Re: Connecting the dots.

2010-09-16 Thread Alan DeKok
Lance Haig wrote:
> I posted my debug output to the list in another mail but I will add it to
> the end of this mail so the two are on the same page as it were.

  What you posted earlier was a *tiny* portion of the debug output.  And
the email I'm replying to contains no debug output.

> The documentation does not match the current config file structure and so it
> is very difficult for anyone to follow. Your insinuation that I am being
> lazy by asking a list for answers would be valid if that was the case.

  The config file structure has changed *only* in layout on the disk.
The files are still included into radiusd.conf, i.e. the config from
1.x will very likely work with 2.x.

> I do realise you have had to answer many questions on this subject but I
> would recommend a review of the docs to make sure it is easier to follow for
> people then your argument would be valid.

  Sure.  Send a patch to update the documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Connecting the dots.

2010-09-16 Thread Alan Buxey
Hi,

> would recommend a review of the docs to make sure it is easier to follow for
> people then your argument would be valid.

personally I found the docs weak when I first started with FreeRADIUS 0.x - but
have since then learnt everything from the actual config files and the man
pages (and docs in the tarball itself).

i am horrified that your config was minimised like that into just one single
monolithic config file - that is actually very bad (I would even say, in this
case, bad practice) as it makes it very difficult to see the new changes and
config options when a new version comes out... if you use the separate modules,
virtual servers etc then you can simply DIFF them and get to see the goodies.
it also allows you to know what you can enable etc - this is why Apache is
moving into separate module files etc themselves. people lose view of the
possibilities otherwise.

alan
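As an added example of the DIFF approach Alan describes (this is not code from the original post or from the FreeRADIUS project): a POSIX shell script that walks a pristine reference copy of a modular raddb tree and the live one, reporting files present on only one side and files whose content differs once comments and blank lines are stripped. The two sample trees it builds are constructed for illustration, and the reference-copy location in the usage comment is an assumption.

```shell
#!/bin/sh
# Compare a live FreeRADIUS config tree against a pristine reference copy.
# Added example, not FreeRADIUS project code. Assumes a modular raddb layout
# (modules/, sites-available/, ...) on both sides and file names without spaces.

# strip_comments FILE -> the file with comments and blank lines removed and
# surrounding whitespace trimmed, so formatting-only differences are ignored.
# (A '#' inside a quoted value would also be stripped; good enough for raddb.)
strip_comments() {
  sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
      -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# config_drift REF LIVE -> one line per difference:
#   changed PATH | only-in-ref PATH | only-in-live PATH
# Returns 0 when the trees are equivalent, 1 when any drift was found.
config_drift() {
  ref=$1; live=$2; drift=0
  t1=$(mktemp); t2=$(mktemp)
  for f in $(cd "$ref" && find . -type f | sort); do
    f=${f#./}
    if [ ! -f "$live/$f" ]; then
      echo "only-in-ref $f"; drift=1
    else
      strip_comments "$ref/$f" > "$t1"
      strip_comments "$live/$f" > "$t2"
      cmp -s "$t1" "$t2" || { echo "changed $f"; drift=1; }
    fi
  done
  for f in $(cd "$live" && find . -type f | sort); do
    f=${f#./}
    [ -f "$ref/$f" ] || { echo "only-in-live $f"; drift=1; }
  done
  rm -f "$t1" "$t2"
  return $drift
}

# make_sample_trees BASE -> builds BASE/ref and BASE/live, constructed sample
# data: one module changed, one module differing only in comments, one file
# missing on each side.
make_sample_trees() {
  base=$1
  mkdir -p "$base/ref/modules" "$base/ref/sites-available" \
           "$base/live/modules" "$base/live/sites-enabled"
  printf 'ldap {\n\tserver = "ldap.example.com"\n\tport = 389\n}\n' > "$base/ref/modules/ldap"
  printf '# local change\nldap {\n\tserver = "ldap.example.com"\n\tport = 636\n}\n' > "$base/live/modules/ldap"
  printf 'sql {\n\tdriver = "rlm_sql_mysql"\n}\n' > "$base/ref/modules/sql"
  printf '# comments only\nsql {\n\n\tdriver = "rlm_sql_mysql"   # same value\n}\n' > "$base/live/modules/sql"
  printf 'server default {\n}\n' > "$base/ref/sites-available/default"
  printf 'server inner-tunnel {\n}\n' > "$base/live/sites-enabled/inner-tunnel"
}

# usage on a real host (paths are assumptions, adjust to your package):
#   config_drift /usr/share/doc/freeradius/examples/raddb /etc/freeradius
```

Because comments are stripped before comparing, a file that was only re-commented during an upgrade is reported as unchanged, while a real value change or a module file that only the live tree has shows up on its own line.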


Re: Connecting the dots.

2010-09-16 Thread Lance Haig
HI Alan,

Thanks for the response, mine are inline


 
>   Well... nothing in the server magically changes its behavior on a
> certain day.  *Something* changed.

I agree and I am having a hard time finding what.


> 
>   And... what does the debug output say?

I posted my debug output to the list in another mail but I will add it to
the end of this mail so the two are on the same page as it were.

> 
>   The documentation is pretty clear on this, as are the comments in the
> configuration files.  It's more efficient to read them than to ask a
> question on this list, and wait for an answer.
> 

I beg to differ.

The documentation does not match the current config file structure and so it
is very difficult for anyone to follow. Your insinuation that I am being
lazy by asking a list for answers would be valid if that was the case.

I do realise you have had to answer many questions on this subject but I
would recommend a review of the docs to make sure it is easier to follow for
people then your argument would be valid.

Please do not take this as a flame just someone hoping to find out how to
use a great tool.

Lance






Re: Connecting the dots.

2010-09-16 Thread Alan DeKok
Lance Haig wrote:
> Thanks for the response On this particular server we have not run any
> updates to the software stack as it is our policy to only update at regular
> intervals so that we can catch these things.

  Well... nothing in the server magically changes its behavior on a
certain day.  *Something* changed.

> As soon as I try to auth using my cisco wireless connection it fails unable to
> find the realm.

  And... what does the debug output say?

> That is why I was asking how the docs on the site match up to the latest
> conf files. So I can find out where to add the REALM settings so that it
> works.

  The documentation is pretty clear on this, as are the comments in the
configuration files.  It's more efficient to read them than to ask a
question on this list, and wait for an answer.

  Alan DeKok.


Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi Alan,

Thanks for the response.

We do know about the samba update and it was the first thing I checked when
the system broke. We have about 400 Ubuntu VMs running on our environment
and we have not yet updated our corporate repo with this update as we have
not tested it yet.

I checked the winbindd_privileged directory and it has the correct file
permissions.

I want to add to my original post to the list in that this server was not
originally configured by myself and the original person created a monolithic
radiusd.conf file with all the settings in the one file; this is making it
difficult to match the settings to the docs. Hence my question about how the
docs match to the new conf files.

Freeradius -X and -Xx have not highlighted anything suspicious that I
believe is different to what was being logged there before.

The reason for the new server build is so that I can understand how
freeradius works and specifically how it will work with AD as a backend.

I have been able to get the server connecting to AD and authing me against
it as per one of my other posts to the list.

I am just not sure I have done this correctly as the auth request fails when
I try to connect using my laptop. (we mostly have Macs in this office)

This is against my new server by the way.

This is what led me to contact the list to see how the docs match the new
config as I have seen

=

Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187,
length=205
User-Name = "Lance.Haig"
Calling-Station-Id = "00-26-08-e8-c9-85"
Called-Station-Id = "00-1b-8f-8a-d8-90:LNH"
NAS-Port = 13
NAS-IP-Address = 10.0.210.4
NAS-Identifier = "FWDWLC"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207002b19001703010020520cb27842380dee8600973e5967661e03fab0689f23a28f27cb
78dce34bfcc5
State = 0x47419e384246876f90468b6b37412030
Message-Authenticator = 0x4bb2d4d267947887f5bcb88b9c8dfbb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Lance.Haig", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.

==


Which leads me to believe that the REALMS config is not working properly.

And I can't find instructions on what to check to make sure this is the case.

Apologies for rambling on a bit.

Lance


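To read a capture like the one quoted above more quickly, here is an added example (not from the original post or the FreeRADIUS project): a shell/awk filter over `radiusd -X` output that prints, for each Access-Request, the packet id, the User-Name, the realm the suffix module looked up, whether a realm definition was found, and the module's return code. The sample it runs on is constructed from the quoted lines plus an invented second request for a user with an `@` suffix; the wording of the "Looking up realm"/"Found realm" lines is modelled on 2.x output and is an assumption. A `noop` from suffix means the module made no change and did not reject the request; the server carried on into the EAP tunnel.

```shell
#!/bin/sh
# Summarise realm handling per Access-Request in `radiusd -X` output.
# Added example, not FreeRADIUS project code.

# Constructed sample: the request quoted in the thread (trimmed) plus an
# invented second request whose User-Name carries an '@' realm suffix.
sample_debug() {
cat <<'EOF'
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=187, length=205
	User-Name = "Lance.Haig"
	NAS-IP-Address = 10.0.210.4
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "Lance.Haig", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
rad_recv: Access-Request packet from host 10.0.210.4 port 32768, id=188, length=140
	User-Name = "bob@example.com"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "example.com" for User-Name = "bob@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "bob"
++[suffix] returns updated
EOF
}

# summarise_realms [FILE...] -> one line per request:
#   id=N user=U realm=R found=yes|no|- suffix_returns=CODE
# Reads stdin when no file is given.
summarise_realms() {
  awk '
    /^rad_recv: Access-Request/ {
      id = "?"; user = "?"; realm = "-"; found = "-"
      if (match($0, /id=[0-9]+/)) id = substr($0, RSTART + 3, RLENGTH - 3)
    }
    /^[ \t]*User-Name = / {
      user = $0; sub(/^[ \t]*User-Name = /, "", user); gsub(/"/, "", user)
    }
    /^\[suffix\] .*[Ll]ooking up realm/ {
      # first "realm X" token on the line is the realm being looked up
      if (match($0, /realm [^ ]+/)) {
        realm = substr($0, RSTART + 6, RLENGTH - 6); gsub(/"/, "", realm)
      }
    }
    /^\[suffix\] No such realm/ { found = "no" }
    /^\[suffix\] Found realm/   { found = "yes" }
    /^\+\+\[suffix\] returns/ {
      printf "id=%s user=%s realm=%s found=%s suffix_returns=%s\n",
             id, user, realm, found, $NF
    }
  ' "$@"
}

# usage: radiusd -X 2>&1 | tee debug.log | summarise_realms
#        summarise_realms debug.log
```

For the quoted request this prints `realm=NULL found=no suffix_returns=noop`: with no `@` in the name the module looks for a realm literally called NULL, finds none configured, and steps aside; the request is still handed on to the next modules in `authorize`.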


Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi C.J.

Thanks for the tip. We do run our config in Git and it has not changed since it 
was configured about 2 months ago; this is what is baffling me.

The windows servers were not changed (well that is what the windows admins have 
informed us)

Thanks

Lance

On 15/09/2010 21:10, "C.J. Adams-Collier KF7BMP"  wrote:

I've found that keeping config file history using RCS or git to be very useful. 
 It's saved me a bunch of headache with bind, apache, sendmail and freeradius.  
If you'd like some tips, I'm happy to oblige either on-list or off, depending 
on whether the regulars consider it OT.

Cheers,

C.J.




Re: Connecting the dots.

2010-09-16 Thread Lance Haig
Hi Ken,

Thanks for the response. On this particular server we have not run any
updates to the software stack as it is our policy to only update at regular
intervals so that we can catch these things.

I only sent the e-mail to the list after spending the day in freeradius -X
and -Xx to see if I can find out why it is failing.

I wanted to start fresh with a server so I could see at what stage it starts
failing. 

But funnily enough the new server lets me auth against AD using a local
query using radtest and a forced auth method of "DEFAULT Auth-Type =
ntlm_auth" in the users file.

As soon as I try to auth using my cisco wireless connection it fails unable to
find the realm.

That is why I was asking how the docs on the site match up to the latest
conf files. So I can find out where to add the REALM settings so that it
works.

We also have 2 AD trees we connect to but once I get the one working the
other will be easy.

Thanks for the help

Lance


On 15/09/2010 20:38, "Kenneth Marshall"  wrote:

> Many times this is caused by a software update to the system.
> To figure out where the problem lies, you will need to follow
> the very well documented procedure for debugging freeradius
> if you do not have logs of what was updated on the system so
> you can rollback the update(s).
> 
> Cheers,
> Ken




Re: Connecting the dots.

2010-09-15 Thread Alan Buxey
Hi,

> We have implemented a freeradius server on ubuntu 10.04 connecting to AD on 
> windows 2003 to allow our users to auth against for wireless access.
> 
> This morning it all broke. And we don’t know why.

okay. a not so wild stab in the dark.


yesterday or day before a SAMBA security issue was highlighted, my guess
is that the Ubuntu folk have released an update for this - which meant that
a new version of SAMBA was put onto your system. this new version has most
likely blatted the settings on your winbindd_privileged directory (use eg
'locate' on your system to find its location... usually somewhere like
/var/cache/samba/ or /var/lib/samba). that dir (winbindd_privileged) needs to
be group owned by the process which radiusd runs as, usually radiusd.


another thing you can do is to actually see what's breaking. just run the
FreeRADIUS daemon in debug mode


radiusd -X



yes, there's a hell of a lot of output. a lot of it can be just skimmed... it
all starts to make sense when you get used to it, but run it in that mode...
capturing the output (even just by setting your terminal scroll buffer to eg
5000 lines then select all, copy and paste into an editor if needs be) when a
few clients try connecting. then read through whilst having a coffee; it should
be quite clear what's gone wrong.


> So I started looking to build a new server to fault find.

you really really don't need to do that


alan
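The two checks above, as an added example rather than code from the original post or from FreeRADIUS/Samba: a shell function that verifies a winbindd_privileged directory is group-owned by the group the RADIUS daemon runs as and that the group can enter it, a helper that lists the candidate locations named in the post, and a helper that runs the daemon in debug mode with the output saved to a file. GNU `stat` (Linux) is assumed; the group name `radiusd` is the one used in the post (Debian/Ubuntu packages run the daemon as `freerad`).

```shell
#!/bin/sh
# Checks for the winbindd_privileged ownership problem described in the post,
# plus a helper to capture a full debug run.
# Added example, not FreeRADIUS or Samba code. Assumes Linux with GNU stat.

# find_privileged_dirs -> prints the candidate locations from the post that
# exist on this host.
find_privileged_dirs() {
  for d in /var/cache/samba/winbindd_privileged \
           /var/lib/samba/winbindd_privileged \
           /var/run/samba/winbindd_privileged; do
    [ -d "$d" ] && printf '%s\n' "$d"
  done
  return 0
}

# check_privileged_dir DIR GROUP
#   GROUP is a name or numeric gid: the group the RADIUS daemon runs as
#   ("radiusd" in the post, "freerad" on Debian/Ubuntu packages).
#   Returns 0 only if DIR is group-owned by GROUP and the group has r-x on it,
#   which ntlm_auth needs to reach the winbind pipe inside; 2 if DIR is missing.
check_privileged_dir() {
  dir=$1; want=$2
  [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
  gname=$(stat -c '%G' "$dir")
  gid=$(stat -c '%g' "$dir")
  mode=$(stat -c '%A' "$dir")                # e.g. drwxr-x---
  gperm=$(printf '%s' "$mode" | cut -c5-7)   # the group permission triplet
  status=0
  if [ "$gname" != "$want" ] && [ "$gid" != "$want" ]; then
    echo "wrong group on $dir: $gname ($gid), want $want"; status=1
  fi
  case "$gperm" in
    r?x) ;;
    *) echo "group cannot read/traverse $dir: mode $mode"; status=1 ;;
  esac
  return $status
}

# capture_debug OUTFILE -> runs the server in the foreground in debug mode and
# keeps a copy of everything it prints while a few clients try to connect.
# The binary is radiusd as in the post; Debian/Ubuntu install it as freeradius.
capture_debug() {
  radiusd -X 2>&1 | tee "$1"
}

# usage (not run here):
#   for d in $(find_privileged_dirs); do check_privileged_dir "$d" radiusd; done
#   capture_debug /tmp/radiusd-debug.log
```

The function reports both failure modes separately, because a package upgrade can reset either the group or the mode, and a directory that is correctly group-owned but `rwx------` still keeps ntlm_auth out.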

Re: Connecting the dots.

2010-09-15 Thread C.J. Adams-Collier KF7BMP
I've found that keeping config file history using RCS or git to be very
useful.  It's saved me a bunch of headache with bind, apache, sendmail
and freeradius.  If you'd like some tips, I'm happy to oblige either
on-list or off, depending on whether the regulars consider it OT.

Cheers,

C.J.

On Wed, 2010-09-15 at 14:38 -0500, Kenneth Marshall wrote:

> Many times this is caused by a software update to the system.
> To figure out where the problem lies, you will need to follow
> the very well documented procedure for debugging freeradius
> if you do not have logs of what was updated on the system so
> you can rollback the update(s).
> 
> Cheers,
> Ken
> 
> On Wed, Sep 15, 2010 at 08:25:10PM +0100, Lance Haig wrote:
> > Hi,
> > 
> > We have implemented a freeradius server on ubuntu 10.04 connecting to AD on 
> > windows 2003 to allow our users to auth against for wireless access.
> > 
> > This morning it all broke. And we don't know why.
> > 
> > So I started looking to build a new server to fault find.
> > 
> > I am trying to find some documentation to help me.
> > 
> > Looking through the wiki and Alan's website I found some documentation but 
> > it does not quite match the files and config I find in the freeradius 
> > directory.
> > 
> > I am not sure how best to continue, can someone tell me how these two 
> > document sites match up?
> > 
> > Thanks in advance
> > 
> > Lance
> > 
> > 
> > 
> > --
> > Lance Haig
> > Virtualisation Engineer
> > 
> > Forward
> > Floor 1, Centro 3
> > 19 Mandela Street
> > London NW1 0DU
> > 
> > T: 020 7121 1199
> > F: 020 7121 1196
> > M: 07786167805
> > 
> > W: www.forward.co.uk





Re: Connecting the dots.

2010-09-15 Thread Kenneth Marshall
Many times this is caused by a software update to the system.
To figure out where the problem lies, you will need to follow
the very well documented procedure for debugging freeradius
if you do not have logs of what was updated on the system so
you can rollback the update(s).

Cheers,
Ken

On Wed, Sep 15, 2010 at 08:25:10PM +0100, Lance Haig wrote:
> Hi,
> 
> We have implemented a freeradius server on ubuntu 10.04 connecting to AD on 
> windows 2003 to allow our users to auth against for wireless access.
> 
> This morning it all broke. And we don't know why.
> 
> So I started looking to build a new server to fault find.
> 
> I am trying to find some documentation to help me.
> 
> Looking through the wiki and Alan's website I found some documentation but it 
> does not quite match the files and config I find in the freeradius directory.
> 
> I am not sure how best to continue, can someone tell me how these two 
> document sites match up?
> 
> Thanks in advance
> 
> Lance
> 
> 
> 
> --
> Lance Haig
> Virtualisation Engineer
> 
> Forward
> Floor 1, Centro 3
> 19 Mandela Street
> London NW1 0DU
> 
> T: 020 7121 1199
> F: 020 7121 1196
> M: 07786167805
> 
> W: www.forward.co.uk


RE: Connecting the dots

2004-03-12 Thread Jamie Thain
Alan,

One other point. The SQL queries we have are already customized, and
connected. We need to change the connection point. So I need to rewrite
them to do that. 

Regards:jamie 




RE: Connecting the dots

2004-03-12 Thread Jamie Thain
Alan,

> My problem is that I have to rewrite the SQL code to go fetch the 
> right databases.

  I don't see why. 

>> Because the guy who wrote it originally wrote it wrong. I need more
functionality.

I looked back at what you wrote, I know what you said to do, no problem.
However, because of my billing system I need to build a few more pieces
than the average guy. I need to map services numbers in AV pairs, and
have Freeradius perform that query for me. 

It would be really helpful if I knew what the server was doing so I
could know when to do it. 

Regards:jamie




Re: Connecting the dots

2004-03-12 Thread Alan DeKok
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> My problem is that I have to rewrite the SQL code to go fetch the right
> databases.

  I don't see why.

> After I need to be able to have AVPairs answered back to set speed and
> things, and there is a custom database, (billing software) that I need
> to do this with.

  The server does this.  It does this no differently than 0.4.

> I do appreciate the help, I am not too thick, I just need to know what
> to do.

  I already told you.  Did you not read my messages?

  Alan DeKok.



RE: Connecting the dots

2004-03-12 Thread Jamie Thain
Alan,

My problem is that I have to rewrite the SQL code to go fetch the right
databases. I understand the "authenticate" means something different. I
have to swap out a live ISP environment, so I don't have a go with the
flow way of doing it. 

I need a little understanding to do this. 

Cisco Authenticate --> calls --> What code to fetch from SQL

Cisco Authorize --> calls -->  What code to fetch from SQL. 

There are the terms, authorize and authenticate in both radiusd.conf,
and sql.conf. 

I do appreciate the help, I am not too thick, I just need to know what
to do. 

After I need to be able to have AVPairs answered back to set speed and
things, and there is a custom database, (billing software) that I need
to do this with.

All the best, 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, March 12, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Connecting the dots 

"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Thanks for the help. How does the Cisco authenticate then to my SQL 
> server. This is the part I am missing?

  It doesn't.  That's the point.  Even in 0.4, it didn't authenticate to
the SQL server.

  Q: Do you really want all of your users to have accounts where they
 can access the SQL database?

  A: No, so you don't "authenticate" to the SQL server.

  You store passwords in SQL, and the server figures out what to do from
there.

  To put it another way, your question is based on the wrong
assumptions, so the question itself is wrong.  Throw away your
assumptions.

  My original answer stands.  Please READ it, and BELIEVE it.

  The server will figure out what to do on its own.

  Alan DeKok.



Re: Connecting the dots

2004-03-12 Thread Alan DeKok
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Thanks for the help. How does the Cisco authenticate then to my SQL
> server. This is the part I am missing?

  It doesn't.  That's the point.  Even in 0.4, it didn't authenticate
to the SQL server.

  Q: Do you really want all of your users to have accounts where they
 can access the SQL database?

  A: No, so you don't "authenticate" to the SQL server.

  You store passwords in SQL, and the server figures out what to do
from there.

  To put it another way, your question is based on the wrong
assumptions, so the question itself is wrong.  Throw away your
assumptions.

  My original answer stands.  Please READ it, and BELIEVE it.

  The server will figure out what to do on its own.

  Alan DeKok.



RE: Connecting the dots

2004-03-12 Thread Jamie Thain
Alan, 

Thanks for the help. How does the Cisco authenticate then to my SQL server? This is
the part I am missing.

regards:jamie 

Jamie Thain CEO - Sbi 
Direct: (441) 278 6007 | Email: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, March 12, 2004 10:45 AM
To: [EMAIL PROTECTED]
Subject: Re: Connecting the dots 

"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Problem. I don't understand how 'authentication' gets passed through 
> radiusd.conf and onto SQL config.

  It doesn't.

> We tried a carte blanche upgrade to 0.93
> but the 0.4 configs did not work, it complained about SQL not being an 
> authentication type.

  Delete "sql" from the "authentication" section, remove all references to Auth-Type 
SQL, and the server should now figure it out on its own.

  The SQL "authentication" duplicated existing functionality, and was thus removed.

  Alan DeKok.





Re: Connecting the dots

2004-03-12 Thread Alan DeKok
"Jamie Thain" <[EMAIL PROTECTED]> wrote:
> Problem. I don't understand how 'authentication' gets passed through
> radiusd.conf and onto SQL config.

  It doesn't.

> We tried a carte blanche upgrade to 0.93
> but the 0.4 configs did not work, it complained about SQL not being an
> authentication type.

  Delete "sql" from the "authentication" section, remove all
references to Auth-Type SQL, and the server should now figure it out
on its own.

  The SQL "authentication" duplicated existing functionality, and was
thus removed.

  Alan DeKok.



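A way to check an old 0.4-era configuration for the leftovers Alan names, as an added example (not from the original reply or the FreeRADIUS project): a shell/awk scan that flags `sql` listed inside the `authenticate { ... }` section of radiusd.conf (the section the reply calls "authentication") and any uncommented `Auth-Type = SQL` or `Auth-Type := SQL` entry in the users file. The sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Flag 0.4-style SQL "authentication" settings that a newer server rejects:
#   - "sql" listed inside authenticate { ... } in radiusd.conf
#   - Auth-Type = SQL / Auth-Type := SQL anywhere (typically the users file)
# Added example, not FreeRADIUS project code. File layout is assumed.

# find_legacy_sql_auth FILE... -> prints "FILE:LINE: reason" per hit.
# Returns 0 when nothing was found, 1 otherwise.
find_legacy_sql_auth() {
  hits=$(awk '
    /^[ \t]*#/ { next }                                  # skip comment lines
    /^[ \t]*authenticate[ \t]*[{]/ { in_auth = 1; depth = 0 }
    in_auth {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")      # track nesting
      if ($0 ~ /^[ \t]*sql[ \t]*$/)
        printf "%s:%d: sql listed in authenticate section\n", FILENAME, FNR
      if (depth <= 0) in_auth = 0
    }
    toupper($0) ~ /AUTH-TYPE[ \t]*:?=[ \t]*"?SQL"?/ {
      printf "%s:%d: Auth-Type SQL reference\n", FILENAME, FNR
    }
  ' "$@")
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample_config DIR -> constructed radiusd.conf, users and sql.conf
# showing one hit of each kind; "sql" in authorize is fine and not reported,
# nor is the commented-out users entry.
make_sample_config() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/radiusd.conf" <<'EOF'
authorize {
	preprocess
	sql
}
authenticate {
	Auth-Type PAP {
		pap
	}
	sql
}
EOF
  cat > "$dir/users" <<'EOF'
# DEFAULT Auth-Type := SQL    (commented out, should not be reported)
DEFAULT Auth-Type := SQL
	Fall-Through = Yes
EOF
  cat > "$dir/sql.conf" <<'EOF'
sql {
	driver = "rlm_sql_mysql"
	authorize_check_query = "SELECT id FROM radcheck"
}
EOF
}

# usage on a real tree (path is an assumption):
#   cd /etc/raddb && find_legacy_sql_auth radiusd.conf users
```

Leaving `sql` in `authorize` is the intended setup: the module fetches the stored password there and the server picks the authentication method itself, which is why only the `authenticate` listing and the explicit Auth-Type are reported.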