Re: Signal 10

2005-12-09 Thread Doug Hardie


On Dec 5, 2005, at 14:31, Alan DeKok wrote:

> Doug Hardie [EMAIL PROTECTED] wrote:
>> I have a primary and backup freeradius server running on different
>> machines.  For the last couple days they have both been receiving a
>> signal 10 at almost the same time.
>
>   Signal 10 is SIGBUS: Bus error.  It's usually indicative of bad
> memory.
>
>> I suspect it's a request from somewhere.  I am going to enable
>> tcpdump on the secondary server but am at a loss to figure out how
>> to get a core dump.  I don't see any place in the code where signal
>> 10 is redirected.  Any other ideas on how to diagnose this problem?
>> Thanks.
>
>   Use tcpdump to see what packet is causing the problem.
>
>   If you're running a version prior to 1.0.5, then upgrade.  See
> http://www.freeradius.org/security.html for more information.



Well, it finally happened again.  This is the packet with the same
timestamp as the signal 10 message.  There is no response to it.  I
haven't decoded it completely yet, but it appears that the user id is
corrupt.  I wonder if something in that field is causing the
problem.  I was able to identify the user from the phone number and
that user did successfully connect about 6 times earlier today so I
don't think it's a configuration issue but most likely a line issue
(dial-in) causing corruption of the user-id.  The NAS is Ascend and I
would have thought it would catch that and not forward junk at us.



23:24:24.340733 IP o1-laxradius1.o1.com.3787 > zook.radius: RADIUS, Access Request (1), id: 0xad length: 443

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
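
An added example, not part of the original post or of FreeRADIUS: a strict decoder for the RADIUS header and attribute list, for checking whether a captured Access-Request like the one above carries a damaged User-Name or an attribute length that runs past the packet. The sample packets are constructed, and the printable-ASCII test on User-Name is a heuristic assumed here for dial-in style logins.

```python
import struct

USER_NAME = 1  # attribute type 1 in RFC 2865

class MalformedPacket(ValueError):
    """Raised when a length field disagrees with the bytes received."""

def parse_radius(data: bytes) -> dict:
    """Decode header and attributes, refusing any inconsistent length."""
    if len(data) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    # RFC 2865: length covers the whole packet, 20..4096; extra bytes are padding.
    if not 20 <= length <= 4096 or length > len(data):
        raise MalformedPacket(f"bad packet length {length}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise MalformedPacket("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        # alen counts the type and length octets too, so 2 is the minimum.
        if alen < 2 or pos + alen > length:
            raise MalformedPacket(f"attribute {atype}: length {alen} overruns packet")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}

def suspicious_user_names(pkt: dict) -> list:
    """User-Name values holding bytes outside printable ASCII (heuristic)."""
    return [v for t, v in pkt["attrs"]
            if t == USER_NAME and any(b < 0x20 or b > 0x7E for b in v)]

def build(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a packet with an all-zero authenticator, for sample data only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples; none of these is the packet from the post.
GOOD = build(1, 0xAD, [(USER_NAME, b"alice"), (4, bytes([192, 0, 2, 1]))])
NOISY = build(1, 0xAD, [(USER_NAME, b"al\x00\xfe!ce")])
OVERRUN = GOOD[:21] + bytes([200]) + GOOD[22:]  # User-Name claims 200 bytes

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("NOISY", NOISY), ("OVERRUN", OVERRUN)):
        try:
            print(name, "suspicious:", suspicious_user_names(parse_radius(raw)))
        except MalformedPacket as exc:
            print(name, "rejected:", exc)
```
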


Free Radius compatible with Oracle 9.2.0.7?

2005-12-09 Thread Sharma Raj
Hi,


I'm running freeradius1.0.2 and the database is Oracle 9.2.0.3. Planning to upgrade to Oracle 9.2.0.7. Are there any compatibility issues with this, or are these two completely compatible with each other?

Appreciate the advice in advance.


Rog






RE: RADIUS Accounting

2005-12-09 Thread David Roze
It should be sent every time they connect/disconnect.
Don't think you can change it

David

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bernell Williams
Sent: 09 December 2005 04:16
To: FreeRadius users mailing list
Subject: Re: RADIUS Accounting

Madhuraka Godahewa wrote:
> Hi All,
>
> I have installed freeRADIUS 1.0.5 recently and configured it. It works
> perfectly for authenticating users connecting through WLAN AP. I have a
> little problem with RADIUS accounting.
>
> I understand that the accounting requests should be sent by the NAS to the
> RADIUS server. My problem is how can we set the frequency of sending these
> accounting requests. That is how often the NAS will send accounting requests
> to the RADIUS server? Can we configure that setting (frequency of sending
> the accounting requests) through freeRADIUS conf files or do we need to
> configure it through the configuration interface of the NAS?
>
> Thanking You.,
>
> Madhuraka Godahewa
> Telecommunications Engineer
> Research and Development Unit
> Electroteks Global Networks (Pvt.) Ltd.
>
> Mobile: + 94-777-647055

I use freeradius  MySQL. I am able to set frequency of acct update by 
setting attribute Acct-Interim-Interval in rad[group]reply table to 
number of seconds between updates.


parsing certificate fields ?

2005-12-09 Thread Riccardo Veraldi
Hello, I am using freeradius with 802.11i, everything works fine with
certificate authentication

but I can only parse the CN of the certificate
I would like to parse for Locality L field.
the new version 1.0.5 support this ?

thanks

Rick



Re: rlm_sql_mysql on FreeBSD 5.4 - Segmentation fault at startup

2005-12-09 Thread Nicolas Baradakis
Brian A. Seklecki wrote:

> On Thu, 8 Dec 2005, Nicolas Baradakis wrote:
>
>> Someone else managed to make MySQL work under FreeBSD.
>> http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047693.html
>
> With that kind of cynicism flying around, someone is likely to have their
> feeling get hurt.

It was absolutely not my intention. I apologize to Matthew if my
statement was poorly formulated, nevertheless the long version of what
I really wanted to say is: Someone else experienced the same troubles
on FreeBSD, and you may look at the post below to find out how he
managed to get around the problem.

I hope other people can understand that:
- I have no obligation to give answers on the list
- I don't have much time to do that either
- I'm not a native English speaker

So if sometimes you get ungraceful answers, it's not out of bad
intentions.

-- 
Nicolas Baradakis



rlm_ldap behavior: authorize v.s. authenticate

2005-12-09 Thread Brian A. Seklecki


From reading debug logs, am I correct in concluding that rlm_ldap's
behavior:

- when processing authorize{ } is to bind to the LDAP as the provided
  administrative DN and search for the DN of the user in the Access-Request
  packet

- when processing authenticate{ } is to, if successful during authorize,
  then re-bind to the LDAP using the provided username and password and
  return Access-Accept only if the bind-as-the-user succeeds?

Correct, as the default behavior?

~BAS


Re: parsing certificate fields ?

2005-12-09 Thread Alan DeKok
Riccardo Veraldi [EMAIL PROTECTED] wrote:
> I would like to parse for Locality L field.
> the new version 1.0.5 support this ?

  No.

  As always, patches are welcome.

  Alan DeKok.


Re: parsing certificate fields ?

2005-12-09 Thread Walter Goulet

Alan DeKok wrote:

> Riccardo Veraldi [EMAIL PROTECTED] wrote:
>
>> I would like to parse for Locality L field.
>> the new version 1.0.5 support this ?
>
>   No.
>
>   As always, patches are welcome.

I wonder about this actually; I submitted a patch to pam_radius_auth and
didn't get any comments or feedback of any kind. Maybe the diff was too
big or something, but I would have expected to get at least a gruff
'your patch sucks' if that was the case...

>   Alan DeKok.


Re: rlm_ldap behavior: authorize v.s. authenticate

2005-12-09 Thread Dusty Doris
> From reading debug logs, am I correct in concluding that rlm_ldap's
> behavior:
>
> - when processing authorize{ } is to bind to the LDAP as the provided
>   administrative DN and search for the DN of the user in the Access-Request
>   packet
>
> - when processing authenticate{ } is to, if successful during authorize, then
>   re-bind to the LDAP using the provided username and password and return
>   Access-Accept only if the bind-as-the-user succeeds?
>
> Correct, as the default behavior?


Sounds right to me.



Re: rlm_ldap behavior: authorize v.s. authenticate

2005-12-09 Thread Brian A. Seklecki

On Fri, 9 Dec 2005, Dusty Doris wrote:

>> From reading debug logs, am I correct in concluding that rlm_ldap's
>>
>> Correct, as the default behavior?
>
> Sounds right to me.


I have to ask then:

If on the authorization stage, the module can read (and cache) the entire
DN's attribute set (actually, any DN in the LDAP), why does it need to use
a re-connect as the user method for authentication?  If the password is in
cleartext, comparison is easy.  If it's in SSHA/SHA/MD5/blowfish/crypt,
then the comparison can happen against those algorithms.


~BAS





Re: rlm_ldap behavior: authorize v.s. authenticate

2005-12-09 Thread Alan DeKok
Brian A. Seklecki [EMAIL PROTECTED] wrote:
> If on the authorization stage, the module can read (and cache) the entire
> DN's attribute set (actually, any DN in the LDAP), why does it need to use
> a re-connect as the user method for authentication?

  Because some LDAP servers don't supply the password.

  Also, some administrators use LDAP only for authentication.

> If the password is in cleartext, comparison is easy.  If it's in
> SSHA/SHA/MD5/blowfish/crypt, then the comparison can happen against
> those algorithms.

  Which is the default behavior of the server.

  Alan DeKok.
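
An added example, not FreeRADIUS code and not from any poster in this thread: the hash comparison discussed above, applied to an LDAP userPassword value stored in cleartext, {SHA}, {SSHA} or {MD5} form. The function names and sample values are assumptions made here, and the crypt and blowfish schemes are left out.

```python
import base64
import binascii
import hashlib
import hmac

# scheme prefix -> (hashlib algorithm, digest size in bytes, salted?)
SCHEMES = {
    "{SHA}": ("sha1", 20, False),
    "{SSHA}": ("sha1", 20, True),
    "{MD5}": ("md5", 16, False),
}

def check_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate password with an LDAP userPassword value."""
    if not stored.startswith("{"):
        # No scheme prefix: the directory holds the cleartext password.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    prefix = stored[:stored.find("}") + 1].upper()
    if prefix not in SCHEMES:
        raise ValueError(f"unsupported scheme {prefix!r}")
    algo, size, salted = SCHEMES[prefix]
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except binascii.Error:
        return False
    # Salted schemes store digest followed by salt; unsalted ones digest only.
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not salted):
        return False  # truncated digest, or trailing bytes on an unsalted value
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value; used here only to construct sample data."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

if __name__ == "__main__":
    sample = make_ssha("secret", b"\x01\x02\x03\x04")  # constructed value
    print(sample, check_userpassword(sample, "secret"))
```
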


Re: rlm_sql_mysql on FreeBSD 5.4 - Segmentation fault at startup

2005-12-09 Thread Apu islam
Thank you nico for posting this. I did have a hard
time with the seg faults at FBsd5.4 but I did manage
to compile statically and got that to work (after
hundreds of config changes). This post will help
others who are suffering.
We are here to learn, not to fight an OS war.

--- Nicolas Baradakis [EMAIL PROTECTED] wrote:

> Brian A. Seklecki wrote:
>
>> On Thu, 8 Dec 2005, Nicolas Baradakis wrote:
>>
>>> Someone else managed to make MySQL work under FreeBSD.
>>> http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047693.html
>>
>> With that kind of cynicism flying around, someone is likely to have their
>> feeling get hurt.
>
> It was absolutely not my intention. I apologize to Matthew if my
> statement was poorly formulated, nevertheless the long version of what
> I really wanted to say is: Someone else experienced the same troubles
> on FreeBSD, and you may look at the post below to find out how he
> managed to get around the problem.
>
> I hope other people can understand that:
> - I have no obligation to give answers on the list
> - I don't have much time to do that either
> - I'm not a native English speaker
>
> So if sometimes you get ungraceful answers, it's not out of bad
> intentions.
>
> --
> Nicolas Baradakis


Documentation on Group Locking using FreeRADIUS/AD/Cisco VPN Concentrator

2005-12-09 Thread Alhagie Puye
Hello all,

I have spent a few bit of time trying to get FreeRADIUS/Active
Directory/Cisco VPN Concentrator 3005 to lock users into group using the
class attribute. Dusty Doris gave me a hand too. It has been tested and
it works as expected.

http://www.cisco.com/warp/public/471/altigagroup.html

This feature is very, very neat and flexible.


I would now like to write up a step-by-step document on how to make
these work together. I don't have a public web site to host this page.
I'm looking for suggestions on how to make it readily available to other
users since the VPN Concentrator is gaining popularity. 


Is the wiki page mentioned here a while back going to materialize? Or
should I write up a text document so that it could be added to doc/
directory in the source code?

I would hate for someone to have to reinvent the wheel on this issue.


Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817 

