
to do this in a hurry as the next switch is rolling out soon so don't have time 
to look into all of them..

Thanks
Andy


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help with chap

2013-05-18 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come
> production, when i reboot the switch or clear the authentication on the
> ports it can take up to ten minutes for 10-15 clients to authenticate,

  That's bad.  10-15 clients should be done in a second or so.

  My guess is that the ntlm_auth process is taking a *long* time.  Maybe
your DNS settings are broken.

  Set up a test server.  Run it in debugging mode and see.  If the
authentication takes more than a second or so (with debug messages),
something is wrong.

> - Synch the content of the AD OU I have the mac address users in to an
> SQL database, maybe using vbscript/.net, including any state information
> like whether the account is disabled or expired and test against these
> custom fields during authentication.

  That will work for MS-CHAP.  Not for CHAP.

> The authorisation process I
> currently have running against ldap doesn't pick up the account
> information being expired, maybe I need to look into this. I want to be
> able ideally to feed information back following a successful
> authentication to a custom attribute in AD, which is quite possible with
> an SQL database as an intermediary, for example switch and port ID,
> useful stuff to know. I can't think of any native linux apps that can
> change AD attributes, excluding samba doing groups and passwords, maybe
> there is one?

  A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give
> me back a password, but since this is mac authentication I was wondering
> if in the authorisation bit of the virtual server I could update the
> cleartext-password attribute based on the username as the two details
> are always identical in mac based auth, and then perform authentication
> with a known password. Maybe this would pick up locked usernames
> instead, again not sure about MS ldap in this area, never tried.

  If it's MAC authentication, then FreeRADIUS can do the CHAP checking
itself.  And there's no point in doing *more* authentication.  The only
reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do
> this, but nps will (I think) allow chap / AD authentication.

  No, it won't.  It's impossible.

> Any ideas which of these / other would be the right direction to follow?
> Need to do this in a hurry as the next switch is rolling out soon so
> don't have time to look into all of them..

  Step 1: find out what's wrong with the current system.

  If something is broken, fix it.  Don't work around the problem.  That
makes it worse.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with chap

2013-05-18 Thread Matthias Nagel
Hello,

> I've recently got into mac based auth on a procurve 5406.  [...]
> [...] when i reboot the switch or clear the authentication on the ports it
> can take up to ten minutes for 10-15 clients to authenticate, simply because
> the nas (i guess) gets overwhelmed and consequently I see loads of eap did
> not complete messages.

We have a setup of one HP 5412zl, one HP 5406 and one HP 2910. Together all but 
two module slots are equipped with 24-port line interface cards, hence we have 
about 400 ethernet ports. We either use 802.1X authentication or mac-based 
authentication with mschap-peap on every port but a dozen. Our FreeRADIUS 
server is running on a virtual machine with only 512 MB RAM and is connected 
with 1GB/s to the 5412zl.

Anyway after a power cycle of all three switches at once, with all clients 
running, it only takes seconds until all clients (approx. 380) are 
authenticated again. Neither the HP switches nor the RADIUS server gets 
overwhelmed. So there must be some mis-configuration at your setup.

Matthias


--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Help with chap

2013-05-18 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks Alan,
  It takes literally a second or so for a single client auth, but
problems arise with multiple clients. I'll reset a card on the switch
and capture the logs and see what's happening. Nothing as far as I
remember pointed towards the ntlm_auth being the issue, it was the
failure to complete the eap transaction that seemed to be the problem,
but then I didn't scan each and every line to be honest.
I'll post back.
Thanks
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 May 2013 13:37
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come
> production, when i reboot the switch or clear the authentication on the
> ports it can take up to ten minutes for 10-15 clients to authenticate,

  That's bad.  10-15 clients should be done in a second or so.

  My guess is that the ntlm_auth process is taking a *long* time.  Maybe
your DNS settings are broken.

  Set up a test server.  Run it in debugging mode and see.  If the
authentication takes more than a second or so (with debug messages),
something is wrong.

> - Synch the content of the AD OU I have the mac address users in to an
> SQL database, maybe using vbscript/.net, including any state information
> like whether the account is disabled or expired and test against these
> custom fields during authentication.

  That will work for MS-CHAP.  Not for CHAP.

> The authorisation process I
> currently have running against ldap doesn't pick up the account
> information being expired, maybe I need to look into this. I want to be
> able ideally to feed information back following a successful
> authentication to a custom attribute in AD, which is quite possible with
> an SQL database as an intermediary, for example switch and port ID,
> useful stuff to know. I can't think of any native linux apps that can
> change AD attributes, excluding samba doing groups and passwords, maybe
> there is one?

  A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give
> me back a password, but since this is mac authentication I was wondering
> if in the authorisation bit of the virtual server I could update the
> cleartext-password attribute based on the username as the two details
> are always identical in mac based auth, and then perform authentication
> with a known password. Maybe this would pick up locked usernames
> instead, again not sure about MS ldap in this area, never tried.

  If it's MAC authentication, then FreeRADIUS can do the CHAP checking
itself.  And there's no point in doing *more* authentication.  The only
reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do
> this, but nps will (I think) allow chap / AD authentication.

  No, it won't.  It's impossible.

> Any ideas which of these / other would be the right direction to follow?
> Need to do this in a hurry as the next switch is rolling out soon so
> don't have time to look into all of them..

  Step 1: find out what's wrong with the current system.

  If something is broken, fix it.  Don't work around the problem.  That
makes it worse.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: Need help: login incorrect with FR 2.2.1

2013-05-16 Thread Fajar A. Nugraha
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote:

> Hello,
>
> I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of
> our wireless users cannot authenticate after the upgrade. The backend
> authentication server is Active Directory and we use ntlm_auth from winbind
> to pass MSCHAPv2 response from FR to AD.
>
> rlm_perl: Added pair NT-Password =
> 0x33343133344331374133364243314244413638324232323239443431
>
> [pap] Normalizing NT-Password from hex encoding


Just curious. Do ALL the failed users have the NT-Password attribute
added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out
NT-Password when running in LDAP mode. Or to put it another way, if
you had access to NT-Password (e.g. stored in another database,
whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try
removing NT-Password from the list of attributes added by rlm_perl. My
guess is that whatever your rlm_perl data source is, it is out of sync with
your AD.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-10 Thread Divyesh Raithatha
It appears that the created RPM doesn't include the TLV updates that were
made to the 2.x.x branch last week.  Why wouldn't this be included in the
RPM even though I am building the RPM with the current 2.x.x source?

Thanks.

On Wed, May 8, 2013 at 5:42 PM, Divyesh Raithatha 
divyesh.raitha...@gmail.com wrote:

 Thanks everyone.  Finally got the RPM build to work by doing the following:

 Version:  2.2.0 in the top of the freeradius.spec file to 2.2.1, and
 renaming source
 bz2 file to freeradius-server-2.2.1.tar.bz2

 Along with commenting out patches 2 and 5
 #Patch2: freeradius-radtest.patch
 #Patch5: freeradius-radeapclient-ipv6.patch


 Changing the README line to README.rst
 # install doc files omitted by standard install
 for f in COPYRIGHT CREDITS INSTALL README.rst; do
 cp $f $RPM_BUILD_ROOT/%{docdir}
 diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
 3c3
  Version: 2.2.0
 ---
  Version: 2.2.1
 15c15
  Patch2: freeradius-radtest.patch
 ---
  #Patch2: freeradius-radtest.patch
 18c18
  Patch5: freeradius-radeapclient-ipv6.patch
 ---
  #Patch5: freeradius-radeapclient-ipv6.patch
 152c152
  %patch2 -p1 -b .radtest
 ---
  #%patch2 -p1 -b .radtest
 155c155
  %patch5 -p1 -b .radeapclient-ipv6
 ---
  #%patch5 -p1 -b .radeapclient-ipv6
 239c239
  for f in COPYRIGHT CREDITS INSTALL README; do
 ---
  for f in COPYRIGHT CREDITS INSTALL README.rst; do
 By commenting out patch 2 and patch 5 what am I missing, if anything?

 On Wed, May 8, 2013 at 8:20 AM, John Dennis jden...@redhat.com wrote:

 On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

 On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
 divyesh.raitha...@gmail.com wrote:

 Thanks, I got past the README but now I am getting the following file
 not found errors.  They do exist, however, it looks like the build is
 looking for version 2.2.0 of the library files yet they are listed as 
 2.2.1.


 error: File not found:
 /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst


 That's kinda tricky. Look at %files section in the spec file.

 The cleanest solution right now would probably be changing Version:
 2.2.0 in the top of the make file to 2.2.1, AND rename your source
 bz2 file to freeradius-server-2.2.1.tar.bz2.


 The version macro in the spec file, the version embedded in tar file
 name, and the contents of tar file all *MUST* match. You have to be precise
 with what version you're building.

 I assumed that was obvious as opposed to being tricky ;-)


 Another way would be changing the files section, from (e.g.)

 %{_libdir}/freeradius/rlm_acct_unique-%{version}.so

 to

 %{_libdir}/freeradius/rlm_acct_unique-*.so

 ... or even try deleting all rlm_* lines and replace them with a
 one-liner

 %{_libdir}/freeradius/rlm_*.so*



 --
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Need help with making RPM from v2.x.x branch

2013-05-10 Thread John Dennis

On 05/10/2013 12:05 PM, Divyesh Raithatha wrote:

> It appears that the created RPM doesn't include the TLV updates that were
> made to the 2.x.x branch last week.  Why wouldn't this be included in
> the RPM even though I am building the RPM with the current 2.x.x source?


Use the source Luke :-)

I assume you built from git, therefore you've got every piece of 
information you need to figure this out. git log will give you exact 
information.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Raithatha, Divyesh
Thanks, I got past the README but now I am getting the following file not found 
errors.  They do exist, however, it looks like the build is looking for version 
2.2.0 of the library files yet they are listed as 2.2.1.


error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_acct_unique-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_acctlog-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_always-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_attr_filter-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_attr_rewrite-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_cache-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_chap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_checkval-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_copy_packet-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_counter-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_dbm-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_detail-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_digest-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_dynamic_clients-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_gtc-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_leap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_md5-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_mschapv2-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_peap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_sim-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_tls-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_eap_ttls-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_exec-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_expiration-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_expr-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_fastusers-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_files-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_ippool-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_linelog-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_logintime-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_mschap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_otp-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_pam-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_pap-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_passwd-2.2.0.so
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_policy-2.2.0.so

Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Fajar A. Nugraha
On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
divyesh.raitha...@gmail.com wrote:
> Thanks, I got past the README but now I am getting the following file not
> found errors.  They do exist, however, it looks like the build is looking for
> version 2.2.0 of the library files yet they are listed as 2.2.1.
>
> error: File not found:
> /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst

That's kinda tricky. Look at %files section in the spec file.

The cleanest solution right now would probably be changing Version:
2.2.0 in the top of the make file to 2.2.1, AND rename your source
bz2 file to freeradius-server-2.2.1.tar.bz2.

Another way would be changing the files section, from (e.g.)

%{_libdir}/freeradius/rlm_acct_unique-%{version}.so

to

%{_libdir}/freeradius/rlm_acct_unique-*.so

... or even try deleting all rlm_* lines and replace them with a one-liner

%{_libdir}/freeradius/rlm_*.so*

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Phil Mayers

On 05/08/2013 08:19 AM, Fajar A. Nugraha wrote:


> %{_libdir}/freeradius/rlm_acct_unique-*.so


FWIW this is the approach we usually take when packaging things; it 
seems pointless to me to embed version numbers into %files macros. I'm 
aware this is probably frowned on by some packaging guidelines, but it 
works well for us ;o)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread John Dennis

On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:
> On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
> divyesh.raitha...@gmail.com wrote:
>> Thanks, I got past the README but now I am getting the following file not found
>> errors.  They do exist, however, it looks like the build is looking for version
>> 2.2.0 of the library files yet they are listed as 2.2.1.
>>
>> error: File not found:
>> /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
>
> That's kinda tricky. Look at %files section in the spec file.
>
> The cleanest solution right now would probably be changing Version:
> 2.2.0 in the top of the make file to 2.2.1, AND rename your source
> bz2 file to freeradius-server-2.2.1.tar.bz2.


The version macro in the spec file, the version embedded in tar file 
name, and the contents of tar file all *MUST* match. You have to be 
precise with what version you're building.


I assumed that was obvious as opposed to being tricky ;-)



> Another way would be changing the files section, from (e.g.)
>
> %{_libdir}/freeradius/rlm_acct_unique-%{version}.so
>
> to
>
> %{_libdir}/freeradius/rlm_acct_unique-*.so
>
> ... or even try deleting all rlm_* lines and replace them with a one-liner
>
> %{_libdir}/freeradius/rlm_*.so*




--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
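
The rule John states (the spec's Version:, the version in the tarball name and the tarball's contents must all agree) is easy to check mechanically before running rpmbuild. The following Python is an added example written for this thread, not part of FreeRADIUS or its redhat/ spec file; it assumes tarballs named freeradius-server-<version>.tar.gz or .tar.bz2 that unpack into a freeradius-server-<version>/ directory (assumed to be what the spec's %setup line expects), and it builds a small tarball in memory instead of reading a real one:

```python
"""
Consistency check for an RPM rebuild of a FreeRADIUS tarball: the spec's
Version:, the version in the tarball file name and the tarball's top-level
directory must agree. Added example for this thread, not project code; the
spec text and tarball used below are constructed in memory.
"""
import io
import re
import tarfile

SPEC_VERSION_RE = re.compile(r"^Version:\s*(\S+)\s*$", re.MULTILINE)
# Assumption: upstream tarballs are named freeradius-server-<version>.tar.<gz|bz2>
TARBALL_RE = re.compile(r"^freeradius-server-(\d+(?:\.\d+)+)\.tar\.(?:gz|bz2)$")


def spec_version(spec_text: str):
    """Value of the Version: tag in the spec, or None if there is none."""
    m = SPEC_VERSION_RE.search(spec_text)
    return m.group(1) if m else None


def tarball_version(filename: str):
    """Version embedded in the tarball file name, or None if the name is unexpected."""
    m = TARBALL_RE.match(filename)
    return m.group(1) if m else None


def tarball_topdir(tar_bytes: bytes):
    """The single top-level directory inside the archive, or None if absent/ambiguous."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        tops = {name.split("/", 1)[0] for name in tf.getnames()}
    return tops.pop() if len(tops) == 1 else None


def check_consistency(spec_text: str, tarball_name: str, tar_bytes: bytes) -> list:
    """Return a list of problems; an empty list means spec, name and contents agree."""
    problems = []
    sv = spec_version(spec_text)
    tv = tarball_version(tarball_name)
    top = tarball_topdir(tar_bytes)
    if sv is None:
        problems.append("spec file has no Version: line")
    if tv is None:
        problems.append(f"tarball name {tarball_name!r} is not freeradius-server-<version>.tar.*")
    if sv and tv and sv != tv:
        problems.append(f"spec Version: {sv} but tarball name says {tv}")
    if top is None:
        problems.append("tarball has no single top-level directory")
    elif tv and top != f"freeradius-server-{tv}":
        # assumed layout: the archive unpacks into freeradius-server-<version>/
        problems.append(f"tarball unpacks to {top!r}, expected freeradius-server-{tv}")
    return problems


def make_tarball(topdir: str) -> bytes:
    """Constructed stand-in for a source tarball: one README.rst under topdir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tf:
        data = b"constructed README\n"
        info = tarfile.TarInfo(name=f"{topdir}/README.rst")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # constructed spec header with the stale Version: from the thread
    stale_spec = "Name: freeradius\nVersion: 2.2.0\nRelease: 1%{?dist}\n"
    for problem in check_consistency(stale_spec, "freeradius-server-2.2.1.tar.bz2",
                                     make_tarball("freeradius-server-2.2.1")):
        print("problem:", problem)
```

With the stale spec it reports exactly the mismatch Divyesh hit (spec says 2.2.0, tarball says 2.2.1); with a tarball whose top directory does not match its own file name it reports that instead, which is the other way the "File not found ... freeradius-2.2.0-1.el6" errors arise. Run it against the real spec and tarball by reading them from disk in place of the constructed inputs.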


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Divyesh Raithatha
Thanks everyone.  Finally got the RPM build to work by doing the following:

Version:  2.2.0 in the top of the freeradius.spec file to 2.2.1, and
renaming source bz2 file to freeradius-server-2.2.1.tar.bz2

Along with commenting out patches 2 and 5
#Patch2: freeradius-radtest.patch
#Patch5: freeradius-radeapclient-ipv6.patch


Changing the README line to README.rst
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README.rst; do
cp $f $RPM_BUILD_ROOT/%{docdir}
diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
3c3
 Version: 2.2.0
---
 Version: 2.2.1
15c15
 Patch2: freeradius-radtest.patch
---
 #Patch2: freeradius-radtest.patch
18c18
 Patch5: freeradius-radeapclient-ipv6.patch
---
 #Patch5: freeradius-radeapclient-ipv6.patch
152c152
 %patch2 -p1 -b .radtest
---
 #%patch2 -p1 -b .radtest
155c155
 %patch5 -p1 -b .radeapclient-ipv6
---
 #%patch5 -p1 -b .radeapclient-ipv6
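Review bot: the 15c15, 18c18, 152c152 and 155c155 changes disable Patch2 (freeradius-radtest.patch) and Patch5 (freeradius-radeapclient-ipv6.patch) both where they are declared and where %patch2/%patch5 apply them, so whatever those two patches change in radtest and in radeapclient's IPv6 handling is simply absent from the 2.2.1 RPM rather than fixed. Before relying on this build, check whether the 2.2.1 source already carries those changes (in which case remove the four lines outright instead of commenting them out) and, if not, rebase the two patches against 2.2.1 rather than disabling them; a patch that no longer applies means the source moved, not that the patch became unnecessary.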
239c239
 for f in COPYRIGHT CREDITS INSTALL README; do
---
 for f in COPYRIGHT CREDITS INSTALL README.rst; do
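Review bot: the 239c239 change only renames README to README.rst in the doc-copy loop; the %files section has to list README.rst as well, as Fajar pointed out earlier in the thread, because an install step and a %files list that disagree fail at the packaging stage. Pair this hunk with the matching %files edit, or move the doc files to a %doc entry so the list is maintained in one place.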
By commenting out patch 2 and patch 5 what am I missing, if anything?

On Wed, May 8, 2013 at 8:20 AM, John Dennis jden...@redhat.com wrote:

 On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

 On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
 divyesh.raitha...@gmail.com wrote:

 Thanks, I got past the README but now I am getting the following file
 not found errors.  They do exist, however, it looks like the build is
 looking for version 2.2.0 of the library files yet they are listed as 2.2.1.


 error: File not found: /home/test/rpmbuild/BUILDROOT/**
 freeradius-2.2.0-1.el6.x86_64/**etc/raddb/certs/README.rst


 That's kinda tricky. Look at %files section in the spec file.

 The cleanest solution right now would probably be changing Version:
 2.2.0 in the top of the make file to 2.2.1, AND rename your source
 bz2 file to freeradius-server-2.2.1.tar.**bz2.


 The version macro in the spec file, the version embedded in tar file name,
 and the contents of tar file all *MUST* match. You have to be precise with
 what version you're building.

 I assumed that was obvious as opposed to being tricky ;-)


 Another way would be changing the files section, from (e.g.)

 %{_libdir}/freeradius/rlm_**acct_unique-%{version}.so

 to

 %{_libdir}/freeradius/rlm_**acct_unique-*.so

 ... or even try deleting all rlm_* lines and replace them with a one-liner

 %{_libdir}/freeradius/rlm_*.so*



 --
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Fajar A. Nugraha
On Tue, May 7, 2013 at 3:35 AM, Divyesh Raithatha
divyesh.raitha...@gmail.com wrote:

 to get past the patch error messages but I get another error below:



 + cp README 
 /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0


Look at the spec file, change

cp README 
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
to

cp README.rst 
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0

... and look near %files, change README to README.rst there as well.

--
Fajar


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Fajar A. Nugraha
On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:

 These project-maintained build configurations are best thought of as
 bleeding-edge developer stuff. Make some change and you want to test on
 Fedora or Debian and need packages? Then these build directories are the
 go-to place. Or for those cases where a distribution has not caught up with
 upstream yet, this can serve a useful purpose as well (as long as they
 stay generic, see below), another variant of the "this is only for the
 latest and greatest".


You've pretty much covered it.



 My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM
 spec file which is as vanilla as possible, without any patches whatsoever. In
 theory current upstream shouldn't need patches. Also any customization we
 might do really should come from us, not upstream. If one is building an
 RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file
 then one should get a vanilla FreeRADIUS build whose only customization
 extends to assuring the same file locations, package names, etc. are used.
 You pretty much get this for free. I would take an existing spec file, strip
 out all the patches, changelog, etc., and then one only needs to take a look
 at the options passed to configure (I'm thinking about options which
 control which modules are built).



IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.

My use case was that I wanted the build to be as much drop-in as possible,
so I can (for example) upgrade to 2.2.1 as soon as possible when it comes
out, but switch to Red Hat's official RPM when it's available, without
having to change my config. Without some of the patches, I'd need to modify
my config file as well.



 Would we like to maintain the ./redhat subdirectory?

 No, for two reasons.

 1. It's impossible; as pointed out above, there is no single spec file,
 each spec file is tied to a specific release. We maintain *independent*
 spec files for *every* distribution version we support; at the moment that
 numbers in the dozens :-(


Yeah. Before 2.2.0 was out, I made sure that I could build RPMs for RHEL5 and
6 (because that's what I use), and submitted the necessary changes upstream.
It seems to be enough (i.e. those two versions made up for most who need to
build a Red Hat RPM), because IIRC there hasn't been a mail to the list
about "I need to build an FR 2.2.0 RPM for X flavor of Red Hat but the
included spec file doesn't work".



 2. We already maintain them and they are publicly available for anyone to
 download. Trying to maintain multiple copies in multiple repositories and
 assuring they all stay in sync doesn't seem justified.


Thanks for the effort.

If no one else does this first, I'd probably submit patches to make FR debs
and RPMs build cleanly before 2.2.1 is out (need to dig out my lxc
templates first). That way at least people can build packages for released
version.

-- 
Fajar

Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Alan DeKok
John Dennis wrote:
 Why does FreeRADIUS maintain build configurations for Red Hat and
 Debian?

  Part historical reasons.  RPMs were difficult to find, and it was
easier to include RPM scripts in the server.

  It also means it's easy for people to build custom RPMs.  They can use
an established spec distributed with the server.  They don't have to
search for spec files.

 I can't speak for Debian, I'm not a Deb package maintainer, but at least
 in the Red Hat world there isn't just one Red Hat distribution, there
 are many and each can have different build requirements and build
 configurations.

  Yes.  The files distributed with the server should create *a* package.
 Not *the* canonical package.  It will work, and will follow your system
packaging method.  But it won't be identical to an upstream package.

 Another problem is the spec file under ./redhat is forever getting out
 of sync (as evidenced by the OP). Patch sets are a superb example of
 this (compounded by the problem there is no single rpm spec file for all
 Red Hat versions).

  For our purposes, there doesn't need to be.

 My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat
 RPM spec file which is vanilla as possible without any patches
 whatsoever. In theory current upstream shouldn't need patches. Also any
 customization we might do really should come from us, not upstream. If
 one is building an RPM from the current FreeRADIUS version using the
 FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build
 whose only customization extends to assuring the same file locations,
 package names, etc. are used. You pretty much get this for free. I would
 take an existing spec file strip out all the patches, changelog, etc.
 and then one only needs to take a look at the options passed to
 configure (I'm thinking about options which control which modules are
 built).

  That's pretty much the goal, yes.

 The generic RPM spec file that upstream maintains should be exercised on a
 regular basis. Far too often we've seen upstream changes that required
 spec file changes but which were never done (e.g. adding/removing modules
 and/or other files).

  I have a redhat VM around somewhere...

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread John Dennis

On 05/07/2013 04:46 AM, Fajar A. Nugraha wrote:

On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:

These project-maintained build configurations are best thought of as
bleeding-edge developer stuff. Make some change and you want to
test on Fedora or Debian and need packages? Then these build
directories are the go-to place. Or for those cases where a
distribution has not caught up with upstream yet, this can
serve a useful purpose as well (as long as they stay generic, see
below), another variant of the "this is only for the latest and
greatest".


You've pretty much covered it.


My suggestion is for upstream FreeRADIUS to maintain a generic Red
Hat RPM spec file which is as vanilla as possible, without any patches
whatsoever. In theory current upstream shouldn't need patches. Also
any customization we might do really should come from us, not
upstream. If one is building an RPM from the current FreeRADIUS
version using the FreeRADIUS RPM spec file then one should get a
vanilla FreeRADIUS build whose only customization extends to
assuring the same file locations, package names, etc. are used. You
pretty much get this for free. I would take an existing spec file,
strip out all the patches, changelog, etc., and then one only needs
to take a look at the options passed to configure (I'm thinking
about options which control which modules are built).



IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.


Yes, this is sensible. My suggestion was mostly aimed at simplifying the 
task with the hope it would then be more robust and easier to maintain.




My use case was that I wanted the build to be as much drop-in as
possible, so I can (for example) upgrade to 2.2.1 as soon as possible
when it comes out, but switch to Red Hat's official RPM when it's
available, without having to change my config. Without some of the
patches, I'd need to modify my config file as well.


I think the only thing of consequence we customize is the bootstrap cert 
creation which is done via RPM during the install step (plus tweaking 
some of the cert parameters to tighten up security).


Any other patches are bug fixes found either by our QA team or
customers. Those usually break down into one of two categories: fixes
upstream has made post-release and we've 'backported', or fixes we've
made and have submitted to the project. The lifetime of these patches is
short because in almost every instance the next upstream release has
addressed the issue. Kudos to the team for that. So my thought was that
if you didn't try to mirror that patch set it would be much easier and
little would be lost.



Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible; as pointed out above, there is no single spec
file, each spec file is tied to a specific release. We maintain
*independent* spec files for *every* distribution version we
support; at the moment that numbers in the dozens :-(


Yeah. Before 2.2.0 was out, I made sure that I could build RPMs for RHEL5
and 6 (because that's what I use), and submitted the necessary changes
upstream. It seems to be enough (i.e. those two versions made up for
most who need to build a Red Hat RPM), because IIRC there hasn't been a
mail to the list about "I need to build an FR 2.2.0 RPM for X flavor of Red
Hat but the included spec file doesn't work".


Currently the biggest pain point is the transition from SysV initscripts 
to systemd. How daemons are installed and configured is different 
between Fedora and RHEL at the moment and because systemd is still in a 
bit of flux things can be different even between Fedora releases. 
Differences in BuildRequires occur less often, but do occur.


There is an everlasting debate as to whether it's best to maintain one
spec file that's common across distributions and parameterize it so that it
behaves differently in different targets, or whether it's best to
maintain completely different spec files and merge changes across them.


Those who argue for merging cite the complexity of parameterized spec
files, complaining that all that conditional logic is difficult to work with
and fragile, making it difficult to maintain. Those who argue for
parameterizing cite how merging is fragile and is difficult to maintain.


So obviously there isn't one right way. But because we're so constrained 
as to what can appear in RHEL (every change has to have numerous 
approvals) I gave up on trying to use Fedora spec files in RHEL and 
instead merge the leading edge Fedora into RHEL.





2. We already maintain them and they are publicly available for
anyone to download. Trying to maintain multiple copies in multiple
repositories and assuring they all stay in sync doesn't seem justified.


Thanks for the effort.

If no one else does this first, I'd probably submit patches to make FR

Need help with making RPM from v2.x.x branch

2013-05-06 Thread Divyesh Raithatha
Hello all, has anyone had success in building an RPM from the v2.x.x branch
from http://git.freeradius.org?

I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.  However, when I tried to build the RPM from v2.x.x I get the
following message:


Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)


Here are the contents of the radtest.in.rej file:

--- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
+++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
@@ -121,7 +121,7 @@
echo EAP-Code = Response
echo EAP-Type-Identity = \$1\
fi
-   if [ $6 ]
+   if [ ! -z $6 ]  [[ $6 =~ ^[0-9]+$ ]]  [ $6 -gt 0 ]
then
echo Framed-Protocol = PPP
fi
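Review bot: the `+` line uses the bash-only `[[ "$6" =~ ^[0-9]+$ ]]` pattern test, which works only if radtest is executed by bash rather than a plain POSIX /bin/sh; and the `&&` operators joining its three tests (plus the quotes in `\$1\`) have been dropped in the archive, so the line as displayed would not parse. The rejection itself ("Hunk #1 FAILED at 121") means the context lines around line 121 of the v2.x.x radtest.in no longer match what this patch expects; per the `---`/`+++` headers it was generated in January 2012 against a September 2011 file, which is the version skew John Dennis describes in his reply, not a defect in the patch logic.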





Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh

  RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
  RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
  RPM_OPT_FLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
  RPM_ARCH=x86_64
  RPM_OS=linux
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR=/usr/share/doc
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME=freeradius
  RPM_PACKAGE_VERSION=2.2.0
  RPM_PACKAGE_RELEASE=1.el6
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  LANG=C
  export LANG
  unset CDPATH DISPLAY ||:

RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
  export RPM_BUILD_ROOT

  PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
  export PKG_CONFIG_PATH

  set -x
  umask 022
  cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY

cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc
'/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' | /bin/tar
-xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo "Patch #1 (freeradius-cert-config.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0

echo "Patch #2 (freeradius-radtest.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0

#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo "Patch #5 (freeradius-radeapclient-ipv6.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0

#%patch6 -p1
#%patch7 -p1 -b perl
echo "Patch #8 (freeradius-dhcp_sqlippool.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0


# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +

exit 0


Any Ideas?

Thank you.

Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 02:57 PM, Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?
I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ
On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.  However, when I tried to build the RPM from v2.x.x I get the
following message:

Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
RPM build errors:
 Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)

Here is the radtest.in.rej file contents:

--- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
+++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
@@ -121,7 +121,7 @@
 echo EAP-Code = Response
 echo EAP-Type-Identity = \$1\
 fi
-   if [ $6 ]
+   if [ ! -z $6 ]  [[ $6 =~ ^[0-9]+$ ]]  [ $6 -gt 0 ]
 then
 echo Framed-Protocol = PPP
 fi

Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh
   RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
   RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
   RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64
-mtune=generic
   RPM_ARCH=x86_64
   RPM_OS=linux
   export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
   RPM_DOC_DIR=/usr/share/doc
   export RPM_DOC_DIR
   RPM_PACKAGE_NAME=freeradius
   RPM_PACKAGE_VERSION=2.2.0
   RPM_PACKAGE_RELEASE=1.el6
   export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
   LANG=C
   export LANG
   unset CDPATH DISPLAY ||:

RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
   export RPM_BUILD_ROOT
   PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
   export PKG_CONFIG_PATH
   set -x
   umask 022
   cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY
cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc
'/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' |
/bin/tar -xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
   exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo "Patch #1 (freeradius-cert-config.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0
echo "Patch #2 (freeradius-radtest.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0
#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo "Patch #5 (freeradius-radeapclient-ipv6.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0
#%patch6 -p1
#%patch7 -p1 -b perl
echo "Patch #8 (freeradius-dhcp_sqlippool.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
exit 0

Any Ideas?


The patch set is targeted at a *specific* freeradius version. You're
trying to apply patches from one version against another version.
Sometimes that works, sometimes it doesn't. A patch may not succeed for
several reasons: the code may have shifted position in the file (fuzz >
0), and RPM disallows this because it's evidence of not keeping the spec
file current against the version being built. You can override this with


%global _default_patch_fuzz 2

at the top of the spec file (2 in this case is an old default before it 
was changed to 0). Overriding the patch fuzz factor is not recommended, 
instead it's recommended you fix the patch to make it 100% correct for 
the current version.


Another reason a patch might not succeed is because the problem was
already reported upstream and upstream fixed it. If they took the patch
verbatim then the error you'll see is something akin to "Previously
applied patch" or "reverse patch". If upstream fixed the issue in some
other way the patch simply won't apply. Figuring out exactly which lines of
code changed and why is the work of a package maintainer. In this case
you're assuming that role and you'll have to do that work.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

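The fuzz behaviour John describes, as an added example that is not from the thread, from GNU patch or from FreeRADIUS: a minimal unified-hunk applier that rejects a hunk whose context has changed at fuzz 0 and accepts it once leading context may be ignored. The target files, their contents and the hunk's line numbers are constructed stand-ins for the radtest.in region the thread's .rej file covers.

```python
"""Minimal unified-diff hunk applier with a patch(1)-style fuzz factor.

Illustration written for this page (not GNU patch, not FreeRADIUS code) of why
a patch made against one release reports "Hunk #1 FAILED" on another, and what
`%global _default_patch_fuzz 2` would let through.  Inputs below are constructed.
"""
import re

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_hunk(hunk_lines):
    """Return (old_start, [(tag, text), ...]); tag is ' ', '-' or '+'."""
    m = HUNK_HEADER.match(hunk_lines[0])
    if not m:
        raise ValueError("not a hunk header: %r" % hunk_lines[0])
    body = [(raw[0], raw[1:]) if raw else (" ", "") for raw in hunk_lines[1:]]
    return int(m.group(1)), body


def search_order(start, last):
    """Declared position first, then outward both ways, within [0, last]."""
    if last < 0:
        return
    start = min(max(start, 0), last)
    yield start
    for d in range(1, last + 1):
        if start - d >= 0:
            yield start - d
        if start + d <= last:
            yield start + d


def apply_hunk(target, hunk_lines, fuzz=0):
    """Apply one hunk to `target` (a list of lines without newlines).

    Returns (new_lines, offset, fuzz_used), or None when the hunk is rejected
    (what patch would write to a .rej file).  Fuzz level f ignores up to f
    leading and f trailing context lines while matching; '-' lines must always
    match.  Levels 0..fuzz are tried in order, as patch does.
    """
    old_start, body = parse_hunk(hunk_lines)
    old_side = [(t, x) for t, x in body if t in " -"]
    new_side = [x for t, x in body if t in " +"]
    lead = 0
    while lead < len(old_side) and old_side[lead][0] == " ":
        lead += 1
    trail = 0
    while trail < len(old_side) - lead and old_side[-1 - trail][0] == " ":
        trail += 1
    for f in range(fuzz + 1):
        dl, dt = min(f, lead), min(f, trail)
        want = [x for _, x in old_side[dl:len(old_side) - dt]]
        declared = old_start - 1 + dl  # 0-based index where the hunk claims to be
        for pos in search_order(declared, len(target) - len(want)):
            if target[pos:pos + len(want)] == want:
                # Context ignored by fuzz is kept as it stands in the target.
                replacement = new_side[dl:len(new_side) - dt]
                return (target[:pos] + replacement + target[pos + len(want):],
                        pos - declared, f)
    return None


# Constructed stand-in for the radtest.in region the thread's hunk targets,
# as it looked in the release the patch was written against.
ORIGINAL = [
    '#!/bin/sh',
    'if [ "$EAP" = 1 ]; then',
    '  echo "EAP-Code = Response"',
    '  echo "EAP-Type-Identity = \\"$1\\""',
    'fi',
    'if [ "$6" ]',
    'then',
    '  echo "Framed-Protocol = PPP"',
    'fi',
]

# Constructed newer branch: a comment inserted above and one context line
# reworded upstream, so the hunk's leading context no longer matches.
NEWER = ORIGINAL[:1] + [
    '# radtest: build a radclient request from the command line',
    'if [ "$EAP" = 1 ]; then',
    '  echo "EAP-Code = Response"  # answer the Identity request',
] + ORIGINAL[3:]

# Same shape as the thread's radtest.in.rej, renumbered for ORIGINAL.
HUNK = [
    '@@ -3,7 +3,7 @@',
    '   echo "EAP-Code = Response"',
    '   echo "EAP-Type-Identity = \\"$1\\""',
    ' fi',
    '-if [ "$6" ]',
    '+if [ ! -z "$6" ] && [[ "$6" =~ ^[0-9]+$ ]] && [ "$6" -gt 0 ]',
    ' then',
    '   echo "Framed-Protocol = PPP"',
    ' fi',
]
```

Against ORIGINAL the hunk applies at offset 0 with fuzz 0; against NEWER it is rejected at fuzz 0 and applies at offset 1 with fuzz 1, which is exactly the case `--fuzz=0` in the %prep script refuses and a fuzz of 2 would let through.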

Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread Alan DeKok
Divyesh Raithatha wrote:
 Hello all, has anyone had success in building an RPM from the v2.x.x
 branch from http://git.freeradius.org?

  That should work

 I am following the information from
 http://wiki.freeradius.org/guide/Red-Hat-FAQ
  
 On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
 successfully but I want to get all of the recent patches from the v2.x.x
 branch.

  Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch


  That should cause it to build.

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread Divyesh Raithatha
Thanks Alan, I had to comment out both Patch 2 and 5 sections

#%patch2 -p1 -b .radtest
#%patch5 -p1 -b .radeapclient-ipv6


to get past the patch error messages but I get another error below:



+ cp README
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
cp: cannot stat `README': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)

Here are the contents of the temp file:

  cat /var/tmp/rpm-tmp.wG9x7h
#!/bin/sh
  RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
  RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
  RPM_OPT_FLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
  RPM_ARCH=x86_64
  RPM_OS=linux
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR=/usr/share/doc
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME=freeradius
  RPM_PACKAGE_VERSION=2.2.0
  RPM_PACKAGE_RELEASE=1.el6
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  LANG=C
  export LANG
  unset CDPATH DISPLAY ||:

RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
  export RPM_BUILD_ROOT

  PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
  export PKG_CONFIG_PATH

  set -x
  umask 022
  cd /home/test/rpmbuild/BUILD
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"
mkdir -p `dirname $RPM_BUILD_ROOT`
mkdir $RPM_BUILD_ROOT
cd 'freeradius-server-2.2.0'
LANG=C
export LANG
unset DISPLAY
mkdir -p $RPM_BUILD_ROOT//var/lib/radiusd
# fix for bad libtool bug - can not rebuild dependent libs and bins
#FIXME export LD_LIBRARY_PATH=$RPM_BUILD_ROOT//usr/lib64
make install R=$RPM_BUILD_ROOT
# modify default configuration
RADDB=$RPM_BUILD_ROOT/etc/raddb
perl -i -pe 's/^#user =.*$/user = radiusd/'   $RADDB/radiusd.conf
perl -i -pe 's/^#group =.*$/group = radiusd/' $RADDB/radiusd.conf
# logs
mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct
touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log}
install -D -m 755 /home/test/rpmbuild/SOURCES/freeradius-radiusd-init $RPM_BUILD_ROOT//etc/rc.d/init.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-logrotate $RPM_BUILD_ROOT//etc/logrotate.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-pam-conf $RPM_BUILD_ROOT//etc/pam.d/radiusd
mkdir -p /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/
install -d -m 0710 /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/radiusd/
# remove unneeded stuff
rm -rf doc/00-OLD
rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.a
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.la
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/mssql
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/drivers/oracle
# remove header files, we don't ship a devel package and the
# headers have multilib conflicts
rm -rf $RPM_BUILD_ROOT//usr/include
# remove unsupported config files
rm -f $RPM_BUILD_ROOT//etc/raddb/experimental.conf
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README; do
cp $f $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0
done
cp LICENSE $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.gpl
cp src/lib/LICENSE $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.lgpl
cp src/LICENSE.openssl $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.openssl
# add Red Hat specific documentation
cat > $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/REDHAT << EOF
Red Hat, RHEL, Fedora, and CentOS specific information can be found on the
FreeRADIUS Wiki in the Red Hat FAQ.
http://wiki.freeradius.org/guide/Red_Hat_FAQ
Please reference that document.
EOF

# Make sure our user/group is present prior to any package or subpackage installation

   /usr/lib/rpm/find-debuginfo.sh --strict-build-id
/home/test/rpmbuild/BUILD/freeradius-server-2.2.0
/usr/lib/rpm/check-buildroot

/usr/lib/rpm/redhat/brp-compress

/usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
/usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
/usr/lib/rpm/brp-python-bytecompile
/usr/lib/rpm/redhat/brp-python-hardlink
/usr/lib/rpm/redhat/brp-java-repack-jars

On Mon, May 6, 2013 at 1:09 PM, Alan DeKok al...@deployingradius.com wrote:


 Divyesh Raithatha wrote:
  Hello all, has anyone had success in building an RPM from the v2.x.x
  branch from http://git.freeradius.org?
 
   That should work

  I am following the information from
  http://wiki.freeradius.org/guide/Red-Hat-FAQ
 
  On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
  successfully but I want to get all of the recent patches from the v2.x.x
  branch.

   Go to redhat/freeradius.spec, 

Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 04:09 PM, Alan DeKok wrote:

Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?


   That should work


I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.


   Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch


   That should cause it to build.

   Alan DeKok.


Why does FreeRADIUS maintain build configurations for Red Hat and
Debian? I suppose it makes sense for the person who wants to build an
RPM or Deb package from the latest repo. It does not make sense for
someone who just wants an RPM package. These project-maintained build
configurations are best thought of as bleeding-edge developer stuff.
Make some change and you want to test on Fedora or Debian and need
packages? Then these build directories are the go-to place. Or for those
cases where a distribution has not caught up with upstream yet, this can
serve a useful purpose as well (as long as they stay generic, see
below), another variant of the "this is only for the latest and
greatest".


I can't speak for Debian, I'm not a Deb package maintainer, but at least
in the Red Hat world there isn't just one Red Hat distribution, there
are many and each can have different build requirements and build
configurations.


Another problem is the spec file under ./redhat is forever getting out 
of sync (as evidenced by the OP). Patch sets are a superb example of 
this (compounded by the problem there is no single rpm spec file for all 
Red Hat versions).


My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat
RPM spec file which is as vanilla as possible, without any patches
whatsoever. In theory current upstream shouldn't need patches. Also any
customization we might do really should come from us, not upstream. If
one is building an RPM from the current FreeRADIUS version using the
FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build
whose only customization extends to assuring the same file locations,
package names, etc. are used. You pretty much get this for free. I would
take an existing spec file, strip out all the patches, changelog, etc.,
and then one only needs to take a look at the options passed to
configure (I'm thinking about options which control which modules are
built).


The generic RPM spec file that upstream maintains should be exercised on a
regular basis. Far too often we've seen upstream changes that required
spec file changes but which were never done (e.g. adding/removing modules
and/or other files).


Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible; as pointed out above, there is no single spec file,
each spec file is tied to a specific release. We maintain *independent*
spec files for *every* distribution version we support; at the moment
that numbers in the dozens :-(


2. We already maintain them and they are publicly available for anyone 
to download. Trying to maintain multiple copies in multiple repositories 
and assuring they all stay in sync doesn't seem justified.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: [Help] radtest mschap problem

2013-04-27 Thread Andres
Thank you all for your replies,

I used the SLES 11 standard freeradius package and it was too old;
it was my mistake and it took a few days off my life.
Hopefully someone else does not make the same mistake.


Andres



2013/4/27 Alan DeKok al...@deployingradius.com

 Andres wrote:
  FreeRADIUS  server Version: 2.1.1-7.16.1
  also installed freeradius-server-libs and utils

   Why?  That version is SEVEN YEARS old.

   Upgrade.  Really.

   And you're using a version of radclient which doesn't support mschap.
  So... why are you trying to use mschap?

   We presume that you're running a recent version of the server.  Also,
 that you read the documentation which comes with the server.  If
 radtest -h doesn't say it supports the -t parameter, then it doesn't
 support the -t parameter.

   Alan DeKok.


Re: [Help] radtest mschap problem

2013-04-27 Thread Fajar A. Nugraha
On Sun, Apr 28, 2013 at 1:31 AM, Andres arvutihool...@gmail.com wrote:
 Thank you all for your replays,

 I used SLES 11 freeradius standard package and it was too old,
 and it was my mistake and took a few days off my life.
 Hopefully someone else does not make the same mistake

If all you need is the mschap test function, IIRC 2.1.12 also has it, and
there are packages for SLE 11:
http://download.opensuse.org/repositories/network:/aaa/SLE_11/x86_64/

It will be even better if you can use 2.2.0. Search the list archive;
IIRC you must manually delete references to sqlite3 in the spec file to
get it to build on SLE11.

-- 
Fajar


Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
Most likely your host file didn't have an entry for your domain name;
dump your hostname and /etc/hosts file here and then we can comment better.

On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:

 Hello All,

 I'm trying to test mschap with radtest but it gives me strange error
 message.
 I've tried to solve it several days, but had no success.

 I'm using syntax like that:

 $ radtest -t mschap user password 127.0.0.1 0 secret

 radclient : Failed to find IP address for host user: Success


 radclient: $Id$ built on Jan 22 2013 at 23:55:37
 FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
 2013

 host file looks fine

 I would appreciate it if someone can help me.

 Andres









Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
This is what my hosts file looks like:

# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.mydomain.com radius

Andres



2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com

 Most likely your hosts file didn't have an entry for your domain name,
 dump your hostname and /etc/hosts file here and then we can comment better
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
 this is how my hosts file looks:

  Well... something is wrong with DNS on your system.

  The only advantage to using radtest is that it's simpler than
radclient.  But it's just a wrapper around radclient.  You can edit
radtest to remove the DNS lookups, or write your own wrapper which
doesn't do DNS lookups.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
What's the hostname of your system?

On Fri, Apr 26, 2013 at 6:30 PM, Andres arvutihool...@gmail.com wrote:

 this is how my hosts file looks:

 # IP-Address  Full-Qualified-Hostname  Short-Hostname
 #

 127.0.0.1   localhost

 # special IPv6 addresses
 ::1 localhost ipv6-localhost ipv6-loopback

 fe00::0 ipv6-localnet

 ff00::0 ipv6-mcastprefix
 ff02::1 ipv6-allnodes
 ff02::2 ipv6-allrouters
 ff02::3 ipv6-allhosts
 10.58.5.58  radius.mydomain.com radius

 Andres



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
host name is radius
ip 10.58.5.58
Full Domain  host name:  radius.mydomain.com  radius

..
resolv.conf

search mydomain.com
nameserver 10.58.5.39
nameserver 10.58.5.45



/etc/hosts

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.dpd.ee radius



radius:/etc # ping mydomain.com
PING mydomain.com (10.58.5.39) 56(84) bytes of data.
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=1 ttl=128 time=0.301 ms
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=2 ttl=128 time=0.414 ms


radius:/etc # ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.039 ms

radius:/etc # ping6  localhost
PING localhost(localhost) 56 data bytes
64 bytes from localhost: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from localhost: icmp_seq=2 ttl=64 time=0.054 ms

.

radius:/etc # radtest -t mschap testing passme 127.0.0.1 0 testing123456
radclient: Failed to find IP address for host testing: Success

.
radius:/etc # radtest testing passme 127.0.0.1 0 testing123456
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = testing
User-Password = passme
NAS-IP-Address = 10.58.5.58
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=177,
length=20


Yast2 network settings, Hostname/DNS (screen dump; only the values are kept here):

Hostname: radius
Domain Name: mydomain.com
[x] Change Hostname via DHCP (No interface with dhcp)
[ ] Assign Hostname to Loopback IP
Modify DNS configuration: Use Default Policy
Name Server 1: 10.58.5.45
Name Server 2: 10.58.5.39
Name Server 3: (empty)
Domain Search: mydomain.com

I cannot figure out what the cause of it is, that radtest -t mschap doesn't
work.
Is it related to DNS or IPv6?  Did I do something wrong...

I'm using( as Windows 2008 domain member):
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
2013 at 23:55:29



I'd be very grateful if someone would care to assist me with this problem

Andres

2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com

 What's the hostname of your system?

Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

what version of FreeRADIUS? are you sure you aren't running old copies of 
radclient/radtest

ie you THINK you can do -t mschap but the wrapper or binary doesn't


radclient -v   ?

which radtest
then cat the resulting file.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

 FreeRADIUS server Version: 2.1.1-7.16.1
 also installed freeradius-server-libs and utils
 FreeRADIUS server and libs and utils was installed via Yast.
 radius:/etc # radclient -v
 radclient: $Id$ built on Jan 22 2013 at 23:55:37
 #
 # Version:  $Id$
 #
 prefix=/usr
 exec_prefix=/usr
 bindir=/usr/bin
 usage() {
 echo "Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2

yes. that's your problem. OLD

the current one says this:

usage() {
echo "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2
echo "  -d RADIUS_DIR   Set radius directory" >&2
echo "  -t <type>       Set authentication method" >&2
echo "                  type can be pap, chap, mschap, or eap-md5" >&2
echo "  -x              Enable debug output" >&2

etc etc etc


note, the tool has OPTIONS. yours doesn't. and because yours doesn't, it thinks
-t is the username and mschap is the password and therefore testing 
is the hostname
and you have no such host!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
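The diagnosis above (an old wrapper with no option parsing treats `-t` as the user name and the real user name as the host) is easy to reproduce in a few lines. The following is an added example, not FreeRADIUS code: it models the two usage texts quoted in this thread, parses a radtest-style command line with and without OPTIONS support, and includes the check Alan DeKok suggests (does `radtest -h` actually list `-t`?). The usage strings and the `radtest` command line are reconstructed from the thread; the functions `parse_radtest_argv` and `wrapper_advertises_option` are the example's own.

```python
"""How the radtest wrapper splits its command line, with and without
support for leading OPTIONS.  Added example modelled on the usage text
quoted in the thread; it is not FreeRADIUS code."""
import getopt

# Authentication methods the newer wrapper's usage text lists for -t.
AUTH_TYPES = ("pap", "chap", "mschap", "eap-md5")
# Positional parameters, in the order both usage texts give them.
POSITIONAL = ("user", "passwd", "server", "nas_port", "secret", "ppphint", "nasname")

# Constructed usage texts in the shape of 'radtest -h' output, old and new.
OLD_USAGE = "Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]\n"
NEW_USAGE = (
    "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]\n"
    "  -d RADIUS_DIR       Set radius directory\n"
    "  -t <type>           Set authentication method\n"
    "                      type can be pap, chap, mschap, or eap-md5\n"
    "  -x                  Enable debug output\n"
)


def wrapper_advertises_option(usage_text, flag):
    """True if the wrapper's usage text documents 'flag' (e.g. '-t').
    This is the check from the thread: if 'radtest -h' does not list the
    flag, the installed wrapper does not support it."""
    for line in usage_text.splitlines():
        if line.strip().startswith(flag + " "):
            return True
    return False


def parse_radtest_argv(argv, supports_options):
    """Return the values the wrapper would hand to radclient.

    supports_options=False models the old wrapper: it has no option
    parsing, so every argument is positional and a leading '-t' is taken
    as the user name.  supports_options=True models the newer wrapper,
    which consumes -d/-t/-x first (getopt stops at the first non-option).
    """
    opts = {"type": "pap", "radius_dir": None, "debug": False}
    rest = list(argv)
    if supports_options:
        parsed, rest = getopt.getopt(rest, "d:t:x")
        for flag, value in parsed:
            if flag == "-t":
                if value not in AUTH_TYPES:
                    raise ValueError("unknown auth type %r" % value)
                opts["type"] = value
            elif flag == "-d":
                opts["radius_dir"] = value
            elif flag == "-x":
                opts["debug"] = True
    if len(rest) < 5:
        raise ValueError("need user passwd radius-server[:port] nas-port secret")
    fields = dict(zip(POSITIONAL, rest[: len(POSITIONAL)]))
    # radius-server[:port]: the host part is what radclient resolves, so a
    # mis-parsed command line surfaces as a DNS failure on that value
    # ("Failed to find IP address for host testing").
    host, _, port = fields["server"].partition(":")
    fields["server"] = host
    fields["port"] = int(port) if port else 1812
    fields.update(opts)
    return fields


if __name__ == "__main__":
    cmdline = ["-t", "mschap", "testing", "passme", "127.0.0.1", "0", "testing123456"]
    print("old wrapper:", parse_radtest_argv(cmdline, supports_options=False))
    print("new wrapper:", parse_radtest_argv(cmdline, supports_options=True))
```

Run against the command line from the thread, the old-wrapper branch returns `user='-t'`, `passwd='mschap'` and `server='testing'`, which is exactly the host name radclient then fails to resolve; the new-wrapper branch returns `type='mschap'`, `user='testing'`, `server='127.0.0.1'`. The `server` split on `:` is the plain `host[:port]` form the usage text gives and does not handle bracketed IPv6 literals.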


Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
 FreeRADIUS  server Version: 2.1.1-7.16.1 
 also installed freeradius-server-libs and utils

  Why?  That version is SEVEN YEARS old.

  Upgrade.  Really.

  And you're using a version of radclient which doesn't support mschap.
 So... why are you trying to use mschap?

  We presume that you're running a recent version of the server.  Also,
that you read the documentation which comes with the server.  If
radtest -h doesn't say it supports the -t parameter, then it doesn't
support the -t parameter.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[Help] radtest mschap problem

2013-04-25 Thread Andres
Hello All,

I'm trying to test mschap with radtest but it gives me strange error
message.
I've tried to solve it several days, but had no success.

I'm using syntax like that:

$ radtest -t mschap user password 127.0.0.1 0 secret

radclient : Failed to find IP address for host user: Success


radclient: $Id$ built on Jan 22 2013 at 23:55:37
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
2013

host file looks fine

I would appreciate it if someone can help me
,

Andres
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hello All,

We are using EAP-MSCHAPV2 for authentication with LDAP and using version
2.2.0. So actually who control the session validity for how long the client
will be authenticate after connecting to the wireless AP? So for example i
key in my username / password in Windows popup, then how long do i need to
key in the credential again? Is this control by Radius or by the AP or by
the Windows client?

Thanks in advance and sorry for this newbie question :)

-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Alan Buxey
Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie 
you should be able to set session-timeout on the NAS and then override/update 
the value on the RADIUS server depending on your chosen policies...eg for 
particular users/clients etc...and if proxying you may have agreements or 
filtering in place to set/agree the value

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hi Alan,

In which config files do i need to look / edit / add the session timeout in
freeradius?

Thanks
Danny

On Tue, Apr 23, 2013 at 3:11 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

  Controlled by the NAS and/or the RADIUS server depending on NAS settings.
 ie you should be able to set session-timeout on the NAS and then
 override/update the value on the RADIUS server depending on your chosen
 policies...eg for particular users/clients etc...and if proxying you may
 have agreements or filtering in place to set/agree the value

 alan

 --
 This smartphone uses free WiFi around the world with eduroam, now that's
 what I call smart.




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

In which config files do i need to look / edit / add the session timeout
in freeradius?

that would depend on how your configuration is done and what options and methods
you are using. 'users' file is basic way, SQL tables are another, unlang is yet
another way...eg

update reply {
Session-Timeout := 7200
}

stick this into the post-auth section of raddb/sites-available/default (if thats
your virtual server in use)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks Alan, let me try that. So i can apply this only if the Wireless AP
is sending packet with Session-Timeout too right? I don't see this setting
in Meraki Wireless AP.

I'm using ldap and all the authentication just simple username / password
from ldap. Is the the exact syntax to apply with?

or we should use update reply-message{
Session-Timeout : = 7200
}

Thanks in advance
Danny

On Tue, Apr 23, 2013 at 8:55 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 In which config files do i need to look / edit / add the session
 timeout
 in freeradius?

 that would depend on how your configuration is done and what options and
 methods
 you are using. 'users' file is basic way, SQL tables are another, unlang
 is yet
 another way...eg

 update reply {
 Session-Timeout := 7200
 }

 stick this into the post-auth section of raddb/sites-available/default (if
 thats
 your virtual server in use)

 alan




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

Thanks Alan, let me try that. So i can apply this only if the Wireless AP
is sending packet with Session-Timeout too right? I don't see this setting
in Meraki Wireless AP.

as i said, depends on your settings and what the NAS is willing to take from 
the 
RADIUS server - you'll have to try it and see - or contact your vendor for
technical advice/support.

I'm using ldap and all the authentication just simple username / password
from ldap. Is the the exact syntax to apply with?

?? this is just authentication - how you apply policy is a different issue

or we should use update reply-message{
Session-Timeout : = 7200
}

??  you could try making things up. but it won't get you anywhere.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks again Alex, i will try your syntax.

Thanks
Danny

On Tue, Apr 23, 2013 at 9:25 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 Thanks Alan, let me try that. So i can apply this only if the
 Wireless AP
 is sending packet with Session-Timeout too right? I don't see this
 setting
 in Meraki Wireless AP.

 as i said, depends on your settings and what the NAS is willing to take
 from the
 RADIUS server - you'll have to try it and see - or contact your vendor for
 technical advice/support.

 I'm using ldap and all the authentication just simple username /
 password
 from ldap. Is the the exact syntax to apply with?

 ?? this is just authentication - how you apply policy is a different issue

 or we should use update reply-message{
 Session-Timeout : = 7200
 }

 ??  you could try making things up. but it won't get you anywhere.

 alan




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,
Thanks again Alex, i will try your syntax.

do you deliberately change words?

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hi,

What do you mean? Sorry, I think you might have misunderstood my previous 2
messages. I meant to ask what the correct syntax for update reply is.

Is it exactly like what you said in previous email or else :
update reply {
Session-Timeout : = 7200
}

I will search the documentation again for my question and apply it inside
Post Auth. Sorry for not searching the documentation before asking, i was
trying to find a quick solution :)

Thanks
Danny
On Tue, Apr 23, 2013 at 11:08 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 Thanks again Alex, i will try your syntax.

 do you deliberately change words?

 alan




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

What you mean? 

see bottom of email

Is it exactly like what you said in previous email or else :
update reply {
Session-Timeout : = 7200
}

no, it's exactly like I typed. if you add spaces like you have then the server 
won't like it

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Matthew Newton
Hi Danny,

On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
 What do you mean? Sorry, I think you might have misunderstood my previous 2
 messages. I meant to ask what the correct syntax for update reply is.
 
 Is it exactly like what you said in previous email or else :
 update reply {
 Session-Timeout : = 7200
 }

It should be:

post-auth {

  update reply {
Session-Timeout := 7200
  }

}

(e.g. no space between : and =)

HTH,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks all.

-Danny

On Tue, Apr 23, 2013 at 11:59 PM, Matthew Newton m...@leicester.ac.ukwrote:

 Hi Danny,

 On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
  What do you mean? Sorry, I think you might have misunderstood my previous 2
  messages. I meant to ask what the correct syntax for update reply is.
 
  Is it exactly like what you said in previous email or else :
  update reply {
  Session-Timeout : = 7200
  }

 It should be:

 post-auth {

   update reply {
 Session-Timeout := 7200
   }

 }

 (e.g. no space between : and =)

 HTH,

 Matthew


 --
 Matthew Newton, Ph.D. m...@le.ac.uk

 Systems Specialist, Infrastructure Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_passwd help

2013-04-17 Thread Matthew Newton
Hi,

Good you got it working. Just as a couple of points:

On Wed, Apr 17, 2013 at 02:16:25PM +1000, David Brodrick wrote:
 I got there. I added authtype = PAP to the passwd module

There's no such option, so this is irrelevant.

 configuration and then DEFAULT Auth-Type = PAP to users.

You /shouldn't/ need to do this - FR will generally work this out
by itself - just make sure 'passwd' is above 'pap' in authorize.
Setting this might cause you problems in the future. 

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_passwd help

2013-04-17 Thread David Brodrick
Quite right! Thanks for simplifying this for me Matthew.

Cheers,
 Dave


Matthew Newton wrote:

 Hi,

 Good you got it working. Just as a couple of points:

 On Wed, Apr 17, 2013 at 02:16:25PM +1000, David Brodrick wrote:
  I got there. I added authtype = PAP to the passwd module

 There's no such option, so this is irrelevant.

  configuration and then DEFAULT Auth-Type = PAP to users.

 You /shouldn't/ need to do this - FR will generally work this out
 by itself - just make sure 'passwd' is above 'pap' in authorize.
 Setting this might cause you problems in the future.

 Cheers,

 Matthew

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_passwd help

2013-04-16 Thread David Brodrick

Hi,
We're experimenting with freeradius for authenticating users in a custom 
application. It was straightforward to get this authenticating against 
the OS:


DEFAULT  Auth-Type = System

But what we want to do is maintain a list of usernames and crypt 
passwords in an external file, separate to the operating system users. 
The rlm_passwd module should do what we want but I'm having some trouble 
getting it to work.


In the radiusd.conf modules section I have:

    passwd our_passwd {
        filename = /tmp/testpwd
        format = "*User-Name:Crypt-Password"
        hashsize = 100
        ignorenislike = no
        allowmultiplekeys = no
    }

In sites-enabled/default I added our_passwd to the authorize section.

I think that part is essentially working and on my random walks running 
freeradius -X it looks like it is reading our passwd file okay. The 
thing I do not understand is what to put as the Auth-Type in the users 
file in order to authenticate against our file rather than against the OS?


Any advice would be greatly appreciated.
Thanks,
 Dave

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_passwd help

2013-04-16 Thread David Brodrick

Hi,
I got there. I added authtype = PAP to the passwd module configuration 
and then DEFAULT Auth-Type = PAP to users.


I had tried this earlier but there was a trailing delimiter in the local 
password file which wasn't in the format and this seems to have caused 
the password verification to fail which threw me off.

Regards,
 Dave


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
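The two messages above describe the rlm_passwd `format` string (`*User-Name:Crypt-Password`, where `*` marks the key field) and the failure Dave ran into: a trailing delimiter in the password file that the format did not declare, which made verification fail without an obvious error. The following is an added example, not rlm_passwd's own code: it reads a file of that shape according to a format string and reports, rather than silently loads, any line whose field count does not match the format. The sample file and its hash values are constructed placeholders, and `parse_format` / `parse_passwd_file` are the example's own names; only the `*` key prefix is modelled.

```python
"""Reader for an rlm_passwd style file driven by a 'format' string, written
to show the failure mode in the thread: a trailing delimiter in the file
that the format does not declare.  Added example; not the module's code."""


def parse_format(fmt, delimiter=":"):
    """Split a format such as '*User-Name:Crypt-Password' into attribute
    names.  A leading '*' marks the key field (the one looked up by
    User-Name); other prefixes the real module accepts are not modelled.
    Returns (names, key_index)."""
    names, key_index = [], None
    for i, raw in enumerate(fmt.split(delimiter)):
        if raw.startswith("*"):
            if key_index is not None:
                raise ValueError("format declares more than one key field")
            key_index = i
            raw = raw[1:]
        if not raw:
            raise ValueError("empty field name in format %r" % fmt)
        names.append(raw)
    if key_index is None:
        raise ValueError("format %r has no '*' key field" % fmt)
    return names, key_index


def parse_passwd_file(text, fmt, delimiter=":"):
    """Return ({key: {attr: value}}, [(lineno, problem)]).

    A line whose field count differs from the format is reported instead
    of loaded: that is exactly what a stray trailing delimiter produces,
    and a credential loaded from such a line would never verify.
    """
    names, key_index = parse_format(fmt, delimiter)
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(delimiter)
        if len(fields) != len(names):
            problems.append((lineno, "expected %d fields, got %d" % (len(names), len(fields))))
            continue
        key = fields[key_index]
        if key in entries:
            problems.append((lineno, "duplicate key %r" % key))
            continue
        entries[key] = dict(zip(names, fields))
    return entries, problems


# Constructed sample file; the hashes are placeholders, not real credentials.
# The 'bob' line carries the trailing ':' that bit the original poster.
SAMPLE_FILE = """\
# user:crypt
alice:$6$constructedsalt$CONSTRUCTEDHASHVALUE
bob:$6$constructedsalt$CONSTRUCTEDHASHVALUE:
"""
SAMPLE_FORMAT = "*User-Name:Crypt-Password"

if __name__ == "__main__":
    entries, problems = parse_passwd_file(SAMPLE_FILE, SAMPLE_FORMAT)
    print("loaded:", sorted(entries))
    print("problems:", problems)
```

With the sample input, `alice` is loaded with her `Crypt-Password` and `bob` is reported as `(3, 'expected 2 fields, got 3')`. Running a check like this over the file before pointing the module at it turns a silent authentication failure into a line number.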


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Jouni Malinen
On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an 
 EAP-Notification and send it after the EAP-Success or EAP-Failure.

This is not compliant with the EAP specification (EAP-Notification
needs to be sent prior to completion of an EAP authentication method).
Sending it after EAP-Success or EAP-Failure would look like an attempt
to initiate another authentication exchange.

 It may be possible to send it before the EAP-Success/EAP-Failure message for 
 some EAP methods, but chances are not all supplicants will like it, and most 
 probably won't display anything.

EAP-Notification is not really supported in general and even the
specification does not really require displaying anything from this
message to the user.. There is also no way of authenticating this
information, so this would not be ideal for authorization failures.

- Jouni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Arran Cudbard-Bell

On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:

 On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an 
 EAP-Notification and send it after the EAP-Success or EAP-Failure.
 
 This is not compliant with the EAP specification (EAP-Notification
 needs to be sent prior to completion of an EAP authentication method).
 Sending it after EAP-Success or EAP-Failure would look like an attempt
 to initiate another authentication exchange.

Their 802.1X implementation was pre RFC3579. In newer firmware releases this 
has been fixed.

 It may be possible to send it before the EAP-Success/EAP-Failure message for 
 some EAP methods, but chances are not all supplicants will like it, and most 
 probably won't display anything.
 
 EAP-Notification is not really supported in general and even the
 specification does not really require displaying anything from this
 message to the user.. There is also no way of authenticating this
 information, so this would not be ideal for authorization failures.

Agreed. But in the absence of a standards solution it might be interesting to 
experiment and see how supplicants respond to this.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread David Mitton

Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:

 On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:

  On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
  a.cudba...@freeradius.org wrote:
   The old HP switches used to convert the Reply-Message into an
   EAP-Notification and send it after the EAP-Success or EAP-Failure.

  This is not compliant with the EAP specification (EAP-Notification
  needs to be sent prior to completion of an EAP authentication method).
  Sending it after EAP-Success or EAP-Failure would look like an attempt
  to initiate another authentication exchange.

 Their 802.1X implementation was pre RFC3579. In newer firmware
 releases this has been fixed.

  It may be possible to send it before the EAP-Success/EAP-Failure
  message for some EAP methods, but chances are not all supplicants
  will like it, and most probably won't display anything.

  EAP-Notification is not really supported in general and even the
  specification does not really require displaying anything from this
  message to the user.. There is also no way of authenticating this
  information, so this would not be ideal for authorization failures.

 Agreed. But in the absence of a standards solution it might be
 interesting to experiment and see how supplicants respond to this.

My RSA Windows EAP module sends EAP Notification messages under 4
different error circumstances. These are typically retry-able input
problems. It was the default until the boffins that took over EAP for
Windows 7 broke their code. XP and Vista worked fine, they took the
request and responded with a blank response. No user visible message
resulted. Win7 didn't respond at all, which caused the protocol to
break. They patched it when I pointed out the problem. But I flipped
off the default, don't know if/when that was released. There is a
registry key that controls it.

Dave.

 -Arran



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Arran Cudbard-Bell

On 21 Mar 2013, at 15:56, David Mitton da...@mitton.com wrote:

 Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:
 
 
 On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:
 
 On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an  
 EAP-Notification and send it after the EAP-Success or EAP-Failure.
 
 This is not compliant with the EAP specification (EAP-Notification
 needs to be sent prior to completion of an EAP authentication method).
 Sending it after EAP-Success or EAP-Failure would look like an attempt
 to initiate another authentication exchange.
 
 Their 802.1X implementation was pre RFC3579. In newer firmware  releases 
 this has been fixed.
 
 It may be possible to send it before the EAP-Success/EAP-Failure  message 
 for some EAP methods, but chances are not all supplicants  will like it, 
 and most probably won't display anything.
 
 EAP-Notification is not really supported in general and even the
 specification does not really require displaying anything from this
 message to the user.. There is also no way of authenticating this
 information, so this would not be ideal for authorization failures.
 
 Agreed. But in the absence of a standards solution it might be  interesting 
 to experiment and see how supplicants respond to this.
 
 
 My RSA Windows EAP module sends EAP Notification messages under 4 different 
 error circumstances.   These are typically retry-able input problems. It was 
 the default until the boffins that took over EAP for Windows 7 broke their 
 code.   XP and Vista worked fine, they took the request and responded with a 
 blank response.  No user visible message resulted.  Win7 didn't respond at 
 all, which caused the protocol to break.  They patched it when I pointed out 
 the problem.  But I flipped off the default, don't know if/when that was 
 released.  There is a registry key that controls it.

Interesting. OSX does a similar thing, but it logs the notification, which can 
be very helpful if you're on the helpdesk and trying to diagnose issues.

I wonder if Windows also does the silent logging.

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Danny Kurniawan
Hi All,

So i have been able to authenticate my wireless user using 802.1x + LDAP +
MAC address (using the Calling-Station-Id attribute). So now for example when
user A have MAC 11:22:33 but tried to login using another device there will
be a pop up window when they try to connect - just a plain error popup
saying Unable to connect. Is there any way we can customize this error
from radius? or should be from the wireless AP?

So below is the unlang code that i use to check whether the user have a set
of MAC address in their ldap profile or not
if (!control:Calling-Station-Id) {
    reject
}

Is it possible to have that reject command return some code that the Windows
client can understand, like "No MAC address", etc.?

Thanks in advance
Danny

-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Olivier Beytrison
On 18.03.2013 16:48, Danny Kurniawan wrote:
 Hi All,
 
 So I have been able to authenticate my wireless users using 802.1X + LDAP
 + MAC address (using the Calling-Station-Id attribute). So now, for example,
 when user A has MAC 11:22:33 but tries to log in using another device,
 there will be a pop-up window when they try to connect - just a plain
 error popup saying "Unable to connect". Is there any way we can
 customize this error from RADIUS? Or should it be done from the wireless AP?
 
 So below is the unlang code that I use to check whether the user has a
 set of MAC addresses in their LDAP profile or not:

     if (!control:Calling-Station-Id) {
         reject
     }
 
 Is it possible to have that reject command return some code that the Windows
 client can understand, like "No MAC address", etc.?
 
 Thanks in advance
 Danny

You could send back a Reply-Message.

But it is forbidden if you are doing EAP.

And anyway, Micro$oft is not paying attention to it and will disregard it.

So no, you can't send a message to the user.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread A . L . M . Buxey
hi,

we would all love to be able to send a relevant error message to our
clients if they fail to authenticate (either locally or remotely).
but we can't. :-(

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Danny Kurniawan
Thanks a lot :)

Well, I guess we just have to live with it :)

-Danny

On Tue, Mar 19, 2013 at 12:07 AM, a.l.m.bu...@lboro.ac.uk wrote:

 hi,

 we would all love to be able to send a relevant error message to our
 clients if they fail to authenticate (either locally or remotely).
 but we can't. :-(

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Arran Cudbard-Bell

On 18 Mar 2013, at 12:07, a.l.m.bu...@lboro.ac.uk wrote:

 hi,
 
 we would all love to be able to send a relevant error message to our
 clients if they fail to authenticate (either locally or remotely).
 but we can't. :-(

The old HP switches used to convert the Reply-Message into an EAP-Notification 
and send it after the EAP-Success or EAP-Failure.

The native OSX supplicant used to log this even though it never displayed it to 
the user.
The Windows supplicant ignored it completely.
wpa_supplicant restarted authentication and went into an infinite 
authentication loop.

It may be possible to send it before the EAP-Success/EAP-Failure message for 
some EAP methods, but chances are not all supplicants will like it, and most 
probably won't display anything.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
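Both points made above (Olivier's, that a Reply-Message is not allowed in a reply that carries EAP, and Arran's, that NASes and supplicants handle such text inconsistently or break on it) are easy to check for on the wire. What follows is an added example, not code from the thread or from FreeRADIUS: a small Python linter that parses a RADIUS reply, flags a Reply-Message sitting next to an EAP-Message, and builds and verifies the Message-Authenticator that RFC 3579 requires on every packet carrying EAP-Message (a NAS silently discards an EAP reply whose Message-Authenticator is missing or wrong, so a wrong shared secret also means the supplicant never sees even the EAP-Failure). The shared secret, Request Authenticator and packets below are constructed test data.

```python
"""Added example (not from the thread and not FreeRADIUS code): lint a RADIUS
reply for the EAP-over-RADIUS rules discussed above, and build/verify the
Message-Authenticator that RFC 3579 requires on every packet carrying
EAP-Message. The shared secret, Request Authenticator and packets are
constructed test data."""
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865 / RFC 2869.
REPLY_MESSAGE = 18
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    Length fields are validated instead of trusted: a bad AVP length is the
    classic way to make a naive RADIUS parser read past the buffer.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_reply(code, ident, request_auth, secret, attrs):
    """Build an Access-Accept/Reject/Challenge with a valid Message-Authenticator.

    RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, packet), computed
    with the Request Authenticator of the Access-Request in the authenticator
    field and the Message-Authenticator value zeroed. The Response
    Authenticator (RFC 2865) is then computed over the finished packet.
    """
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    pkt = pkt[:-16] + mac                      # Message-Authenticator is the last attribute
    resp_auth = hashlib.md5(pkt + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the reply's Message-Authenticator and compare in constant time."""
    _, _, _, attrs = parse_radius(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(
        bytes([t, 2 + len(v)]) + (bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
        for t, v in attrs)
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def lint_eap_reply(packet):
    """Return (code name, [problems]) for the rules raised in the thread."""
    code, _, _, attrs = parse_radius(packet)
    types = {t for t, _ in attrs}
    problems = []
    if EAP_MESSAGE in types:
        if REPLY_MESSAGE in types:
            problems.append("Reply-Message alongside EAP-Message: forbidden by RFC 3579, "
                            "and supplicants do not display it anyway")
        if MESSAGE_AUTHENTICATOR not in types:
            problems.append("EAP-Message without Message-Authenticator: required by RFC 3579")
    return CODE_NAMES.get(code, "code %d" % code), problems


# Constructed sample data.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
EAP_FAILURE = bytes([4, 7, 0, 4])      # EAP Failure, identifier 7, length 4

# The reject Danny's policy would produce if a Reply-Message were added to it...
BAD_REJECT = build_reply(3, 7, REQUEST_AUTH, SECRET,
                         [(EAP_MESSAGE, EAP_FAILURE),
                          (REPLY_MESSAGE, b"No MAC address registered")])
# ...and the conformant one: the explanatory text can only go to the server's log.
GOOD_REJECT = build_reply(3, 7, REQUEST_AUTH, SECRET, [(EAP_MESSAGE, EAP_FAILURE)])

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_REJECT), ("good", GOOD_REJECT)):
        code, problems = lint_eap_reply(pkt)
        ok = verify_message_authenticator(pkt, REQUEST_AUTH, SECRET)
        print(name, code, problems or "ok", "MA valid" if ok else "MA INVALID")
```

Feed it the raw bytes of a captured Access-Reject to see whether a server really attaches a Reply-Message to an EAP reject; the text of the reason belongs in the RADIUS server's own debug log (radiusd -X), which is the only place it will be read.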


Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-13 Thread Danny Kurniawan
Hi All,

I already found a way to configure it. Thanks a lot.

http://wiki.freeradius.org/guide/Mac-Auth#Note

Thanks
Danny

On Wed, Mar 13, 2013 at 10:14 AM, Danny Kurniawan 
danny.kurnia...@fairchildsemi.com wrote:

 Sorry for this beginner question. I have read man rlm_passwd but
 don't see an example of how to add the MAC address.

 Can some of you show me an example of it? I assume it's as simple as
 keying in the MAC address into some file in the RADIUS conf file or something?

 Thanks
 Danny

 On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan 
 danny.kurnia...@fairchildsemi.com wrote:

 Noted. I guess using the AP to do the MAC filtering is the best option
 for me.

 On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.comwrote:

 Danny Kurniawan wrote:
  Does that mean we have to manually add the client MACs into RADIUS one
  by one?

   You need *some* method to separate known devices from unknown ones.

   How you do it is up to you.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Best Regards,
 Danny




 --
 Best Regards,
 Danny




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread A . L . M . Buxey
Hi,
Does that mean we have to manually add the client MACs into RADIUS one by
one?

Well, you want to restrict it to known devices... so ONE way is to add the
allowed MACs to a DB - they could be added to some other lookup table.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Phil Mayers

On 03/12/2013 01:46 AM, Danny Kurniawan wrote:

Does that mean we have to manually add the client MACs into RADIUS one
by one?


RADIUS can only act on RADIUS attributes. There's no RADIUS attribute 
that says:


 Device-Type = "Boss's iPad"

Most NASes send username and network address of the client (MAC or IP) 
and that's about it for optional (non-authentication) stuff.


In other words, RADIUS can't differentiate devices - *you* have to do 
that, by supplying data and policy.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Alan DeKok
Danny Kurniawan wrote:
 Does that mean we have to manually add the client MACs into RADIUS one
 by one?

  You need *some* method to separate known devices from unknown ones.

  How you do it is up to you.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Danny Kurniawan
Noted. I guess using the AP to do the MAC filtering is the best option for
me.

On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.comwrote:

 Danny Kurniawan wrote:
  Does that mean we have to manually add the client MACs into RADIUS one
  by one?

   You need *some* method to separate known devices from unknown ones.

   How you do it is up to you.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Danny Kurniawan
Sorry for this beginner question. I have read man rlm_passwd but don't
see an example of how to add the MAC address.

Can some of you show me an example of it? I assume it's as simple as
keying in the MAC address into some file in the RADIUS conf file or something?

Thanks
Danny

On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan 
danny.kurnia...@fairchildsemi.com wrote:

 Noted. I guess using the AP to do the MAC filtering is the best option
 for me.

 On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok al...@deployingradius.comwrote:

 Danny Kurniawan wrote:
  Does that mean we have to manually add the client MACs into RADIUS one
  by one?

   You need *some* method to separate known devices from unknown ones.

   How you do it is up to you.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Best Regards,
 Danny




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-11 Thread Danny Kurniawan
Does that mean we have to manually add the client MACs into RADIUS one by
one?

-Danny

On Fri, Mar 8, 2013 at 11:00 PM, Alan DeKok al...@deployingradius.comwrote:

 Danny Kurniawan wrote:
  We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to
  eDir LDAP. Everything works just fine. Now my company wants to explore
  whether we are able to restrict devices, so that only company devices can
  connect to our WiFi SSID. Is that possible using RADIUS? Like using certs,
  etc.? Or does it have to be done from the AP end?

   The simplest way is via MAC address filtering.  Allow known MACs,
 disallow all others.  See man rlm_passwd for examples.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[Help] Is there a way to differentiate devices using Radius?

2013-03-08 Thread Danny Kurniawan
Hi All,

We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to
eDir LDAP. Everything works just fine. Now my company wants to explore
whether we are able to restrict devices, so that only company devices can
connect to our WiFi SSID. Is that possible using RADIUS? Like using certs,
etc.? Or does it have to be done from the AP end?

Thanks
Danny

-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-08 Thread Alan DeKok
Danny Kurniawan wrote:
 We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to
 eDir LDAP. Everything works just fine. Now my company wants to explore
 whether we are able to restrict devices, so that only company devices can
 connect to our WiFi SSID. Is that possible using RADIUS? Like using certs,
 etc.? Or does it have to be done from the AP end?

  The simplest way is via MAC address filtering.  Allow known MACs,
disallow all others.  See man rlm_passwd for examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
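Alan's suggestion (allow known MACs, disallow all others) and Danny's per-user check earlier in this thread (reject when no Calling-Station-Id check item was loaded for the user) come down to the same decision, and the part that bites in practice is that NAS vendors format Calling-Station-Id differently. As an added example, not code from the thread or from FreeRADIUS itself, here is that decision in Python with the normalization FreeRADIUS's rewrite_calling_station_id policy performs (lower-case, hyphen separated); the per-user allow-list and the request values are constructed, standing in for what the user's LDAP profile or an rlm_passwd file would supply.

```python
"""Added example (not from the thread and not FreeRADIUS code): the device
allow-list decision discussed above as a stand-alone policy function, with the
MAC normalization that makes it reliable across NAS vendors. The per-user
allow-list and the request values below are constructed test data."""
import re

_PAIR = r"([0-9A-Fa-f]{2})"
# NASes send Calling-Station-Id as 00:11:22:33:44:55, 00-11-22-33-44-55,
# 0011.2233.4455 or 001122334455, in either case. Compare normalized values,
# or an allow-list entry silently fails to match for one vendor's format.
_MAC_RE = re.compile("^" + r"[:\-.]?".join([_PAIR] * 6) + "$")


def normalize_mac(value):
    """Return the MAC as lower-case, hyphen separated (the form FreeRADIUS's
    rewrite_calling_station_id policy produces), or None if it is not a MAC."""
    if not value:
        return None
    m = _MAC_RE.match(value.strip())
    return "-".join(g.lower() for g in m.groups()) if m else None


def decide(username, calling_station_id, allowed_macs):
    """Mirror of the policy in the thread: reject when the user has no
    registered device, reject when the presenting device is not one of theirs,
    accept otherwise. Returns (verdict, reason); the reason is for the RADIUS
    server's own log, since nothing descriptive reaches the supplicant."""
    registered = {normalize_mac(m) for m in allowed_macs.get(username, ())} - {None}
    if not registered:
        return "reject", "no device registered for %s" % username
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject", "Calling-Station-Id missing or not a MAC address"
    if mac not in registered:
        return "reject", "device %s is not registered for %s" % (mac, username)
    return "accept", "device %s is registered for %s" % (mac, username)


# Constructed allow-list keyed by User-Name, as an LDAP profile might hold it.
ALLOWED = {
    "danny": ["00:11:22:33:44:55", "0011.2233.aabb"],
    "alice": ["AA-BB-CC-DD-EE-FF"],
    "bob": [],                      # account exists, no device registered
}

if __name__ == "__main__":
    for user, csid in [("danny", "00-11-22-33-44-55"), ("danny", "0011.2233.AABB"),
                       ("alice", "00:11:22:33:44:55"), ("bob", "00:11:22:33:44:55"),
                       ("danny", None)]:
        print(user, csid, "->", decide(user, csid, ALLOWED))
```

The third case in the usage loop is exactly Danny's scenario: a device registered to one user presented with another user's credentials is rejected, and the reason string goes to the server log; as the other thread on this page shows, nothing descriptive can be shown to the supplicant when EAP is in use.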


Re: Help

2013-03-06 Thread Yann Fouillat
On 03/06/2013 09:23 AM, Jed Gainer wrote:

 Help



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-06 Thread Alan Buxey

2. Check fig.9 and fig-10 .. looks like there is an option to cache user
information and to 'not prompt user to ...' that I think (cmiiw) will give
proper solution.

It will stop pop-ups for future connections but not remove pop-ups for the initial
connection... which is what the requester wants.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help

2013-03-06 Thread Arran Cudbard-Bell

On 6 Mar 2013, at 03:23, Jed Gainer jedgai...@gmail.com wrote:

 Help

Die potatoe!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help

2013-03-06 Thread Arran Cudbard-Bell

On 6 Mar 2013, at 09:44, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 6 Mar 2013, at 03:23, Jed Gainer jedgai...@gmail.com wrote:
 
 Help
 
 Die potatoe!

*potato
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread A . L . M . Buxey
Hi,

How can I do that? We are using a cert from GlobalSign and we already
have a root CA on our laptops, but we still need to choose at that Terminate /
Connect popup. It doesn't matter if we need to change our cert, etc., but
we just want to eliminate that popup :)

It's down to the OS and trust settings. The client needs to be configured. If you
use a deployment tool then this error can be removed.

Likewise, if in e.g. AD, you can have a group policy deployed to do the same.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread A . L . M . Buxey
Hi,

 Check https://supportforums.cisco.com/docs/DOC-17544

How many 'how to configure PEAP' documents does the world need? This one
has fewer issues than others but still has ambiguity... and this guide
also contains exactly the same security prompt that the requester DOESN'T
want ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers

On 03/05/2013 01:58 AM, Danny Kurniawan wrote:

Hello,

We are using an 802.1X wireless connection from Meraki and using
PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine,
it's just that we want to eliminate this pop-up the first time people connect
to it:

How can I do that? We are using a cert from GlobalSign and we already


You have only a few choices:

 1. Use a program such as su1x, ExpressConnect or similar to
pre-provision the CA trust settings
 2. If the machines are domain members, use group policy to do the same
 3. Deploy a batch file / whatever to use netsh and XML profiles to
do the same - a poor man's version of #1
 4. Live with it.

This is not a RADIUS question; it's an issue of supplicant provisioning, 
which is best asked of your OS vendor.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Danny Kurniawan
Hi All,

Thanks for all your replies. Yes, I do understand the solution is to deploy
the network profile, but I was just curious at first, in case any of you had an
idea how to eliminate it without touching the client.

*for example, push the profile automatically from the AP, etc.

But now I guess I will have to deploy the netsh command using a script to all PCs,
as they are not joined to AD :)

Thanks
Danny

On Tue, Mar 5, 2013 at 5:28 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 03/05/2013 01:58 AM, Danny Kurniawan wrote:

 Hello,

 We are using an 802.1X wireless connection from Meraki and using
 PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine,
 it's just that we want to eliminate this pop-up the first time people connect
 to it:

 How can I do that? We are using a cert from GlobalSign and we already


 You have only a few choices:

  1. Use a program such as su1x, ExpressConnect or similar to pre-provision
 the CA trust settings
  2. If the machines are domain members, use group policy to do the same
  3. Deploy a batch file / whatever to use netsh and XML profiles to do
 the same - a poor man's version of #1
  4. Live with it.

 This is not a RADIUS question; it's an issue of supplicant provisioning,
 which is best asked of your OS vendor.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers

On 05/03/13 09:56, Danny Kurniawan wrote:

Hi All,

Thanks for all your replies. Yes, I do understand the solution is to deploy
the network profile, but I was just curious at first, in case any of you had
an idea how to eliminate it without touching the client.


You can't. It's impossible by design - allowing the AP to push CA trust 
settings would be a security hole.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

