Re: Release date for 1.1.0/CVS?

2005-08-19 Thread Alexander Serkin

Alan DeKok wrote:

Wesley Spadola [EMAIL PROTECTED] wrote:

Is there any news of a approximate release date for the 1.1.0 line of 
FreeRADIUS?



  When it's ready.  Hopefully in the next month or so.


Will there be a feature for a configurable key for the rlm_ippool database search?





Which bugs are currently showstoppers for this line to be released as 
stable?



  The EAP linking issues.  Other than that, the rest of the work is
cleanups.

  I think it will be released as 2.0, because there are just so many
things fixed, and so many new features added.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


EAP OTP

2005-08-19 Thread Juan Daniel Moreno
Hello everyone, 

I am interested in EAP protocols with OTP (one time password). I would
like to configure my freeradius 1.0.4 to be able to authenticate
passwords which have been created with Shawan's method and an
external key. Can anybody help me?

Thank you, Juan Daniel MORENO

Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Benedikt Panzer

Hello again,

this time the error (you know, no response and full cpu load) occurred 
and at least I found something in the normal logfile:


Fri Aug 19 09:22:02 2005 : Error: rlm_ldap: All ldap connections are in use
Fri Aug 19 09:22:03 2005 : Error: rlm_ldap: ldap_search() failed: Timed 
out while waiting for server to respond. Please increase the timeout.
Fri Aug 19 09:22:37 2005 : Error: rlm_ldap: 
uid=ilebraun,ou=accounts,dc=SIAM bind to 
lanldap1.rus.uni-stuttgart.de:389 failed: timeout
Fri Aug 19 09:24:32 2005 : Info: The maximum number of threads (32) are 
active,cannot spawn new thread to handle request
Fri Aug 19 09:24:41 2005 : Error: WARNING: Unresponsive child (id 
1123056560) for request 47


These are repeated many times, especially the first one.
They probably mean that I have a problem with my LDAP server, right? Does 
someone have experience with which parameter could be critical for eDirectory?


Thanks in advance, Benedikt

I've configured here a FreeRADIUS 1.0.4 and I'm running it now to 
handle test requests. First, everything looked ok. FR responded to all 
requests correctly. But suddenly it didn't respond any more to RADIUS 
requests and I saw it used 1 of my 2 cpus completely. Before it took 
between 1-2 percent of the cpu. FreeRADIUS even could not be killed by 
a normal kill, I needed kill -9 to terminate it. It's very strange to 
me that this happened after half an hour of normal behavior. Then I started 
FreeRADIUS in debugging mode (-X) but then the error didn't occur 
until I stopped it 1 day later. Just now I ran it again in 
not-debugging mode and again after about half an hour the same strange 
error: processor load about 99% and no responses to any requests.





Required Clarification

2005-08-19 Thread raghavendra.sadaramachandra

Hi All,



As I am using freeRADIUS I would like to
know a few of the following things.

1) What is the maximum length of username and password allowed in freeRADIUS?

2) What is the maximum number of users allowed to authenticate? I mean, how many users does it
maintain in its database?

3) How does it maintain its database? Does it use SQL? If so, does it provide any
alternative to maintain the database of username and password, for example by
using files, etc.?

4) Is there any necessity or possibility to use a secondary RADIUS server?



Thanx in advance.



Regards,

Raghu


RE: mod_auth_radius values

2005-08-19 Thread Ayres G.J.
Hi,
I have written a php script that lists the request and response
headers, the result of which is below:

Request Headers
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xx
Connection: Keep-Alive
Authorization: Basic bHNreVJlZ2o6ZnSpZGF5Mw==
Cookie: foo=bar

Response Headers
Set-Cookie: RADIUS=51f673efff8c5h235410d95289666de85305b928; path=/;
X-Powered-By: PHP/4.4.0

After the cookie is set the 'Set-Cookie' header appears in the Request
Header as 'Cookie: foo=bar;
RADIUS=51f673efff8c5h235410d95289666de85305b928;'.
(I have modified the values above slightly in case I am inadvertently sending
a username/password to the list ;)

I've read through mod_auth_radius-2.0.c and it appears the cookie is an MD5
hash of the user's information. So, is it possible to get the information
from the cookie?

Gareth.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: 18 August 2005 16:25
To: FreeRadius users mailing list
Subject: Re: mod_auth_radius values 

Ayres G.J. [EMAIL PROTECTED] wrote:
   I am developing a web system that authenticates users to a web site
 through free radius using the mod_auth_radius module for apache. It all
 works fine, but I would like to get the username of the user that has
 authenticated for use on pages once they have authenticated. 

  It's in the HTTP headers.  The username & password are sent in every
request.

 I am not sure how to go about this. I guess that the values are set in a
 cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
 could retrieve the values, either through HTML or PHP?

  Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
module source code for where the headers are, and the PHP docs for how
to get at them.

  Alan DeKok.



Re: Required Clarification

2005-08-19 Thread Benedikt Panzer

Hello,

I'm not really experienced with FR, but maybe this is enough to help you.

 3) How does it maintain its database? Does it use SQL? If so, does 
it provide any
 alternative to maintain the database of username and password, for 
example by using files, etc.?


FR is able to store users and their attributes in a couple of backends 
including sql database and a users text file. See the modules section of 
radiusd.conf for more information.


1) What is the maximum length of username and password allowed in 
freeRADIUS?


That probably depends on the backend you're using, or look in 
http://www.freeradius.org/rfc/rfc2865.html if there's a limit.


2) What is the maximum number of users allowed to authenticate? I 
mean, how many users does it maintain in its database?


I guess that's a question of performance first. Probably all backends 
can store _enough_ users and FR can also handle them.



4) Is there any necessity or possibility to use a secondary RADIUS server?

Technically it's not necessary. But if you use it for something 
important it's obviously better to have one... ;-) It's possible of course 
to set up 2 RADIUS servers.





[solution] Received unexpected tunneled data after successful handshake

2005-08-19 Thread Waba
Hello,

I was stuck for a bit on this error message before finding the solution,
so I thought I'd share and get it into the list archives for future
reference.

Context: Trying to get WindowsXP 802.1X supplicants to be authenticated on
a FreeRADIUS server. After a successful TLS handshake, the
 
 rlm_eap_tls: Received unexpected tunneled data after successful handshake

message would appear and abort the process.


The solution is in http://www.freeradius.org/doc/EAPTLS.pdf - the client
and server certificates must contain an Enhanced Key Usage. Look for
-extensions in the generation script, and for the OpenSSL extensions
file section.

Taking this into account and regenerating the client & server certificates
worked for me.

I hope it helps,
-Waba.



Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Benedikt Panzer

Hi,

I really enjoy answering to myself ;-)

I found the problem is not on the ldap server side but really in FR 
(configuration?). And it's a matter of the number of RADIUS requests: 
two clients querying FR at the same time don't cause problems for me, but 
when three clients query it FreeRADIUS hangs within 2 minutes. Every 
time. But those error messages in the log file (like "All ldap 
connections are in use", see my last posting) were not shown again. 
Precisely, most of the time no error was shown at all. FR handles one 
request normally and then just hangs.


So I tried different combinations of the options max_requests, 
max_servers, max_request_per_server, ldap_connection_number, ldap 
timeouts and so on (see below). Nothing changed. FR _always_ crashed 
after about 2 minutes when queried by 3 clients.


Then I started to enable debugging mode again (-x) and noticed that FR 
doesn't crash any longer! I set all other options back to their default 
values and still - FR doesn't crash! (And it doesn't show any error 
message either.) Also I tested the switch -s and just the same, the error 
doesn't occur then. Back in normal mode (without -x or -s) FR crashes 
again, with one of both switches it doesn't. Strange to me. Is this 
normal for you experts?


Have a nice weekend!
regards, Benedikt


The combination of options I tested (all combinations failed, that is, 
FR crashed):


max_request_time = 30
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = 0
ldap {
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
   ldap_connections_number = *10*
   timeout = 4
   timelimit = 3
   net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = *4096*
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
   ldap_connections_number = *10*
   timeout = 4
   timelimit = 3
   net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = *yes*
max_requests = *4096*
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
   ldap_connections_number = *10*
   timeout = 4
   timelimit = 3
   net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = 0
ldap {
   ldap_connections_number = *10*
   timeout = *2*
   timelimit = *1*
   net_timeout = *2*
}




Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Nicolas Baradakis
Benedikt Panzer wrote:

 Also I tested the switch -s and just the same, the error doesn't
 occur then. Back in normal mode (without -x or -s) FR crashes again,
 with one of both switches it doesn't. Strange to me. Is this normal
 for you experts?

I have no idea what's causing the problem. You might try with the
option '-f' too, like in bug #100.

http://bugs.freeradius.org/show_bug.cgi?id=100

-- 
Nicolas Baradakis



Re: mod_auth_radius values

2005-08-19 Thread Alan DeKok
Ayres G.J. [EMAIL PROTECTED] wrote:
 I've read through mod_auth_radius-2.0.c and it appears the cookie is an MD5
 hash of the user's information. So, is it possible to get the information
 from the cookie?

  No.

  The username/password IS in the header.

  Alan DeKok.


Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Alan DeKok
Benedikt Panzer [EMAIL PROTECTED] wrote:
 Fri Aug 19 09:22:02 2005 : Error: rlm_ldap: All ldap connections are in use
 Fri Aug 19 09:22:03 2005 : Error: rlm_ldap: ldap_search() failed: Timed 
 out while waiting for server to respond. Please increase the timeout.

  It looks like your LDAP server is down, and that FreeRADIUS needs it
to authenticate users.

 Fri Aug 19 09:24:32 2005 : Info: The maximum number of threads (32) are 
 active,cannot spawn new thread to handle request

  Yup.  The server can't process any more requests.

 They probably mean that I have a problem with my LDAP-Server, right? Has 
 someone experience, what parameter could be critical for the eDirectory?

  It looks like eDirectory is down, or too slow to be useful.

  Alan DeKok.


radius cache?

2005-08-19 Thread Tariq Rashid

hi - 

i wonder what people's thoughts are on a radius cache that sits in front of
a set of real radius servers and responds quickly with a set of cached reply
attributes from a previous query? this may be worthwhile even if the
caching only applies to rejected queries - so that bad requests don't waste
the backend resources.

tariq


Re: Issues authenticating vs 2003 AD

2005-08-19 Thread Tim P
I have read the docs, maybe I am just missing where their example was,
I see the entries commented but not for what I need I guess (or I
missed it).

I have reconfigured radiusd.conf again to see if I can authenticate
and am still having trouble.

Can you look at these configs and tell me where you see issues?

radiusd.conf

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
#with_ntdomain_hack = no
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
}


realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}


authorize {
preprocess
#   auth_log
#   attr_filter
#   chap
mschap
#   digest
#   IPASS
suffix
#   ntdomain
#   eap
#   files
#   sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
}

authenticate {

Auth-Type MS-CHAP {
mschap
}
}

preacct {
preprocess
suffix



proxy.conf

realm gtdsolutions.org {
type= radius
authhost= LOCAL
accthost= LOCAL
}


realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}


users

DEFAULT Auth-Type = mschap
Fall-Through = 1


attempted login from a windows host via l2tp

output of radiusd -X -A
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=169, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm gtdsolutions.org for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm gtdsolutions.org
rlm_realm: Adding Stripped-User-Name = tporritt
rlm_realm: Proxying request from user tporritt to realm gtdsolutions.org
rlm_realm: Adding Realm = gtdsolutions.org
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0



Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Benedikt Panzer

Hello,


I have no idea what's causing the problem. You might try with the
option '-f' too, like in bug #100.
 

you're right, that really sounds similar. Unfortunately, the switch -f 
doesn't help me. That's not as bad, since I can use -s or -x.

Nevertheless thanks a lot for the hint!

best regards, Benedikt



Re: radius cache?

2005-08-19 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 i wonder what people's thoughts are on a radius cache that sits in front of
 a set of real radius servers and responds quickly with a set of cached reply
 attributes from a previous query?

  In the CVS head, see rlm_caching.  It does exactly this.

  Alan DeKok.


Re: Issues authenticating vs 2003 AD

2005-08-19 Thread Alan DeKok
Tim P [EMAIL PROTECTED] wrote:
 I have reconfigured radiusd.conf again to see if I can authenticate
 and am still having trouble
 
 Can you look at these configs and tell me where you see issues?

  The client is doing CHAP.  You have configured the MSCHAP module to
use ntlm_auth.

  CHAP is not MSCHAP.  CHAP will not work with AD.  I've said this repeatedly.

  Alan DeKok.

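Alan's point that CHAP and MS-CHAP are different things, as an added example (not FreeRADIUS code): a Python sketch of how the authentication method follows from the attributes in the Access-Request shown in the radiusd -X output above, and what verifying a CHAP-Password actually requires. The password and challenge are constructed sample values; function and constant names are assumptions.

```python
"""CHAP versus MS-CHAP, from the "Issues authenticating vs 2003 AD" thread.

Added example, not FreeRADIUS code. It shows (1) how the authentication
method follows from the attributes present in the Access-Request, using
the attribute names from the radiusd -X output in the thread, and (2) what
verifying a CHAP-Password takes: the user's cleartext password. An NT
hash, which is all ntlm_auth can obtain from Active Directory, is not
enough. The password and challenge below are constructed sample values.
"""
import hashlib
import hmac

# CHAP-Password exactly as printed in the thread's debug output:
# one identifier byte (0x44) followed by a 16-byte MD5 digest.
PAGE_CHAP_PASSWORD = bytes.fromhex("44ac3d380292ea549c27ecce30ec2afe9c")

# Attributes of the Access-Request from the thread (User-Name redacted there).
PAGE_REQUEST = {
    "Service-Type": "Framed-User",
    "Framed-Protocol": "PPP",
    "User-Name": "(redacted in the thread)",
    "CHAP-Password": PAGE_CHAP_PASSWORD,
    "NAS-IP-Address": "127.0.0.1",
    "NAS-Port": 0,
}


def pick_auth_type(attrs: dict) -> str:
    """Attribute-driven method selection, simplified from what the
    chap/mschap/pap modules do in the authorize section."""
    if "MS-CHAP-Challenge" in attrs and (
            "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs):
        return "MS-CHAP"   # verifiable from an NT hash, e.g. via ntlm_auth
    if "CHAP-Password" in attrs:
        return "CHAP"      # needs the cleartext password (see verify_chap)
    if "User-Password" in attrs:
        return "PAP"
    return "Reject: no password attribute"


def chap_password(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response as carried in RADIUS CHAP-Password (RFC 2865 s5.3):
    one identifier byte followed by MD5(id || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()
    return bytes([chap_id]) + digest


def verify_chap(chap_pw: bytes, cleartext: bytes, challenge: bytes) -> bool:
    """Server-side check. The only way to recompute the digest is from
    the cleartext password; a directory that hands out only NT hashes
    (Active Directory through ntlm_auth) cannot answer this."""
    if len(chap_pw) != 17:          # 1 id byte + 16-byte MD5 digest
        return False
    expected = chap_password(chap_pw[0], cleartext, challenge)
    return hmac.compare_digest(chap_pw, expected)


if __name__ == "__main__":
    print("page request would be handled as:", pick_auth_type(PAGE_REQUEST))
    # Constructed values. Without a CHAP-Challenge attribute the challenge
    # is the packet's Request Authenticator (RFC 2865 s5.3).
    challenge = bytes(range(16))
    secret = b"constructed-password"
    pw = chap_password(0x44, secret, challenge)
    print("verify with cleartext:", verify_chap(pw, secret, challenge))
    print("verify with wrong password:", verify_chap(pw, b"other", challenge))
```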


Re: freeradius 1.0.4 and Cisco WLSE

2005-08-19 Thread jck-freeradius
On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote:
 [EMAIL PROTECTED] wrote:
  I am trying to speak between my Freeradius server and a Cisco WLSE.
  I am seeing EAP timeouts while WLSE is trying to authenticate
  through Freeradius.
 
   Short summary: the supplicant is broken.
 
  Sending Access-Challenge of id 3 to 192.168.254.10:32815
  EAP-Message = 
  0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374
  Message-Authenticator = 0x
  State = 0x8c90735921dd51b22bc8ef97379845b8
 ...
  rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, 
  length=125
  User-Name = wlseacct
  NAS-IP-Address = 192.168.254.10
  Called-Station-Id = ABBAABBAABBA
  Calling-Station-Id = ABBAABBAABBA
  NAS-Identifier = Cisco Secure II
  NAS-Port = 29
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  EAP-Message = 0x020300060311
  Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
 
   The client is sending a NACK, and asking for another EAP type.  But
 it's changing the EAP ID in a broken way, which means that the AP
 doesn't add the State attribute from the previous challenge.
 
   In the last packet, FreeRADIUS is seeing the middle of a
 conversation, without any way to know what the conversation was about.
 
   The supplicant is broken.  Use another one.

I am stuck using WLSE.  Are there plans on an official fix in Freeradius,
to work with whatever is broken in WLSE?  Cisco APs are only good if you have
decent management.

--johnk


Re: freeradius 1.0.4 and Cisco WLSE

2005-08-19 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I am stuck using WLSE.  Are there plans on an official fix in Freeradius,
 to work with whatever is broken in WLSE?

  As I said:

  it's changing the EAP ID in a broken way, which means that the AP
  doesn't add the State attribute from the previous challenge.

  Fixing FreeRADIUS won't help.  The AP just isn't sending the
information FreeRADIUS needs.  And the ONLY way to make the AP send
the correct information is to fix the supplicant.

  Alan DeKok.

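The broken NAK exchange Alan decodes in this thread, as an added example (not FreeRADIUS or Cisco code): a small Python EAP decoder run over the two EAP-Message values copied from the debug output above, plus the two checks that make a RADIUS server drop the second packet. Function and constant names are assumptions.

```python
"""Decode the two EAP-Message values from the Cisco WLSE thread above.

Added example (not FreeRADIUS code): a minimal EAP header decoder plus
the consistency checks a RADIUS server applies when an EAP Response
arrives: does the Response identifier match the outstanding Request,
and did the NAS echo the State attribute from the Access-Challenge?
The two hex strings are copied from the debug output in the thread.
"""
import struct

# EAP codes and the few EAP types needed for this exchange (RFC 3748;
# 26 is EAP-MSCHAPv2, 17 is Cisco LEAP).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 26: "MSCHAPv2"}

# EAP-Message values from the thread (server challenge, then client reply).
CHALLENGE_EAP = bytes.fromhex(
    "010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374")
NAK_EAP = bytes.fromhex("020300060311")


def decode_eap(packet: bytes) -> dict:
    """Parse the EAP header and, for Request/Response, the type field."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != {len(packet)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        eap_type = packet[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = packet[5:]
        if eap_type == 3:
            # Nak: each data byte is an EAP type the peer is willing to use.
            info["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
        elif eap_type == 26:
            # EAP-MSCHAPv2 Challenge: opcode, mschap id, ms-length,
            # value-size, the challenge bytes, then the server name.
            opcode, ms_id, ms_len, vsize = struct.unpack("!BBHB", data[:5])
            info["mschap"] = {
                "opcode": opcode, "ms_id": ms_id, "ms_length": ms_len,
                "challenge": data[5:5 + vsize].hex(),
                "name": data[5 + vsize:].decode("ascii", "replace"),
            }
    return info


def check_eap_response(request: bytes, response: bytes,
                       state_echoed: bool) -> list:
    """Return the reasons a server would discard this Response."""
    req, rsp = decode_eap(request), decode_eap(response)
    problems = []
    if rsp["code"] != "Response":
        problems.append("not an EAP Response")
    # RFC 3748 s4.1: the Response identifier MUST match the Request it answers.
    if rsp["id"] != req["id"]:
        problems.append(f"identifier mismatch: request {req['id']}, "
                        f"response {rsp['id']}")
    # RFC 3579: the NAS must copy State from the Access-Challenge into the
    # next Access-Request; without it the server cannot find the session.
    if not state_echoed:
        problems.append("State attribute missing, EAP session unknown")
    return problems


if __name__ == "__main__":
    print(decode_eap(CHALLENGE_EAP))
    print(decode_eap(NAK_EAP))
    print(check_eap_response(CHALLENGE_EAP, NAK_EAP, state_echoed=False))
```

The challenge decodes as an EAP-MSCHAPv2 Request with identifier 1 for user wlseacct; the reply is a Nak with identifier 3 asking for LEAP, and the Access-Request that carried it had no State attribute, which is exactly the situation Alan describes.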


802.1x and LDAP

2005-08-19 Thread Cian Phillips

Greetings.

I am extremely green to both 802.1x and radius and am trying to set  
this system up quickly as students arrive on campus in a couple of  
weeks so please forgive me if I ask questions that have been answered  
or exist in the documentation.


I need to authenticate windows and osx wireless users using Cisco  
APs to the freeradius server using our OSX ldap directory as the  
backend.


I can use radtest from another host and authenticate an LDAP user via  
the freeradius server and get an Access-Accept packet from the server.


When I attempt to connect via a windows or osx client to the AP I get  
error messages about User-Password being required and the 
Access-Request packet does not have the User-Password attribute.


Many of the settings are the default. The settings I have changed  
have been from several online tutorials none of which talked about  
both 802.1x and LDAP.


I'm embarrassed not to have read all the documentation but I'm really  
in a time pinch here. Again I beg your indulgence.



Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]


 OUTPUT of freeradius -X 
radius:/etc# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = ldap-sf.cca.edu
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = 
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = 
ldap: basedn = cn=users,dc=cca,dc=edu
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = uidNumber
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/freeradius/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: 

Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Thor Spruyt
Nicolas Baradakis wrote:
 Benedikt Panzer wrote:

 Also I tested the switch -s and just the same, the error doesn't
 occur then. Back in normal mode (without -x or -s) FR crashes again,
 with one of both switches it doesn't. Strange to me. Is this normal
 for you experts?

 I have no idea what's causing the problem. You might try with the
 option '-f' too, like in bug #100.

 http://bugs.freeradius.org/show_bug.cgi?id=100

I had the same issue with 1.0.1
I have 2 radius servers which each use 2 postgresql database backends.
When I stopped one server for maintenance, the radiusd process on the other
server suddenly went to constantly using 100% CPU.
When starting radiusd while 1 database is already down, this doesn't happen.

Looks to me that it's not LDAP or Postgresql related :)

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: 802.1x and LDAP

2005-08-19 Thread Thor Spruyt
Cian Phillips wrote:
 Many of the settings are the default. The settings I have changed
 have been from several online tutorials none of which talked about
 both 802.1x and LDAP.

Seems to me you didn't search well enough...
http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



freeradius 1.0.4 and Cisco WLSE

2005-08-19 Thread M.McNeil

Hello,

I am having an issue getting Cisco's WLSE 2.11 to successfully 
authenticate with FreeRadius 1.0.4.  I read where Alan DeKok stated that 
the supplicant is broken, and was wondering if this is something Cisco 
has to fix with the WLSE? or is there a way for me to fix the 
supplicant?  Finally, I read where there were some freeradius patches 
that would remedy this problem.  Can someone provide me with a copy of 
those patches ?  The ones posted on this site have errors in them and 
the LEAP patch fails consistently at line 147 of  
rlm_eap/types/rlm_leap/rlm_eap_leap.c  Any help would be greatly 
appreciated.


Best Regards,

Mike McNeil
Sr. Network Engineer
University of California Berkeley


Re: 802.1x and LDAP

2005-08-19 Thread Cian Phillips

Sorry,

I should have mentioned the pages I have already tried to follow.

http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT
http://www.kevan.net/cisco_freeradius_tls_peap_auth.php
http://mattzz.dyndns.org/twiki/bin/view/Projects/FreeRadiusAuthentication
http://www.missl.cs.umd.edu/wireless/eaptls/
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/033143.html
http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP
http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius
http://tldp.org/HOWTO/html_single/8021X-HOWTO/

With each of these I still have the problem where the Access-Request  
packet doesn't contain a User-Password attribute. I am guessing that  
there is something very fundamental that I am not understanding..  
like there isn't supposed to be a User-Password attribute coming  
from the AP but if that's the case then I really don't understand  
how we authenticate against the LDAP directory without a password.


I have tried a bunch of different how-to's and haven't had any  
success.. if someone could say they were certain that one of them  
worked that in itself would be a great deal of help.


I guess I should also mention that I have searched the list for  
rlm_ldap: Attribute User-Password is required for authentication.  
and some other permutations of that string but didn't find anything  
that seemed especially conclusive or applicable.. The problem is that  
I'm not sure I would know if I saw it.


Again my apologies for trying to get up to speed in a couple of  
hours.. and many thanks for attempting to help me find a solution.


Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]




Re: 802.1x and LDAP

2005-08-19 Thread Alan DeKok
Cian Phillips [EMAIL PROTECTED] wrote:
 With each of these I still have the problem where the Access-Request  
 packet doesn't contain a User-Password attribute. I am guessing that  
 there is something very fundamental that I am not understanding..  
 like there isn't supposed to be a User-Password attribute coming  
 from the AP but if that's the case then I really don't understand  
 how we authenticate against the LDAP directory without a password.

  You don't.  LDAP is a database, not an authentication server.
FreeRADIUS is an authentication server.  It pulls the password from
LDAP, and uses that to authenticate the user.

 I have tried a bunch of different how-to's and haven't had any  
 success.. if someone could say they were certain that one of them  
 worked that in itself would be a great deal of help.

  If you're looking for details of how the authentication protocols
work, the HOWTO's won't help you.  They tell you how to get it to
work, and they assume that you don't care about the internal design
details of the system.

  If you DO really care about the design details of the authentication
protocols, read the RFC's.  They're in doc/rfc/*.

  Otherwise, configure the system as per the HOWTO's, and it *will* work.

  Alan DeKok.



FR with MySQL. Proxying and repeated entries

2005-08-19 Thread Paolo Rotela
Hi. Sorry if this is a dumb thing, but I've searched a lot and didn't find 
any solution to this problem.


I'm using freeradius (versions 0.9.3, 1.0.0 and 1.0.4) with MySQL 3.23 and 
4.1.7 (different mappings between FR and My)


I have some clients to which I'm proxying requests to some realms. All works 
OK but there is one client which is using Cisco Secure ACS, which is giving me 
some headaches.


With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends 
an Accounting-Request to that realm and I proxy it to the home server, it 
sends me an Accounting-Response with an (I think) irregular attribute: 
Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the 
RFC for accounting packets.


So, my FR, discards it as supposed thus leading my NAS to re-send accounting 
request a lot of times until it gives up.


This leads me to three main questions:

1) Am I reading the RFC correctly? I mean, is it right that Attribute 80 is NOT 
permitted in Accounting-* packets?


2) Each time the NAS re-sends packets, FR handles it as if it were a new 
packet, for a new call/connection. This way, I have each call for this 
specific realm n times, with n being the times I configure the NAS to 
re-send the packet. Every time the NAS re-sends an Accounting-start, the SQL 
query in sql.conf says INSERT blah blah blah, which leads to a new record 
being inserted into the database, and every time the NAS re-sends an 
Accounting-stop, the SQL query says UPDATE blah blah blah, so it leads to 
calls being recorded many times. The question is: is there any way to solve 
this through configuration, and I didn't find it because I'm dumb? Or do I 
have to touch the code for the radius to verify if the packet is a 
repeated one or not?


3) Is there any known bug or proprietary feature from Cisco which causes this 
incompatibility thing? I've searched about it and didn't find anything.


I know that 3 is not at all about freeradius, but perhaps some of you came 
across this at any time.


Any help will be very appreciated.



Re: Issues authenticating vs 2003 AD

2005-08-19 Thread Alan DeKok
Tim P [EMAIL PROTECTED] wrote:
 I understand you have said that repeatedly what I am asking is where
 is that chap coming from?

  As I've also said repeatedly, the client sends the authentication
request to the server, and the server does not, and can not control
what authenticate type the client uses.

   I am not sure if it is coming from pppd or l2tpd or my windows
 client as I have radius properly configured correct?

  It probably comes from pppd or l2tpd.  I recall that the
configuration you posted earlier disabled chap, so I don't know why
the client would still be using it.

 The client is windows xp sp2 with a vpn tunnel going to the box, ipsec
 works fine, l2tp receives the auth request and hands it to pppd which
 then passes it to radius.  On the windows side I have set it to only
 use mschap-v2 (also tried it with only ms chap) so it would seem the
 windows client is configured properly.

  If the RADIUS server is receiving a CHAP-Password in the request,
then something else in the system is using CHAP.  You *think* you've
configured it to use MSCHAP, but that is obviously not happening.

 So does my radius config look correct and another piece of the chain
 is broken and for some reason passing auth as chap?

  Yes.

 I'm sorry I'm not that knowledgeable when it comes to radius, this is
 my first time using it, please be patient, I am just trying to figure
 out how it works (and yes I have read the conf file but still am not
 100% sure of it).

  The problem isn't understanding how it works.  The problem is
believing things that are explained on the list.

  Alan DeKok.



Re: FR with MySQL. Proxying and repeated entries

2005-08-19 Thread Alan DeKok
Paolo Rotela [EMAIL PROTECTED] wrote:
 With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends 
 an Accounting-Request to that realm and I proxy it to the home server, it 
 sends me an Accounting-Response with an (I think) irregular attribute: 
 Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the 
 RFC for accounting packets.

  The IETF RADIUS extensions working group has a document which
proposes fixes to a number of issues like this.

 1) Am I reading the RFC correctly? I mean, is it right that Attribute 80 is NOT 
 permitted in Accounting-* packets?

  I don't think it's specifically permitted, but it shouldn't be a problem.

 2) Each time the NAS re-sends packets, FR handles it as if it were a new 
 packet, for a new call/connection.

  The RFC's say that's what the NAS is supposed to do.  So for
FreeRADIUS, it looks like a new connection.

 3) Is there any known bug or proprietary feature from Cisco which causes this 
 incompatibility thing? I've searched about it and didn't find anything.

  No.  It's a bug in FreeRADIUS.

  I'll put a patch into 1.0.5 that should fix it.

  Alan DeKok.
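Paolo's second question and Alan's answer above describe one failure mode: a NAS retransmits an Accounting-Request whenever it sees no Accounting-Response, and a schema that does a plain INSERT on every Start and UPDATE on every Stop turns each retransmission into another row. Whatever the proxy eventually does about the duplicates, the database side can be made idempotent by keying the accounting row on the NAS plus its Acct-Session-Id. The Python below is an added example written for this page, not code from FreeRADIUS or from the thread: it replays a constructed sequence of Start and Stop requests, including retransmissions, against an in-memory SQLite stand-in for the radacct table. Attribute names follow the RADIUS accounting RFCs; the NAS address, session id, user name and timestamps are made-up sample values.

```python
import sqlite3


def open_accounting_db():
    """In-memory stand-in for radacct; the primary key is what makes retransmits harmless."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """
        CREATE TABLE radacct (
            nas_ip          TEXT    NOT NULL,
            acct_session_id TEXT    NOT NULL,
            username        TEXT,
            start_time      INTEGER,
            stop_time       INTEGER,
            session_time    INTEGER,
            -- one row per (NAS, session), however often the NAS re-sends the packet
            PRIMARY KEY (nas_ip, acct_session_id)
        )"""
    )
    return db


def record_accounting(db, req):
    """Apply one decoded Accounting-Request idempotently.

    Returns 'inserted', 'updated' or 'duplicate' so the caller can see what a
    retransmission did (nothing) without inspecting the table.
    """
    nas, sid = req["NAS-IP-Address"], req["Acct-Session-Id"]
    status = req["Acct-Status-Type"]
    row = db.execute(
        "SELECT start_time, stop_time FROM radacct WHERE nas_ip=? AND acct_session_id=?",
        (nas, sid),
    ).fetchone()

    if status == "Start":
        if row is not None:
            return "duplicate"  # the Start for this session was already recorded
        db.execute(
            "INSERT INTO radacct (nas_ip, acct_session_id, username, start_time) VALUES (?,?,?,?)",
            (nas, sid, req["User-Name"], req["Event-Timestamp"]),
        )
        return "inserted"

    if status == "Stop":
        if row is None:
            # Stop without a Start (the Start was lost): keep what we have rather than drop it.
            db.execute(
                "INSERT INTO radacct (nas_ip, acct_session_id, username, stop_time, session_time)"
                " VALUES (?,?,?,?,?)",
                (nas, sid, req["User-Name"], req["Event-Timestamp"], req["Acct-Session-Time"]),
            )
            return "inserted"
        if row[1] is not None:
            return "duplicate"  # session already closed; a re-sent Stop changes nothing
        db.execute(
            "UPDATE radacct SET stop_time=?, session_time=? WHERE nas_ip=? AND acct_session_id=?",
            (req["Event-Timestamp"], req["Acct-Session-Time"], nas, sid),
        )
        return "updated"

    raise ValueError("unsupported Acct-Status-Type: %r" % status)


def replay(db, requests):
    return [record_accounting(db, r) for r in requests]


def session_rows(db):
    return db.execute(
        "SELECT nas_ip, acct_session_id, username, start_time, stop_time, session_time"
        " FROM radacct ORDER BY 1, 2"
    ).fetchall()


# Constructed sample stream (not captured traffic): a Start, its retransmission,
# a Stop, and two retransmissions of the Stop, exactly the pattern Paolo describes.
_START = {"NAS-IP-Address": "10.0.0.5", "Acct-Session-Id": "0000ABCD", "User-Name": "paolo",
          "Acct-Status-Type": "Start", "Event-Timestamp": 1124440000}
_STOP = {"NAS-IP-Address": "10.0.0.5", "Acct-Session-Id": "0000ABCD", "User-Name": "paolo",
         "Acct-Status-Type": "Stop", "Event-Timestamp": 1124443600, "Acct-Session-Time": 3600}
SAMPLE_REQUESTS = [_START, dict(_START), _STOP, dict(_STOP), dict(_STOP)]


def demo():
    """Replay the sample stream; returns (per-packet outcomes, resulting rows)."""
    db = open_accounting_db()
    return replay(db, SAMPLE_REQUESTS), session_rows(db)


if __name__ == "__main__":
    outcomes, rows = demo()
    print(outcomes)
    print(rows)
```

Acct-Session-Id is only unique per NAS (and a NAS may reuse ids after a reboot), so the key must include the NAS identity, and a stricter key would add the session start time as well; FreeRADIUS's rlm_acct_unique module exists to derive such a combined Acct-Unique-Session-Id. The same idea carries over to the real sql.conf queries: make the Start query tolerate an existing row and the Stop query a no-op once stop_time is set.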


Re: 802.1x and LDAP

2005-08-19 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 19, 2005 at 10:54 -0800 wrote:
With each of these I still have the problem where the Access-Request  
packet doesn't contain a User-Password attribute. I am guessing that  
there is something very fundamental that I am not understanding..  
like there isn't supposed to be a User-Password attribute coming  
from the AP but if that's the case then I really don't understand  
how we authenticate against the LDAP directory without a password.

Hi there,

Do some research on configuring TTLS with FreeRadius -- there's a howto
around somewhere.  Once you get TTLS/PAP working (with the auth info in
the users file), you can easily make LDAP work.

An understanding of the tunnelling system used with most 802.1x auth
protocols would be helpful for you -- the trouble is that the password is
inside the tunnel, and your FreeRadius config isn't understanding your
tunnel.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

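As an added illustration of the point Alan and Kris make above (example code written for this page, not taken from the list or from FreeRADIUS): an 802.1X Access-Request carries the supplicant's identity in an EAP-Message attribute and protects the packet with a Message-Authenticator, while any password travels inside the EAP exchange where the outer request does not expose it. A PAP request, by contrast, carries User-Password hidden with the RFC 2865 MD5 scheme, which is what a module needing a cleartext password can use. The Python below builds one constructed request of each kind, parses the RADIUS attribute TLVs, recovers the User-Password when one is present, and verifies the Message-Authenticator per RFC 3579. The shared secret, user name and password are made-up sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 3579).
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_radius(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block).
    This is keyed obfuscation with the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_user_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def message_authenticator(packet, secret):
    """RFC 3579 3.2: HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    code, ident, auth, attrs = parse_radius(packet)
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_radius(code, ident, auth, zeroed), hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    _, _, _, attrs = parse_radius(packet)
    present = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    return bool(present) and hmac.compare_digest(present[0], message_authenticator(packet, secret))


def make_pap_request(user, password, secret, ident=1):
    """Constructed PAP Access-Request: User-Name plus a hidden User-Password."""
    auth = os.urandom(16)  # the Request Authenticator a NAS would choose at random
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_user_password(password, secret, auth))]
    return build_radius(ACCESS_REQUEST, ident, auth, attrs)


def make_eap_identity_request(user, secret, ident=2):
    """Constructed 802.1X Access-Request: EAP Response/Identity, no User-Password at all."""
    auth = os.urandom(16)
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user  # EAP code 2 (Response), type 1 (Identity)
    attrs = [(USER_NAME, user), (EAP_MESSAGE, eap), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    mac = message_authenticator(build_radius(ACCESS_REQUEST, ident, auth, attrs), secret)
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return build_radius(ACCESS_REQUEST, ident, auth, attrs)


def describe_request(packet, secret):
    """What an authentication module can actually see in this Access-Request."""
    code, _, auth, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    types = {t for t, _ in attrs}
    info = {
        "user_name": next((v.decode() for t, v in attrs if t == USER_NAME), None),
        "has_user_password": USER_PASSWORD in types,
        "has_eap_message": EAP_MESSAGE in types,
        "message_authenticator_ok": verify_message_authenticator(packet, secret),
        "password": None,
    }
    if USER_PASSWORD in types:
        hidden = next(v for t, v in attrs if t == USER_PASSWORD)
        info["password"] = reveal_user_password(hidden, secret, auth).decode()
    return info


if __name__ == "__main__":
    secret = b"testing123"  # made-up shared secret
    print(describe_request(make_pap_request(b"alice", b"s3cret", secret), secret))
    print(describe_request(make_eap_identity_request(b"alice", secret), secret))
```

Run stand-alone it prints the two views side by side: the PAP request yields a recoverable password and no Message-Authenticator, the EAP request yields a valid Message-Authenticator and no User-Password. That second view is exactly why a module that insists on User-Password fails on an untouched 802.1X request, and why the fix is to terminate the EAP method (TTLS/PEAP) in the server so that the inner, tunnelled request is what reaches the LDAP lookup.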


Bug #256 should go into 1.0.5

2005-08-19 Thread Thor Spruyt
http://bugs.freeradius.org/show_bug.cgi?id=256

It's a really big mistake and only a 1-line change!

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: EAP OTP

2005-08-19 Thread Alan DeKok
Juan Daniel Moreno [EMAIL PROTECTED] wrote:
 I am interested in EAP protocols with OTP (one time password).

  FreeRADIUS doesn't support EAP-OTP.

  As always, patches are welcome.

  Alan DeKok.


Re: Release date for 1.1.0/CVS?

2005-08-19 Thread Alan DeKok
Alexander Serkin [EMAIL PROTECTED] wrote:
 will there be a feature of configurable key for rlm_ippool database search?

  It's already in the CVS head, so yes.

  Alan DeKok.


Re: FR suddenly doesn't respond any more and eats all cpu

2005-08-19 Thread Alan DeKok
Benedikt Panzer [EMAIL PROTECTED] wrote:
 Then I started to enable debugging mode again (-x) and noticed, that FR 
 doesn't crash any longer!

  It sounds like something in the server is failing to deal with
threading issues properly.

  Alan DeKok.



Re: Bug #256 should go into 1.0.5

2005-08-19 Thread Alan DeKok
Thor Spruyt [EMAIL PROTECTED] wrote:
 http://bugs.freeradius.org/show_bug.cgi?id=256
 
 It's a really big mistake and only a 1-line change!

  The program isn't in 1.0.5.  I've added the patch to the CVS head.

  Alan DeKok.


Howto make eap-peap accounting

2005-08-19 Thread freeradius
Hello all

How to make freeradius support eap-peap accounting

Thanks you.




mysql troubles

2005-08-19 Thread Lewis Bergman
Versions:
FreeRADIUS Version 1.0.4, for host , built on Aug 19 2005 at 12:44:42
mysql  Ver 14.7 Distrib 4.1.12, for pc-linux-gnu (i686) using readline 4.3
mysql  server version: 4.1.12-max

Trouble:
Per FAQ, started with the simple plain users file auth, which works. Moved
to mysql which does not. radiusd -X shows the mysql connection being made
and all appears well on startup as noted.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = before
 main: nospace_pass = before
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = 10.10.0.51
 sql: port = 
 sql: login = login
 sql: password = passwd
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = yes
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT