Re: Re: Radius breaks down during Accounting Request

2007-02-08 Thread tzieleniewski
[EMAIL PROTECTED]:~/freeradius/raddb$ radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, 
built on Jan 29 2007 at 13:36:2

 tzieleniewski wrote:
 ...
  modcall:  entering group preacct for request 1
  Naruszenie ochrony pamięci (translation - memory segmentation fault)
 
   Which version of the server are you running?
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management

2007-02-08 Thread Bernard Ochieng
On Wed 07 Feb 2007 07:30, Bernard Ochieng wrote:
 Hello All,

 I have configured FreeRADIUS to do bandwidth and authentication together
with the BAM server, however the RADIUS does authenticate but it fails on
 BAM hence the CPEs are not authenticated and registered by the Access
 Points. Anyone who can help on this?

What do you mean by fails on BAM?

BAM does not accept the authenticated elements from the FreeRADIUS hence 
CPEs are not registered to the respective APs.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- Original Message - 
From: Peter Nixon [EMAIL PROTECTED]
To: Bernard Ochieng [EMAIL PROTECTED]; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Wednesday, February 07, 2007 3:13 PM
Subject: Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM 
authentication and Bandwidth Management




Re: simple mac-auth

2007-02-08 Thread Mikko Husari
Phil Mayers wrote:
 Mikko Husari wrote:
   
 Mikko Husari wrote:
 
 Hi!

 I'm currently running eap-tls with username and password (from ldap), but 
 now we're having a bunch of stupid wlan-client machines, and we need 
 a simple mac-auth (from ldap?) to the network. Basic idea (example 
 from the outside world): "So, no certificate and login credentials, can't let 
 you in." "But I'm on a vip-list!" "Oh, I see, come on in, sorry for the 
 inconvenience." For now we are happy to get just that to work; the next 
 level would be something concerning vlans... I think (in the long run) 
 we don't want to have too much accessibility in those stupid machines. 
 Poorly explained, not enough coffee in veins yet...

 thanks in advance
   
   
 Wouldn't i just be able to create  hints rule that says if 
 calling-station-id ==  xx-xx-xx-xx-xx permit access , or something similar?
 

 Yes. Like I said, it's easy.

 My advice would be to use an rlm_passwd with a key of calling-station-id 
 and use the authtype value on the module instance to set to Accept.

 As I said, your AP still needs to support sending the MAC to Radius on 
 association. I suggest you consult your AP docs.
   
Well, I managed to set up a module that checks the file and returns 
ok/not found/noop, but now my problem is how to make it 
authorize me according to the maclist... at the moment it checks the 
eap-tls module... well, there are two sections in that radiusd.conf, 
authenticate and authorize; I tried listing that maclist module in the 
last one and it complained that passwd modules are not allowed in there...


sql module doesn't use read_groups parameter

2007-02-08 Thread tzieleniewski
Hi!!

I was setting up the sqlcounter module and I needed to set the group parameter in
the radgroupcheck table in order to set the limit values for sqlcounter. I found out
that the sql module doesn't work correctly. I set the read_groups parameter in the
sql.conf file to 'yes' and despite that the sql module doesn't do the group
processing.
During the startup procedure I don't see any info about that parameter, no matter
whether it is set to 'yes' or 'no'. And then there is no processing during request
servicing in the authorize section:

here is the radius output for sql module:
sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = radius
 sql: password = radiustz81
 sql: radius_db = radius2_0
 sql: sqltrace = yes
 sql: sqltracefile = /var/log/radiusd/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
 sql: default_user_profile = 
 sql: nas_query = SELECT id, nasname, shortname, type, secret FROM nas
 sql: authorize_check_query =
(sql queries)
ER BY priority
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = 
 sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0
 sql: postauth_query = INSERT into radpostauth (id, user, pass, reply, date) 
values
('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}',
'%S')
 sql: safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius2_0
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)

authorize section from radiusd.conf:
authorize {

preprocess
auth_req_log
digest
suffix
sql
daily
expiration
logintime
pap
auth_req_log
daily_sqlcounter
}


And request processing by sql module:
radius_xlat:  'tomix'
rlm_sql (sql): sql_set_user escaped user -- 'tomix'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck
  WHERE Username = 'tomix'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'tomix'   ORDER BY id
rlm_sql (sql): User found in radcheck table
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply
  WHERE Username = 'tomix'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'tomix'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair

I kindly ask for your help
Bests
-Tomasz







Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management

2007-02-08 Thread Alan DeKok
Bernard Ochieng wrote:
 What do you mean by fails on BAM?
 
 BAM does not accept the authenticated elements from the FreeRADIUS hence 
 CPEs are not registered to the respective APs.

  Perhaps you could try explaining in more detail, and using fewer acronyms.

  i.e. BAM?  What's that?  You appear to be the first person on this
list asking about BAM.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: VALGRIND: Major impact on authentication!

2007-02-08 Thread Peter Nixon
On Thu 08 Feb 2007 05:54, Guilherme Franco wrote:
 Hi,

 I did run valgrind radiusd -xxx at Wed Feb 7 19:15:08 2007 and at
 Wed Feb 7 20:59:04 2007 radiusd DIED.

 Afterwards, service radius restart would not work and of lots of
 Error: Internal error processing module entry, Error:
 rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-24338: statement
 handle not executed, and Error: rlm_sql (sql): failed after
 re-connect appeared.

 I've just disabled accounting in the NAS and then service radiusd
 start worked.

Eeek. I suggest that you consider using radrelay or sqllog for your accounting 
to reduce the number of connections and queries your authentication daemon 
is doing.

The oracle driver obviously needs someone to look at it. :-(

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Radius breaks down during Accounting Request

2007-02-08 Thread Alan DeKok
tzieleniewski wrote:

 I am trying to use radius as the accounting server for Sip proxy.
 After I send the Accounting request to radius the radius server breaks down 
 and informs about a memory segmentation fault. Please point me to what could be 
 the reason for this.
 Here is the radius debug output:

  OK, CVS should now have a fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM authentication and Bandwidth Management

2007-02-08 Thread Bernard Ochieng
Alan,

Thank you for your e-mail in which you have sought more explanation on the
problem.

We have deployed a Motorola Canopy network using Access Points (AP) and
Subscriber Modules (SM) to provide a fixed wireless broadband solution to our
customers. Motorola have a management software known as PrizmEMS which
incorporates a Bandwidth and Authentication Management (BAM) module in it.
There are several ways to configure the bandwidth and authentication for the
SMs. I opted to use FreeRADIUS which has been configured as per the user
manual provided. I still cannot have the Subscriber Modules be registered to
authentication-enabled Access Points. When I check the logs it shows that
FreeRADIUS has authenticated the Subscriber Modules, however it fails to
authenticate on the Bandwidth and Authentication Management module of the
PrizmEMS s/w. Kindly let me know if this is more clear.

Regards,

Bernard
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: Bernard Ochieng [EMAIL PROTECTED]; FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Sent: Thursday, February 08, 2007 11:41 AM
Subject: Re: Configuring FreeRADIUS and BAM for Motorola Canopy SM
authentication and Bandwidth Management


 Bernard Ochieng wrote:
  What do you mean by fails on BAM?
 
  BAM does not accept the authenticated elements from the FreeRADIUS hence
  CPEs are not registered to the respective APs.

   Perhaps you could try explaining in more detail, and using fewer
acronyms.

   i.e. BAM?  What's that?  You appear to be the first person on this
 list asking about BAM.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog



Cisco-AVPair = client-mac-address=000f.ea20.e1ad to Calling-Station-Id = 000f.ea20.e1ad rule

2007-02-08 Thread Victor
Hello,

I have an accounting packet with attributes like:

Acct-Session-Id = 0/0/1/3_01CC
Cisco-AVPair = client-mac-address=000f.ea20.e1ad
Framed-Protocol = PPP
Framed-IP-Address = 192.168.0.235
User-Name = global
Cisco-AVPair = connect-progress=LAN Ses Up
Cisco-AVPair = nas-tx-speed=1 
Cisco-AVPair = nas-rx-speed=1 
...

How can I create (or rewrite if it exists) the Calling-Station-Id attribute
with value 000f.ea20.e1ad (the MAC from Cisco-AVPair =
client-mac-address=000f.ea20.e1ad) for SQL accounting?
Only if a Cisco-AVPair with client-mac-address exists, of course.

ps: I'm not sure that in the current accounting packet it's in
%{Cisco-AVPair[0]} and not %{Cisco-AVPair[3]} or %{Cisco-AVPair[156]},
etc.

Thanx!

-- 
Best regards,
 Victor  mailto:[EMAIL PROTECTED]



Re: a problem about radius and ldap

2007-02-08 Thread Ramazan Ulker

Hi
I sent two LDAP entries, the ldapsearch result and the debug output. In this ldapsearch there
is a clear-text userPassword. Anyway, I describe the problem shortly for your
help.
Like in the howto:
authorize {
  preprocess
  files
  ldap
  eap
}

authenticate {
  ldap
  eap
}

ldapsearch result

userpassword=ramazan
.
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount

...

radtest is successful for this configuration but the XP client isn't.
ldapattr.map has a User-Password to userPassword mapping. Deleting the
entry ldap in the
authentication block in radius.conf results in failure both for radtest
and the XP client.

For this configuration above debug log

  rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7,
length=129
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = ramazan
Called-Station-Id = 00-0F-8F-77-DB-81
Calling-Station-Id = 00-12-79-AE-D2-4D
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0204000c0172616d617a616e
Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=dot1x.com'
radius_xlat:  '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|((objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))((objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter
((cn=VPN)(|((objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))((objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
   users: Matched DEFAULT at 174
 modcall[authorize]: module files returns ok for request 0
 rlm_eap: EAP packet type notification id 4 length 12
 rlm_eap: EAP Start not found
 modcall[authorize]: module eap returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat:  '(uid=ramazan)'
radius_xlat:  'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by
radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 2  op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 
op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN  op=11
rlm_ldap: Adding radiusClass as Class, value employee  op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
 rlm_eap: EAP packet type notification id 4 length 12
 rlm_eap: EAP Start not found
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
 modcall[authenticate]: module eap returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/no User-Password attribute] (from client radius port
50001 cli 00-12-79-AE-D2-4D)

Sending Access-Challenge of id 7 to 192.168.100.17:1812
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 = 2
Tunnel-Medium-Type:0 = 6
Tunnel-Type:0 = VLAN
Class = 0x656d706c6f796565
EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
Message-Authenticator = 0x
State =
0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8,
length=184
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = ramazan
Called-Station-Id = 00-0F-8F-77-DB-81
Calling-Station-Id = 00-12-79-AE-D2-4D
Service-Type = Framed-User
Framed-MTU = 1500
State =
0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
EAP-Message = 

Re: Segmentation fault on PAP calling

2007-02-08 Thread Alan DeKok
Giovanni Lovato wrote:
 I'm using FreeRADIUS 1.1.4 compiled from sources on Debian Etch.
 I backend against LDAP with hashed password. Now I'm trying to configure
 authentication to use with WPA, but it segfaults on calling PAP:

  I've committed a fix for that bug, thanks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread robert
Hello,

This is my first post on this mailing list, so sorry if I am in the 
wrong place!!

I am having problems getting the RADIUS server to validate my VPN clients.
Reading through the mail archives, I have found similar subjects, but 
the main difference I have is the fact that I don't have authority on 
the RADIUS server.
The main problem comes from my Windows clients; I am trying to stick to 
the default Microsoft auth method (using MS-CHAP v2) to keep the client 
side as simple as possible.
So I have set up my pptp daemon, installed radiusclient, and have used 
the dictionary.microsoft from the sources of radiusclient.
I must point out that authentication works using the User-Password field 
(say if I am wrong, but this is a clear text password?) on 802.1X 
clients, and all users in the LDAP base have a valid User-Password (but 
no NT/LM passwords).
The solutions I have come across until now tell me to use the NT or LM 
password field and the problem is solved, but I can't change the layout; 
it has been set by eduroam, who guides the project.
So I must get my radius client to work with User-Password, but I don't 
know where to start...
A log sent from the RADIUS admin shows that the mschap module fails to 
find User-Password (this is how I have understood it!) and refuses to 
validate the user.
Here is the part I am talking about:
 FROM Radius log:

auth: type MS-CHAP

Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
   
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

But I am sure that the field User password contains the valid password I 
am trying to use.

Just in case, I shall post the dictionary.microsoft I am using:

#
#   Microsoft's VSA's, from RFC 2548
#
#   $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
#

VENDOR      Microsoft                       311     Microsoft

ATTRIBUTE   MS-CHAP-Response                1       string  Microsoft
ATTRIBUTE   MS-CHAP-Error                   2       string  Microsoft
ATTRIBUTE   MS-CHAP-CPW-1                   3       string  Microsoft
ATTRIBUTE   MS-CHAP-CPW-2                   4       string  Microsoft
ATTRIBUTE   MS-CHAP-LM-Enc-PW               5       string  Microsoft
ATTRIBUTE   MS-CHAP-NT-Enc-PW               6       string  Microsoft
ATTRIBUTE   MS-MPPE-Encryption-Policy       7       string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE   MS-MPPE-Encryption-Type         8       string  Microsoft
ATTRIBUTE   MS-MPPE-Encryption-Types        8       string  Microsoft
ATTRIBUTE   MS-RAS-Vendor                   9       integer Microsoft
ATTRIBUTE   MS-CHAP-Domain                  10      string  Microsoft
ATTRIBUTE   MS-CHAP-Challenge               11      string  Microsoft
ATTRIBUTE   MS-CHAP-MPPE-Keys               12      string  Microsoft
ATTRIBUTE   MS-BAP-Usage                    13      integer Microsoft
ATTRIBUTE   MS-Link-Utilization-Threshold   14      integer Microsoft
ATTRIBUTE   MS-Link-Drop-Time-Limit         15      integer Microsoft
ATTRIBUTE   MS-MPPE-Send-Key                16      string  Microsoft
ATTRIBUTE   MS-MPPE-Recv-Key                17      string  Microsoft
ATTRIBUTE   MS-RAS-Version                  18      string  Microsoft
ATTRIBUTE   MS-Old-ARAP-Password            19      string  Microsoft
ATTRIBUTE   MS-New-ARAP-Password            20      string  Microsoft
ATTRIBUTE   MS-ARAP-PW-Change-Reason        21      integer Microsoft

ATTRIBUTE   MS-Filter                       22      string  Microsoft
ATTRIBUTE   MS-Acct-Auth-Type               23      integer Microsoft
ATTRIBUTE   MS-Acct-EAP-Type                24      integer Microsoft

ATTRIBUTE   MS-CHAP2-Response               25      string  Microsoft
ATTRIBUTE   MS-CHAP2-Success                26      string  Microsoft
ATTRIBUTE   MS-CHAP2-CPW                    27      string  Microsoft

ATTRIBUTE   MS-Primary-DNS-Server           28      ipaddr  Microsoft
ATTRIBUTE   MS-Secondary-DNS-Server         29      ipaddr  Microsoft
ATTRIBUTE   MS-Primary-NBNS-Server          30      ipaddr  Microsoft
ATTRIBUTE   MS-Secondary-NBNS-Server        31      ipaddr  Microsoft

#ATTRIBUTE  MS-ARAP-Challenge               33      string  Microsoft


#
#   Integer Translations
#

#   MS-BAP-Usage Values

VALUE       MS-BAP-Usage                    Not-Allowed     0
VALUE       MS-BAP-Usage                    Allowed         1
   

Re: Cisco-AVPair = client-mac-address=000f.ea20.e1ad to Calling-Station-Id = 000f.ea20.e1ad rule

2007-02-08 Thread Bjørn Mork
Victor [EMAIL PROTECTED] writes:

 I have an accounting packet with attributes like:

 Acct-Session-Id = 0/0/1/3_01CC
 Cisco-AVPair = client-mac-address=000f.ea20.e1ad
 Framed-Protocol = PPP
 Framed-IP-Address = 192.168.0.235
 User-Name = global
 Cisco-AVPair = connect-progress=LAN Ses Up
 Cisco-AVPair = nas-tx-speed=1 
 Cisco-AVPair = nas-rx-speed=1 
 ...

 How can I create (or rewrite if it exists) the Calling-Station-Id attribute
 with value 000f.ea20.e1ad (the MAC from Cisco-AVPair =
 client-mac-address=000f.ea20.e1ad) for SQL accounting?
 Only if a Cisco-AVPair with client-mac-address exists, of course.

You can create a Client-Mac-Address attribute by enabling 

with_cisco_vsa_hack = no

in the preprocess section of radiusd.conf.  You can then use this
attribute to rewrite Calling-Station-Id if you like.

See src/modules/rlm_preprocess/rlm_preprocess.c for details on the
implementation.


Bjørn



Starting radius issue - configuration files globally readable.

2007-02-08 Thread tzieleniewski
Hi!

I have just compiled the latest CVS and whenever I try to start radius I get 
the following info:
Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally 
readable.

This is because I use symbolic links to the files. Can this restriction be 
somehow removed??

Bests
-tomasz



Re: Starting radius issue - configuration files globally readable.

2007-02-08 Thread Alan DeKok
tzieleniewski wrote:
 Hi!
 
 I have just compiled the latest CVS and whenever I try to start radius I get 
 the following info:
 Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally 
 readable.
 
 This is because I use symbolic links to the files. Can this restriction be 
 somehow removed??

  Edit the source code.

  I will likely be updating the checks to be a little smarter than what
they are right now.  But having the config files globally readable means
 that anyone can pretend to be the RADIUS server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
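A permission check of the kind discussed in this thread, as an added example that is not FreeRADIUS's own code: it tests the "other read" bit of a configuration file and shows why symlinks matter for such a check, since os.stat() follows the link and judges the target file, while os.lstat() reports the link's own mode. The temporary directory, file names and modes are constructed for the demonstration, and the list of config names in check_config_dir is a hypothetical one.

```python
import os
import stat
import tempfile


def is_world_readable(path, follow_symlinks=True):
    """True when the file the path refers to has the 'other read' bit set.
    With follow_symlinks=True os.stat() resolves the link, so a symlink in
    raddb is judged by the mode of the file it points at; os.lstat() would
    report the link's own (normally 0777) mode instead."""
    st = os.stat(path) if follow_symlinks else os.lstat(path)
    return bool(st.st_mode & stat.S_IROTH)


def check_config_dir(directory, names=("radiusd.conf", "clients.conf", "sql.conf")):
    """Map each present config file (hypothetical list of names) to whether
    it is world-readable once symlinks are resolved."""
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.exists(path):
            report[name] = is_world_readable(path)
    return report


def demo():
    """Constructed scenario in a temp dir: the real config file at mode 0640
    and raddb/radiusd.conf as a symlink to it, then the target loosened to
    0644 to show the check following the link notices the change."""
    with tempfile.TemporaryDirectory() as raddb:
        target = os.path.join(raddb, "radiusd.conf.real")
        with open(target, "w") as fh:
            fh.write("# constructed placeholder, not a real radiusd.conf\n")
        os.chmod(target, 0o640)
        link = os.path.join(raddb, "radiusd.conf")
        os.symlink(target, link)

        results = {
            "target_0640": is_world_readable(target),
            "link_follow": is_world_readable(link),
            "link_nofollow": is_world_readable(link, follow_symlinks=False),
        }
        os.chmod(target, 0o644)
        results["target_0644"] = is_world_readable(target)
        results["report"] = check_config_dir(raddb)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A world-readable radiusd.conf or clients.conf exposes the shared secrets in it to every local account, which is the impersonation risk the reply describes; on a real system the fix is a restrictive mode on the link target (the file itself) with group ownership limited to the radiusd user, not on the symlink.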


Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread Alan DeKok
robert wrote:

 A log sent from the Radius Admin shows that the mschap module fails to 
 find User-Password (this is how I have understood it!) and refuses to 
 validate the user.

  Yes.  The server does not know what the correct password is for the
user, so it can't authenticate the user.

  Ask the RADIUS Admin to configure a password for the user.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: VALGRIND: Major impact on authentication!

2007-02-08 Thread Guilherme Franco
Hello,

Thank you for the consulting offer Mr. Peter but, as you said, there
seem to be some bugs in the rlm_sql oracle driver.

As everything was good before and now it's breaking, the most probable
cause is the increase in the number of auth users, which brings lots
of acct (0 users in September 2006 and now with 4000 online users
pumping radacct). The oracle tables are well indexed so the response
time is low. What comes to my mind is that the driver is having
trouble to work with high acct throughput under peak time, starving
all the 32 threads.

I've considered radrelay/sqllog before, but wouldn't that break the
Simultaneous-Use functionality?

Thank you!


Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread Phil Mayers
robert wrote:

 A log sent from the Radius Admin shows that the mschap module fails to 
 find User-Password (this is how I have understood it!) and refuses to 
 validate the user.

 here is the part I am talking about:
  FROM Radius log:
 
 auth: type MS-CHAP
 
 Processing the authenticate section of radiusd.conf
 modcall: entering group MS-CHAP for request 0
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password

 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 
 But I am sure that the field User password contains the valid password I 
 am trying to use.

It definitely doesn't. The server doesn't make elementary mistakes like 
that.

Could you please post the entire output of FR run under debug (-X 
switch) so we can see the details.


Re: VALGRIND: Major impact on authentication!

2007-02-08 Thread Alan DeKok
Guilherme Franco wrote:

 As everything was good before and now it's breaking, the most probable
 cause is the increase in the number of auth users, which brings lots
 of acct (0 users in September 2006 and now with 4000 online users
 pumping radacct). The oracle tables are well indexed so the response
 time is low. What comes to my mind is that the driver is having
 trouble to work with high acct throughput under peak time, starving
 all the 32 threads.

  The problems shown by valgrind are there independent of load.  The
problems SHOULD be fixed!

 I've considered radrelay/sqllog before, but wouldn't that break the
 Simultaneous-Use functionality?

  Not if the accounting inserts are done quickly.

  Separating the authentication request from the accounting may increase
the uptime of the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Problem with the attribute Message-Authenticator

2007-02-08 Thread yao guoxian

   I wrote a program to send an Access-Request packet to the RADIUS server.
The packet format is as follows:

   +--------------+--------------+----------------------------+
   |  code = 1    |   ID = 1     |  Length = 73 (0x0049)      |
   +--------------+--------------+----------------------------+
   |                16 bytes authenticator                    |
   +----------------------------------------------------------+
   |  user_name = test                                        |
   +----------------------------------------------------------+
   |  chap_password                                           |
   +----------------------------------------------------------+
   |  eap_message = pdsicygx                                  |
   +----------------------------------------------------------+
   |  Message_authenticator                                   |
   +----------------------------------------------------------+

   The Message_authenticator is calculated as follows:
Message_authenticator = HMAC-MD5 (code, ID, Length, 16 bytes
Authenticator, user_name, chap_password, eap_message),
using the shared secret between the NAS and the RADIUS server, in this case
testing123.
   While sending CHAP packets without the eap_message and
Message_authenticator gets Access request, sending packets like the above
gets the following response from the RADIUS server:
   rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1,
length=73
   Received packet from 202.117.7.223 with invalid Message-Authenticator!
(Shared secret is incorrect.)
   Server rejecting request 1.
   Finished request 1
   Going to the next request
   --- Walking the entire request list ---
   Waking up in 1 seconds...
   --- Walking the entire request list ---
   Waking up in 1 seconds...
   --- Walking the entire request list ---
   Sending Access-Reject of id 1 to 202.117.7.223:1408

   Excerpts of the radiusd -X output are as follows:
   ...
   Module: Loaded eap
   eap: default_eap_type = md5
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = no
   eap: cisco_accounting_username_bug = no
   rlm_eap: Loaded and initialized type md5
   rlm_eap: Loaded and initialized type leap
   ...
   Can the eap_message attribute  be set randomly, in my packets,
pdsicygx?  Is it right to calculate Message_authenticator as I did?


Regards
Guoxian
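The Message-Authenticator computation the question above turns on, as an added worked example that is neither the poster's program nor FreeRADIUS code. RFC 2869 defines the attribute as HMAC-MD5, keyed with the shared secret, over the entire Access-Request including the 20-byte header, with the Message-Authenticator value itself set to 16 zero bytes while the HMAC is computed; the server recomputes it the same way and rejects the packet on mismatch. The packet below is constructed to match the post's layout (User-Name test, CHAP-Password, an 8-byte EAP-Message, Message-Authenticator, Length 73); the fixed Request Authenticator, the password "password" and the secret testing123 are assumptions made so the result is reproducible.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 attribute types; RFC 2869 Message-Authenticator)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def tlv(attr_type, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, attrs, secret):
    """Assemble an Access-Request and fill in Message-Authenticator as RFC 2869
    requires: HMAC-MD5 keyed with the shared secret over the whole packet, header
    included, with the Message-Authenticator value zeroed while the HMAC is computed."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(tlv(t, v) for t, v in attrs)
    body += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, last 18 bytes
    length = HEADER_LEN + len(body)
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, length) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute, rejecting malformed lengths."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield off, attr_type, packet[off + 2:off + attr_len]
        off += attr_len


def verify_message_authenticator(packet, secret):
    """Receiver-side check: zero the Message-Authenticator value in a copy, recompute
    the HMAC and compare in constant time. False when the attribute is absent or
    wrong, which is the condition behind the 'invalid Message-Authenticator' log line."""
    for off, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def hmac_without_zeroed_field(packet, secret):
    """The formula written in the post: HMAC over header and the other attributes,
    with no zeroed Message-Authenticator field in the input. Assumes the attribute
    is the last one in the packet (true for build_access_request). Returned only to
    show that it differs from the correct value."""
    return hmac.new(secret, packet[:-18], hashlib.md5).digest()


def sample_packet(secret=b"testing123"):
    """Constructed packet with the post's layout: User-Name 'test', CHAP-Password,
    an 8-byte EAP-Message, then Message-Authenticator. The Request Authenticator is
    fixed here for reproducibility; a real NAS must use 16 unpredictable bytes."""
    authenticator = bytes(range(16))
    chap_ident = 1
    # CHAP-Password = ident || MD5(ident || password || challenge); with no
    # CHAP-Challenge attribute the Request Authenticator serves as the challenge.
    chap_hash = hashlib.md5(bytes([chap_ident]) + b"password" + authenticator).digest()
    attrs = [
        (ATTR_USER_NAME, b"test"),
        (ATTR_CHAP_PASSWORD, bytes([chap_ident]) + chap_hash),
        (ATTR_EAP_MESSAGE, b"pdsicygx"),
    ]
    return build_access_request(1, authenticator, attrs, secret)


if __name__ == "__main__":
    pkt = sample_packet()
    print(len(pkt), verify_message_authenticator(pkt, b"testing123"))  # 73 True
```

hmac_without_zeroed_field shows that leaving the zeroed 18-byte field out of the HMAC input, as the formula in the post does, yields a different digest, which is enough for the server to log an invalid Message-Authenticator even when the shared secret is right. Independently of the HMAC, RFC 3579 requires the EAP-Message value to carry a well-formed EAP packet (code, identifier, length, data), so eight arbitrary characters would fail EAP parsing even after the HMAC is fixed.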

VALGRIND: Major impact on authentication!

2007-02-08 Thread Guilherme Franco
Hello Mr. Alan,

Thank you for your concern!

Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip
002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've
seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!


specific username, specific connection

2007-02-08 Thread Santiago Balaguer García
Hi,

 I have been using freeradius for ages, but my boss asked me if it is possible to create an account which can only browse a specific website. Yes, it is true: I need an account that can browse only one site (or set of websites). How can I configure this account?
 Thanks.


Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread robert
Alan DeKok wrote:
 robert wrote:

   
 A log sent from the Radius Admin shows that the mschap module fails to 
 find User-Password (this is how I have understood it!) and refuses to 
 validate the user.
 

   Yes.  The server does not know what the correct password is for the
 user, so it can't authenticate the user.

   Ask the RADIUS Admin to configure a password for the user.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
   
Sorry for my confusion but as I understand it, my radius client is 
asking for the wrong attribute, since the  User-password is used for 
every other application (mail accounts, wireless connections etc), and I 
am sure that it is already configured.

I must apologize for my lack of knowledge about freeradius, I didn't 
imagine that I would have any problems with this part of my project, I 
haven't spent much time reading about freeradius (yet :-) ).

Regards,
   Robert





Re: Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread robert
Phil Mayers wrote:
 robert wrote:

   
 A log sent from the Radius Admin shows that the mschap module fails to 
 find User-Password (this is how I have understood it!) and refuses to 
 validate the user.
 

   
 here is the part I am talking about:
  FROM Radius log:

 auth: type MS-CHAP

 Processing the authenticate section of radiusd.conf
 modcall: entering group MS-CHAP for request 0
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password

 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

 But I am sure that the field User password contains the valid password I 
 am trying to use.
 

 It definitely doesn't. The server doesn't make elementary mistakes like 
 that.

 Could you please post the entire output of FR run under debug (-X 
 switch) so we can see the details.
   
I didn't mean a mistake, but was wondering if my radius client had a 
wrong mapping that requests NT-Password instead of User-Password (as an 
example).
Here is the output from the radius server:
  

Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050,
id=109, length=152
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = test
   MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
   MS-CHAP2-Response =

0x0800e2f1b3176070ca65916fe24cce80d27147f1823b3c33996107424059c73866a135b07e51e08c2f4a

   Calling-Station-Id = yyy.yyy.yyy.yyy
   NAS-IP-Address = xxx.xxx.xxx.xxx
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/var/log/radius/radacct//detail-07022007'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands
to /var/log/radius/radacct//detail-07022007
 modcall[authorize]: module detail returns ok for request 0
 modcall[authorize]: module attr_filter returns noop for request 0
 modcall[authorize]: module chap returns noop for request 0
 rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 modcall[authorize]: module mschap returns ok for request 0
   rlm_realm: No '@' in User-Name = test, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = test
   rlm_realm: Proxying request from user dupontd to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
 modcall[authorize]: module files returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: 

'(|((uid=test)(ulhcharte=TRUE))((eduPersonPrincipalName=test)(ulhcharte=TRUE)))'

radius_xlat:  'dc=univ-lehavre,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt
rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to ducati.univ-lehavre.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter

(|((uid=test)(ulhcharte=TRUE))((eduPersonPrincipalName=test)(ulhcharte=TRUE)))

rlm_ldap: looking for check items in directory...
rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 
op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13  op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value
6  op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as
Tunnel-Private-Group-Id, value 40  op=11
rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member
 op=11
rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE  op=11
rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 
op=11
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 194.254.109.252
rlm_checkval: Could not find attribute named Calling-Station-Id in
check pairs
 modcall[authorize]: module checkval returns notfound for 

Re: a problem about radius and ldap

2007-02-08 Thread Ramazan Ulker

There is also pap in my configuration; I forgot to write that in the mail.
I resend the authentication block in radius.conf:

authenticate {

Auth-Type PAP {
pap
}
  ldap
  eap
}


On 2/8/07, Ramazan Ulker [EMAIL PROTECTED] wrote:


Hi
I sent two LDAP entries, the ldapsearch result and the debug output. In this ldapsearch there
is a clear-text userPassword. Anyway, I describe the problem shortly for your
help.
Like in the howto:
authorize {
   preprocess
   files
   ldap
   eap
}

authenticate {
   ldap
   eap
}

ldapsearch result

userpassword=ramazan
.
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount

...

radtest is successful for this configuration but the XP client isn't.
ldapattr.map has a User-Password to userPassword mapping. Deleting the entry
ldap in the authentication block in radius.conf results in failure both for
radtest and the XP client.

For this configuration, the debug log is below:

   rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7,
length=129
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = ramazan
Called-Station-Id = 00-0F-8F-77-DB-81
Calling-Station-Id = 00-12-79-AE-D2-4D
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0204000c0172616d617a616e
Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=dot1x.com'
radius_xlat:  '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|((objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))((objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc= dot1x.com, with filter
((cn=VPN)(|((objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com))((objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc= dot1x.com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
  modcall[authorize]: module files returns ok for request 0
  rlm_eap: EAP packet type notification id 4 length 12
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat:  '(uid=ramazan)'
radius_xlat:  'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by
radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 2  op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 
op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN  op=11
rlm_ldap: Adding radiusClass as Class, value employee  op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 4 length 12
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/no User-Password attribute] (from client radius port
50001 cli 00-12-79-AE-D2-4D)

Sending Access-Challenge of id 7 to 192.168.100.17:1812
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 = 2
Tunnel-Medium-Type:0 = 6
Tunnel-Type:0 = VLAN
Class = 0x656d706c6f796565
EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
Message-Authenticator = 0x
State =
0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8,
length=184
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = ramazan

Re: PAP2EAP bridging

2007-02-08 Thread Dinko Korunic
On Thu, Feb 08, 2007 at 01:52:18AM +0100, Alan DeKok wrote:
   You can run eapol_test directly from FreeRADIUS, but that's not much
 better than what you're doing right now.

Huh, I was afraid you might say that :| Alright, thank you Alan. 

-- 
NAME:Dinko.kreator.Korunic  DISCLAIMER:Standard.disclaimer.applies
IRC:kre  ICQ:16965294  JAB:[EMAIL PROTECTED]  PGP:0xea160d0b
HOME:http://dkorunic.net  BLOG:http://dkorunic.wordpress.com


RE: Nortel telnet authentication using FreeRadius [unclas]

2007-02-08 Thread Paul Conn
Frank,

That worked!  Thank you!  Prior to this the Nortel device would just 
instantly kick back an error.  By the way, do you have a list of all the 
reply-items for authenticating (telnetting/ssh) to a Nortel box?  In other 
words, is there a specific reply-item that controls access (R - R/W access, 
etc), as well as any other variables?

Thank you again!

Paul Conn


From: Ranner, Frank MR [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: RE: Nortel telnet authentication using FreeRadius [unclas]
Date: Thu, 8 Feb 2007 11:52:35 +1100

You need to send the service-type reply attribute.

For admins:
Service-Type = Administrative-User

For numpties
Service-Type = Nas-Prompt-User

Regards,
Frank Ranner



  -Original Message-
  From:
  [EMAIL PROTECTED]
eradius.org [mailto:freeradius-users-
[EMAIL PROTECTED] On
  Behalf Of Paul Conn
  Sent: Thursday, 8 February 2007 08:04
  To: freeradius-users@lists.freeradius.org
  Subject: Nortel telnet authentication using FreeRadius
 
  Anyone have experience configuring Nortel devices (450/60/70)
  for radius, telnet/ssh authentication?  I keep getting
  Sending Access-Accept of id 2 to x.x.x.x port 1024.
 
  Thanks.
 
  Paul Conn
 
 
 





Re: Problem with the attribute Message-Authenticator

2007-02-08 Thread Alan DeKok
yao guoxian wrote:
 I write a program to send Access-request packet to the Radius
 server. 

  This list isn't a general discussion for questions about implementing
RADIUS clients.

  You have access to the FreeRADIUS source code, read it to see how
RADIUS should be implemented.

 |  eap_message =
 pdsicygx   |

  Uh, no.

  Is it right to calculate Message_authenticator as I did?

  Apparently not.

  Go read the RFC's.  They include test vectors.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
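
The question in the "Problem with the attribute Message-Authenticator" thread (a random string in EAP-Message and a home-made Message-Authenticator) is answered above with "go read the RFCs". As an added example, not code from the original posts or from FreeRADIUS, the block below does what RFC 2869 section 5.14 and RFC 2865 section 3 prescribe: it builds an Access-Request whose EAP-Message is a well-formed EAP Identity response, computes the Message-Authenticator as HMAC-MD5 keyed with the shared secret over the packet with that attribute's value zeroed, and computes and verifies the Response Authenticator of the server's reply. The shared secret, identifier and user name are constructed sample values; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 2869).
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_attr(packet: bytes, attr_type: int):
    """Return (offset_of_value, value) for the first attribute of that type, or None."""
    pos = 20  # 4-byte header plus 16-byte Authenticator
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == attr_type:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None


def message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the whole packet, with the
    16-byte Message-Authenticator value replaced by zeros (RFC 2869 section 5.14)."""
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        raise ValueError("packet has no 16-byte Message-Authenticator")
    off = found[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(ident: int, username: bytes, eap_message: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Access-Request carrying EAP-Message; RFC 3579 requires such a request to
    carry Message-Authenticator too. The Request Authenticator is 16 random bytes."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_EAP_MESSAGE, eap_message)
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = message_authenticator(packet, secret)      # computed over the zero-filled packet
    off, _ = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:off] + mac + packet[off + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check; constant-time compare of the received and recomputed HMAC."""
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return False
    return hmac.compare_digest(found[1], message_authenticator(packet, secret))


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply against the Request Authenticator it sent."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"testing123"                               # constructed shared secret
    eap_identity = b"\x02\x01\x00\x0c\x01guoxian"         # EAP Response/Identity, id 1, length 12
    req = build_access_request(1, b"guoxian", eap_identity, secret)
    print("request verifies:", verify_message_authenticator(req, secret))
    reply = build_response(CODE_ACCESS_ACCEPT, 1, b"", req[4:20], secret)
    print("reply verifies:  ", verify_response(reply, req[4:20], secret))
```

Two points the block makes concrete: the HMAC is computed after the attribute has been placed in the packet (with a zero value), not over the attributes alone, and the Response Authenticator binds the reply to the Request Authenticator of the matching request, which is what lets a client reject a forged or replayed reply.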


rlm_sql (sql): Unsupported Acct-Status-Type = 15

2007-02-08 Thread tzieleniewski
Hi!

I am trying to process an Accounting request with radius but I get the following 
error from the sql module:
rlm_sql (sql): Unsupported Acct-Status-Type = 15

I have added the $INCLUDE dictionary.ser line to the dictionary file and the 
dictionary.ser file contains the following records:
VALUE Acct-Status-Type  Interim-Update   3 # RFC2866, acc_radius
VALUE Acct-Status-Type  Failed  15 # RFC2866, acc_radius

Why doesn't rlm_sql see the Acct-Status-Type value 15?
Thanks in advance for any help.

Below is the Accounting request received by radius.
Thu Feb  8 17:02:04 2007
SER-Attr = 
Acct-Session-Id = [EMAIL PROTECTED]
Sip-To-Tag = b27e1a1d33761e85846fc98f5f3a7e58.42d5
SER-From = hellboy sip:[EMAIL PROTECTED]:5061;tag=612417995
SER-Flags = 12
SER-Original-Request-ID = sip:[EMAIL PROTECTED]
Sip-Method = INVITE
Sip-Cseq = 19049
Sip-Translated-Request-ID = sip:[EMAIL PROTECTED]
Sip-Source-IP-Address = 192.168.0.117
Sip-From-Tag = 612417995
SER-To = sip:[EMAIL 
PROTECTED];tag=b27e1a1d33761e85846fc98f5f3a7e58.42d5
SER-Digest-Username = hellboy
SER-Request-Timestamp = 1170950524
Calling-Station-Id = sip:[EMAIL PROTECTED]:5061
Sip-Source-Port = 5061
SER-Digest-Realm = voip.touk.pl
Sip-Response-Code = 480
Called-Station-Id = sip:[EMAIL PROTECTED]
SER-Response-Timestamp = 1170950524
Acct-Status-Type = Failed
Service-Type = IAPP-Register
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 127.0.0.1
Acct-Unique-Session-Id = 1276a21c3858a944
Timestamp = 1170950524




Compiling for use with Oracle

2007-02-08 Thread Brian Atkins
Just curious what the minimum modules required are to use Freeradius to 
authenticate (not sure if that is the correct terminology) from an 
Oracle DB. Keep in mind that I am only planning on querying the DB and 
not updating or inserting information for accounting purposes. However, 
I wouldn't rule out using a text file (radutmp, I think) for accounting 
purposes, though.

I have been trying to compile it using the following:

# ORACLE_HOME=/cygdrive/d/oracle/ora92; export ORACLE_HOME
# cd freeradius-1.1.4
# ./configure

Which generates an error:

rlm_perl.c: In function `rlm_perl_get_handles':
rlm_perl.c:226: warning: cast to pointer from integer of different size
rlm_perl.c: At top level:
rlm_perl.c:614: error: external linkage required for symbol 
'XS_radiusd_radlog' because of 'dllexport' attribute.

I have also used:
# ./configure --without-rlm_perl

Which appears to compile successfully, but I get a lot of errors about 
missing modules and/or libraries.

# ./radiusd.exe -X
...
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[10] Failed to link to module 'rlm_sql': No such file or 
directory
radiusd.conf[1850] Unknown module sql.
radiusd.conf[1779] Failed to parse authorize section.

I know I have a library linking issue, but I read the FAQs 
(http://wiki.freeradius.org/index.php/FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F) 
and attempted to resolve them using the methods mentioned. I get no 
errors during the configure for sql modules (other than mysql, but I'm 
not trying to compile support for that anyway). Since I'm using the 
Oracle libs to create the Oracle modules, I don't *think* I should 
disable shared libraries. ... Or should I?

I've also tried setting:
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/cygdrive/d/oracle/ora92/oci/lib:/cygdrive/d/oracle/ora92/lib

Without good results. I also do not have ld.conf nor ldconfig on the 
system (Cygwin), but I have read elsewhere that neither of them should 
be required.

I realize that this is not necessarily an issue with Freeradius. 
Although I am having trouble compiling from source, I can install the 
.NET version and run without issue. From my understanding, both are 
basically the same, just .NET has had changes made to deal with the 
different path structure in Cygwin.

I saw a lot of old posts (2003) that dealt with similar issues, but on 
much older versions (Oracle 8 and Freeradius .1 - .3).

Help, insight, thoughts are all appreciated. Attached below are my 
somewhat hacked up conf files. Sorry for the long post.

Thanks,
Brian

RADIUSD.CONF

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = no
extended_expressions= no
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}
modules {
 files {
 }
 detail {
 detailfile = 
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

 detailperm = 0600

 }
 $INCLUDE  ${confdir}/oraclesql.conf
 radutmp {
 filename = ${logdir}/radutmp
 username = %{User-Name}
 case_sensitive = yes
 check_with_nas = yes
 perm = 0600
 callerid = no
 }
 radutmp sradutmp {
 filename = ${logdir}/sradutmp
 perm = 0644
 callerid = no
 }
 attr_filter {
 attrsfile = ${confdir}/attrs
 }
 counter daily {
 filename = ${raddbdir}/db.daily
 key = User-Name
 count-attribute = Acct-Session-Time
 reset = daily
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 allowed-servicetype = Framed-User
 cache-size = 5000
 }
 

Re: Usage of Cleartext-Password

2007-02-08 Thread Tomas Hoger
On Sun, Feb 04, 2007 at 01:20:17PM +0100, Federico Giannici wrote:
 Unfortunately it works with PAP only!
 With CHAP it gives me rlm_chap: Clear text password not available...
 
 Any suggestion?

You may try to stick with User-Password for now, it's still recognized by
rlm_pap.  CVS version of rlm_chap already uses Cleartext-Password, so it's
probably planned for v2.0.

My guess is that setting both User- and Cleartext-Password may work too.

th.



RE : Setting up a VPN server with pptp and RADIUS for all sorts of clients

2007-02-08 Thread Thibault Le Meur

 I didn't mean a mistake, but was wondering if my radius client had a 
 wrong mapping that requests NT-Password instead of 
 User-Password (as an 
 example)
 Here is the output from the radius server:
   
 
 Ready to process requests.
 rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050,
 id=109, length=152
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
MS-CHAP2-Response =
 
 0x0800e2f1b3176070ca65916fe24cce80d27147f1823b
 3c33996107424059c73866a135b07e51e08c2f4a
 
Calling-Station-Id = yyy.yyy.yyy.yyy
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
  Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
 radius_xlat:  '/var/log/radius/radacct//detail-07022007'
 rlm_detail:
 /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands
 to /var/log/radius/radacct//detail-07022007
  modcall[authorize]: module detail returns ok for request 0
  modcall[authorize]: module attr_filter returns noop 
 for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 
 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user dupontd to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for test
 radius_xlat: 
 
 '(|((uid=test)(ulhcharte=TRUE))((eduPersonPrincipalName=test
 )(ulhcharte=TRUE)))'
 
 radius_xlat:  'dc=univ-lehavre,dc=fr'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0
 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt
 rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/
 rlm_ldap: setting TLS Require Cert to demand
 rlm_ldap: starting TLS
 rlm_ldap: bind as / to ducati.univ-lehavre.fr:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter
 
 (|((uid=test)(ulhcharte=TRUE))((eduPersonPrincipalName=test)
 (ulhcharte=TRUE)))
 
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 
 op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13  op=11
 rlm_ldap: Adding radiusTunnelMediumType as 
 Tunnel-Medium-Type, value
 6  op=11
 rlm_ldap: Adding radiusTunnelPrivateGroupId as
 Tunnel-Private-Group-Id, value 40  op=11
 rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, 
 value member
  op=11
 rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE  op=11
 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 
 op=11


You see nothing like Adding userPassword here.

For instance you could have something like:
rlm_ldap: Added password
rlm_ldap: Adding myldapNTPassword

Could the freeradius admin check:
* the ldap {} section: see the password_attribute = line (till FR 1.1.4)
* the mapping in ldap.attrmap


  rad_check_password:  Found Auth-Type MS-CHAP
 auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
 modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create 
 LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create 
 NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform 
 authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

How is/are your password(s) stored in the LDAP directory: in clear text,
MD5-hashed, SHA-hashed, NTLM-hashed?
What is/are the LDAP attribute(s) used to store your password(s)?

Thibault


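
Thibault's reply above reads the trace by hand: no "Adding ... as User-Password/NT-Password" line among the check items, yet Auth-Type MS-CHAP is selected, so rlm_mschap has nothing to compare against. The following is an added example, not code from the original thread or from FreeRADIUS, that performs that same check over a radiusd -X trace: it tracks which check items rlm_ldap added, which Auth-Type was chosen, and reports whether that Auth-Type has a password form it can work from. The first sample trace is a constructed subset of the lines quoted above; the second is a constructed "healthy" trace in which the directory also returns an NT hash (sambaNTPassword as the LDAP attribute name is an assumption). The "Added password" wording is taken from the reply above; rule table and function names are my own.

```python
import re

# Constructed subset of the radiusd -X output quoted above (same wording, fewer lines).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152
        User-Name = "test"
        MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
rlm_ldap: performing user authorization for test
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13  op=11
rlm_ldap: user test authorized to use remote access
  rad_check_password:  Found Auth-Type MS-CHAP
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
"""

# Constructed trace in which the directory also yields an NT hash (attribute name assumed).
SAMPLE_DEBUG_OK = """\
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value 0x... op=21
rlm_ldap: looking for reply items in directory...
  rad_check_password:  Found Auth-Type MS-CHAP
"""

CLEARTEXT = {"User-Password", "Cleartext-Password"}
# Password forms each Auth-Type can work from: mschap needs NT/LM hashes or a
# cleartext password to derive them; CHAP needs cleartext; pap accepts several hashes.
NEEDS = {
    "MS-CHAP": CLEARTEXT | {"NT-Password", "LM-Password"},
    "CHAP": CLEARTEXT,
    "PAP": CLEARTEXT | {"Crypt-Password", "MD5-Password", "SHA-Password", "NT-Password", "LM-Password"},
}
ALL_PASSWORD_ITEMS = set().union(*NEEDS.values())

ADDING = re.compile(r"rlm_ldap: Adding (\S+) as (\S+), value")
AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")


def diagnose(debug_text: str) -> dict:
    """Walk one request's trace and say whether the chosen Auth-Type got a usable password item."""
    phase = None
    check_items = {}          # RADIUS check attribute -> LDAP attribute it came from
    auth_type = None
    added_password = False
    for line in debug_text.splitlines():
        if "looking for check items" in line:
            phase = "check"
        elif "looking for reply items" in line:
            phase = "reply"
        elif "rlm_ldap: Added password" in line:   # password_attribute line, wording per the reply above
            added_password = True
        m = ADDING.search(line)
        if m and phase == "check":
            check_items[m.group(2)] = m.group(1)
        m = AUTH_TYPE.search(line)
        if m:
            auth_type = m.group(1)
    pw_items = sorted(a for a in check_items if a in ALL_PASSWORD_ITEMS)
    result = {"auth_type": auth_type, "check_items": check_items,
              "password_check_items": pw_items, "ldap_added_password": added_password}
    if auth_type is None:
        result["verdict"] = "no Auth-Type found in trace"
    elif auth_type not in NEEDS:
        result["verdict"] = "no rule for Auth-Type %s" % auth_type
    elif added_password or any(a in NEEDS[auth_type] for a in pw_items):
        result["verdict"] = "ok"
    else:
        result["verdict"] = ("cannot authenticate: Auth-Type %s but LDAP supplied no usable password "
                             "check item (needs one of %s); check password_attribute in the ldap {} "
                             "section and the mapping in ldap.attrmap"
                             % (auth_type, ", ".join(sorted(NEEDS[auth_type]))))
    return result


if __name__ == "__main__":
    for trace in (SAMPLE_DEBUG, SAMPLE_DEBUG_OK):
        print(diagnose(trace)["verdict"])
```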


Re: Radius brokes down during Accounting Request

2007-02-08 Thread TZieleniewski




Alan DeKok wrote:

  tzieleniewski wrote:
  
  
I am trying to use radius as the accounting server for a SIP proxy.
After I send the Accounting request to radius, the radius server breaks down and reports a memory segmentation fault. Please point me to what could be the reason for this.
Here is the radius debug output:

  
  
  OK, CVS should now have a fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


  

works :)



Re: Radius brokes down during Accounting Request

2007-02-08 Thread TZieleniewski




Alan DeKok wrote:

  tzieleniewski wrote:
  
  
I am trying to use radius as the accounting server for a SIP proxy.
After I send the Accounting request to radius, the radius server breaks down and reports a memory segmentation fault. Please point me to what could be the reason for this.
Here is the radius debug output:

  
  
  OK, CVS should now have a fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


  

works :)
thanks!!




Re: SQL help from someone who groks c, please?

2007-02-08 Thread ChristosH



Phil Mayers wrote:
 
 Dan Mahoney, System Admin wrote:
 
 My suggestion is that you use a custom schema and queries for your 
 database - probably a stored procedure. Pass the NAS-IP-Address into 
 these queries, and return different values based on the nas. Effectively 
 you move the code that walks over the request and chooses the right 
 values into the SQL server.
 

So if I was looking to select a different response based on NAS, what I
should be doing is creating a stored procedure that ends up authenticating
for me? I don't quite see where this would fit in with the rlm_sql logic. 
Would that go in the sql.conf file? For using a new schema, would that mean
instead adding an extra column in the radcheck table and the response table
to associate with the NAS IP?

Would it be easier to create a function that inserts a prefix to the user
name and then processes the SQL as normal? The only issue I see with this is
doubling the amount of users and user responses in the database.

Either way, I think I'm going to have to modify the rlm_sql.c file and then
recompile FreeRadius after I'm done editing it?
-- 
View this message in context: 
http://www.nabble.com/SQL-help-from-someone-who-groks-c%2C-please--tf3172009.html#a8870617
Sent from the FreeRadius - User mailing list archive at Nabble.com.

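
Phil Mayers's suggestion, quoted above, is to pass NAS-IP-Address into the check and reply queries and let the database decide per NAS, instead of editing rlm_sql.c or duplicating users with a prefix. As an added example (not code from the original thread or from FreeRADIUS), the block below models that on an in-memory SQLite database: FreeRADIUS's radcheck table holds one password row per user, a hypothetical nas_access table links a user to the NAS addresses it may use and the role it gets there, and a hypothetical rad_reply table maps a role to reply items. The check query only returns a password row when the user is permitted on the requesting NAS, so an unknown NAS gets no check items and the request is rejected before any password comparison; the reply query selects the Service-Type by role. Table and column names other than radcheck are assumptions, the sample rows are constructed, and the Service-Type values are those from Frank Ranner's reply above.

```python
import sqlite3

# Constructed schema: FreeRADIUS's radcheck layout plus two hypothetical tables.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE nas_access (username TEXT NOT NULL, nas_ip TEXT NOT NULL, role TEXT NOT NULL,
                         UNIQUE (username, nas_ip));
CREATE TABLE rad_reply (role TEXT NOT NULL, attribute TEXT NOT NULL,
                        op TEXT NOT NULL, value TEXT NOT NULL);
"""

# Constructed sample data: one password row per user, per-NAS permissions, per-role replies.
SAMPLE_DATA = [
    ("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
     [("alice", "User-Password", "==", "alice-secret"),
      ("bob", "User-Password", "==", "bob-secret")]),
    ("INSERT INTO nas_access VALUES (?, ?, ?)",
     [("alice", "10.0.0.1", "admin"),
      ("alice", "10.0.0.2", "customer"),
      ("bob", "10.0.0.2", "customer")]),
    ("INSERT INTO rad_reply VALUES (?, ?, ?, ?)",
     [("admin", "Service-Type", ":=", "Administrative-User"),
      ("customer", "Service-Type", ":=", "NAS-Prompt-User")]),
]

# Same column order rlm_sql expects from authorize_check_query: id, username, attribute, value, op.
# The join on nas_access means "no row" when the user has no access on this NAS.
CHECK_QUERY = """
SELECT rc.id, rc.username, rc.attribute, rc.value, rc.op
  FROM radcheck rc JOIN nas_access na ON na.username = rc.username
 WHERE rc.username = ? AND na.nas_ip = ?
 ORDER BY rc.id"""

REPLY_QUERY = """
SELECT rr.attribute, rr.op, rr.value
  FROM nas_access na JOIN rad_reply rr ON rr.role = na.role
 WHERE na.username = ? AND na.nas_ip = ?"""


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_DATA:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def authorize(conn: sqlite3.Connection, username: str, nas_ip: str):
    """Return the check and reply items for this user on this NAS, or None when the
    check query yields nothing (rlm_sql would return notfound and the request is rejected)."""
    check = conn.execute(CHECK_QUERY, (username, nas_ip)).fetchall()
    if not check:
        return None
    reply = conn.execute(REPLY_QUERY, (username, nas_ip)).fetchall()
    return {"check": [(attr, op, value) for _, _, attr, value, op in check],
            "reply": [tuple(row) for row in reply]}


if __name__ == "__main__":
    db = open_sample_db()
    for user, nas in (("alice", "10.0.0.1"), ("alice", "10.0.0.2"), ("bob", "10.0.0.1")):
        print(user, nas, authorize(db, user, nas))
```

Inside sql.conf the two statements would be the authorize_check_query and authorize_reply_query with '%{SQL-User-Name}' and '%{NAS-IP-Address}' in place of the two parameters, as in Dan Mahoney's queries further down; the per-NAS decision then lives in the join, and no change to rlm_sql is needed.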


Re: rlm_sql (sql): Unsupported Acct-Status-Type = 15

2007-02-08 Thread Alan DeKok
tzieleniewski wrote:
 Hi!
 
 I am trying to process Accounting request to radius but I get the following 
 error from sql module:
 rlm_sql (sql): Unsupported Acct-Status-Type = 15
 
 I have added the $INCLUDE dictionary.ser line to the dictionary file and the 
 dictionary.ser file contains the following records:
 VALUE Acct-Status-Type  Interim-Update   3 # RFC2866, acc_radius
 VALUE Acct-Status-Type  Failed  15 # RFC2866, acc_radius
 
 Why doesn't rlm_sql see the Acct-Status-Type value 15?

  Because the source code to rlm_sql needs to be updated to support it.

  There have been ongoing discussions with the OpenSER developers about
this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Compiling for use with Oracle

2007-02-08 Thread Alan DeKok
Brian Atkins wrote:
 Just curious what the minimum modules required are to use Freeradius to 
 authenticate (not sure if that is the correct terminology) from an 
 Oracle DB.

  The oracle module is required.  Not much else.

 Which generates an error:
 
 rlm_perl.c: In function `rlm_perl_get_handles':
 rlm_perl.c:226: warning: cast to pointer from integer of different size
 rlm_perl.c: At top level:
 rlm_perl.c:614: error: external linkage required for symbol 
 'XS_radiusd_radlog' because of 'dllexport' attribute.

  If you're not going to use rlm_perl, just delete the directory.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: SQL help from someone who groks c, please?

2007-02-08 Thread Dan Mahoney, System Admin
On Thu, 8 Feb 2007, ChristosH wrote:


No, wrong.

You can include any %{check-item} in your query.  I didn't have to modify 
the code at all, but my queries are PERVERSE.  Yours will probably be 
simpler.

If you want to give me your proposed database setup and schema, and what 
you need to auth against, I might be able to offer you a quick answer.  If 
it's a longer and more involved thing, contact me off-list and I might be 
able to work something for you.

This is my auth query (which is actually two). Beware, it's for our site 
database, which polls a LOT of info from different tables you won't need; 
however I find this to be a far more real-world example than dedicated 
radius tables. You can see that in this case I manually insert the Password 
Attribute and Operator by using string literals.

authorize_check_query=\
SELECT `adm_permissions`.`admPermitID` AS `id`, 
`adm_permissions`.`admp_username` AS `UserName`, 'Password' as Attribute, 
\
`adm_permissions`.`admp_password` AS `Value`, '==' as Op FROM 
`adm_permissions` , `switches` Inner Join `interface_ip` ON \
`switches`.`id` = `interface_ip`.`deviceid` WHERE admp_username = 
'%{SQL-User-Name}' AND \
`interface_ip`.`interface_is_primary` = '1' AND \
interface_address = '%{NAS-IP-Address}'

This above gets permissions for any staff user, and checks our one-to-many 
interface table to find out what device they're actually logging into.

  UNION SELECT IPCustomerID AS id, \
    `ip_customer`.`ipc_rmtusername`, \
    'Password' AS Attribute, \
    `ip_customer`.`ipc_rmtpassword` AS Value, \
    '==' AS Op \
  FROM `ip_customer` \
  INNER JOIN `interface_ip` ON `ip_customer`.`ipc_rmtip` = `interface_ip`.`interface_address` \
  INNER JOIN `switches` ON `switches`.`id` = `interface_ip`.`deviceid` \
  WHERE interface_address = '%{NAS-IP-Address}' \
    AND ipc_rmtusername = '%{SQL-User-Name}' \
  GROUP BY `ip_customer`.`ipc_rmtusername`, `interface_ip`.`interface_address`"

This does the same for any customer user.

Then my reply-items

authorize_reply_query = "SELECT `ip_customer`.`ipCustomerID` AS `id`, \
    `ip_customer`.`ipc_rmtusername` AS UserName, \
    `rad_reply`.`Attribute`, `rad_reply`.`Value`, `rad_reply`.`Op` \
  FROM `ip_customer` \
  LEFT JOIN `interface_ip` ON `ip_customer`.`ipc_rmtip` = `interface_ip`.`interface_address` \
  INNER JOIN `switches` ON `switches`.`id` = `interface_ip`.`deviceid` \
  INNER JOIN `rad_reply` ON `switches`.`role` = `rad_reply`.`devicetype` \
  WHERE `rad_reply`.`Usertype` = '2' \
    AND ipc_rmtusername = '%{SQL-User-Name}' \
    AND interface_address = '%{NAS-IP-Address}' \
  GROUP BY ipc_rmtusername, interface_address \


This only lets a customer in if it has a devicetype of 2 (which is a 
remote reboot unit) AND if they are listed as having a device on that unit. 
We have a table that specifies if you are a customer user then your reply 
is "Outlet". If you're staff then it's "Admin-User".

  UNION SELECT `adm_permissions`.`admPermitID` AS `id`, \
    `adm_permissions`.`admp_username` AS `UserName`, \
    `rad_reply`.`Attribute`, `rad_reply`.`Value`, `rad_reply`.`Op` \
  FROM `adm_permissions`, `switches` \
  INNER JOIN `interface_ip` ON `switches`.`id` = `interface_ip`.`deviceid` \
  INNER JOIN `rad_reply` ON `switches`.`role` = `rad_reply`.`devicetype` \
  WHERE `rad_reply`.`Usertype` = '1' \
    AND admp_username = '%{SQL-User-Name}' \
    AND interface_address = '%{NAS-IP-Address}' \

Do the same as above with staff.

  UNION SELECT `remote`.`port` AS id, \
    `ip_customer`.`ipc_rmtusername` AS UserName, \
    _latin1 'APC-Outlets' AS Attribute, \
    GROUP_CONCAT(remote.port ORDER BY remote.port ASC SEPARATOR ',') AS Value, \
    _latin1 ':=' AS Op \
  FROM `remote` \
  INNER JOIN `ip_customer` ON `remote`.`suite` = `ip_customer`.`ipc_suite` \
    AND `remote`.`row` = `ip_customer`.`ipc_row` \
    AND `remote`.`rack` = `ip_customer`.`ipc_rack` \
    AND `remote`.`server` = `ip_customer`.`ipc_server` \
  INNER JOIN `interface_ip` ON `remote`.`deviceid` = `interface_ip`.`deviceid` \
  INNER JOIN `switches` ON remote.deviceid = switches.id \
  WHERE `ip_customer`.`ipc_rmtreboot` = 'y' \
    AND ip_customer.ipc_rmtusername = '%{SQL-User-Name}' \
    AND ipc_rmtip = '%{NAS-IP-Address}' \
    AND switches.role = '4' \
  GROUP BY interface_address, `ip_customer`.`ipc_rmtusername`"

If they are a customer, return a comma-separated list of which outlets they 
are authorized for. (See the APC radius spec).






 Phil Mayers wrote:

 Dan Mahoney, System Admin wrote:

 My suggestion is that you use a custom schema and queries for your
 database - probably a stored procedure. Pass the NAS-IP-Address into
 these queries, and return different values based on the nas. Effectively
 you move the code that walks over the request and chooses the right
 values into the SQL server.


 So if I was looking to select a different response based on NAS what I
 should be doing is creating a stored procedure that ends up authenticating
 for me? I don't quite see where this would fit in with the rlm_sql logic.
 Would that go in the sql.conf file? For using a new schema, would that mean
 instead adding an 

Re: VLAN assigment and Alcatel Omniswitch 7800

2007-02-08 Thread Oxiel Contreras
Hello Alan.

Thank you, as you advised I've changed the users file, now it's:

MYDOMAIN\\jose
 Tunnel-Type += VLAN,
 Tunnel-Medium-Type += IEEE-802,
 Tunnel-Private-Group-Id += 3

The Access-Accept part of radiusd -X is now sending the switch the correct 
information:

modcall[authenticate]: module eap returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 1 to 192.168.10.20 port 1068
Tunnel-Type:0 += VLAN
Tunnel-Medium-Type:0 += IEEE-802
Tunnel-Private-Group-Id:0 += 3
MS-MPPE-Recv-Key = 
0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b
MS-MPPE-Send-Key = 
0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = MYDOMAIN\\jose
Finished request 8

But still the VLAN is not assigned, what else can it be ?

Best regards.

Oxiel

   Don't set Auth-Type.  Ever.

  Tunnel-Type += VLAN,
  Tunnel-Medium-Type += IEEE-802,
  Tunnel-Private-Group-Id += 3
 
  But the port is never assigned to VLAN 3 for the user jose.

   Because that information isn't being sent back to the NAS.

  Is it possible to assign VLAN's with Alcatel ?

   I presume so.  See the Alacatel documentation.

  It seems to me, that the VLAN parameters are never returned to the

 switch in

  the Access-Accept parth of this the result from radiusd -X.

   Yes.  The username in the request is MYDOMAIN\\jose, not jose.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL help from someone who groks c, please?

2007-02-08 Thread Dan Mahoney, System Admin
On Thu, 8 Feb 2007, ChristosH wrote:



 Phil Mayers wrote:

 A stored procedure is one solution to a particular set of problems.
 Whether it's appropriate depends on what you're trying to do.

 What do you want to achieve? You can certainly vary the reply info based
 on NAS without a stored procedure.


 Well, what I want to do is return a different vendor specific response based
 on the NAS IP.  The user data doesn't change depending on the NAS IP, but
 depending on where the user tries to authenticate from they'll have a
 different source NAS IP in the authenticate request packet and my response
 has to return a different response depending on where they are. Right now I
 have only 2 different responses that they could be, so I don't think it
 should be too difficult. Is there a quick workaround?

Okay, so create a table with your NASes, include the IP address, include a 
type flag.

Create another table with the responses for each type, join to the query 
on the type flag.  Use those responses.

-Dan

--

A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum.

-No Doubt, Different People, from Tragic Kingdom


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
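Dan's two replies above describe the same approach from two angles: the queries in the first pull `%{NAS-IP-Address}` into the check and reply lookups, and the second boils it down to a NAS table with a type flag joined to a reply table. The following is an added example that puts that approach into one runnable form; it is not Dan's production schema and not code from the FreeRADIUS distribution. The table names (radcheck, nas_type, nas_reply), the columns, the user "alice" and the NAS addresses are all made up for the demo. The two query strings are written the way they would appear in sql.conf, using the `%{SQL-User-Name}` and `%{NAS-IP-Address}` xlats; the small `render()` helper stands in for rlm_sql's own expansion, which pastes the escaped attribute value into the query text, whereas the demo binds parameters.

```python
"""Per-NAS reply selection for rlm_sql: a NAS table carrying a type flag and
a reply table joined on that flag.  Added example; table and column names are
made up for the demo and are not Dan Mahoney's production schema."""
import re
import sqlite3

# Schema as it might appear in a custom deployment (assumed names).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE nas_type (ipaddr TEXT PRIMARY KEY, shortname TEXT, nastype INTEGER);
CREATE TABLE nas_reply (nastype INTEGER, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed sample data: one user, two NASes of different types.
SAMPLE = """
INSERT INTO radcheck VALUES (1, 'alice', 'User-Password', ':=', 's3cret');
INSERT INTO nas_type VALUES ('192.0.2.10', 'site-a', 1);
INSERT INTO nas_type VALUES ('192.0.2.20', 'site-b', 2);
INSERT INTO nas_reply VALUES (1, 'Session-Timeout', ':=', '3600');
INSERT INTO nas_reply VALUES (1, 'Filter-Id', ':=', 'site-a-acl');
INSERT INTO nas_reply VALUES (2, 'Session-Timeout', ':=', '600');
"""

# Queries written as they would be in sql.conf.  rlm_sql reads the columns
# positionally: id, username, attribute, value, op.
AUTHORIZE_CHECK_QUERY = """
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = '%{SQL-User-Name}'
 ORDER BY id
"""

AUTHORIZE_REPLY_QUERY = """
SELECT nas_reply.rowid AS id, '%{SQL-User-Name}' AS username,
       nas_reply.attribute, nas_reply.value, nas_reply.op
  FROM nas_type
  JOIN nas_reply ON nas_reply.nastype = nas_type.nastype
 WHERE nas_type.ipaddr = '%{NAS-IP-Address}'
 ORDER BY nas_reply.rowid
"""

XLAT = re.compile(r"'%\{([A-Za-z0-9-]+)\}'")


def render(query, request):
    """Turn each quoted '%{Attr}' xlat into a bound parameter.

    rlm_sql itself pastes the expanded attribute into the query text and
    relies on escaping; binding parameters keeps this demo injection-safe
    even for a User-Name such as "alice' OR '1'='1".
    """
    names = XLAT.findall(query)
    return XLAT.sub("?", query), [request[name] for name in names]


def authorize(conn, request):
    """Return (check_items, reply_items) as lists of (attribute, op, value)."""
    check_sql, check_args = render(AUTHORIZE_CHECK_QUERY, request)
    reply_sql, reply_args = render(AUTHORIZE_REPLY_QUERY, request)
    check = [(a, o, v) for _, _, a, v, o in conn.execute(check_sql, check_args)]
    reply = [(a, o, v) for _, _, a, v, o in conn.execute(reply_sql, reply_args)]
    return check, reply


def open_demo_db():
    """In-memory database loaded with the constructed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


if __name__ == "__main__":
    db = open_demo_db()
    for nas in ("192.0.2.10", "192.0.2.20", "203.0.113.1"):
        print(nas, authorize(db, {"SQL-User-Name": "alice", "NAS-IP-Address": nas}))
```

Note what happens for a NAS that is not in nas_type: the reply query returns no rows, but the check query still returns the password, so the user is accepted with no per-NAS attributes. If unknown NASes are supposed to be refused, put the NAS lookup into the check query as well (for instance returning an `Auth-Type := Reject` check item when the join finds nothing) rather than relying on an empty reply.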


Re: VLAN assigment and Alcatel Omniswitch 7800

2007-02-08 Thread Gaddis, Jeremy L.
On Thu, 8 Feb 2007, Oxiel Contreras wrote:
 The Access-Accept part of radiusd -X is now sending the switch the correct
 information:

 modcall[authenticate]: module eap returns ok for request 8
 modcall: leaving group authenticate (returns ok) for request 8
 Sending Access-Accept of id 1 to 192.168.10.20 port 1068
Tunnel-Type:0 += VLAN
Tunnel-Medium-Type:0 += IEEE-802
Tunnel-Private-Group-Id:0 += 3
MS-MPPE-Recv-Key =
 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b
MS-MPPE-Send-Key =
 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = MYDOMAIN\\jose
 Finished request 8

 But still the VLAN is not assigned, what else can it be ?

Have you checked the documentation for the Omniswitch to verify that it 
supports this?  If I send back the same attributes on my wireless access 
points, it works perfectly (we do this in production).  The APs, however, 
support that.

-j

-- 
Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
LinuxWiz Consulting http://linuxwiz.net


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
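The three attributes in the debug output above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, each shown with the `:0` tag) are the RFC 2868 tagged attributes that RFC 3580 uses for VLAN assignment. When a switch ignores them, the useful next step is to compare what is actually on the wire with what the switch documentation says it accepts. The encoder and decoder below are an added example, not code from the original post or from FreeRADIUS; the attribute numbers (64, 65, 81) and the values VLAN = 13 and IEEE-802 = 6 are taken from RFC 2868 and RFC 3580. Which tag value, if any, a particular switch insists on is left to that switch's documentation; the code only makes the difference visible at the byte level.

```python
"""RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-Id) as they appear on the wire in an Access-Accept.
Added example; not from the original post or from FreeRADIUS."""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868: "802" (IEEE-802 in the dictionary)


def _check_tag(tag):
    # RFC 2868: valid tags are 0x01..0x1F; 0x00 means "no tag".
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00..0x1F")


def encode_tagged_int(attr_type, tag, value):
    """Type, Length=6, Tag (1 octet), Value (3 octets, network order)."""
    _check_tag(tag)
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in three octets")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag (1 octet), String."""
    _check_tag(tag)
    data = text.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_assignment(vlan_id, tag=0):
    """The bytes behind the debug lines Tunnel-Type:<tag> = VLAN,
    Tunnel-Medium-Type:<tag> = IEEE-802, Tunnel-Private-Group-Id:<tag> = <id>."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(buf):
    """Parse a RADIUS attribute list into (type, tag, value) triples.

    Tunnel attributes get their tag split out; anything else is returned raw
    with tag None.  Malformed lengths raise rather than being skipped over.
    """
    out = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        value = buf[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be tag + 3 octets")
            out.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first octet above 0x1F is part of the string,
            # i.e. the sender put no tag in front of the group id.
            if value and value[0] <= 0x1F:
                out.append((attr_type, value[0], value[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, value.decode("ascii")))
        else:
            out.append((attr_type, None, value))
    return out


def is_malformed(buf):
    """True if decode_attributes() rejects buf."""
    try:
        decode_attributes(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    accept = vlan_assignment(3)
    print(accept.hex())
    print(decode_attributes(accept))
```

Running it prints the 16 bytes for VLAN 3 with tag 0 and the decoded triples; swapping in `vlan_assignment(3, tag=1)` shows the single byte per attribute that changes when FreeRADIUS is told to send `Tunnel-Type:1` instead of the untagged form.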


Re: ntlm_auth authentication against multiple ADS domains

2007-02-08 Thread Gaddis, Jeremy L.
On Thu, 8 Feb 2007, Dow, Corey wrote:
 up, and I have it working with a single ADS domain. The problem I've
 encountered is performing authentication against multiple ADS domains using
 ntlm_auth.

 ADS Parent domain netidm.net
 ADS Child domain xyz.abc.com

Are you actually trying to authenticate to domains in separate forests 
(e.g. netidm.net and abc.com) or are you trying to authenticate to both a 
parent and child domain in the same forest (e.g. abc.com and 
child.abc.com)?

 If I join to abc.com using net ads join, I can use ntlm_auth with no
 problems, but how do I perform authentications against xyz.abc.com ?

If these domains are in separate forests, you'll need an explicit trust 
between the two forests.  If the domains are in the same forest, there's 
an implicit trust between them already.

Have you tried the reverse (joining child.abc.com and authenticating users 
in abc.com)?  Not saying that would work, just curious.

Any hints in the kerberos logfiles?

 Corey Dow
 Network Solution's Test Center
 ProCurve Networking by HP

Nice products.  =)  Any chance you could mail me (off-list) directions for 
disabling the password on a 9308m from the console (password is lost and I 
keep forgetting how).  I've bothered ProCurve support enough.  =)

Thanks,
-j

-- 
Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
LinuxWiz Consulting http://linuxwiz.net


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_perl problem (Detaching!!)

2007-02-08 Thread Rohaizam Abu Bakar

Hi..

FR:1.1.2
FBSD:6.0

My rlm_perl keeps logging errors like the example below. Every time this happens 
radiusd hangs and does NOT respond to any request.
But this NEVER happens while running in debug mode, where it works fine.

rlm_perl is used to load a timeout based on certain rules. You can see my 
perl script (newtimeout5.pl) and also the config file settings below.

Please help. TQ.

Error /var/log/radius.log
##
Thu Feb  8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status=
Undefined subroutine main:: called.
Thu Feb  8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic:
leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
Thu Feb  8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Fri Feb  9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage:
Encode::is_utf8(sv, check = 0) at
/usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, DATA line
424.
Fri Feb  9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status=
Undefined subroutine Convert::ASN1::authorize called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
Fri Feb  9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status=
Undefined subroutine Convert::ASN1::preacct called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759



##users

DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type := Y5


#radiusd.conf#
authorize {
    Autz-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
        y5perl
    }
}


modules {
    perl y5perl {
        module = /usr/local/etc/raddb/newtimeout5.pl
    }
}


authenticate {
    Auth-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
    }
}

##

###newtimeout5.pl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Globals that rlm_perl fills in before calling authorize()/preacct().
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes, as defined in the example.pl shipped with rlm_perl.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

sub authorize {
    ##main
    # Call timeout() with parentheses: sub timeout is defined further down,
    # so a bare "timeout;" is parsed as the string "timeout" rather than a
    # call, and the reject branch below could never fire.
    my $return_value = timeout();
    print "VALUE return: $return_value\n";
    if ($return_value eq '-1') {
        return RLM_MODULE_REJECT;
    } else {
        return RLM_MODULE_OK;
    }
}

sub timeout {

    my $query;
    my $query2;
    my $uid         = $RAD_REQUEST{'User-Name'};
    my $userfrom;
    my $userconnect = $RAD_REQUEST{'NAS-Identifier'} || '';
    my $timeout;

    if ($userconnect =~ /Wireless-802.11|WiFi/) {
        $query  = "Service";
        $query2 = "TimeoutWIFI";
    }

    if ($query) {
        # empty string rather than undef when LDAP returns nothing
        $userfrom = ldapquery($uid, $query) || '';

        if ($userfrom =~ /Y5PLAT|Y5GOLD/) {
            $userfrom = "WiFi-BTP";
        } elsif ($userfrom =~ /^Y5$/) {
            $userfrom = "Wireless-802.11";
        }

        if ($userconnect eq $userfrom) {
            print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
            return (1);
        } elsif ($userconnect ne $userfrom) {
            print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
            $timeout = ldapquery($uid, $query2);
            print "rlm_perl: $query2:$timeout\n";
            if (!$timeout) {
                return (-1);
            } else {
                $RAD_REPLY{'Session-Timeout'} = $timeout;
                print "rlm_perl: NOT YET\n";
                return (1);
            }
        }

    } else {
        print "rlm_perl: Not a wifi connection !!!\n";
        return (1);
    }

}

sub ldapquery {

    my ( $uid, $query ) = @_;
    my $host = "xx";                       # LDAP server, redacted in the post
    my $value;

    my $baseDN = "ou=Y5,ou=AAA, ou=x, dc=x, dc=";   # redacted in the post
    my $ldap = Net::LDAP->new( $host ) or die $@;
    my $mesg = $ldap->bind;                # an anonymous bind

    # User-Name arrives straight from the NAS; escape it before it goes into
    # the filter so a name like "*)(uid=*" cannot widen the search.
    $mesg = $ldap->search(                 # perform a search
        base   => $baseDN,
        filter => "(uid=" . escape_filter_value($uid) . ")",
    );
    my $count = $mesg->count;

    if ($mesg->code) {
        return undef;                      # was "return (NULL)", a bareword
    }
    if ($count > 0) {
    # (the posted script is cut off here)

Re: Advanced SQL Auth/Generate clients.conf from SQL?

2007-02-08 Thread Alan DeKok
Gaddis, Jeremy L. wrote:

 The immediate question that comes to mind is Does FreeRADIUS reread its 
 configuration when it receives a -HUP?.

  The immediate answer is have you tried reading the documentation?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


VPN authentication from Windows Vista

2007-02-08 Thread Lai Fu Keung
Hi,

My users said the VPN login failed with their Windows Vista.

I enabled freeradius debug. I came across an authentication method,
md5chap in debug output that my freeradius is currently not configured
to support. If the user unselects Require Data Encryption in VPN. It
then works fine.

Can anyone confirm the following questions for me?

1. Is it that Vista uses md5chap for VPN authentication with Data
Encryption?
2. Can freeradius be configured to support md5chap?

I don't get a lot of information about md5chap in google. I appreciate
any pointers on this subject and how freeradius can be made to support
it, as radiusd.conf seems no mentioning on this subject.

Thanks.

Lai

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html