Re: rlm_eap: Identity does not match User-Name...

2007-12-12 Thread A . L . M . Buxey
Hi,

 if anybody has the same problem, here's the solution..
 
 i've installed 2.0.0-pre2 and made just the following
 changes to radiusd.conf:
 
 mschap {
     with_ntdomain_hack = yes
     ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
         --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
         --nt-response=%{mschap:NT-Response} --domain=%{mschap:NT-Domain}
 }
 
 after that everything works fine, so i started to add
 my perl-module to every section. after that it fails
 with the same error as pre1.
 
 so i remove perl from the authorize section - where it wasn't really
 required, and now everything works fine. i think this will also work
 with pre1, but now i'll stay on pre2 :-)
 
 for 2.0.0 final: the sample ntlm_auth-line in radiusd.conf won't work!

this works here:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{mschap:User-Name:-%{User-Name:-None}}} 
--domain=%{mschap:NT-domain} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

I think the main issue is that you REALLY need to have at least the
mschap:User-Name - the default entry doesn't have it (?) - with either
other options and defaults - but just User-Name doesn't work. it
must be mschap:User-Name

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
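The difference between the two ntlm_auth lines in the post comes down to how the server expands `%{...}` references, in particular the nested `%{attr:-default}` fallbacks. The resolver below is an added example written for this page, not FreeRADIUS code. It models `mschap:User-Name` and `mschap:NT-Domain` as the user and domain halves of a `DOMAIN\user` User-Name (an assumption about rlm_mschap, following what the post describes), treats `mschap:Challenge` and `mschap:NT-Response` as pass-through hex strings, and runs both templates over constructed sample packets. The working line's fallback chain tries Stripped-User-Name first, then the domain-stripped mschap:User-Name, then the raw User-Name, and finally a literal None, while the `:-00` defaults keep the challenge and response options populated even on a request that carries no MS-CHAP attributes.

```python
# Both argument templates from the post. The first is the sample line the post
# says will not work as shipped; the second is the line that works.
DEFAULT_LINE = ("--username=%{mschap:User-Name} --challenge=%{mschap:Challenge} "
                "--nt-response=%{mschap:NT-Response} --domain=%{mschap:NT-Domain}")
WORKING_LINE = ("--username=%{Stripped-User-Name:-%{mschap:User-Name:-%{User-Name:-None}}} "
                "--domain=%{mschap:NT-domain} --challenge=%{mschap:Challenge:-00} "
                "--nt-response=%{mschap:NT-Response:-00}")

# Constructed sample packets (not from the post). Hex values are placeholders.
SAMPLE_DOMAIN = {"User-Name": "EXAMPLE\\alice",
                 "MS-CHAP-Challenge": "0a0b0c0d", "MS-CHAP2-Response": "ccddeeff"}
SAMPLE_STRIPPED = {**SAMPLE_DOMAIN, "Stripped-User-Name": "alice-realm"}
SAMPLE_PAP = {"User-Name": "bob"}  # a request with no MS-CHAP attributes at all


def lookup(name, attrs):
    """Resolve one %{name} reference against the packet attributes.

    The mschap: namespace is an assumption for this example: rlm_mschap is
    taken to split a DOMAIN\\user User-Name into its two halves, as the post
    describes, and to hand the challenge/response through as hex.
    """
    key = name.lower()
    if key.startswith("mschap:"):
        user_name = attrs.get("User-Name") or ""
        domain, sep, user = user_name.partition("\\")
        if key == "mschap:user-name":
            return user if sep else user_name
        if key == "mschap:nt-domain":
            return domain if sep else ""
        if key == "mschap:challenge":
            return attrs.get("MS-CHAP-Challenge") or ""
        if key == "mschap:nt-response":
            return attrs.get("MS-CHAP2-Response") or ""
        return ""
    return attrs.get(name) or ""


def _closing_brace(text, open_idx):
    """Index of the '}' matching the '{' at open_idx, honouring nesting."""
    depth = 0
    for k in range(open_idx, len(text)):
        if text[k] == "{":
            depth += 1
        elif text[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{ in: " + text)


def _expand_ref(body, attrs):
    """Expand the inside of one %{...}: either 'name' or 'name:-default'."""
    depth = 0
    for k in range(len(body) - 1):
        if body[k] == "{":
            depth += 1
        elif body[k] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", k):
            name, default = body[:k], body[k + 2:]
            value = lookup(name, attrs)
            # A missing or empty attribute falls through to the default, which
            # may itself contain further %{...} references.
            return value if value else expand(default, attrs)
    return lookup(body, attrs)


def expand(template, attrs):
    """Expand every %{...} in template; literal text is copied through."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def expansions_for(attrs):
    """Both ntlm_auth argument strings for one packet."""
    return {"default": expand(DEFAULT_LINE, attrs),
            "working": expand(WORKING_LINE, attrs)}


if __name__ == "__main__":
    for label, packet in (("domain", SAMPLE_DOMAIN), ("stripped", SAMPLE_STRIPPED),
                          ("pap", SAMPLE_PAP)):
        for kind, line in expansions_for(packet).items():
            print(f"{label:9} {kind:8} {line}")
```

Running it shows the PAP-style packet producing `--challenge=` and `--nt-response=` from the default line but `--challenge=00 --nt-response=00` from the working one, and a packet with no User-Name at all expanding to `--username=None`.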


Re: Example listed in huntgroup file does not work

2007-12-13 Thread A . L . M . Buxey
Hi,

 I should say that I do not want to use an external solution.  Creating a
 huntgroup for each NAS with the exact same user list does work, but then
 if I have to change a user I would then have to modify what could be
 over 100 groups.

i think, therein, lies your problem - you haven't looked at the whole
logical design - and are fixated on the singular huntgroups file.

if you want to control users, in groups, with huntgroups etc then
you should be using the huntgroup file to define NAS in groups, and
then another config file eg users to tie users to those huntgroups.

alan


Re: Example listed in huntgroup file does not work

2007-12-13 Thread A . L . M . Buxey
Hi,

 #   This file can also be used to define restricted access
 #   to certain huntgroups. The second and following lines
 #   define the access restrictions (based on username and
 #   UNIX usergroup) for the huntgroup.
 #

so why not do as i suggest and define usergroups - then add the
user to such groups?

if you want this to scale then i'd have to say that SQL is the
way to go.

 So I can create a huntgroup with multiple Nas, but the 'second and
 following lines' are only recognized by the last entry in the huntgroup.

no, they become sub-group huntgroup entries - you need to enter the
same 'following lines' on all members of the huntgroup

alan


Re: EAP-TLS - About username sent by supplicant

2007-12-14 Thread A . L . M . Buxey
Hi,

 My question deals with the username sent by the supplicant when the
 authentication goes on. At boot time, the username sent is: host/user_name.
 After the login, the username sent is: user_name. So, I have to create 2
 users. I want to cut 'host/' to make this task easier. Is it possible? How
 do I do this?

attr_filter or somesuch eg put these into radiusd.conf

attr_rewrite copy-user-name {
    attribute = Stripped-User-Name
    new_attribute = yes
    searchfor =
    searchin = packet
    replacewith = %{User-Name}
}

attr_rewrite remove-host {
    attribute = Stripped-User-Name
    # %{1} is the first capture group, so the group must exclude the
    # "host/" prefix for the prefix to be dropped
    searchfor = ^host/(.*)
    searchin = packet
    new_attribute = no
    replacewith = %{1}
}

and then call these 2 functions in your authorize section
(radiusd.conf or sites-enabled/wherever (for FR 2.0) )

copy-user-name
remove-host

just before the other modules are called - eg chap, auth_log etc etc

alan
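To see what the two rewrite stanzas above do to a packet, here is an added example (not part of the post, and not rlm_attr_rewrite's own code) that simulates them in order over constructed sample User-Name values. It expands `%{Attribute}` and `%{N}` in the `replacewith` value the way the post relies on, and it also shows why the capture group has to exclude the prefix: a pattern that captures the whole match, such as `^(host/.*)`, rewrites the value to itself.

```python
import re

# Constructed sample User-Name values (not from the post): the machine identity
# a Windows supplicant sends at boot, the user identity after logon, and a name
# that merely contains "host/" later on, which the anchored pattern must keep.
SAMPLES = ["host/pc0042.example.org", "jdoe", "svc/host/thing"]

# The two attr_rewrite stanzas from the post, reduced to the fields this
# simulation needs, in the order the authorize section calls them.
RULES = [
    {"name": "copy-user-name", "attribute": "Stripped-User-Name",
     "new_attribute": True, "searchfor": None, "replacewith": "%{User-Name}"},
    {"name": "remove-host", "attribute": "Stripped-User-Name",
     "new_attribute": False, "searchfor": r"^host/(.*)", "replacewith": "%{1}"},
]


def xlat(text, packet, match=None):
    """Expand %{N} (regex group N) and %{Attribute-Name} in a replacewith value."""
    def repl(m):
        ref = m.group(1)
        if ref.isdigit():
            return match.group(int(ref)) if match else ""
        return packet.get(ref, "")
    return re.sub(r"%\{([^}]+)\}", repl, text)


def apply_rules(packet, rules):
    """Run attr_rewrite-style rules over a copy of the packet's attributes."""
    packet = dict(packet)
    for rule in rules:
        attr = rule["attribute"]
        if rule["new_attribute"]:
            # new_attribute = yes: create the attribute from the expanded value
            packet[attr] = xlat(rule["replacewith"], packet)
            continue
        if attr not in packet:
            continue
        m = re.search(rule["searchfor"], packet[attr])
        if m is None:
            continue  # pattern did not match: attribute left untouched
        value = packet[attr]
        packet[attr] = (value[:m.start()]
                        + xlat(rule["replacewith"], packet, m)
                        + value[m.end():])
    return packet


def stripped_name(user_name, searchfor=r"^host/(.*)"):
    """Stripped-User-Name that the two rules produce for one User-Name."""
    rules = [dict(RULES[0]), dict(RULES[1], searchfor=searchfor)]
    return apply_rules({"User-Name": user_name}, rules)["Stripped-User-Name"]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} -> {stripped_name(name)!r}")
    # Capturing the whole match leaves the value unchanged:
    print(stripped_name("host/pc0042.example.org", r"^(host/.*)"))
```

The original User-Name is left untouched throughout; only the new Stripped-User-Name is rewritten, which is what lets later modules key on the stripped form while the packet still records which identity the supplicant actually presented.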


Re: problem ./configure and MYSql

2007-12-19 Thread A . L . M . Buxey
hi,

you have installed the user programs for mysql - the library
and the tools/database - but for compiling things that USE
mysql, you need to install the development programs for mysql.

usually mysql-devel, or mysql-dev or somesuch

alan


Re: Server blown up after move

2007-12-19 Thread A . L . M . Buxey
Hi,

what does the 'less debugging' mode - radiusd -x
give you (that's a small x rather than a big X)

alan


Re: freeradius + OpenWrt

2007-12-26 Thread A . L . M . Buxey
Hi,
 Hi,
 I want to know if someone is using freeradius with APs with OpenWRT
 installed. I'd like to hear experiences about it.

works. i wouldn't get too complex a system though - unless you
are fortunate enough to have one of the routers with 32Mb
of RAM and 16Mb of storage

alan


Re: Two 'secret' entries in clients.conf

2008-01-01 Thread A . L . M . Buxey
Hi,

 Can the two stanzas both have the same CIDR and can the 'shortnames' be the 
 same or do they have to be different?

the device is chosen by its closest matching subnet mask - so you could
slowly migrate people by subnet allocation - eg take a /23 of the devices
and migrate those...then do another /23 until you have completed the full
/16 etc

alan
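The selection rule the reply describes (the client entry with the most specific matching subnet wins) is what makes a subnet-by-subnet secret migration safe, because it decides which shared secret the server will use to validate a given NAS. The following is an added example for this page, not FreeRADIUS code: a longest-prefix lookup over constructed clients.conf-style entries, with a /23 already carved out of the /16 and a helper that adds the next migrated block. Secrets and networks are placeholders.

```python
import ipaddress

# Constructed client entries (not from the post): the existing /16 with its
# current secret and one /23 carved out of it that has already been migrated
# to a new secret. Secrets are placeholders.
CLIENTS = [
    {"shortname": "campus-old", "ipaddr": "10.1.0.0/16", "secret": "OLD-SECRET-PLACEHOLDER"},
    {"shortname": "campus-new", "ipaddr": "10.1.2.0/23", "secret": "NEW-SECRET-PLACEHOLDER"},
]


def find_client(src_ip, clients=CLIENTS):
    """Pick the client entry whose network most specifically contains src_ip.

    Mirrors the rule from the reply: the longest matching subnet mask wins, so
    a /23 inside a /16 takes precedence for its own addresses regardless of the
    order the entries are listed in. Returns None when nothing matches, which
    is the case where the server has no secret to validate the packet with.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for client in clients:
        net = ipaddress.ip_network(client["ipaddr"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, client)
    return best[1] if best else None


def migrate_block(clients, cidr, new_secret, shortname):
    """Return a client list with one more migrated block added.

    The old /16 entry stays in place; the new, more specific entry simply
    shadows it for the addresses it covers.
    """
    return clients + [{"shortname": shortname, "ipaddr": cidr, "secret": new_secret}]


if __name__ == "__main__":
    for ip in ("10.1.3.7", "10.1.9.1", "192.0.2.1"):
        hit = find_client(ip)
        print(ip, "->", hit["shortname"] if hit else "no matching client")
    step2 = migrate_block(CLIENTS, "10.1.4.0/23", "NEW-SECRET-2-PLACEHOLDER", "campus-new-2")
    print("10.1.5.9 ->", find_client("10.1.5.9", step2)["shortname"])
```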


Re:

2008-01-01 Thread A . L . M . Buxey
Hi,
 #pkill radiusd
 #radiusd -x
  

-X

it's a large X for debug mode. the little x also works but is different!

alan


Re: question

2008-01-02 Thread A . L . M . Buxey
Hi,


 Hi sir,

 i am using freeradius server version(1.1.7)

 initially i sent some request to server (radiusd),it was turned failure by 
 server.

 now is there any way, so that without restarting the server (radiusd),
 further requests can be sent and get processed by the server.

by default the server will always be listening for more requests coming in
- unless you have killed the process 

alan


Re: freeradius sql server with high loads

2008-01-03 Thread A . L . M . Buxey
hi,

your database is too slow to handle all the accounting in real time.

hence the error messages. hence the lack of accounting

either speed the DB up - and/or add more handles - or move to putting
the details in 'after real time' - eg with SQL-Relay - putting
them into a file then using the sql-relay script to put them into
the DB - therefore the process won't wait at the accounting stage.

alan


Re: mschapv2 problem

2008-01-03 Thread A . L . M . Buxey
hi,

we need to see the output of the radiusd -X   - the config file
looks fine(!)  we also need to know HOW you are trying to use 
MSCHAPv2 - where is your authentication done? users file?
DB, ntlm_auth etc etc

alan


latest CVS 2.0 beta hang problem

2008-01-04 Thread A . L . M . Buxey
hi,

a 2.0 beta (latest CVS head) install server locked up on us today
in its early test deployment

case scenario

a request was proxied off to another RADIUS server. no response
came back. server totally fails to respond to anything else.
the only entry in the 'radiusd -X' is the last 2 lines


Fri Jan  4 13:40:23 2008 : Error: Rejecting request 12643 due to lack of any 
response from home server 10.1.2.3 port 1812
Fri Jan  4 13:40:23 2008 : Error: WARNING: Unresponsive child (id 0) for 
request 12643, in module server-core component server-core


thats all. no further debug i'm afraid.

alan


Re: mschapv2 problem

2008-01-04 Thread A . L . M . Buxey
hi,

ummm, lets get this right - you are using FreeRADIUS 1.1.0  ?

I'm sorry - cannot give any support until you are using 1.1.7
(which has many old and obsolete bugs and issues removed)

alan


Re: mschapv2 problem

2008-01-04 Thread A . L . M . Buxey
Hi,

 [/udir/delivery_a0028/wacsim_trunk/scripts/services/freeradius-1.1.0//etc/raddb/users]:1
 WARNING! Check item EAP-Sim-Rand1 found in reply item list for user
 123242010015. This attribute MUST go on the first line with the other
 check items

..and many more - this is an obvious issue - please follow what the server 
says!  your users
file is incorrect, you must ensure all the check items are on the first line - 
currently
you end your first line with no comma - and have a trailing comma on the last 
entries. please
change this to

user type:=XXX blah:=this oh_and:=that,
 EAP-SIM1 = thisnthat,
 EAP-blah-blah = morejunk


alan


Re: latest CVS 2.0 beta hang problem

2008-01-04 Thread A . L . M . Buxey
Hi,

  a 2.0 beta (latest CVS head) install server locked up on us today
  in its early test deployment
 
   Ugh.
 
  case scenario
  
  a request was proxied off to another RADIUS server. no response
  came back. server totally fails to respond to anything else.
  the only entry in the 'radiusd -X' is the last 2 lines
 
   I'll go look at that tomorrow.  If I can reproduce it, it should be
 easy to fix.

*correction* that's the last 2 output lines from radiusd.log
i don't have a radiusd -X output - i will see if i can trigger
this behaviour with eg radtest or an EAP session on another
test server.  the issue doesn't occur with 2.0.0-pre2

PS by default in latest CVS, the server logs a lot less to
radiusd.log (eg auth OK, auth fail etc - i have logging set to
yes in the config but still no output) what's the required
config change to get the 'old behaviour' back?

alan


Re: latest CVS 2.0 beta hang problem

2008-01-04 Thread A . L . M . Buxey
hi,

okay - got it to do the same with a straight radtest. 
here is the radiusd -X  - several attempts that get proxied
away..and never answered. remote site marked as zombie
but then any valid requests just dont get serviced.

Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Proxy-State = 0x3930
Proxying request 0 to home server 10.1.2.3 port 1812
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 23.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 20.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 17.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 14.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 11.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 8.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testuser1
Realm = test1
Realm = test1
Proxy-State = 0x3930
Waking up in 5.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 

Re: 2.0.0pre2

2008-01-04 Thread A . L . M . Buxey
Hi,

 Is the HUP issue fixed?  Just noticed it wasn't working, but didn't try
 CVS.

the latest CVS handles HUP a lot better - various modules are now
HUP friendly. why are you HUP'ing? what will HUP achieve that
a service restart won't? how are you testing the config is sane
before restarting the daemon with new information/config?

alan


Re: (was latest CVS 2.0) - logging issue

2008-01-04 Thread A . L . M . Buxey
Hi,

   A lot has changed since -pre2.
 
   Hmm... it *should* be configurable in radiusd.conf.  See the log
 section in radiusd.conf.  Some configuration items have moved, because
 it was dumb to have log_foo, log_bar, log_baz, etc.

ha! a lot HAS been changing. damn. you are right. how did
i miss that fundamental change to the log {} section. ???

crazy. anyway, i have now moved all the pre-2 log stuff log_auth,
log_file etc etc into the correct single log {} stanza and removed
the legacy log_ prefix which each entry had. it's all working fine
now.


there was another post by someone else on this list a while back
about latest CVS being more quiet than the old. perhaps this needs
to be highlighted a little better - perhaps have something in the
startup parser that can detect these old legacy configs and spew
out a warning?  in 'the old days' the log_ entries could lie
anywhere in radiusd.conf - really should only be in log {}
and no entries should start with log_  .. ah! but they do. we have
a small oddity

log_destination = files

surely this should also be cleared into the log {} stanza? eg

log {
destination = files
}

sorry for the false alert and thanks for the pointer/tip to getting
this little issue sorted.

alan


Re: latest CVS 2.0 beta hang problem

2008-01-05 Thread A . L . M . Buxey
hi,

okay - updated to latest CVS after I saw the CVS log messages
regarding this proxying issue.  things look a little better
but at the end the server is dead - unable to respond to
any legitimate requests - (ie even simple local non proxy ones)

latest output:

Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Proxy-State = 0x33
Proxying request 0 to home server 10.1.2.3 port 1812
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 23.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 20.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 17.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 14.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 11.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 8.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing123
NAS-IP-Address = 10.1.2.2
NAS-Port = 1812
Huntgroup-Name = testhunt
Realm = testrealm
Realm = testrealm
Proxy-State = 0x33
Waking up in 5.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32772, id=3, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 108
Sending Access-Request of id 108 to 10.1.2.3 port 1812
   

Re: FreeRadius as PEAP proxy to IAS

2008-01-06 Thread A . L . M . Buxey
Hi,

 Everything works OK, Ovislink sends request to FreeRadius server, FreeRadius
 sends Access-Request to IAS (mschapv2), IAS sends Access-Accept, but Ovislink
 receives Access-Challenge from FreeRadius, one, two, three ... and in the end
 authentication failed.

proxied connection - by default you will probably have the default proxy
attributes set - which will filter out required attributes for successful
replies to be returned. you will need to add a new entry to 'trust' the
IAS return values - and have more attributes allowed through. 

alan


Re: Error on radius

2008-01-07 Thread A . L . M . Buxey
Hi,

 'The maximum number of threads (32) are active, cannot spawn new thread to 
 handle request'

FreeRADIUS is getting many many requests but cannot handle them in
real time - usually due to the authentication or accounting being
too slow - you use SQL or AD for authentication? SQL for accounting?

 Also, do people know what is the maximum simultaneous incoming authentication 
 calls that the radius process can handle? Or what ways can be adopted to deal 
 with this?

we have ours at over 128 without any local issues

alan


Re: Error on radius

2008-01-07 Thread A . L . M . Buxey
Hi,
 Thanks Alan,
 We are using SQL for authentication and accounting - do you think this could 
 be the issue?
 
 I could potentially have thousands of requests coming in almost 
 simultaneously, is this going to be too much for the process to handle?

i don't know how good your SQL database is - specification or throughput
capability etc.  have you done benchmarks?   I would personally suggest
that you use the sqlrelay method for the accounting to stop the threads
being caught in accounting processes - as accounting causes update/write
to SQL which is a performance hit (compared to authentication which is just
usually a read)

alan


Re: proxied connection - please example

2008-01-07 Thread A . L . M . Buxey
Hi,
 Hi Alan,
 
 thank you for your quick answer.
 Please send me some example about this proxy configuration.

for example,


your-proxied.realm.com
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port = 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU = 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout = 28800,
Idle-Timeout = 600,
Message-Authenticator =* ANY,
Port-Limit = 2


note the differences between this list and the DEFAULT one

alan


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread A . L . M . Buxey
Hi,
 Hi,
 I want to enable only TTLS authentication and if the client is requesting
 any other types EAP-TLS or PEAP the authentication should be denied.
 I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
 server itself is not starting up.
 Please let me know if there are any ways to achieve this.

as per eap.conf


remove the unwanted sections (eg peap) - all apart from TLS, which you
always need for TTLS - and set the

ignore_unknown_eap_types = yes

alan


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi,

   RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
 means that no one else can successfully convince the users to send them
 the passwords.

seconded/thirded.  as UK eduroam support I agree that such a closed-loop
system provides a better protection.  though more config and deployment pains,
certainly ;-)

alan


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi,

 Oh, it exists. It's called subject_match within a network { } stanza of 
 wpa_supplicant, and all the Windows supplicants I've seen so far allow you 
 set your expectations on the server name. It's turned off by default though.

agreed. it is there.


however, this puts the security on the client end...and they'll still
get a connection with the proper server even if they've omitted
all the checks.  this is bad generally - you need to have a way
of the server checking that these client settings are enforced.
oh well.  I guess that's what locked-down desktops, corporate images,
GPO pushed settings etc are all for.  not handy for supporting
the average user.

alan


Re: I can't get 'access-accept' from Linux clients

2008-01-10 Thread A . L . M . Buxey
Hi,
 Hi,
 I can't still figure it out why I can't access from Linux clients.
 I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

what is the linux client config?

i see the following in your debug

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.


i would also advise that you upgrade to 2.0.0 - not only could this
issue be resolved anyway - it's a hell of a lot easier to debug - far
less EAP messages!

alan


Re: SNMP error

2008-01-10 Thread A . L . M . Buxey
hi,

known SNMP issues with 64bit and that version of SNMP.
you will need to follow the debug instructions to help debug

alan


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-11 Thread A . L . M . Buxey
Hi,

 That road is painful. What we've come up so far with is supplying 
 pre-configured supplicants (SecureW2) that bring the proper CA certificate 
 along and set the expected CN automatically. It can even be preconfigured to 
 auto-discard any other certificates, which doesn't give the user any 
 opportunity to mess around.
 Of course, that is just pre-setting checkboxes in the supplicant. If a user 
 *really* wants to sacrifice security for getting online cheap and easy on 
 possible fraud networks, he can still toggle the settings manually later and 
 shoot himself in the foot with it.
 
 For the built-in supplicant in XP/Vista: it generally sucks. There is the 
 new Wireless Native API that is supposed to allow scripted auto-setups of 
 802.1X settings for an SSID, but we haven't tested if that's really 
 practical. If you can find a student to code on that API, please go ahead :-)

we have a similar method - preconfigured setup installer for OpenSEA
(open1x.sf.net) and SecureW2 3.x - both have the required CN etc already
set.  handy for ensuring people have eduroam already configured too ;-)

my main issue with securew2 is that it is really just a windows zero
config supplicant plugin - ie it inherits all the windows supplicant
issues.  the cisco (pre meetinghouse) supplicant is one of the best
(aironet desktop utility) - the meetinghouse client is interesting -
users cannot simply configure the supplicant for EAP networks - an
admin system needs to be used to push settings out.  not handy
for those users with EAP at home :-)

alan


Re: LDAP Groups and EAP

2008-01-12 Thread A . L . M . Buxey
hi,

I'd like to add into this that if you upgrade
to 2.0 then the EAP is simpler and quicker - and
your LDAP won't get hit with each request. it'll
only get the bare required outside and then the
essential inner tunnel stuff.

alan


Re: probs with accounting Attribute Client-IP-Address was not

2008-01-12 Thread A . L . M . Buxey
Hi,

 is this a bug or should it be like that (Client-IP-Address same as
 NAS-IP-Address)?

what makes you think they would be different? the client is your
NAS, yes?

alan


Re: SNMP error

2008-01-13 Thread A . L . M . Buxey
Hi,
 hi alan,

 i searched the freeradius.org for the debug instructions, but i found 
 nothing.
 what do you mean exactly by debug instructions
 i already have this in the radius debug mode

read doc/bugs in the distribution tar file. i can send you a copy if
your archive doesn't contain it. beware that you will need an OS
kernel that has all the debugging flags enabled (most default
distro kernels are compiled in such a way)

I have reported this bug to bugs.freeradius.org with the debug
output that my system was able to generate

alan


Re: help

2008-01-14 Thread A . L . M . Buxey
Hi,

 i have to install freeRADIUS 1.1.7 on fedora core 7, but i am unable to add
 users to the 'users' file.

why? 2.0.0 is out now

 i am getting help from the website :  www.aerospacesoftware.com/radius.html

way way way out of date and it doesn't follow current best practice either.

 johndoe Auth-Type := Local, User-Password == johndoepassword
 Reply-Message = Hello, %u
 AND AFTER THAT 

johndoe Cleartext-Password := "passwordhere"
        Reply-Message = "hello, %u"

 please tell me what to do 

basically ignore the output from the client - it can't tell you THAT much.
instead, look at the output from the server - which is plenty if you
use 'radiusd -X'

 should i install an older version ?

no. the opposite. install a newer version

alan


Re: help again

2008-01-14 Thread A . L . M . Buxey
Hi,
 if the website is old where should i go buddy
  
 http://www.aerospacesoftware.com/radius.html

there's a bunch of docs that come in the freeradius tar archive
(they'll end up in /usr/local/share/doc/freeradius or wherever
your chosen path during configure ; make ; make install)

there's also

http://deployingradius.com/

and

wiki.freeradius.org

both are top google hits

alan


Re: seg fault

2008-01-14 Thread A . L . M . Buxey
Hi,

   If malloc() is core dumping, then something else is going wrong.  i.e.
 some other part of the server is over-writing memory.
 
 when you say the server i assume you mean freeradius not another app.??

no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.

hyperthreading on?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Mysql error

2008-01-14 Thread A . L . M . Buxey
Hi,
 Hi,

 I'm working with Freeradius in production environment (start up), at this 
 time is working with only two users, they can connect without problems and 
 all seems to work fine but looking into radius.log i found this messages:

you dont state what platform you are using or what version of freeradius

however, your mysql SHOULD have such a column in that table (its in the
supplied schema) - the error you are getting is the accounting packets
which cannot be stored as you are asking for that column...check
the sql/mysql/dialup.conf

sql/mysql/schema.sql:  xascendsessionsvrkey varchar(10) default NULL,


the stuff is in the supplied schema!

sql/mysql/dialup.conf: acctstartdelay,   xascendsessionsvrkey) \
^
here is the call as part of an UPDATE

check case sensitivity

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorize/authenticate with LDAP

2008-01-16 Thread A . L . M . Buxey
Hi,
 Thierry CHICH wrote:
  freeradius Version 1.1.3 ??? I can't believe it ! I thought I was using the 
  version 1.1.6 ! Is it possible it change the behavior if I upgrade ?
 
   In 1.1.x you can set the User-Name inside of the tunnel, and then set
 use_tunneled_reply = yes in the EAP config.  This will use that
 User-Name in the Access-Accept.
 
   In 2.0, you can just write logic that runs only in the inner tunnel,
 and sets the outer tunnel user name directly.

both covered a couple of times in the mailing list archive.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL query length

2008-01-16 Thread A . L . M . Buxey
Hi,

   option is to 'exec' external scripts to perform more complex queries, am
   I right?
   It's an option, but not the only one.  You can use Perl or Python, too.
 
 
 Sorry if this seems stupid, but, do you mean that I can embed Perl in
 radiusd.conf?

no - you can call PERL from pre-auth, auth, post-auth, accounting etc
at which point the chosen script defined in the PERL section
of experimental.conf will be run and the subroutine associated
with the call will be run - at which point you can inspect
any RADIUS attribute, make a decision and return updated
attributes, ok, reject and so on.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrading from 1.0.2 to 2.0.0 problems

2008-01-16 Thread A . L . M . Buxey
Hi,

the first request looks like this. NOTE the test order...

 rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35, 
 User-Name = test
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[unix] returns updated
^^^

 ++[suffix] returns noop
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns updated
   rad_check_password:  Found Auth-Type
 auth: type PAP
 +- entering group PAP
 rlm_pap: login attempt with password mytest4
 rlm_pap: Using CRYPT encryption.
 rlm_pap: User authenticated successfully
 ++[pap] returns ok
 Login OK: [test/mytest4] (from client flyer port 0)

second test looks like this:

 rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43, 
 User-Name = [EMAIL PROTECTED]
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[unix] returns notfound
^^^

 rlm_realm: Looking up realm netonecom.net for User-Name 
 = [EMAIL PROTECTED]
 rlm_realm: Found realm netonecom.net
 rlm_realm: Adding Stripped-User-Name = test
 rlm_realm: Proxying request from user test to realm netonecom.net
 rlm_realm: Adding Realm = netonecom.net
 rlm_realm: Authentication realm is LOCAL.
 ++[suffix] returns noop
 WARNING: Deprecated conditional expansion :-.  See man unlang for details
 expand: %{Stripped-User-Name:-%{User-Name}} -> test
 users: Matched entry DEFAULT at line 172
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 rlm_pap: WARNING! No known good password found for the user.  
 Authentication 
 may fail because of this.
 ++[pap] returns noop
 auth: No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user

you are calling the unix auth module before suffix - therefore the magic
hasnt yet happened. I'd try putting the unix module after the modules
that play around with User-Name 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rlm_sql in freeradius-1.1.7

2008-01-18 Thread A . L . M . Buxey
Hi,

 This can be done if we use the attribute Called-Station-Id
 (or NAS-Identifier) with the operator '=~' and a value like
 this: (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87)
 This is a regular expression that will match the attribute
 if its value is one of them that are listed.

 This solution still has a restriction. Since the value of
 an attribute is varchar(253), it cannot contain more than 14
 MAC-s listed. So, a user cannot use more than 14 access points
 for connecting to the internet. For the time being this is
 acceptable for me, however I am still looking for other
 solutions. I am also planning to try freeradius 2.

in this case, use huntgroups - assign each station or NAS
to the huntgroup and then use a huntgroup check for the
user

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
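As an added example (not code from the list post), here is the arithmetic behind the 14-MAC ceiling and the huntgroups alternative Alan points at, in Python. The huntgroup name, user name, password and MAC addresses are constructed; the huntgroups and users lines it emits follow the raddb file formats, and the exact form of Called-Station-Id (with or without a ":SSID" suffix, upper or lower case) is whatever your NAS sends and must be confirmed in the debug output.

```python
"""Added example, not code from the list post: the 253-character ceiling
on a regex of MAC addresses in radcheck, and the huntgroups alternative.
The huntgroup name, user name, password and MAC addresses are constructed."""
import re

RADCHECK_VALUE_MAX = 253            # radcheck.value is varchar(253) in the shipped schema
MAC_RE = re.compile(r"([0-9a-f]{2}-){5}[0-9a-f]{2}")


def mac_alternation(macs):
    """Build the value for  Called-Station-Id =~ (m1|m2|...)  in radcheck,
    refusing a list that the column would silently truncate."""
    bad = [m for m in macs if not MAC_RE.fullmatch(m)]
    if bad:
        raise ValueError("not of the form hh-hh-hh-hh-hh-hh: %r" % bad)
    value = "(" + "|".join(macs) + ")"
    if len(value) > RADCHECK_VALUE_MAX:
        raise ValueError("%d MACs need %d characters, the column holds %d"
                         % (len(macs), len(value), RADCHECK_VALUE_MAX))
    return value


def max_macs_in_one_value():
    """Largest list that fits: 2 parens + 17n + (n-1) separators <= 253."""
    n = 0
    while True:
        sample = ["00-1b-d1-36-e2-%02x" % i for i in range(n + 1)]
        try:
            mac_alternation(sample)
        except ValueError:
            return n
        n += 1


def huntgroups_lines(group, macs):
    """raddb/huntgroups: one line per access point, each a check item.
    Write the MAC exactly as the NAS sends it in Called-Station-Id (many
    APs append ':SSID' and some upper-case it) and anchor a prefix regex
    rather than an exact '==' match; confirm the form with 'radiusd -X'."""
    return ['%s\tCalled-Station-Id =~ "^%s"' % (group, m) for m in macs]


def users_line(user, group, password):
    """raddb/users: the account is only usable from NASes in the huntgroup,
    however many there are; the 253-character limit no longer applies."""
    return '%s\tHuntgroup-Name == "%s", Cleartext-Password := "%s"' % (user, group, password)


def station_in_group(called_station_id, macs):
    """What the huntgroup check above evaluates to for one request."""
    return any(re.match("^" + re.escape(m), called_station_id) for m in macs)


if __name__ == "__main__":
    aps = ["00-1b-d1-36-e2-85", "11-1b-d1-36-e2-86", "22-1b-d1-36-e2-87"]
    print("radcheck value:", mac_alternation(aps))
    print("max MACs per value:", max_macs_in_one_value())
    print("\n".join(huntgroups_lines("library-aps", aps)))
    print(users_line("alice", "library-aps", "s3cret"))
```

Adding a fifteenth AP then means one more huntgroups line rather than a regex that no longer fits the column; the user entry does not change at all.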


Re: unlang?

2008-01-18 Thread A . L . M . Buxey
Hi,

 I am not sure why, I inherited this setup and I am still trying to understand 
 it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)
 
 The -X output says:
 
 WARNING: Deprecated conditional expansion :-.  See man unlang for details
 expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
 expand: o=uol -> o=uol
 
 What is the replacement for :- given I don't know what it did in the first 
 place for man unlang to be any help!

if Stripped-User-Name exists, then use that, otherwise use User-Name
the :- operator is in unlang too - but the expansion check may need to be
rewritten - eg %{%{Stripped-User-Name}:-%{User-Name}}

its only deprecated right now - not too essential

 2) Rejecting a user
 
 I have a specific user account (call it special) it was barred using:
 
 special Auth-Type := Reject
 Reply-Message = "Cannot use this user account"
 
 in the users file.
 
 Variants like  special, Special and SPECIAL etc get by this check, and 
 out LDAP server allows them!, so I added:
 
 lower_user = before
 lower_pass = no
 nospace_user = before
 nospace_pass = no
 
 to radius.conf. These no longer seem to work. How do you achieve this with 
 version 2.0.0?

gosh. a lot of ways of doing this. you could use the
unlang method to check, eg

if (User-Name =~ /^special$/i) {
	reject
}

or via the attrib filter rewrite

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Administering with MySQL DB

2008-01-18 Thread A . L . M . Buxey
Hi,

   thanks, Ive looked at this and its a good guide to initial install but 
 doesnt seem to provide any detailed info on how to administer the data in the 
 tables. IE there is a sample of some data from a test system but this doesnt 
 even mention the NAS table, how are other people administering their 
 systems?

this is really a 'how to use mysql' question - there are several GUIs for
Mysql - eg PHPMyAdmin - however, it seems theres nasty security holes found
in it every week.
ideally, you would use the command line eg


eg to connect

mysql -u username radius -p

to see whats what

mysql> show tables;

to get into

mysql> describe TABLENAME;

to see something

mysql> select * from nas;

if you need to insert/update, simply use the insert or update
command with the appropriate arguments (each DB admin has their
own preferred method) - do a quick google for insert mysql example

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius attributes for cisco ip phone

2008-01-18 Thread A . L . M . Buxey
Hi,

 HP ProCurve edge series can only dynamically assign a single untagged VLAN 
 to any one switch port.
 It is not possible to create dynamic VLAN trunks. It may be possible to 
 create a VLAN trunk statically, then leave the switch to do VLAN 
 assignment, and just deny/allow access via the RADIUS server.

..and with Cisco switches you can assign a switchport vlan and a voice
vlan for the port - with each servicing each device on the port - using
multihost 802.1x method...but the cisco phone has, of course, cisco-centric
features.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS list with MySQL

2008-01-19 Thread A . L . M . Buxey
Hi,

 Hi there... i am new to free radius. I already successfully installed
 freeradius 1.1.7 with mysql5.1. The point is NAS's IPs and secrets are
 configured in clients.conf. I cannot find anything how to put those data to
 SQL database. Sql.conf doesn't describe any table or value for clients, can
 anyone give any clue how to store those data in SQL database

sql.conf has the readclients directive and the sql schema clearly
shows the nas table 

mysql> describe nas;

simply populate. enable the readclients directive.

with 1.1.x i believe you still need a single entry in clients.conf
- a fake entry - eg 127.0.0.2  or it barfs. 2.0.0 doesnt have this
issue

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS list with MySQL

2008-01-20 Thread A . L . M . Buxey
Hi,

 Can u tell me about stability in freeradius 2.0.0. I am preparing a project
 for servers which will have to serve more than few million entries (users) and
 i am concerned using latest versions

personally I would go for 2.0.0 - its been in beta for a long long
time, it handles the packets better, it has far better scalability
and it does have the quirks that live in the 1.1.x branch

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL

2008-01-21 Thread A . L . M . Buxey
Hi,

 I have installed MySQL and Freeradius2.0.0.
 
 I have updated the schema for MySQL and set the location, username and
 password in sql.conf.
 When I start radiusd -X I get the following output. I cannot see any mention
 of connecting to mysql.

you arent using sql for authentication, authorization or accounting? 
if this is the case, then you need to add 'sql' to the instantiate
stanza of the configuration to enable the module

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SNMP error

2008-01-21 Thread A . L . M . Buxey
Hi,

 i followed the bugs file.
 i recompiled the freeradius  with   --enable-developer actually  i made RPM 
 file  with   (  rpmbuild -ta freeradius-1.1.7.tar.gz )

are you SURE That this worked fine - as if you used the standard
SPEC then you wouldnt enable the developer stuff.

 (no debugging symbols found)

you also need to ensure your kernel is built with debugging support

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with Vista EAP-PEAP Authentication

2008-01-22 Thread A . L . M . Buxey
Hi,

FR 1.1.6, 1.1.7 and 2.0.0/2.0.1 work fine with vista (without any special
non windows-update KBs installed)

are you using source from www.freeradius.org, or some distribution package?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-23 Thread A . L . M . Buxey
Hi,
 Please don't be angry. I'm trying to fix this issue because it works
 perfectly on FR1.1.7

if you've copied the config files direct from 1.1.7 to a 2.0.0
system then there will be quirks. 

wheres the full debug log? 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Procedure to test performance

2008-01-23 Thread A . L . M . Buxey
Hi,

 My radius server is not implemented yet, but i am wondering of a performance
 of it before it starts, I will need to simulate a performance test, My idea
 is to generate packet to analyze the server.

doc/performance-testing

its in the freeradius archive - eg freeradius-server-2.0.1.tar.gz
from FTP or WWW freeradius.org

 3. In your experience of bad performance what to focus on to improve it?
 Interfaces, RAM or processor ?

depends on the type of authentication and methods being used. the vast
vast vast number of performance problems that are mentioned on this
list are due to SQL bottlenecks. the DB is never fast enough.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS list update without restarting radius server.

2008-01-23 Thread A . L . M . Buxey
Hi,

  well the previous info regarding this only being read at startup was 
 specific to data in SQL, so I suppose a kill -HUP should work.
 But I haven't tested it :P, maybe someone else on the list can tell us, 
 otherwise give it a go by manually updating the clients.conf and
 try a kill -HUP,

according to latest sources (2.0.1) users file is HUP safe, SQL
is not (SQL logging is) - as Alan says - need it? code it.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unable to run radclient - libfreeradius-radius-2.0.0.so not found

2008-01-23 Thread A . L . M . Buxey
Hi,

 Trying to run radclient to test if I have things set up correctly and I get 
 this.

 Only similar thing I could find on the net was libcrypt being missing which 
 was pointed at being an incorrect installation of openLDAP (I think).

 I downloaded the src and compiled from there with ./configure, make and 
 then make install.

 Any suggestions?

as per the stuff that gets spewed to the screen when you do make install, 
ensure that /usr/local/lib is in your library path! /etc/ld.so.conf
or somesuch (depends on OS/distro) will need to have that path added -
after which you need to

/sbin/ldconfig -v

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MySQL + system auth

2008-01-23 Thread A . L . M . Buxey
Hi,

   In working to get my new radius server working I have run into a snag.  I 
 need to authenticate using a SQL database or system password file depending 
 on where the request comes from, however the user may exist in both, with 
 different passwords.  How do I tell it to use the MySQL username/password 
 pairs 'only' when it comes from a specific NAS?  
 

many many ways - you could use huntgroups and Autz-Type, you could
use virtual servers and proxy the request - if NAS is this or that
then use this server definition.

 Suggestions, pointers to documentation I may have missed, etc are gladly 
 welcomed.

looks like you've told the server to do a Crypt-Password - and it
doesnt match.  how ARE you storing the passwords in the SQL?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to enable ldap during authentication

2008-01-23 Thread A . L . M . Buxey
Hi,

 I am using version 2.0.2-pre
 I would like to use ldap for freeradius authentication.
 I couldn't find anything on web about this topic.
 I have ldap module in the authorize section in my default virtual server.
 I see in the debug that  ldap module returns ok during authorization
 please point me what do I have to do to use ldap also for authentication
 
 is it enough to put ldap invocation in authentication section?
 below debug from authorization

you cant use LDAP to authenticate if its not in the authenticate section.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticating with PIN only not username and password.

2008-01-23 Thread A . L . M . Buxey
Hi,
 hi all,

 Can someone give me an insight into how a user can authenticate from 
 hotspot with 10digit PIN number not username and password.

make the hotspot login only ask for a PIN, then send that as the User-Name
with a password of the same value, or whatever via a RADIUS - as per normal.
then on radius server have something in users like

1234567890 Auth-Type := Accept, Cleartext-Password := "1234567890"

probably a LOT LOT easier if you are generating these accounts via a system
to throw them into an SQL database - eg the MySQL - and use the DB
functions to check the user instead. scales nicely.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
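As an added example (not code from the list post), this Python script does what Alan suggests in the last paragraph: it generates PIN accounts in bulk into the radcheck table and shows the check the server then performs. sqlite3 stands in for MySQL, the DDL keeps only the columns of the shipped radcheck table, and the unique index on (username, attribute) is this example's own addition so a duplicate PIN is refused instead of stored twice. PINs and row contents are constructed at run time.

```python
"""Added example, not code from the list post: bulk PIN accounts in the
radcheck table (sqlite3 standing in for MySQL). The unique index is an
addition of this example; the column list follows the shipped schema."""
import secrets
import sqlite3

RADCHECK_DDL = """
CREATE TABLE radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(32)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT ''
);
CREATE UNIQUE INDEX radcheck_user_attr ON radcheck (username, attribute);
"""


def open_radcheck():
    conn = sqlite3.connect(":memory:")
    conn.executescript(RADCHECK_DDL)
    return conn


def new_pin(digits=10):
    """Uniformly random PIN from the OS CSPRNG, zero-padded to `digits`.
    random.random()/random.randint() are not suitable for credentials."""
    return "%0*d" % (digits, secrets.randbelow(10 ** digits))


def issue_pins(conn, count):
    """Create `count` accounts. The hotspot sends User-Name = PIN and
    User-Password = PIN, so each row is  PIN  Cleartext-Password := PIN."""
    issued = []
    while len(issued) < count:
        pin = new_pin()
        try:
            conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                         "VALUES (?, 'Cleartext-Password', ':=', ?)", (pin, pin))
        except sqlite3.IntegrityError:
            continue                      # PIN already issued: draw another
        issued.append(pin)
    conn.commit()
    return issued


def authorize(conn, username, password):
    """What rlm_sql's authorize_check_query plus rlm_pap amount to: fetch
    the check items for the User-Name, then compare the Cleartext-Password.
    The placeholder keeps a hostile User-Name out of the SQL text; FreeRADIUS
    itself relies on the safe-characters setting in sql.conf for that."""
    row = conn.execute("SELECT value FROM radcheck WHERE username = ? "
                       "AND attribute = 'Cleartext-Password'", (username,)).fetchone()
    return row is not None and secrets.compare_digest(row[0], password)


def revoke(conn, pin):
    """Delete the row once the voucher is used or expired. A 10-digit PIN is
    only about 33 bits, so it must not live forever or be guessable without limit."""
    return conn.execute("DELETE FROM radcheck WHERE username = ?", (pin,)).rowcount


if __name__ == "__main__":
    db = open_radcheck()
    pins = issue_pins(db, 3)
    print("issued:", pins)
    print("good PIN accepted:", authorize(db, pins[0], pins[0]))
    print("wrong PIN rejected:", authorize(db, pins[0], pins[1]))
    print("revoked rows:", revoke(db, pins[0]))
```

One thing to keep in mind with this scheme: because the PIN is also the User-Name, it appears in the clear in every Access-Request, in radius.log and in the accounting tables, so treat those as credential stores for as long as the PIN is valid.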


Re: one RADIUS server per realm setup

2008-01-23 Thread A . L . M . Buxey
Hi,

1. Proxy authorization as well - it's not clear how to do this. Can you? 
 I'd really just like to forward the entire request elsewhere, before 
 anything else happens, so I'd like to check the realm FIRST, and not do 
 anything if it's not a local realm.

yes, thats exactly what you do proxy stuff for - you'll define your
local realm, and null realm etc. you then define the realms and the
RADIUS server address for each of those realms. the requests
then get proxied to the remote systems.

its similar to what we do with eduroam in europe - and myself with
JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming

I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

definitely upgrade - 2.0.1  the proxy stuff is soo much better
(failovers, dead timers, status requests etc)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Don't work freeradius with MySQL.

2008-01-24 Thread A . L . M . Buxey
hi,

turn on the SQL debug logging in FreeRADIUS and see
what the output of the SQl was

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SNMP error

2008-01-24 Thread A . L . M . Buxey
Hi,
 i have OS RHEL5

it looks like it didnt build with the required debug parts - once
again, as you are using the SPEC for your distro they could have other
things that mess it up - I can only help if you build
from the source and leave package management stuff alone.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question about forum

2008-01-25 Thread A . L . M . Buxey
Hi,
 There is a history of this mailing list, but searching something is a 
 nightmare. 
 
 Imho forum would be great for that.
 Sent from my BlackBerry® wireless device

forums suck imho

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-02-04 Thread A . L . M . Buxey
Hi,
 Hi again and thanks,
 
 EAP-TTLS/PAP is the default. I tried configuring the TTLS-PAP inner and
 outer tunnel but it will not work.
 
 EAP-TTLS/PAP ended
 
 A. If an incoming user conn. against the FreeRadius Server (Nr1) is
 belonging to OTHER (LOCAL) domain then
 the EAP-TTLS tunnel is ended and validated against the LDAP.
 
 PAP Tunneled (proxied)
 
 B. If an incoming user conn. against the FreeRadius Server (Nr1) is
 belonging to SECURSERVER domain then
 the EAP-TTLS tunnel is ended and PAP is proxied to other Radius (Nr 2)

i'll assume you are running with the attribute filter running
pre and post proxy?   if so, you will need to allow a few other
attributes through or proxy wont work.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Detail cisco logging

2008-02-04 Thread A . L . M . Buxey
Hi,
 Hello,
  I have successfully configured freeradius 2.x to do AAA for my Cisco
 Catalyst 3560.  Using modules rlm_detail I am able to log when the session
 starts and ends, however I am also interested in logging exactly what
 commands were issued by the user.  Does anyone know how I can accomplish
 this?

TACACS+

not FreeRADIUS unless you contribute some code

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Attributes sent to proxy servers ...

2008-02-05 Thread A . L . M . Buxey
hi,

you are still pre-proxy attr filtering? 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread A . L . M . Buxey
Hi,

 When installing FreeRadius 2.0.1, the only thing you should need is to add 
 this to /etc/raddb/users

 username  Cleartext-Password := "thepassword"

..and the clients file (and maybe even the firewall on the server! ;-) )
so that the AP acting as a NAS can talk to FR :-)

 ...and it should work. If it doesn't, by far the most likely explanation is 
 that you have the Cisco AP configured incorrectly; you will need to examine 
 the Cisco documentation, this is not a Cisco support list.

agreed.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread A . L . M . Buxey
Hi,

 I have been working with freeradius v.2.0.1 and a
 Cisco 1200 Series Access Point (version 12.3 IOS) for many months now
 with no success to getting this working.  I am doing research on
 freeradius product for a university campus that I go to for
 implementation in the near future.  I am out of ideas of how to
 configure this correctly.  I still to this day do not have my Cisco
 1200 AP authenticating with freeradius version 2.0.1.  Does anyone have
 a configuration setup of this type of scheme or are willing to tell me
 how to start from ground up to make this work.  My plan is simple at
 this point.  I want to use freeradius, a Cisco 1200 Series Access
 Point, and one windows xp pro client to connect to the AP and
 authenticate against freeradius.  I appreciate any input on this
 matter.  Thanks again open source community.

most of us would simply follow the FreeRADIUS EAP-TLS guide (which
covers PEAP etc too!) - which works 'out of the box' when you
do a make install and run it for the first time,

followed by following the cisco document on how to configure WPA
for the 1200 series AP. 

then, configure FreeRADIUS client.conf to allow the AP to talk to
the FR server

install the FR CA cert onto the Windows client. et voila. thats
most of the work done (or all of it if you EAP-TLS)

so. what exactly is your problem?  

have you followed the cisco docs so that your AP is configured to
do WPA and has the RADIUS server configured ?  whats the debug
output from your FR daemon?  

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: New bee to FreeRadius; need help in configuration

2008-02-05 Thread A . L . M . Buxey
Hi,
 Deepak,
   Have you considered using a ldap or sql backend instead of flat-file?

those , too, will need to be refreshed via a server restart - the SQL
clients are only read upon start.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying VMPS requests

2008-02-06 Thread A . L . M . Buxey
hi,

we use FR with the VMPS module - and i can see the gotchas
with trying to run it through some of the other modules.

what we have is the VMPS calling post-auth - which runs
a PERL module. the PERL module does our dirty work (check
validity, return the correct VLAN etc) - but theres
no reason why PERL or Python etc couldnt be used to query 
your MACAUTH server instead (?)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: need help in using mySql for freeRadius server.

2008-02-06 Thread A . L . M . Buxey
Hi,

you are using 2.0.0 ...

the output you posted is not complete...

 Ready to process requests.

...which is the LAST line of output before the server is ready -
the output before gives us a lot of information.


can you connect to the mysql database from the command
line using the credentials you have supplied FR ? ie

mysql -u username -p database

also, is the box running eg 'selinux' - if so, the config
for selinux will need to be updated/changed so that the
processes can talk to each other.  just disable selinux (and reboot)
or set it to permissive mode with error/warn logging to check
this

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: weird error

2008-02-06 Thread A . L . M . Buxey
Hi,

 Wed Feb  6 10:43:04 2008 : Error: rlm_eap: Failed to remember handler!
 Wed Feb  6 10:43:07 2008 : Error: rlm_eap: Failed to remember handler!
 and
 Wed Feb  6 10:43:07 2008 : Error: rlm_eap_tls: Unexpected ACK received


 the reason i am looking over these logs right now is because the server 
 segfaulted with error 4, 4 seconds after this happened.

hmm, similar to a behaviour that i have seen - ours didnt segfault though,
it just stopped listening/answering. 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: no start of radiusd after reboot : mysql connection error

2008-02-07 Thread A . L . M . Buxey
Hi,

 Do you mean that I must allow my user on the mysql server ? I don't think 
 so, since there is no traffic from the freeradius to mysql at boot time. 
 And furthermore, the user *is* allowed to connect to database from the 
 free-radius host
 There are perhaps permissions problems on the freeradius hosts, to launch a 
 particular process ?
 Please can you tell me how I can allow user/group to talk to the MySQL 
 server ?

sounds like SELinux to me - check your SELinux security
settings and their logs - if you are enforcing, your logs
will show the failure of this connection

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: no start of radiusd after reboot : mysql connection error

2008-02-07 Thread A . L . M . Buxey
Hi,

 Yes I already check that, SELINUX is disabled

 [EMAIL PROTECTED] ~]# cat /etc/selinux/config
 SELINUX=disabled
 SELINUXTYPE=targeted
 SETLOCALDEFS=0

 another idea ? perhaps something with permissions on binaries ?

what happens if you start the daemon from the command line
with

radiusd -x

(small x, not the big debug X! iirc, this runs it with
the configured privileges rather than with root)

otherwise, as root, 'su' to the account you are running
the service as eg

su - radiusd

and run the daemon.  check what it can or cannot read!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radsqlrelay - and default config

2008-02-08 Thread A . L . M . Buxey
Hi,

   Or, delete the sql_log queries, and use the ones from rlm_sql that are
 known to work.

yes. i was thinking about why we have the stuff defined twice.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radsqlrelay - and default config

2008-02-08 Thread A . L . M . Buxey
hi,

I've been looking at the current state of the default (commented
out ready for use) radsqlrelay commands in radiusd.conf . for a
quick reminder they look like this:

#   sql_log {
#       path = ${radacctdir}/sql-relay
#       acct_table = "radacct"
#       postauth_table = "radpostauth"
#       sql_user_name = "%{%{User-Name}:-DEFAULT}"
#
#       Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#             NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#             AcctSessionTime, AcctTerminateCause) VALUES \
#             ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#             '%{Framed-IP-Address}', '%S', '0', '0', '');"
#       Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#             NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#             AcctSessionTime, AcctTerminateCause) VALUES \
#             ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#             '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
#             '%{Acct-Terminate-Cause}');"
#       Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#             NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#             AcctSessionTime, AcctTerminateCause) VALUES \
#             ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#             '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');"
#
#       Post-Auth = "INSERT INTO ${postauth_table} \
#             (username, pass, reply, authdate) VALUES \
#             ('%{User-Name}', '%{User-Password:-Chap-Password}', \
#             '%{reply:Packet-Type}', '%S');"
#   }

now - whilst radsqlrelay is recommended for those whose accounting DB systems
cannot keep up with the real flow of packets - and we recommend it - its not
productive to have imho a broken default config. the issues which i can see
from this are the following

1) with a default postgres install, those '0' dates are not going to work with the
supplied schema for PGSQL - in fact it takes a bit of breaking postgres for
such values to work.  the simple change is to have a null entry.

2) likewise for MySQL - '0000-00-00 00:00:00' is iirc the correct way of doing it

3) BOTH mysql and postgres (i havent done any looking into oracle) will have issues
with the radacct entries - for each of them has another index in the radacct table
which cannot be null and must be unique - 

mysql
acctuniqueid varchar(32) NOT NULL default ''
KEY acctuniqueid (acctuniqueid)

postgres
AcctUniqueIdVARCHAR(32) NOT NULL

such a value is not being provided in the field. which means when the user
finally runs radsqlrelay they will be faced with issues.

as far as i can see, radpostauth will work fine.

so what I'd propose is we get a few folk who are successfully using this function,
get their radiusd.conf entries, and have 2 sections for uncommenting - one for
postgres and one for mysql. 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
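As an added example (not code from the post or the project), here is the failure Alan describes reproduced in Python, followed by one corrected form of the Start and Stop queries. sqlite3 stands in for PostgreSQL with only the radacct columns the post names, so it reproduces the missing-AcctUniqueId failure but not the rejection of '0' as a date (sqlite does not type-check timestamps). AcctUniqueId is hashed from the same attributes as rlm_acct_unique's default key; the exact join format is an assumption of this example, as are the packet contents.

```python
"""Added example, not code from the post: the shipped sql_log Start query
against a radacct table whose AcctUniqueId is NOT NULL, and a fixed pair
of queries. sqlite3 stands in for PostgreSQL; packet contents are constructed."""
import hashlib
import sqlite3

RADACCT_DDL = """
CREATE TABLE radacct (
  RadAcctId          INTEGER PRIMARY KEY AUTOINCREMENT,
  AcctSessionId      VARCHAR(32) NOT NULL,
  AcctUniqueId       VARCHAR(32) NOT NULL,   -- no default, as in the pg schema
  UserName           VARCHAR(64),
  NASIPAddress       VARCHAR(15) NOT NULL,
  FramedIPAddress    VARCHAR(15),
  AcctStartTime      TIMESTAMP,              -- NULL until known, never '0'
  AcctStopTime       TIMESTAMP,
  AcctSessionTime    INTEGER,
  AcctTerminateCause VARCHAR(32)
);
CREATE UNIQUE INDEX radacct_unique ON radacct (AcctUniqueId);
"""

# rlm_acct_unique's default key attributes; the comma join is this example's assumption
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
              "Client-IP-Address", "NAS-Port")


def acct_unique_id(pkt):
    """32 hex chars; Start, Alive and Stop of one session hash to the same value."""
    return hashlib.md5(",".join(pkt.get(a, "") for a in UNIQUE_KEY).encode()).hexdigest()


def sql_str(value):
    """Single-quoted SQL literal. rlm_sql_log leaves escaping to the
    safe-characters list; here quotes are doubled so a crafted User-Name
    cannot turn the relay file into a SQL injection vector."""
    return "'" + str(value).replace("'", "''") + "'"


def default_start_sql(pkt, now):
    """Shape of the commented-out Start query: '0' placeholders, no AcctUniqueId."""
    return ("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, "
            "AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) "
            "VALUES (%s, %s, %s, %s, %s, '0', '0', '')"
            % (sql_str(pkt["Acct-Session-Id"]), sql_str(pkt["User-Name"]),
               sql_str(pkt["NAS-IP-Address"]), sql_str(pkt.get("Framed-IP-Address", "")),
               sql_str(now)))


def fixed_start_sql(pkt, now):
    """Start: supply AcctUniqueId and NULL for the not-yet-known stop time."""
    return ("INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, NASIPAddress, "
            "FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) "
            "VALUES (%s, %s, %s, %s, %s, %s, NULL, 0, NULL)"
            % (sql_str(pkt["Acct-Session-Id"]), sql_str(acct_unique_id(pkt)),
               sql_str(pkt["User-Name"]), sql_str(pkt["NAS-IP-Address"]),
               sql_str(pkt.get("Framed-IP-Address", "")), sql_str(now)))


def fixed_stop_sql(pkt, now):
    """Stop: the row exists since Start, so UPDATE it by AcctUniqueId; a second
    INSERT would collide with the unique index the post points out."""
    return ("UPDATE radacct SET AcctStopTime = %s, AcctSessionTime = %d, "
            "AcctTerminateCause = %s WHERE AcctUniqueId = %s"
            % (sql_str(now), int(pkt.get("Acct-Session-Time", 0)),
               sql_str(pkt.get("Acct-Terminate-Cause", "")), sql_str(acct_unique_id(pkt))))


def replay(conn, statements):
    """What radsqlrelay does with the sql-relay file: run each line in order."""
    for stmt in statements:
        conn.execute(stmt)
    conn.commit()


def demo():
    """Returns (was the default Start accepted?, row written by the fixed queries)."""
    pkt = {"User-Name": "alice", "Acct-Session-Id": "8000001F", "NAS-IP-Address": "10.0.0.1",
           "Client-IP-Address": "10.0.0.1", "NAS-Port": "15", "Framed-IP-Address": "10.8.0.23"}
    conn = sqlite3.connect(":memory:")
    conn.executescript(RADACCT_DDL)
    try:
        replay(conn, [default_start_sql(pkt, "2008-02-08 10:00:00")])
        default_ok = True
    except sqlite3.IntegrityError:           # NOT NULL constraint failed: radacct.AcctUniqueId
        default_ok = False
    stop = dict(pkt, **{"Acct-Session-Time": "1800", "Acct-Terminate-Cause": "User-Request"})
    replay(conn, [fixed_start_sql(pkt, "2008-02-08 10:00:00"),
                  fixed_stop_sql(stop, "2008-02-08 10:30:00")])
    return default_ok, conn.execute(
        "SELECT AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause "
        "FROM radacct WHERE AcctUniqueId = ?", (acct_unique_id(pkt),)).fetchone()


if __name__ == "__main__":
    print(demo())
```

Two further points a practitioner would check before uncommenting the shipped block: the Post-Auth query writes '%{User-Password:-Chap-Password}' into the pass column, so radpostauth (and the sql-relay file on disk while it waits for radsqlrelay) ends up holding cleartext passwords; and if the NAS retransmits a Stop, the UPDATE form above is idempotent whereas a second INSERT would trip the unique index.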


Re: Newslists

2008-02-08 Thread A . L . M . Buxey
hi,

spending more time posting pseudo-insults and complaints to people posting 
behaviour RATHER than the config/file-debug etc as requested aint going to 
help anyone.  sure, some sarcastic comments arent necessary, but the
basic method of using this list doesnt change.  

as previously mentioned, this list is occupied by folk doing lots
of other PAID work. none of us are paid for getting peoples configs
working (and trust me, various commercial enterprises have come
online solely through free help from this list). thus, we request
some bare minimum details to help.

the other possibility is you are a trail-blazer. in which case noone
can help you with your requirements. at least then if you do figure
it out, you too can post to other people in the future to make snide
remarks at their ineptitude (which you feel is happening now)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: no start of radiusd after reboot : mysql connection error

2008-02-08 Thread A . L . M . Buxey
Hi,

 I add the following line to the /etc/init.d/radiusd :
  start)
# Workaround for the problem of radiusd not starting after reboot
# cf freeradius-users@lists.freeradius.org thread "no start of 
 radiusd after reboot : mysql connection error"
ping -c 1 ntp.domain.com

echo -n $"Starting RADIUS server: "
   ...

hmmm, such a weird setting requirement hints at the actual network interface
needing a little more time until it is alive.  this may point the finger
away from the server and onto the network switch/router that it is connected
to instead. do you have eg 'spanning-tree portfast' configured on the port
that the server is connected to?  if not, you will have to wait up to 30
seconds after the network interface comes up before you are able to
send/receive network packets.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help in basic configuration in connection mysql with freeradius

2008-02-08 Thread A . L . M . Buxey
Hi,

 hi,
 I am trying to use mysql database with free radius 2.0.0 for the first
 time. I am using centOS 4.5 and mysql 4.1.2.The authentication works fine if
 I am using the unix username and password.  I modified some configurations
 in radiusd.conf and sql.conf but it doesn't work. Please tell me the most
 basic steps to configure freeradius with mysql.
 Here is the log file while running in debugging mode:

home-built with no sign of SQL activity in the log file.  so, did the server 
build with mysql support? 

what errors were thrown during the ./configure stage?

eg 

./configure --with-whatever-arguments | grep WARNING


you will need the mysql-devel package installed to build mysql support
into the system

alan 


Re: Re: Freeradius2 and proxing

2008-02-08 Thread A . L . M . Buxey
Hi,
 I do not receive any comment about my supplied patch.

 I will try to explain my issue better:

I understood what you stated - and the patch does appear
to handle the 'old style' 1.1.x DEFAULT handle properly.

..the old system could just be given a DEFAULT and
stuff would go to it.  i'm not sure if there's another
quirky thing somewhere else.. but your patch does
seem to do what it claims :-)

alan


Re: Using freeradius integrated with Active Directory toautenticatecisco passwords

2008-02-08 Thread A . L . M . Buxey
Hi,
 Thank you all.
 
 But how do I do this? Does anyone have a tutorial about it?

add the required parts to the radius config files to enable
krb5 (direct password check) against the AD - you will also need to ensure
your kerberos environment is sane and works 

eg run the command

kinit your_user_id

on the command line to validate that your machine can get a kerberos
ticket

the bits you need to add to the radius config are:

krb5 {
}

to the module stanza (radiusd.conf)

and

Auth-Type krb5 {
krb5
}

to the authenticate stanza (radiusd.conf in 1.1.x and sites-enabled/default
in radiusd 2.x)

you MAY need to set Auth-Type = krb5 for the required user or NAS setting
depending on your config!

alan


Re: Newslists

2008-02-08 Thread A . L . M . Buxey
Hi,

 But when it checks for the attribute in the reply packet, it says it can't 
 find it, but it still does the attrib-rewrite changes the values and then 
 moans it couldn’t find the value pair. This is obviously not normal in my 
 opinion, and thus I asked about a specific problem. I only attached the debug 
 portion as it is specific to the problem.

post the relevant part of your config file?  We aren't seeing
the whole picture. when you take a car to the garage, the mechanic
hears your story AND sees the car.

alan

Re: weird error

2008-02-08 Thread A . L . M . Buxey
Hi,

 else you can get into a situation where the compiler assumed the function 
 (in this case ldap_get_values) returns an int (32bit), but it actually 
 returns a pointer (64bit on 64 bit systems) which can then get truncated 
 (which is likely why it always looked the same, because the part that 
 stayed after the truncation was the same...)

 good debian wiki article about implicit pointer conversion
 http://wiki.debian.org/ImplicitPointerConversions

 #define LDAP_DEPRECATED 1 added as the first line in rlm_ldap.c ...

fixed the issue?

alan


Re: Newslists

2008-02-09 Thread A . L . M . Buxey
Hi,

 Ok but then 
 
 The thing about the attr_rewrite module is that it looks at ALL attributes
 in the list.  In this case, you have two Configuration-Tokens.  One has
 value SHAPED_NORMAL, and the other UNSHAPED_NORMAL.  It doesn't match
 the first, but it does match the second.  After that, it says it couldn't
 find any more.
 
 Where does it get the second Configuration-Token from ?

well, from your debug I see this:

Sending Access-Accept of id 195 to 196.43.1.92 port 1820
Framed-Protocol := PPP
Configuration-Token := SHAPED_NORMAL
Session-Timeout := 86340
Acct-Interim-Interval := 3600
Configuration-Token = SHAPED_NORMAL
Reply-Message = Your maximum monthly usage time has been reached
Proxy-State = 0x313030

there are 2 Configuration-Token attributes.  possibly because
it was added in an incorrect way, or adjusted/set incorrectly originally?

alan


Re: Newslists

2008-02-10 Thread A . L . M . Buxey
hi,

..and i'd like to add that, once again, we are not seeing the whole
picture - eg your configuration files and/or SQL tables.  this case
hence drags on and on...

alan


Re: Newslists

2008-02-10 Thread A . L . M . Buxey
Hi,

 Yes this is why I started looking at the debugs to see what was happening
 and found the attribute rewrite issue where it says it cannot find the
 configuration token, if I take the Configuration token out of the radgroup
 reply it shows one, if I take the attrib-rewrites out it only shows one in
 the access accept packet.

_how_ are you adding it via the radgroup reply?  which operator
are you using?

alan
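An added example (not from this thread or from FreeRADIUS) modelling why the operator matters for the duplicate Configuration-Token seen in the debug output above and asked about here. The reply-item semantics follow the users(5) man page: `=` adds only if no attribute of that name exists, `:=` adds or replaces the existing one, `+=` always adds another instance. The radgroupreply rows below are constructed, not the poster's tables.

```python
def merge_reply(reply, items):
    """Apply (attribute, operator, value) reply items to a reply list, in order.

    The reply list is a list of (attribute, value) tuples, like the attributes
    printed under "Sending Access-Accept" in debug output.
    """
    reply = list(reply)
    for attr, op, value in items:
        existing = [i for i, (a, _) in enumerate(reply) if a == attr]
        if op == "=":
            if not existing:                 # present already -> ignored
                reply.append((attr, value))
        elif op == ":=":
            if existing:                     # replace the first instance
                reply[existing[0]] = (attr, value)
            else:
                reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))      # always another copy
        else:
            raise ValueError(f"unsupported reply operator {op!r}")
    return reply


def count(reply, attr):
    """Number of instances of attr in the reply list."""
    return sum(1 for a, _ in reply if a == attr)


# Constructed radgroupreply rows, applied in the order the server sees them.
GROUP_ITEMS = [
    ("Framed-Protocol", ":=", "PPP"),
    ("Configuration-Token", ":=", "SHAPED_NORMAL"),
    ("Session-Timeout", ":=", "86340"),
]

# Two ways a later source (another group, attr_rewrite, a users entry)
# might try to add the same attribute again.
DEDUP_ITEMS = [("Configuration-Token", "=", "SHAPED_NORMAL")]    # no duplicate
APPEND_ITEMS = [("Configuration-Token", "+=", "SHAPED_NORMAL")]  # duplicate

if __name__ == "__main__":
    base = merge_reply([], GROUP_ITEMS)
    print("with '=' :", count(merge_reply(base, DEDUP_ITEMS), "Configuration-Token"))
    print("with '+=':", count(merge_reply(base, APPEND_ITEMS), "Configuration-Token"))
```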


Re: rlm_perl with huge load (~1000-1500 request per minute)

2008-02-11 Thread A . L . M . Buxey
Hi,

 Hello!
 
 i use freeradiusd 1.7, rlm_perl with thread conf:
 
 thread pool {
 start_servers =  100
 max_servers = 1500
 min_spare_servers = 1
 max_spare_servers = 10
 max_requests_per_server = 10
 }
 
 rlm_sql uses mysql.
 
 All works fine, but sometime, at moment with high load:
 
 Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to 
 unfinished request 2176280
 
 and radiusd seems frozen, takes 99% of CPU time, and does not respond to
 clients' requests.
 
 FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.
 
 any ideas?

yep - your database can't keep up with either the authentication traffic,
the accounting traffic or both.

try using sql_log for the accounting - to take it out of 100% realtime
for each incoming packet.


also your config looks a bit wonky.

 thread pool {
 start_servers =  100
 max_servers = 1500
 min_spare_servers = 1
 max_spare_servers = 10
 max_requests_per_server = 10
 }


start servers = 100
max spare servers = 10

so the first thing it has to do is kill a load off(!) - set the spare to 100.
how many SQL threads are you running?

alan
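An added example (not part of the thread or of FreeRADIUS) that parses a `thread pool { ... }` block and flags the mismatch pointed out above: start_servers well above max_spare_servers, so the server's first job after startup is killing the threads it just created. The extra check on max_requests_per_server and its threshold are this example's own assumptions; the quoted block is reproduced as a constructed string.

```python
import re

# Settings the check understands; anything else in the block is ignored.
KEYS = ("start_servers", "max_servers", "min_spare_servers",
        "max_spare_servers", "max_requests_per_server")


def parse_thread_pool(text):
    """Extract integer settings from the first `thread pool { ... }` block."""
    m = re.search(r"thread\s+pool\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no thread pool block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in KEYS:
                settings[key.strip()] = int(value.strip())
    return settings


def check_thread_pool(cfg):
    """Return a list of problems found (empty list means the block is sane)."""
    problems = []
    start = cfg.get("start_servers", 0)
    max_srv = cfg.get("max_servers", 0)
    max_spare = cfg.get("max_spare_servers", 0)
    per_srv = cfg.get("max_requests_per_server", 0)
    if start > max_spare:
        # pool starts above its idle ceiling: threads are killed immediately
        problems.append(f"start_servers={start} > max_spare_servers={max_spare}")
    if start > max_srv:
        problems.append(f"start_servers={start} > max_servers={max_srv}")
    if 0 < per_srv < 100:
        # example's own check: a tiny value recycles threads after a handful
        # of requests; 0 lets a thread live for the life of the server
        problems.append(f"max_requests_per_server={per_srv} recycles threads constantly")
    return problems


# Constructed copy of the block quoted in the thread.
POSTED_CONFIG = """
thread pool {
    start_servers = 100
    max_servers = 1500
    min_spare_servers = 1
    max_spare_servers = 10
    max_requests_per_server = 10
}
"""

# Same block with the spare ceiling raised to 100, as suggested above,
# and per-thread request recycling switched off.
FIXED_CONFIG = (POSTED_CONFIG
                .replace("max_spare_servers = 10", "max_spare_servers = 100")
                .replace("max_requests_per_server = 10", "max_requests_per_server = 0"))

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_thread_pool(parse_thread_pool(cfg)) or "OK")
```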


Re: EAP session matching the State variable.

2008-02-11 Thread A . L . M . Buxey
Hi,

 i am sorry, but my server doesn't have any internet-access... so, i can't use 
 cvs for updating.

use CVS on another machine, tar up the resulting CVS checkout, copy
it to the server and recompile. it must have networking of some sort
to be a radius server, n'est-ce pas? ;-)

alan


Re: multiple NAS's and Mysql

2008-02-12 Thread A . L . M . Buxey
hi,

a single FreeRADIUS server can do this. simply put each range
of NASs into different groups and then use the group and
groupreply tables in the SQL to do your return code work.

if you can't google for SQL howto freeradius then

http://wiki.freeradius.org/SQL_HOWTO#Configuring_FreeRadius_to_use_SQL


if that document does help you enough, then please post
to the list with its weaknesses so that it may be strengthened

that HOWTO link is posted each week on this list. how can we
make it more obvious? (open question to others who struggle
with the SQL and FreeRADIUS)

alan


Re: conneting to mysql

2008-02-12 Thread A . L . M . Buxey
Hi,
 hi,
 In order to connect to mysql what are the necessary configuration files
 to be changed.

1.x or 2.x ?

generally, you need to edit radiusd.conf and/or sites-enabled/*
to ensure that the sql.conf is loaded. then you need to edit
sql.conf appropriately

alan


Re: FR2 - proxying inner tunnel

2008-02-13 Thread A . L . M . Buxey
Hi,

 Tue Feb 12 23:45:21 2008 : Error: Warning:  Found 2 auth-types on request 
 for user '[EMAIL PROTECTED]'
 Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, 
 accepting the user

whoah.  WinXP is very fussy (as should all EAP clients) about getting a proper
EAP return.  you seem to have thrown an 'Accept' straight back to the challenge
rather than let the EAP engine do its business. 

config file or startup debug output please


alan


Re: accounting - no huntgroups

2008-02-13 Thread A . L . M . Buxey
Hi,
 Arran Cudbard-Bell wrote:
  Woah, get that working with SQL and you have an insanely useful feature.
  Oooo what VLANS does this NAS support, hmm i'll just check the client
  VLAN tags. Where is this NAS located, hmm i'll just check the
  arbitrarily populated location tag.
 
   Err... why?  You can do that already:
 
   if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

yep - but i think the default schema for clients didn't have these
extra features added. at least someone mentioned synchronising them
recently

more importantly for other people - do these attributes get passed
through the message structure for PERL and Python?


alan


Re: EAP-TTLS/PAP tunneling issue

2008-02-13 Thread A . L . M . Buxey
Hi,
 I've been simulating the traffic with JRadiusSimulator and used the 
 EAP-TTLS/PAP option. Is there any other simulator you know of which I can 
 use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

wpa_supplicant  is a good tool

alan


Re: Is tunnel right? (EAP-TTLS)

2008-02-14 Thread A . L . M . Buxey
Hi,
 Sorry to insist, but is it right that debug mode shows the user
 password, even when using a tunnel?

yes - if the password is available in a clear format - eg not
a challenge/response method.  ALL passwords get printed in clear
text.

alan


Re: Is tunnel right? (EAP-TTLS)

2008-02-14 Thread A . L . M . Buxey
Hi,

 But, I don't understand, how can it be shown if the password is encrypted
 in LDAP and I am using EAP-TTLS? is the password not inside the tunnel?
 I am using securew2 with PAP from windows clients. Does it mean that the
 password could be sniffed when radius is not running in debug mode??

the server KNOWS the password. therefore it is showing it. that's how
it can do the LDAP stuff... it HAS to know the password to make
the LDAP attempt successful. the password will always be available in
a raw format in the server engine.  if you don't like passwords,
move to a challenge/response system - eg MSCHAPv2

i wouldn't lose sleep over it. when the server is not running in debug
mode, the only way of sniffing the password is via a few changes to
the FreeRADIUS source code.  in general practice that password is
buried in a TTLS tunnel. it's not readable by anything other than the
RADIUS server. think of the information flow and process.

alan


Re: where is db_mysql.sql in 2.0.2?

2008-02-15 Thread A . L . M . Buxey
Hi,
 hi Alan,
 
 where is the db_mysql.sql file in 2.0.2?
 i've searched everywhere, but found nothing.

freeradius-server-2.0.2/raddb/sql/mysql/nas.sql
freeradius-server-2.0.2/raddb/sql/mysql/schema.sql
freeradius-server-2.0.2/raddb/sql/mysql/ippool.sql

alan


Re: Could not link driver rlm_sql_mysql.so

2008-02-15 Thread A . L . M . Buxey
Hi,

  I couldn't link the mysql 5 driver with freeradius 2.0.2 due to this
 file rlm_sql_mysql.so. I couldn't locate this file in my entire system.
 I've gone through all the faq's, but it doesn't work. the error's still
 there.

answered every week on this list.  your system didn't build FR with mysql 
support.
why? probably because you don't have the required development package 
installed.. eg

mysql-devel

if you run the configure stage through some sanity checking, you get to
see all the good stuff.. eg

./configure --with-blah-blah  | grep WARN


alan


Re: can't get WPA/2 and EAP-TTLS to work

2008-02-15 Thread A . L . M . Buxey
Hi,

 
 The wpa_supplicant keeps looping looking for missing keys
 according to Jouni.  I suspected my Cisco access point was
 not configured properly, but Cisco claims that FreeRADIUS is
 asking the access point about dynamic VLANs which aren't even
 configured in FreeRADIUS (see configurations below).

from what i can see, rubbish. freeradius as an AAA does not
ask NASs about their VLANs - dynamic or otherwise! there are a 
few things wonky or wrong. 

first, what version of FR are you using exactly? i would STRONGLY
recommend 2.0.2 as 1.1.x (you appear to be 1.1.7 with patches...)
isn't as configurable.

secondly

 foo User-Password == password

foo  Cleartext-Password := password

(as clearly stated in the docs)


 Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create 
 attribute MS-MPPE-Recv-Key: Unknown attribute
 MS-MPPE-Recv-Key
 Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create 
 attribute MS-MPPE-Send-Key: Unknown attribute
 MS-MPPE-Send-Key

this ain't good. you've got to have these in your TTLS or things aren't
going to work. dictionary files all okay and present and loaded? 
you aren't filtering attributes from my quick scan of the config... unless
you've not copied that part.

alan


Re: proxed EAP and eduroam project

2008-02-18 Thread A . L . M . Buxey
Hi,

 rather than a problem, this is a question.
 I assume you know what eduroam is, but just in case:
 What is eduroam

several members of this list are involved in eduroam at sites
worldwide.

 What happens is that the EAP conversation travels in cleartext across
 the public internet (really the inter-university networks).

cleartext?  not really.  the proxied traffic will be at least
encapsulated via a shared secret between each RADIUS end point. 
and the inner method itself is sat in the EAP tunnel. unless
using a very old method like EAP-MD5.  ideally you wouldn't use a PAP
method either - MSCHAPv2 challenge response in PEAP or EAP-TTLS
would give greater security.  however, EAP-TLS is the de facto
top-level way of doing it. platinum service, as it were - but
you've got to have a full PKI infrastructure for creation, 
deployment and revocation. 

looking to the future, RADSEC will be involved in 'beefing up'
the RADIUS to RADIUS communication channel. as well as the
automatic assignment/discovery of AAA end point systems.

alan


Re: FreeRadius question

2008-02-18 Thread A . L . M . Buxey
Hi,
 Ladies and Gentlemen,
 
 I am trying to find out how I can check what options
 the freeradius binary available for download was
 compiled with.   I have STFW and RTFM, but still am
 not sure as to how to check.  radiusd -X gives some
 information, but
 nothing about what freeradius was compiled with.  I am
 interested in finding out if the binary was compiled
 with e-Directory support. Thanks for any help.

WHICH binary available for download?

alan


Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2

2008-02-21 Thread A . L . M . Buxey
Hi,
 
 No love man.  
 
 Changed the huntgroup definition and also changed the
 sites-enabled/SERVER-1760 file to read. 

did you edit the users file according to the instructions too?
..the debug logs suggest otherwise 

alan


Re: your mail

2008-02-22 Thread A . L . M . Buxey
Hi,

 I am trying to setup freeradius 1. I have chap authentication working with 
 mysql but pap authentication will not work with mysql. This is what I 
 receive from the nas when someone tries to connect.

radius.conf does not contain the full sql details - eg sql.conf, 
the required SQL backend and your table entries are all required

alan


Re: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2

2008-02-22 Thread A . L . M . Buxey
Hi,
 
 Yes I did make that change. What in the output
 suggested I didn't? 

Auth-Type already set

 I don't know what the deal is, it seems odd that it
 will read the file and proxy my requests but failed to
 authenticate a locally defined user in the file. 

it's matching on line * (iirc) of the users file, and failing
because of that

alan

