Re: Connecting the dots.
Lance Haig wrote:
> I posted my debug output to the list in another mail but I will add it to
> the end of this mail so the two are on the same page as it were.

  What you posted earlier was a *tiny* portion of the debug output.  And the email I'm replying to contains no debug output.

> The documentation does not match the current config file structure and so it
> is very difficult for anyone to follow. Your insinuation that I am being
> lazy by asking a list for answers would be valid if that was the case.

  The config file structure has changed *only* in layout on the disk.  The files are still included into radiusd.conf.  i.e. the config from 1.x will very likely work with 2.x.

> I do realise you have had to answer many questions on this subject but I
> would recommend a review of the docs to make sure it is easier to follow for
> people then your argument would be valid.

  Sure.  Send a patch to update the documentation.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Connecting the dots.
Hi,

> would recommend a review of the docs to make sure it is easier to follow for
> people then your argument would be valid.

personally I found the docs weak when I first started with FreeRADIUS 0.x - but have since then learnt everything from the actual config files and the man pages (and docs in the tarball itself) - I am horrified that your config was minimised into just one single monolithic config file - that is actually very bad (I would even say, in this case, bad practice) as it makes it very difficult to see the new changes and config options when a new version comes out... if you use the separate modules, virtual servers etc then you can simply DIFF them and get to see the goodies. it also allows you to know what you can enable etc - this is why Apache is moving into separate module files etc themselves. people lose view of the possibilities otherwise.

alan
Re: Connecting the dots.
Hi Alan,

Thanks for the response, mine are inline.

> Well... nothing in the server magically changes its behavior on a
> certain day. *Something* changed.

I agree and I am having a hard time finding what.

> And... what does the debug output say?

I posted my debug output to the list in another mail but I will add it to the end of this mail so the two are on the same page as it were.

> The documentation is pretty clear on this, as are the comments in the
> configuration files. It's more efficient to read them than to ask a
> question on this list, and wait for an answer.

I beg to differ. The documentation does not match the current config file structure and so it is very difficult for anyone to follow. Your insinuation that I am being lazy by asking a list for answers would be valid if that was the case.

I do realise you have had to answer many questions on this subject but I would recommend a review of the docs to make sure it is easier to follow for people, then your argument would be valid.

Please do not take this as a flame, just someone hoping to find out how to use a great tool.

Lance
Re: Connecting the dots.
Lance Haig wrote:
> Thanks for the response. On this particular server we have not run any
> updates to the software stack as it is our policy to only update at regular
> intervals so that we can catch these things.

  Well... nothing in the server magically changes its behavior on a certain day.  *Something* changed.

> As soon as I try to auth using my cisco wireless connection it fails, unable to
> find the realm.

  And... what does the debug output say?

> That is why I was asking how the docs on the site match up to the latest
> conf files. So I can find out where to add the REALM settings so that it
> works.

  The documentation is pretty clear on this, as are the comments in the configuration files.  It's more efficient to read them than to ask a question on this list, and wait for an answer.

  Alan DeKok.
Re: Connecting the dots.
Hi Alan,

Thanks for the response.

We do know about the samba update and it was the first thing I checked when the system broke. We have about 400 ubuntu vm's running on our environment and we have not yet updated our corporate repo with this update as we have not tested it yet.

I checked the winbindd_privileged directory and it has the correct file permissions.

I want to add to my original post to the list that this server was not originally configured by myself and the original person created a monolithic radiusd.conf file with all the settings in the one file; this is making it difficult to match the settings to the docs. Hence my question about how the docs match to the new conf files.

freeradius -X and -Xx have not highlighted anything suspicious that I believe is different to what was being logged there before.

The reason for the new server build is so that I can understand how freeradius works and specifically how it will work with AD as a backend.

I have been able to get the server connecting to AD and authing me against it as per one of my other posts to the list. I am just not sure I have done this correctly as the auth request fails when I try to connect using my laptop. (we mostly have mac's in this office) This is against my new server by the way.

This is what led me to contact the list to see how the docs match the new config as I have seen

=
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187, length=205
	User-Name = "Lance.Haig"
	Calling-Station-Id = "00-26-08-e8-c9-85"
	Called-Station-Id = "00-1b-8f-8a-d8-90:LNH"
	NAS-Port = 13
	NAS-IP-Address = 10.0.210.4
	NAS-Identifier = "FWDWLC"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0207002b19001703010020520cb27842380dee8600973e5967661e03fab0689f23a28f27cb78dce34bfcc5
	State = 0x47419e384246876f90468b6b37412030
	Message-Authenticator = 0x4bb2d4d267947887f5bcb88b9c8dfbb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Lance.Haig", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
==

Which leads me to believe that the REALMS config is not working properly. And I can't find instructions on what to check to make sure this is the case.

Apologies for rambling on a bit.

Lance
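Reading the [suffix] lines in the excerpt above: the user name has no '@', so the suffix module looked for the NULL realm, found none, and returned noop. That is the ordinary path for a name without a realm; the request carries on to local authentication, so whatever rejects it is further down the output than the excerpt shows. Below is an added example, not code from the thread or from FreeRADIUS, that summarises a radiusd -X capture per request so this can be read off the log rather than guessed at. The first packet in its sample input is the one posted above; the second (id=188) is constructed to show a user name that does carry a realm.

```python
"""Added example (not code from the thread): summarise `radiusd -X` output.

For every rad_recv packet, collect the request attributes, each module's return
code (the `++[module] returns rc` lines) and what the suffix (rlm_realm) module
decided, so the realm question can be read off the log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RAD_RECV = re.compile(r"^rad_recv: \S+ packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) = (.*)$")
MOD_RC = re.compile(r"^\+\+\[(\S+)\] returns (\w+)")
NO_AT = re.compile(r"^\[suffix\] No '@' in User-Name = .*, looking up realm NULL")
LOOKUP = re.compile(r'^\[suffix\] Looking up realm "([^"]*)" for User-Name')
FOUND = re.compile(r'^\[suffix\] Found realm "')
NO_SUCH = re.compile(r'^\[suffix\] No such realm "')

# First packet: the excerpt posted in the thread.  Second packet (id=188):
# constructed here to show a user name that does carry a realm.
SAMPLE_DEBUG = """\
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187, length=205
\tUser-Name = "Lance.Haig"
\tNAS-IP-Address = 10.0.210.4
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x0207002b19001703010020520cb27842380dee8600973e5967661e03fab0689f23a28f27cb78dce34bfcc5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Lance.Haig", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] Continuing tunnel setup.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=188, length=96
\tUser-Name = "bob@corp.example"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "corp.example" for User-Name = "bob@corp.example"
[suffix] Found realm "corp.example"
++[suffix] returns updated
"""


@dataclass
class Request:
    nas: str
    pkt_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    module_rcs: List[Tuple[str, str]] = field(default_factory=list)
    realm_requested: Optional[str] = None  # realm the suffix module looked for
    realm_found: Optional[bool] = None     # None if it never reported a result


def parse_debug(text: str) -> List[Request]:
    requests: List[Request] = []
    cur: Optional[Request] = None
    attrs_open = False  # request attributes directly follow the rad_recv line
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            cur = Request(nas=m.group(1), pkt_id=int(m.group(2)))
            requests.append(cur)
            attrs_open = True
            continue
        if cur is None:
            continue  # "Waking up ..." and similar before the first packet
        m = ATTR.match(line)
        if m and attrs_open:
            cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
            continue
        attrs_open = False  # reply attributes later on must not overwrite these
        m = MOD_RC.match(line)
        if m:
            cur.module_rcs.append((m.group(1), m.group(2)))
        elif NO_AT.match(line):
            cur.realm_requested = "NULL"
        elif LOOKUP.match(line):
            cur.realm_requested = LOOKUP.match(line).group(1)
        elif FOUND.match(line):
            cur.realm_found = True
        elif NO_SUCH.match(line):
            cur.realm_found = False
    return requests


def realm_verdict(req: Request) -> str:
    """One line on what the suffix module did with this request."""
    user = req.attrs.get("User-Name", "<no User-Name>")
    rc = dict(req.module_rcs).get("suffix")
    if req.realm_requested is None:
        return f"{user}: suffix module reported no realm lookup"
    if req.realm_found:
        return f"{user}: realm {req.realm_requested!r} found (suffix returned {rc})"
    if req.realm_requested == "NULL":
        return (f"{user}: no '@' and no NULL realm defined; suffix returned {rc} and the "
                "request carries on locally, so the realm lookup is not what rejects it")
    return f"{user}: realm {req.realm_requested!r} is not defined in proxy.conf (suffix returned {rc})"


if __name__ == "__main__":
    for req in parse_debug(SAMPLE_DEBUG):
        print(f"id={req.pkt_id} from {req.nas}: {realm_verdict(req)}")
```

Feed it a whole capture (radiusd -X 2>&1 | tee radius.log) instead of SAMPLE_DEBUG and look at the module return codes for the packet that precedes the Access-Reject; the module that returns reject or fail is the one to read up on, not the suffix module's noop.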
Re: Connecting the dots.
Hi C.J.

Thanks for the tip. We do run our config in Git and it has not changed since it was configured about 2 months ago; this is what is baffling me.

The windows servers were not changed (well that is what the windows admins have informed us)

Thanks

Lance

On 15/09/2010 21:10, "C.J. Adams-Collier KF7BMP" wrote:

> I've found that keeping config file history using RCS or git to be very
> useful. It's saved me a bunch of headache with bind, apache, sendmail and
> freeradius.
>
> If you'd like some tips, I'm happy to oblige either on-list or off,
> depending on whether the regulars consider it OT.
>
> Cheers,
>
> C.J.
Re: Connecting the dots.
Hi Ken,

Thanks for the response. On this particular server we have not run any updates to the software stack as it is our policy to only update at regular intervals so that we can catch these things.

I only sent the e-mail to the list after spending the day in freeradius -X and -Xx to see if I can find out why it is failing.

I wanted to start fresh with a server so I could see at what stage it starts failing. But funnily enough the new server lets me auth against AD using a local query using radtest and a forced auth method of "DEFAULT Auth-Type = ntlm_auth" in the users file.

As soon as I try to auth using my cisco wireless connection it fails, unable to find the realm.

That is why I was asking how the docs on the site match up to the latest conf files. So I can find out where to add the REALM settings so that it works.

We also have 2 AD trees we connect to but once I get the one working the other will be easy.

Thanks for the help

Lance

On 15/09/2010 20:38, "Kenneth Marshall" wrote:

> Many times this is caused by a software update to the system.
> To figure out where the problem lies, you will need to follow
> the very well documented procedure for debugging freeradius
> if you do not have logs of what was updated on the system so
> you can rollback the update(s).
>
> Cheers,
> Ken
Re: Connecting the dots.
Hi,

> We have implemented a freeradius server on ubuntu 10.04 connecting to AD on
> windows 2003 to allow our users to auth against for wireless access.
>
> This morning it all broke. And we don't know why.

okay. a not so wild stab in the dark. yesterday or the day before a SAMBA security issue was highlighted; my guess is that the Ubuntu folk have released an update for this - which meant that a new version of SAMBA was put onto your system. this new version has most likely blatted the settings on your winbindd_privileged directory (use eg 'locate' on your system to find its location... usually somewhere like /var/cache/samba/ or /var/lib/samba)

that dir (winbindd_privileged) needs to be group owned by the process which radiusd runs as, usually radiusd

another thing you can do is to actually see what's breaking. just run the FreeRADIUS daemon in debug mode

radiusd -X

yes, there's a hell of a lot of output. a lot of it can be just skimmed... it all starts to make sense when you get used to it. but run it in that mode... capturing the output (even just by setting your terminal scroll buffer to eg 5000 lines, then select all, copy and paste into an editor if needs be) when a few clients try connecting. then read through whilst having a coffee. it should be quite clear what's gone wrong.

> So I started looking to build a new server to fault find.

you really really don't need to do that

alan
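The winbindd_privileged check alan describes, as an added example that is not from the thread or from either project. ntlm_auth, started by FreeRADIUS, reaches winbindd through a socket in that directory, so the directory must be group-owned by the group radiusd runs as (or by a group the radiusd user is a member of; on Debian-derived systems the packaged winbind makes it group winbindd_priv, an assumption about the packaging worth confirming with ls -ld) and that group needs the search bit. The candidate paths and the default group name freerad (what the Ubuntu package runs the server as; other distributions use radiusd) are assumptions.

```python
"""Added example (not from the thread): verify the winbindd_privileged directory.

The directory must be group-owned by the group radiusd runs as (or a group the
radiusd user belongs to) and that group must be able to search it, or every AD
authentication through ntlm_auth fails.  Paths and group names are assumptions.
"""
import grp
import os
import pwd
import stat
import sys
from typing import List, Optional

CANDIDATE_DIRS = [  # assumed package locations, checked in this order
    "/var/lib/samba/winbindd_privileged",
    "/var/run/samba/winbindd_privileged",
    "/var/cache/samba/winbindd_privileged",
]


def group_name(gid: int) -> str:
    """Resolve a gid to a name, falling back to the number if it is unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def user_groups(user: str) -> List[str]:
    """Primary plus supplementary group names of a local account ([] if unknown)."""
    try:
        primary = group_name(pwd.getpwnam(user).pw_gid)
    except KeyError:
        return []
    return [primary] + [g.gr_name for g in grp.getgrall() if user in g.gr_mem]


def find_privileged_dir(candidates: List[str] = CANDIDATE_DIRS) -> Optional[str]:
    return next((p for p in candidates if os.path.isdir(p)), None)


def check_privileged_dir(path: str, radiusd_group: str,
                         radiusd_user: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means radiusd can reach the socket."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (is winbind installed and running?)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems: List[str] = []
    mode = stat.filemode(st.st_mode)
    owner_group = group_name(st.st_gid)
    # Either the directory is owned by radiusd's group, or radiusd's user is in the owning group.
    allowed = {radiusd_group} | set(user_groups(radiusd_user) if radiusd_user else [])
    if owner_group not in allowed:
        problems.append(f"{path} is group-owned by {owner_group!r}; radiusd (group "
                        f"{radiusd_group!r}) cannot reach the winbind pipe")
    if not st.st_mode & stat.S_IXGRP:
        problems.append(f"{path} is {mode}: group cannot search it (needs the x bit, e.g. 0750)")
    if st.st_mode & stat.S_IRWXO:
        problems.append(f"{path} is {mode}: world-accessible, which defeats the point of a "
                        "privileged pipe; expected 0750")
    return problems


def main(argv: List[str]) -> int:
    radiusd_group = argv[1] if len(argv) > 1 else "freerad"  # assumption: Ubuntu default
    radiusd_user = argv[2] if len(argv) > 2 else radiusd_group
    path = argv[3] if len(argv) > 3 else find_privileged_dir()
    if path is None:
        print("no winbindd_privileged directory found in:", ", ".join(CANDIDATE_DIRS))
        return 2
    problems = check_privileged_dir(path, radiusd_group, radiusd_user)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print(f"OK: {path} is usable by {radiusd_user!r}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root after a Samba upgrade (python3 check_winbind_priv.py freerad freerad) and fix a reported group mismatch with either chgrp on the directory or usermod -a -G on the radiusd user, then restart radiusd so the new group membership takes effect.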
Re: Connecting the dots.
I've found that keeping config file history using RCS or git to be very useful. It's saved me a bunch of headache with bind, apache, sendmail and freeradius.

If you'd like some tips, I'm happy to oblige either on-list or off, depending on whether the regulars consider it OT.

Cheers,

C.J.

On Wed, 2010-09-15 at 14:38 -0500, Kenneth Marshall wrote:
> Many times this is caused by a software update to the system.
> To figure out where the problem lies, you will need to follow
> the very well documented procedure for debugging freeradius
> if you do not have logs of what was updated on the system so
> you can rollback the update(s).
>
> Cheers,
> Ken
>
> On Wed, Sep 15, 2010 at 08:25:10PM +0100, Lance Haig wrote:
> > Hi,
> >
> > We have implemented a freeradius server on ubuntu 10.04 connecting to AD on
> > windows 2003 to allow our users to auth against for wireless access.
> >
> > This morning it all broke. And we don't know why.
> >
> > So I started looking to build a new server to fault find.
> >
> > I am trying to find some documentation to help me.
> >
> > Looking through the wiki and Alan's website I found some documentation but
> > it does not quite match the files and config I find in the freeradius
> > directory.
> >
> > I am not sure how best to continue, can someone tell me how these two
> > document sites match up?
> >
> > Thanks in advance
> >
> > Lance
> >
> > --
> > Lance Haig
> > Virtualisation Engineer
> >
> > Forward
> > Floor 1, Centro 3
> > 19 Mandela Street
> > London NW1 0DU
> >
> > T: 020 7121 1199
> > F: 020 7121 1196
> > M: 07786167805
> >
> > W: www.forward.co.uk
> >
> > This message contains confidential information and is intended only for
> > the individual named. If you are not the named addressee you should not
> > disseminate, distribute or copy this e-mail. Please notify Forward
> > immediately by e-mail if you have received this e-mail by mistake and
> > delete this e-mail from your system. E-mail transmission cannot be
> > guaranteed to be secure or error-free as information could be
> > intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
> > contain viruses. Forward does not accept liability for any errors
> > or omissions in the contents of this message, which arise as a result of
> > e-mail transmission. Opinions expressed in this email are those of
> > Lance Haig, and do not necessarily reflect those of Forward.
> >
> > If verification is required please request a hard-copy version.
> >
> > Forward Internet Group, a company incorporated in England with
> > registered company number 05199774.
> > Registered address: 1 Conduit Street, London W1S 2XA, United Kingdom;
> > VAT Number: 844386209.
Re: Connecting the dots.
Many times this is caused by a software update to the system. To figure out where the problem lies, you will need to follow the very well documented procedure for debugging freeradius if you do not have logs of what was updated on the system so you can rollback the update(s).

Cheers,
Ken

On Wed, Sep 15, 2010 at 08:25:10PM +0100, Lance Haig wrote:
> Hi,
>
> We have implemented a freeradius server on ubuntu 10.04 connecting to AD on
> windows 2003 to allow our users to auth against for wireless access.
>
> This morning it all broke. And we don't know why.
>
> So I started looking to build a new server to fault find.
>
> I am trying to find some documentation to help me.
>
> Looking through the wiki and Alan's website I found some documentation but it
> does not quite match the files and config I find in the freeradius directory.
>
> I am not sure how best to continue, can someone tell me how these two
> document sites match up?
>
> Thanks in advance
>
> Lance
RE: Connecting the dots
Alan,

One other point. The SQL queries we have are already customized, and connected. We need to change the connection point. So I need to rewrite them to do that.

Regards: jamie
RE: Connecting the dots
Alan,

> > My problem is that I have to rewrite the SQL code to go fetch the
> > right databases.
>
> I don't see why.

Because the guy who wrote it originally wrote it wrong. I need more functionality. I looked back at what you wrote, I know what you said to do, no problem. However, because of my billing system I need to build a few more pieces than the average guy. I need to map service numbers in AV pairs, and have Freeradius perform that query for me.

It would be really helpful if I knew what the server was doing so I could know when to do it.

Regards: jamie
Re: Connecting the dots
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> My problem is that I have to rewrite the SQL code to go fetch the right
> databases.

  I don't see why.

> After I need to be able to have AVPairs answered back to set speed and
> things, and there is a custom database, (billing software) that I need
> to do this with.

  The server does this.  It does this no differently than 0.4.

> I do appreciate the help, I am not too thick, I just need to know what
> to do.

  I already told you.  Did you not read my messages?

  Alan DeKok.
RE: Connecting the dots
Alan,

My problem is that I have to rewrite the SQL code to go fetch the right databases. I understand that "authenticate" means something different. I have to swap out a live ISP environment, so I don't have a go-with-the-flow way of doing it. I need a little understanding to do this.

Cisco Authenticate --> calls --> What code to fetch from SQL
Cisco Authorize --> calls --> What code to fetch from SQL.

There are the terms authorize and authenticate in both radiusd.conf and sql.conf.

I do appreciate the help, I am not too thick, I just need to know what to do.

After, I need to be able to have AVPairs answered back to set speed and things, and there is a custom database (billing software) that I need to do this with.

All the best,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, March 12, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Connecting the dots

"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Thanks for the help. How does the Cisco authenticate then to my SQL
> server. This is the part I am missing?

  It doesn't.  That's the point.  Even in 0.4, it didn't authenticate to the SQL server.

  Q: Do you really want all of your users to have accounts where they can access the SQL database?

  A: No, so you don't "authenticate" to the SQL server.  You store passwords in SQL, and the server figures out what to do from there.

  To put it another way, your question is based on the wrong assumptions, so the question itself is wrong.  Throw away your assumptions.

  My original answer stands.  Please READ it, and BELIEVE it.  The server will figure out what to do on its own.

  Alan DeKok.
Re: Connecting the dots
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Thanks for the help. How does the Cisco authenticate then to my SQL
> server. This is the part I am missing?

  It doesn't.  That's the point.  Even in 0.4, it didn't authenticate to the SQL server.

  Q: Do you really want all of your users to have accounts where they can access the SQL database?

  A: No, so you don't "authenticate" to the SQL server.  You store passwords in SQL, and the server figures out what to do from there.

  To put it another way, your question is based on the wrong assumptions, so the question itself is wrong.  Throw away your assumptions.

  My original answer stands.  Please READ it, and BELIEVE it.  The server will figure out what to do on its own.

  Alan DeKok.
RE: Connecting the dots
Alan,

Thanks for the help. How does the Cisco authenticate then to my SQL server? This is the part I am missing.

regards: jamie

Jamie Thain
CEO - Sbi
Direct: (441) 278 6007
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, March 12, 2004 10:45 AM
To: [EMAIL PROTECTED]
Subject: Re: Connecting the dots

"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Problem. I don't understand how 'authentication' gets passed through
> radiusd.conf and onto SQL config.

  It doesn't.

> We tried a carte-blanche upgrade to 0.93
> but the 0.4 configs did not work, it complained about SQL not being an
> authentication type.

  Delete "sql" from the "authentication" section, remove all references to Auth-Type SQL, and the server should now figure it out on its own.

  The SQL "authentication" duplicated existing functionality, and was thus removed.

  Alan DeKok.
Re: Connecting the dots
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Problem. I don't understand how 'authentication' gets passed through
> radiusd.conf and onto SQL config.

  It doesn't.

> We tried a carte-blanche upgrade to 0.93
> but the 0.4 configs did not work, it complained about SQL not being an
> authentication type.

  Delete "sql" from the "authentication" section, remove all references to Auth-Type SQL, and the server should now figure it out on its own.

  The SQL "authentication" duplicated existing functionality, and was thus removed.

  Alan DeKok.
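A model of the division of labour Alan describes here and in his later reply to "how does the Cisco authenticate to my SQL server", as an added example that is not code from the thread or from FreeRADIUS, built on sqlite3 so it runs stand-alone. The sql module runs only in the authorize section, fetching check items (the stored password) and reply items; the server then picks Auth-Type from the check items it found, and the authenticate step compares the password without any database access, which is why "sql" has no place in the authenticate section and no Auth-Type := SQL rows are needed. Jamie's service-number-to-AV-pair requirement is covered by a reply query, in the shape a customised authorize_reply_query would take, that joins a hypothetical services table; the tables beyond radcheck/radreply, the Cisco-AVPair strings and all rows are constructed here, and %{SQL-User-Name} becomes a bound parameter.

```python
"""Added example (not code from the thread or from FreeRADIUS): a model of the
authorize/authenticate split with SQL, backed by sqlite3 so it runs alone.

`sql` runs only in authorize and returns check items (the stored password) plus
reply items; the server chooses Auth-Type from the check items; authenticate
never touches the database.  Tables beyond radcheck/radreply, the Cisco-AVPair
strings and every row are constructed for this example.
"""
import hmac
import sqlite3
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]  # (Attribute, op, Value): the shape of a radcheck/radreply row

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE user_service (UserName TEXT, service_id INTEGER);                      -- constructed
CREATE TABLE service_avpair (service_id INTEGER, Attribute TEXT, op TEXT, Value TEXT); -- constructed
INSERT INTO radcheck VALUES (1, 'jamie', 'User-Password', '==', 'secret99');
INSERT INTO radreply VALUES (1, 'jamie', 'Framed-Protocol', '=', 'PPP');
INSERT INTO user_service VALUES ('jamie', 3);
INSERT INTO service_avpair VALUES (3, 'Cisco-AVPair', '+=',
  'lcp:interface-config=rate-limit input 512000 96000 192000 conform-action transmit exceed-action drop');
INSERT INTO service_avpair VALUES (3, 'Cisco-AVPair', '+=',
  'lcp:interface-config=rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop');
"""

# Same shape as the stock authorize_check_query; %{SQL-User-Name} is a bound parameter here.
CHECK_QUERY = "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id"
# A customised authorize_reply_query: the user's own reply rows plus those of the service bought.
REPLY_QUERY = """
SELECT Attribute, op, Value FROM radreply WHERE UserName = ?
UNION ALL
SELECT s.Attribute, s.op, s.Value
  FROM user_service u JOIN service_avpair s ON s.service_id = u.service_id
 WHERE u.UserName = ?
"""


class SqlModule:
    """Stands in for rlm_sql.  Only an authorize method: nothing is left for it to do later."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.queries = 0  # lets the caller prove authenticate never hit the database

    def authorize(self, username: str) -> Tuple[List[Item], List[Item]]:
        self.queries += 2
        check = self.conn.execute(CHECK_QUERY, (username,)).fetchall()
        reply = self.conn.execute(REPLY_QUERY, (username, username)).fetchall()
        return check, reply


def pick_auth_type(check: List[Item]) -> Optional[str]:
    """Simplified version of the server's choice once authorize has run."""
    for attr, _, value in check:
        if attr == "Auth-Type":
            return value  # an explicit Auth-Type in radcheck still wins (e.g. ntlm_auth)
    if any(attr == "User-Password" for attr, _, _ in check):
        return "PAP"      # a stored password is enough; no Auth-Type := SQL needed
    return None           # nothing to check the password against -> reject


def authenticate(auth_type: str, check: List[Item], request: Dict[str, str]) -> bool:
    """The authenticate step.  No SQL connection is available or needed here."""
    if auth_type != "PAP":
        raise NotImplementedError(f"this model only handles PAP, not {auth_type}")
    stored = next(value for attr, _, value in check if attr == "User-Password")
    given = request.get("User-Password", "")
    return hmac.compare_digest(stored.encode(), given.encode())


def handle_request(sql: SqlModule, request: Dict[str, str]) -> Tuple[bool, List[Item]]:
    """Access-Request in, (accepted, reply items) out, in the order the server works."""
    check, reply = sql.authorize(request["User-Name"])  # authorize section
    auth_type = pick_auth_type(check)
    if auth_type is None or not authenticate(auth_type, check, request):
        return False, []                                # Access-Reject carries no reply items
    return True, reply                                  # Access-Accept with the AV pairs


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    module = SqlModule(open_sample_db())
    ok, items = handle_request(module, {"User-Name": "jamie", "User-Password": "secret99"})
    print("accept" if ok else "reject", items, "SQL queries run:", module.queries)
```

The point to take from the query counter: both database round trips happen in authorize, so the "connection point" Jamie wants to change is the sql module's configuration and its reply query, not anything in the authenticate section.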