Re: Generating AAA message for freeradius.
Hi,

On Thu, Apr 12, 2007 at 11:45:37AM +0530, Prateek Gupta wrote:
> Hi,
>
> I am working on the Authentication module in the NSIS protocol suite
> (http://user.informatik.uni-goettingen.de/~nsis/).
> The scenario is as follows:
> User A - NSIS server - Radius server
>
> User A sends the NSIS request with its keyed hash (generated using User A's
> key) appended to it to the NSIS server. Now the NSIS server needs to
> authenticate that request with a Radius server.
>
> Is there a way to do this, i.e. how to generate an AAA message with the
> information available, i.e. a string, its keyed hash and User A's id?
> Assuming that the Radius server has the keys of all legitimate users.

==> try to experiment with radclient (part of the freeradius suite) - it
allows you to send radius packets from the command line

==> I believe there are also libraries for various programming languages
available (I know at least about php: http://cz2.php.net/manual/en/ref.radius.php)

> Regards,
> Prateek

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch
http://wlan.thenet.ch
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql, readclients=yes: multiple NASes with same IP
Hi,

On Wed, Apr 11, 2007 at 06:17:13PM +0200, Alan DeKok wrote:
> > For me at the moment it's easier to persuade freeradius
> > just to ignore such "duplicities" when reading clients by the following
> > simple patch:
>
> No. Your DB configuration is wrong, and needs to be fixed.
>
> Maybe you need to put your "NAS IP + port" combination into a
> different table. But whatever the case, duplicate NAS IP's are wrong,
> and will not be supported.

==> my apologies; forget about this silly patch. No matter what's in the nas
table, when using mysql we can always give freeradius what it wants. IOW: to
make the list of nases unique, just change the nas_query in
/etc/freeradius/sql/mysql-dialup.conf:

default:

    SELECT id, nasname, shortname, type, secret FROM ${nas_table}

unique nases modification:

    SELECT id, nasname, shortname, type, secret FROM ${nas_table} GROUP BY nasname

I hope this helps someone.

> Alan DeKok.

Milan Holub
holub (at) thenet (dot) ch
Generating AAA message for freeradius.
Hi,

I am working on the Authentication module in the NSIS protocol suite
(http://user.informatik.uni-goettingen.de/~nsis/).

The scenario is as follows:

User A - NSIS server - Radius server

User A sends the NSIS request with its keyed hash (generated using User A's
key) appended to it to the NSIS server. Now the NSIS server needs to
authenticate that request with a Radius server.

Is there a way to do this, i.e. how to generate an AAA message with the
information available, i.e. a string, its keyed hash and User A's id?
Assuming that the Radius server has the keys of all legitimate users.

Regards,
Prateek
Re: ip pool for dynamic users
ann kok wrote:
> it looks like the first radius issues the ip to the A
> DSL client. but the secondary radius doesn't know this ip is
> already allocated and issues this ip to the B DSL client.

You've configured two different RADIUS servers to allocate the same IP to
two different people? Why?

> How can we avoid this problem?

Each server should have its own IP pool. IP pools should not be shared
between servers.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
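A configuration check for the rule just stated (one pool per server, no sharing), written here as an added example in Python; it is not part of the thread and not FreeRADIUS code. It takes per-server pool boundaries in the range-start/range-stop form the ippool module is configured with and reports every pair of servers whose pools hand out the same addresses. The server names and address ranges are constructed for the example, with radius2's pool deliberately overlapping radius1's.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed pool definitions, one per RADIUS server (range-start, range-stop).
# Names and addresses are invented; radius2 overlaps radius1 on 10.10.0.200-254.
POOLS: Dict[str, Tuple[str, str]] = {
    "radius1": ("10.10.0.1", "10.10.0.254"),
    "radius2": ("10.10.0.200", "10.10.1.50"),
    "radius3": ("10.10.2.1", "10.10.2.254"),
}


def parse_pool(start: str, stop: str):
    """Validate one pool definition and return it as a pair of address objects."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if lo.version != hi.version:
        raise ValueError(f"mixed address families in pool {start}-{stop}")
    if hi < lo:
        raise ValueError(f"range-stop {stop} precedes range-start {start}")
    return lo, hi


def overlapping_pools(pools: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, str, int]]:
    """Return (server_a, server_b, first_shared, last_shared, count) for every pair
    of servers whose pools share at least one address. An empty list means the
    pools are disjoint, which is what separate per-server pools require."""
    ranges = {name: parse_pool(*bounds) for name, bounds in pools.items()}
    clashes = []
    for (a, (lo_a, hi_a)), (b, (lo_b, hi_b)) in combinations(sorted(ranges.items()), 2):
        if lo_a.version != lo_b.version:
            continue  # an IPv4 pool cannot collide with an IPv6 pool
        lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
        if lo <= hi:  # the intersection is non-empty
            clashes.append((a, b, str(lo), str(hi), int(hi) - int(lo) + 1))
    return clashes


if __name__ == "__main__":
    for a, b, lo, hi, n in overlapping_pools(POOLS):
        print(f"{a} and {b} both hand out {lo}-{hi} ({n} addresses)")
```

Run it against the real pool definitions before bringing up a second server; any line of output is a pair of servers that will eventually assign one address to two subscribers.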
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Coincidentally started testing the 2.00 pre code in a proper environment
> today instead of just using radclient. All seems to stand up pretty well,
> no random crashes or weirdness... apart from of course the dreaded HUP
> which results in a segfault.

That's good to hear. The HUP issue will have to be addressed before 2.0
comes out, of course.

> What would be really useful is to be able to force the server to reload
> any of the 'file' based configuration files ... like the users and
> huntgroups files ...and the sql based clients list, and the easiest way
> to do this would be via snmp.

The server already supports a reload signal via SNMP, which does the same
thing as HUP. Adding the ability to reload the various files may be
possible. We'll see.

> Other options would be a cron like function, that reloads selected
> things periodically, or automatic change detection (which would be the
> neatest).

And probably the most work, too.

Alan DeKok.
Re: Current Opensource radius accounting details parser
Murray Hooper wrote:
> Are there any open source programs that parse the accounting logs produced
> by freeradius? I can find a couple in Google, but they appear to have been
> left behind in 1999.

Accounting detail file formats haven't changed in years, so they probably
work fine. I recall radiusContext was quite good when I last used it, and
it's written in python so it should be very easy to extend.

The reason you probably didn't find many is that often people push the
accounting into an SQL server, either directly using rlm_sql, relayed using
rlm_sql_log or via radrelay and a 2nd server, which obviously makes most of
these packages redundant for parsing purposes.
RE: (Solved) Re: MAC authorisation (but not authentication) via LDAP
This looks great for my purpose as well. Thanks very much for your help, Alan.

The problem for me was that when the ldapsearch failed to find the MAC
address, freeradius didn't reject authorisation. The solution for me (I'm
sure the big boys can point out how it's wrong) was the following script..

---snip---
#!/bin/sh
# Run by rlm_exec with the request attributes in the environment.
# If the LDAP module reported that the MAC was not found, force a reject.
if echo "$MODULE_FAILURE_MESSAGE" | grep -q "not found"; then
    echo "Auth-Type := reject"
fi
exit 0
---snip---

and the following clause in radiusd.conf

---snip---
exec rejectOnNotFound {
    wait = yes
    program = "/usr/local/etc/raddb/rejectOnNotFound.sh"
    input_pairs = request
    output_pairs = config
}
---snip---

which is used in the authorise section thus

---snip---
Autz-Type LdapMAC {
    ldapMAC
    rejectOnNotFound
}
---snip---

As I said, works for me. Hope it helps..

Mart

Alan Walters wrote:
> we are trying to add mac authentication to our wireless aps. The radius
> request comes in like so.
>
> rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
> length=95
>         Service-Type = Framed-User
>         NAS-Port-Id = "wlan1"
>         User-Name = "00:0B:6B:56:1D:48"
>         User-Password = ""
>         NAS-Identifier = "ballyvaughan_ap_1"
>         NAS-IP-Address = 10.250.100.3
>
>
> the mac address is in a field in the ldap so i created a second
> ldap.attrib.map and a new ldap autz-type. the problem is that the
> user-password that is sent is blank so i added this to the users file,
> like so.
>
> DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
>         Fall-Through = 0
>
> great now the user will authorise and authenticate from files. but what
> i had hoped would happen was if they failed authorisation they would
> not continue, i can see this is not the default procedure. how can i
> make this work this way.
>
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> users: Matched entry DEFAULT at line 4
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> Found Autz-Type ldapMAC
> Processing the authorize section of radiusd.conf
> modcall: entering group ldapMAC for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
> radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
> radius_xlat: 'o=clients,dc=radiowave,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
> radiustest:/etc/freeradius/config-clients#
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
> filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldapmac1" returns notfound for request 0
> modcall: leaving group redundant (returns notfound) for request 0
> modcall: leaving group ldapMAC (returns notfound) for request 0
>
>
> but when the authentication starts this still happens, below was an
> idea someone had in respect to this issue or a similar one but i have no
> idea how to deploy this. look forward to your replies.
>
> auth: type Local
> auth: user supplied User-Password matches local User-Password
> Processing the session section of radiusd.conf
> modcall: entering group session for request 0
> modcall: entering group redundant for request 0
> modcall[session]: module "sql2" returns noop for request 0
> modcall: leaving group redundant (returns noop) for request 0
> modcall: leaving group session (returns noop) for request 0
> Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
> Sending Access-Accept of id 119 to 10.250.100.3 port 1038
>
>
> On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
>> Martin Whinnery wrote:
>>> Markus Krause wrote:
>>> Quoting Martin Whinnery <[EMAIL PROTECTED]>:
>>>> Hi.
>>>>
>>>> Probably just me not understanding...
>>>>
>>>> What I want is for our switches to only allow access to MAC addresses in
>>>> our LDAP database.
>>>>
>>>> I don't want to store passwords on our LDAP host entries.
>>>>
>>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>>> authorised / not authorised depending on whether the appropriate
>>>> attribute contains the right valu
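A regression check for the behaviour Mart's exec hack works around, written here as an added example in Python; it is not part of the thread and not FreeRADIUS code. It scans radiusd -X output (a constructed sample modelled on the debug lines quoted above) and reports every request that received an Access-Accept although an authorize module had returned notfound, reject or another negative code for that request. The set of codes treated as blocking, and the assumption that a "Sending Access-Accept" line belongs to the most recently logged request number, are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of radiusd -X output, modelled on the debug lines in the
# thread: request 0 gets Autz-Type ldapMAC, the LDAP lookup returns notfound
# and the request is accepted anyway; request 1 is a clean accept.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
Found Autz-Type ldapMAC
modcall: entering group ldapMAC for request 0
modcall[authorize]: module "ldapmac1" returns notfound for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0
auth: type Local
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038
rad_recv: Access-Request packet from host 10.250.100.3:1039, id=120, length=95
modcall: entering group authorize for request 1
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
modcall: entering group ldapMAC for request 1
modcall[authorize]: module "ldapmac1" returns ok for request 1
modcall: leaving group ldapMAC (returns ok) for request 1
Login OK: [00:0B:6B:AA:BB:CC/] (from client ballyvaughan port 0)
Sending Access-Accept of id 120 to 10.250.100.3 port 1039
"""

# Authorize return codes an operator doing MAC authorisation expects to end the
# request (this example's assumption, not a FreeRADIUS default).
BLOCKING_CODES = {"notfound", "reject", "fail", "invalid", "userlock"}

RE_MODULE = re.compile(
    r'^modcall\[authorize\]: module "([^"]+)" returns (\w+) for request (\d+)')
RE_ACCEPT = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")


@dataclass
class FailOpen:
    request: int                     # radiusd request number
    packet_id: int                   # RADIUS identifier of the Access-Accept
    client: str                      # NAS address the accept was sent to
    modules: List[Tuple[str, str]]   # (module, code) pairs that should have blocked it


def find_fail_open(log_text: str) -> List[FailOpen]:
    """Return every accepted request for which an authorize module returned a blocking code."""
    blocking: Dict[int, List[Tuple[str, str]]] = {}
    current_request = None
    findings: List[FailOpen] = []
    for line in log_text.splitlines():
        m = RE_MODULE.match(line)
        if m:
            module, code, req = m.group(1), m.group(2), int(m.group(3))
            current_request = req
            if code in BLOCKING_CODES:
                blocking.setdefault(req, []).append((module, code))
            continue
        m = RE_ACCEPT.match(line)
        # The accept line carries no request number; radiusd -X prints it right
        # after that request's module calls, so attribute it to the last one seen.
        if m and current_request is not None and current_request in blocking:
            findings.append(FailOpen(current_request, int(m.group(1)),
                                     m.group(2), blocking[current_request]))
    return findings


if __name__ == "__main__":
    for f in find_fail_open(SAMPLE_LOG):
        print(f"request {f.request}: Access-Accept id {f.packet_id} sent to {f.client} "
              f"although {f.modules} returned a blocking code")
```

Feed it a debug log captured while sending a request for a MAC that is deliberately absent from LDAP; an empty result means the exec hook (or whatever replaces it) is really stopping the request, a non-empty one means the lookup result is still being ignored.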
Current Opensource radius accounting details parser
Are there any open source programs that parse the accounting logs produced
by freeradius? I can find a couple in Google, but they appear to have been
left behind in 1999.
ip pool for dynamic users
Hi all

I am using two radius servers for our DSL clients. but our client has an ip
conflict issue.

it looks like the first radius issues the ip to the A DSL client. but the
secondary radius doesn't know this ip is already allocated and issues this
ip to the B DSL client. Then two clients have the same ip address and cause
the ip conflict.

How can we avoid this problem?

Thank you
Re: Version 2.0 is a lot closer to reality...
>>> That will be fixed on another commit.
>>> It turns out the easiest way to fix that was to remove the multiple
>>> places that called "Post-Auth-Type Reject", and move it to one central
>>> location. Simpler, less code, does exactly the same thing as before,
>>> and adds the call to "Post-Auth-Type Reject" when the home servers fail
>>> to respond.
>>>
>>> We should probably have a "Post-Proxy-Type = Fail", that gets called
>>> when a home server fails to respond to a request.
>>>

That would make sense, then you can trigger a script to email admins ... etc...
And well done :)

Coincidentally started testing the 2.00 pre code in a proper environment
today instead of just using radclient. All seems to stand up pretty well, no
random crashes or weirdness... apart from of course the dreaded HUP which
results in a segfault.

The main thing that will change on our implementation will be the SQL based
client list (which could change hourly), as we have a well used equipment
database which the NAS list is being derived from. Techs will also want to
test switches in new installs, and they won't like waiting a day for
configuration changes to take effect, just as users won't like the service
going down every hour, although we could stagger the server restarts.

What would be really useful is to be able to force the server to reload any
of the 'file' based configuration files ... like the users and huntgroups
files ...and the sql based clients list, and the easiest way to do this
would be via snmp. I think this would satisfy most users' requirements... if
they need any more than this then they either have very strange requirements
or a very poorly configured server :S.

Other options would be a cron like function, that reloads selected things
periodically, or automatic change detection (which would be the neatest).

Thanks,
Arran
Re: radius-apache authentication problem
FWIW, I have had a chance to test this on 2.2.3 and it did not work for me
either. Not sure if it is a bug in apache or a change has been made and the
mod_auth modules need updating.

On 3/29/07, Nick Owen <[EMAIL PROTECTED]> wrote:
> On 3/28/07, Ramazan Ulker <[EMAIL PROTECTED]> wrote:
> > Hi
> > these are the error lines in the apache error log and apache conf files.
> > thanks for your assistance
>
> No problem. The fewer passwords the better :). I don't see anything
> that stands out. However, when I set up apache with our two-factor I
> did everything inside of httpd.conf inside the vhost listing:
>
>     AuthType Basic
>     AuthName "WiKID Two-factor + Apache"
>     AuthXRadiusAddServer "wikid_server:1812" "radius_secret"
>     AuthXRadiusTimeout 7
>     AuthXRadiusRetries 2
>     require valid-user
>
> So, perhaps apache is getting confused about what mechanism to use
> where, putting it all in one place might clarify things.
>
> HTH,
>
> Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
Re: rlm_sql, readclients=yes: multiple NASes with same IP
Milan Holub wrote:
> We are having multiple NASes on the same IP distinguished only by
> different port (eg. multiple instances of nocat wlangw running on
> different ports).

No. NASes are distinguished by IP. Nothing else. There is no way in RADIUS
to have multiple NASes on the same IP with different ports.

> I believe that for communication of the NAS with radius only the IP is
> deciding for radius.

Yes.

> I know this can be solved outside radius by
> creating another "bind" table in DB (binding multiple ports to one unique
> nas record) and changing existing applications for viewing accounting
> data (php+mysql).

I have no idea what you mean by that. FreeRADIUS will look up the NAS by
IP, and never by port. What you put in the DB for ports is irrelevant, and
will never affect server behavior. i.e. What you use the ports for is up to
you, and does not affect the server.

> For me at the moment it's easier to persuade freeradius
> just to ignore such "duplicities" when reading clients by the following
> simple patch:

No. Your DB configuration is wrong, and needs to be fixed.

Maybe you need to put your "NAS IP + port" combination into a different
table. But whatever the case, duplicate NAS IP's are wrong, and will not be
supported.

Alan DeKok.
Re: R: log on device directly in "priviledged mode"
Molteni Davide wrote:
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of Alexander Papenburg
> Sent: Wed 11/04/2007 15.41
> To: FreeRadius users mailing list
> Subject: Re: log on device directly in "priviledged mode"
>
> Molteni Davide wrote:
>
>> Finally I successfully managed to log into the cisco switch (thanks to
>> your help) using freeradius.
>> Now I want the radius users to be able to enter enable mode of the
>> cisco device directly. I set this in the users file
>>
>> test Auth-Type := Local, User-Password == "test"
>>         Cisco-AVPair = "shell:priv-lvl=15"
>>
>> but it doesn't work, the user "test" logs into the cisco as unprivileged.
>>
>> Is there something missing in the config?
>>
>
> Hi,
>
> you need something like that in your switch config:
>
> aaa authorization exec default group [YOURSERVERGROUPHERE] local
>
>
> I have tried but with the line you suggested Authorization fails and the
> device won't let me in
>

Oh I am sorry, seems like this will work only on cisco routers, for
switches you need tacacs for exec mode. cisconfusion %)
Re: Segmentation fault for SNMP query
Milan Holub wrote:
> Hi all,
>
> when I've compiled in snmp support (--with-snmp) on current cvs head I got
> the following segmentation fault (does not matter whether NAS are stored in
> DB or in clients.conf):

I just committed fixes for SNMP. I haven't tested it, but the code that was
obviously wrong isn't there any more.

Alan DeKok.
Re: Segmentation fault on sigHUP
inverse wrote:
> Going back to the subject, a useful feature would be a periodical
> reload of certificate revocation lists and the users list. These two
> lists are prone to changing frequently in production environments: a
> production server usually has an otherwise stable configuration.

That can be done with a fair amount of work.

> As for me, I was planning a CRL reload during off peak hours, so I
> guess I'll stick with just a full nighttime restart.

For now, it's probably safest.

Alan DeKok.
Re: Segmentation fault on sigHUP
Milan Holub wrote:
> - we are keeping NAS entries in DB.

Then the server should re-load them via reading the DB.

> - these entries are edited by operation guys via web interface
> - when a new NAS entry is added then we need to reload/restart
> freeradius
> - we reload freeradius using SNMP write query (can be done via web
> interface as well; without need of ssh to radius server)

If the server automatically discovers NAS changes from the DB, then the
server doesn't need to be reloaded.

i.e. You're changing *one* thing: a NAS. You're then telling the server to
reload *everything*. That's where the expense and complexity comes in.

> In general when restarting the server you might lose some radius
> packets (especially on a highly loaded server), don't you?

It's possible.

> ==> what do you imagine under these "features"? Basically I thought HUP
> is good for reloading config files when one does not want to bring the
> server down but wants to bring into effect some minor config change.

I am trying to say that there are OTHER ways to perform some minor config
change than HUP. HUP should be the *last* resort.

> ==> is there any other use of HUP?

No. HUP is *only* to notify the server of configuration changes.

Alan DeKok.
Re: Segmentation fault on sigHUP
Milan Holub wrote:
> ==> I've found really useful the idea of telling freeradius
> to reload via snmp - could such functionality easily be kept when using
> your proposed approach?

Reloading via SNMP is exactly the same as HUP.

Configuring a server by doing SNMP writes is very hard.

Alan DeKok.
rlm_sql, readclients=yes: multiple NASes with same IP
Hi all,

with current cvs head I've observed the following behaviour:

- I'm using rlm_sql
- clients stored in mysql DB (standard DB scheme)
- in sql.conf I have "readclients=yes" (to read the nas table)

We are having multiple NASes on the same IP distinguished only by
different port (eg. multiple instances of nocat wlangw running on
different ports). This results in the following DB records (for example):

+-----+---------+-----------+-------+-------+--------+-----------+-------------+
| id  | nasname | shortname | type  | ports | secret | community | description |
+-----+---------+-----------+-------+-------+--------+-----------+-------------+
| 123 |         | wlan-gw51 | other |  5281 | secret | NULL      | off         |
| 117 |         | wlan-gw51 | other |  5280 | secret | NULL      | off         |
+-----+---------+-----------+-------+-------+--------+-----------+-------------+

(the only difference is in the ports)

We are using the nas table as a bind table to another table for "usage
view". Basically such NASes can serve completely different physical
locations and what really determines the location is the combination of
nasname and ports.

Now: freeradius refuses to start with the above configuration:

>>> DEBUG OUTPUT START
rlm_sql (sql): Read entry nasname=,shortname=wlan-gw51,secret=secret
rlm_sql (sql): Adding client (wlan-gw51) to clients list
rlm_sql (sql): Read entry nasname=,shortname=wlan-gw51,secret=secret
rlm_sql (sql): Adding client (wlan-gw51) to clients list
rlm_sql (sql): generate_sql_clients() returned error
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
radiusd.conf[10]: sql: Module instantiation failed.
radiusd.conf[1896] Failed to find module "sql".
radiusd.conf[1819] Failed to parse authorize section.
Errors setting up modules
>>> DEBUG OUTPUT END

I believe that for communication of the NAS with radius only the IP is
deciding for radius. I know this can be solved outside radius by creating
another "bind" table in DB (binding multiple ports to one unique nas record)
and changing existing applications for viewing accounting data (php+mysql).

For me at the moment it's easier to persuade freeradius just to ignore such
"duplicities" when reading clients by the following simple patch:

Index: src/main/client.c
===
RCS file: /source/radiusd/src/main/client.c,v
retrieving revision 1.53
diff -u -r1.53 client.c
--- src/main/client.c 10 Apr 2007 14:21:24 - 1.53
+++ src/main/client.c 11 Apr 2007 15:36:19 -
@@ -225,7 +225,7 @@
  * Duplicate?
  */
 if (!rbtree_insert(clients->trees[client->prefix], client)) {
- return 0;
+ return 1;
 }
 
 #ifdef WITH_SNMP

I hope it helps someone.

Milan Holub
holub (at) thenet (dot) ch
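Review bot: Returning 1 after `rbtree_insert(clients->trees[client->prefix], client)` fails reports success for a client that was never inserted, so the second NAS row is silently discarded (its secret never takes effect, and the first row's secret is what the server will use for that IP) and the `client` that lost the insert is neither freed nor logged; a colliding or mistyped nasname now vanishes from the startup output without a trace. If duplicates are to be tolerated at all, at least log the collision with the shortname and release the unreferenced client before returning; otherwise keep the hard failure and make the rows unique in the nas query instead.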
Connection failed
hi,

I want to use MSSQL as a database for my Freeradius, so I have unixodbc
installed. but the connection fails. in debug mode i can see this:

rlm_sql_unixodbc: Connection failed

any help?

Regards,

Abdelghani ELMALHI
Devesestr. 1
45897 Gelsenkirchen
Deutschland
Tel. 00 49 176 65 84 38 50
R: log on device directly in "priviledged mode"
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alexander Papenburg
Sent: Wed 11/04/2007 15.41
To: FreeRadius users mailing list
Subject: Re: log on device directly in "priviledged mode"

Molteni Davide wrote:
>
> Finally I successfully managed to log into the cisco switch (thanks to
> your help) using freeradius.
> Now I want the radius users to be able to enter enable mode of the
> cisco device directly. I set this in the users file
>
> test Auth-Type := Local, User-Password == "test"
>         Cisco-AVPair = "shell:priv-lvl=15"
>
> but it doesn't work, the user "test" logs into the cisco as unprivileged.
>
> Is there something missing in the config?
>

Hi,

you need something like that in your switch config:

aaa authorization exec default group [YOURSERVERGROUPHERE] local


I have tried but with the line you suggested Authorization fails and the
device won't let me in
Segmentation fault for SNMP query
Hi all,

when I've compiled in snmp support (--with-snmp) on current cvs head I got
the following segmentation fault (does not matter whether NAS are stored in
DB or in clients.conf):

>>>DEBUG OUTPUT START
...
Ready to process requests.
Nothing to do. Sleeping until we see a request.
SMUX read start
SMUX read len: 12
SMUX message received type: 67 rest len: 4
SMUX_RRSP
SMUX_RRSP value: 0 errstat: 0
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
SMUX read start
SMUX read len: 40
SMUX message received type: 161 rest len: 36
SMUX_GETNEXT
SMUX GET message parse: len 36
SMUX GET reqid: 182 len: 32
SMUX GET errstat 0 len: 29
SMUX GET errindex 0 len: 26
SMUX var parse: len 26
SMUX var parse: type 48 len 22
SMUX var parse: type must be 48
Request OID: 1.3.6.1.2.1.67.1.1.1.1.15.1.2.1
SMUX val_type: 5 ASN_NULL
SMUX function call index is 2
SMUX function call index is 3
Segmentation fault
>>>DEBUG OUTPUT END

when debugging (I can attach the gdb output if needed) I've found that it
fails somewhere on reading the internal nas clients data structure. As I'm
not interested in nas clients obtained via snmp (I keep them in mysql DB)
the following is the little patch which basically just adds "return NULL"
when snmp asks for the next nas client:

Index: src/main/radius_snmp.c
===
RCS file: /source/radiusd/src/main/radius_snmp.c,v
retrieving revision 1.31
diff -u -r1.31 radius_snmp.c
--- src/main/radius_snmp.c 10 Apr 2007 14:21:24 - 1.31
+++ src/main/radius_snmp.c 11 Apr 2007 14:41:08 -
@@ -194,6 +194,8 @@
 RADCLIENT *c;
 int i, len;
 
+ return NULL;
+
 len = *objid_len - v->namelen;
 
 if (!mainconfig.clients)

Hope this helps someone.

Milan Holub
holub (at) thenet (dot) ch
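Review bot: The unconditional `+ return NULL;` placed right after the declarations turns everything from `len = *objid_len - v->namelen;` onwards into dead code, so the SNMP walk of the client table is switched off for every build of this file, not just for a deployment that keeps its NASes in SQL, and `c`, `i` and `len` become unused variables the compiler will warn about. If the goal is only to stop the crash until the underlying walk is fixed, gate the early return on a condition the function can check (the `if (!mainconfig.clients)` test two lines further down is the obvious place), and say in a comment that the table is deliberately not exported, so the missing MIB rows are not mistaken for a bug later.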
Re: Segmentation fault on sigHUP
Hi Alan,

On Wed, Apr 11, 2007 at 04:02:15PM +0200, Alan DeKok wrote:
> > Do you have in mind a favorite technique for signaling daemons that
> > the config files have changed? HUP is a common way to do it, but I'm
> > sure there are other ways.
>
> A command-line tool that uses some other method to update the server
> configuration. It means that the server gets told "X has changed", or
> "delete client Y", which is hugely less intrusive than a HUP.
>
> HUPs are like kicking the server in the head, and then expecting it to
> be nice to you. It can be done, but it takes work.

==> I've found really useful the idea of telling freeradius to reload via
snmp - could such functionality easily be kept when using your proposed
approach?

> Alan DeKok.

Milan Holub
holub (at) thenet (dot) ch
Re: Segmentation fault on sigHUP
> > Maybe we can add features that prevent the need for the HUP, and then
> > remove support for HUP. That would be best, I think.
>
> Do you have in mind a favorite technique for signaling daemons that
> the config files have changed? HUP is a common way to do it, but I'm
> sure there are other ways.

hi,

I'm glad Milan Holub replied with a patch, thank you!

Going back to the subject, a useful feature would be a periodical reload of
certificate revocation lists and the users list. These two lists are prone
to changing frequently in production environments: a production server
usually has an otherwise stable configuration. I think nobody is willing to
experiment on radiusd.conf during peak hours; on the other hand he will be
busy adding/removing users or eventually certificate revocations if using
EAP-TLS in the most advanced way.

As for me, I was planning a CRL reload during off peak hours, so I guess
I'll stick with just a full nighttime restart.
Re: Segmentation fault on sigHUP
Hi Alan,

On Wed, Apr 11, 2007 at 03:45:18PM +0200, Alan DeKok wrote:
> Milan Holub wrote:
> > somewhere in this list it was already mentioned that the current CVS
> > version causes a segmentation fault when it receives a HUP signal
> > (kill -HUP pid) - depending on the configuration it may survive the 1st
> > HUP and then it dies with the 1st radius request/2nd HUP).
>
> To back up a bit, *why* are you HUPing the server?

==> the main reason for HUP for me is when the configuration gets updated
==> yes it could be restarted as well but consider the following:

- we are keeping NAS entries in DB.
- these entries are edited by operation guys via web interface
- when a new NAS entry is added then we need to reload/restart freeradius
- we reload freeradius using SNMP write query (can be done via web interface
  as well; without need of ssh to radius server)

==> using this approach simplifies "daily configuration" tasks on freeradius
and I believe it's secure enough (snmp write allowed only from the management
machine) and elegant (as opposed to executing remote commands from within the
management server using ssh for example)

In general when restarting the server you might lose some radius packets
(especially on a highly loaded server), don't you? Thus I think from this
point of view the HUP feature is useful and should be kept.

> Maybe we can add features that prevent the need for the HUP, and then
> remove support for HUP. That would be best, I think.

==> what do you imagine under these "features"? Basically I thought HUP is
good for reloading config files when one does not want to bring the server
down but wants to bring into effect some minor config change.

==> is there any other use of HUP?

> Alan DeKok.

Please advise.

Milan Holub
holub (at) thenet (dot) ch
Re: Segmentation fault on sigHUP
Ethan Dicks wrote:
> On 4/11/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
>> To back up a bit, *why* are you HUPing the server?
>
> I usually HUP servers to force them to re-read their configuration
> without forcing the server to restart.

Well, yes. But *what* are you changing? Clients? Realms? Comments?

> Do you have in mind a favorite technique for signaling daemons that
> the config files have changed? HUP is a common way to do it, but I'm
> sure there are other ways.

A command-line tool that uses some other method to update the server configuration. It means that the server gets told "X has changed", or "delete client Y", which is hugely less intrusive than a HUP.

HUPs are like kicking the server in the head, and then expecting it to be nice to you. It can be done, but it takes work.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Question about 3Com 4500 series and Freeradius + Ldap
Hi,

Has somebody configured a 3Com switch series 4500 with Freeradius + Ldap auth.? I have some problem. In debug mode I see:

---CUT---
Sending Access-Accept of id 18 to 192.168.2.201 port 5001
        MS-MPPE-Recv-Key = 0x3c9698b69511f27c53657389c3994d28fa0c2db70bd6c671dc211ba697f92a09
        MS-MPPE-Send-Key = 0xb571bf6045f094fa846995c6a3e89160e6eb476cc597d4dd0c6d90cd3341ca15
        EAP-Message = 0x03080004
        Message-Authenticator = 0x
        User-Name = "rka"
---

But on switch and on computer, I have unauth. user :( And I don't know why? Maybe null Message-Authenticator is wrong?

Thanks,
Kamyk
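Kamyk's debug output shows `Message-Authenticator = 0x`, an attribute with an empty value. The following Python is an added example, not code from the thread or from FreeRADIUS: it builds an Access-Accept carrying a well-formed Message-Authenticator (RFC 2869 section 5.14, RFC 3579 section 3.2) and verifies it the way a NAS would, so a reader can see what the attribute has to contain: 16 bytes of HMAC-MD5 keyed with the shared secret, computed over the packet with the header's Authenticator field holding the Request Authenticator and the attribute's own value zeroed. The shared secret, Request Authenticator and identifiers are constructed sample values; the verifier treats a zero-length value as unverifiable, which is what an empty attribute like the one in the debug output would be.

```python
"""Building and checking the RADIUS Message-Authenticator attribute.

Added example, not code from the thread or from FreeRADIUS. Attribute numbers
and the HMAC rule follow RFC 2869 section 5.14 and RFC 3579 section 3.2; the
shared secret, Request Authenticator and attribute values are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length covers the whole attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_message_authenticator(packet: bytes) -> Optional[int]:
    """Walk the attribute list; return the offset of the 16-byte value, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            # Any other length (an empty value included) is not a checkable attribute.
            if attr_len != 18:
                raise ValueError("Message-Authenticator value must be exactly 16 bytes")
            return pos + 2
        pos += attr_len
    return None


def compute_message_authenticator(packet: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the packet, with the header
    Authenticator replaced by the Request Authenticator and the Message-Authenticator
    value zeroed. For an Access-Request the packet's own Authenticator is that value."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    body = bytearray(packet)
    body[4:HEADER_LEN] = request_authenticator
    body[off:off + 16] = b"\x00" * 16
    return hmac.new(secret, bytes(body), hashlib.md5).digest()


def sign_response(code: int, ident: int, request_authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a response with a valid Message-Authenticator and Response Authenticator."""
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + request_authenticator + attrs
    off = find_message_authenticator(packet)
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    packet = packet[:off] + mac + packet[off + 16:]
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER_LEN:] + secret).digest()
    return packet[:4] + resp_auth + packet[HEADER_LEN:]


def verify_message_authenticator(packet: bytes, secret: bytes, request_authenticator: bytes) -> bool:
    """True only for a present, full-length Message-Authenticator that matches."""
    try:
        off = find_message_authenticator(packet)
    except ValueError:
        return False
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(expected, packet[off:off + 16])


def verify_response_authenticator(packet: bytes, secret: bytes, request_authenticator: bytes) -> bool:
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample: an Access-Accept for user "rka" (the name in the debug output), id 18.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # constructed stand-in for the NAS's Request Authenticator
ACCEPT = sign_response(CODE_ACCESS_ACCEPT, 18, REQUEST_AUTH, attr(ATTR_USER_NAME, b"rka"), SECRET)

if __name__ == "__main__":
    print("Message-Authenticator:", ACCEPT[27:43].hex())
    print("valid:", verify_message_authenticator(ACCEPT, SECRET, REQUEST_AUTH))
    print("valid with wrong secret:", verify_message_authenticator(ACCEPT, b"other", REQUEST_AUTH))
```

Whether the 3Com switch rejects the reply because of this attribute is not settled in the thread; the example only shows what a checkable Message-Authenticator looks like and that a tampered User-Name, a wrong secret or an empty value all fail the check.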
Re: add realm to user based on NAS-IP
>> >> DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"
>> >>
>> Ah yes, still the top entry should have worked, username would have to
>> be rewritten in hints file.
>>
>> Or with attr_rewrite.
>>
> Yippiieee,
>
> the request has been sent through to the home-server. Still need to work
> on the username but i don't expect big problems with that.
>
> Thanks to both of you
>
A word of warning with the username, if you're using EAP then the username is also sent within the EAP tunnel. If the username sent in the eap tunnel and the username sent in the access request packet don't match, then the user will be rejected. So if you rewrite the username at the proxying server, be sure to have the relevant hint on the home_server to rewrite the username back into its original form :)

And sorry you were having problems, I forgot the : in the Proxy-To-Realm. :(

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: Segmentation fault on sigHUP
On 4/11/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> To back up a bit, *why* are you HUPing the server?

I usually HUP servers to force them to re-read their configuration without forcing the server to restart.

I'm glad I found the earlier commentary that HUPping radiusd is considered harmful. I did it myself when I was writing my first config last month, and ran across the segfault, too.

> Maybe we can add features that prevent the need for the HUP, and then
> remove support for HUP. That would be best, I think.

Do you have in mind a favorite technique for signaling daemons that the config files have changed? HUP is a common way to do it, but I'm sure there are other ways.

-ethan
Re: Segmentation fault on sigHUP
Milan Holub wrote:
> somewhere in this list there was already mentioned that current CVS
> version causes segmentation fault when received HUP signal(kill -HUP pid) -
> depending on the configuration it may survive 1st HUP and then it dies with 1st
> radius request/2nd HUP).

To back up a bit, *why* are you HUPing the server?

Maybe we can add features that prevent the need for the HUP, and then remove support for HUP. That would be best, I think.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: log on device directly in "privileged mode"
Molteni Davide wrote:
>
> Finally I successfully managed to log into the cisco switch (thanks to
> your help) using freeradius.
> Now I want that the radius users can directly enter into enable mode
> of the cisco device. I set this in the users file
>
> test Auth-Type := Local, User-Password == "test"
>         Cisco-AVPair = "shell:priv-lvl=15"
>
> but it doesn't work, the user "test" logs into the cisco as unprivileged.
>
> Is there something missing in the config?

Hi,
you need something like that in your switch config:

aaa authorization exec default group [YOURSERVERGROUPHERE] local
Re: add realm to user based on NAS-IP
Arran Cudbard-Bell wrote:
Alan DeKok wrote:
Alexander Papenburg wrote:
Okay I tested both ways:

1st with suffix disabled in authorize section of radiusd.conf and:
DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"
        User-Name = "[EMAIL PROTECTED]"

In the "users" file? That sets the User-Name used in the reply, not the one being sent to the home server.

2nd with suffix enabled and:
DEFAULT NAS-IP-Address == 10.0.0.1
        User-Name = "[EMAIL PROTECTED]"
DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"

Ah yes, still the top entry should have worked, username would have to be rewritten in hints file.

Or with attr_rewrite.

Yippiieee,

the request has been sent through to the home-server. Still need to work on the username but i don't expect big problems with that.

Thanks to both of you
Segmentation fault on sigHUP
Hi all, somewhere in this list there was already mentioned that current CVS version causes segmentation fault when received HUP signal(kill -HUP pid) - depending on the configuration it may survive 1st HUP and then it dies with 1st radius request/2nd HUP). Reason is also known: wrong freeing of memory. I've looked into the code for some time but I got lost in debugging of internal freeradius data structures. Until Alan comes with clean solution I'm offering following workaround: Here is a patch which just comments out freeing of config memory: Index: src/main/mainconfig.c === RCS file: /source/radiusd/src/main/mainconfig.c,v retrieving revision 1.106 diff -u -r1.106 mainconfig.c --- src/main/mainconfig.c 7 Apr 2007 14:25:12 - 1.106 +++ src/main/mainconfig.c 11 Apr 2007 12:44:08 - @@ -804,9 +804,9 @@ * Note that where possible, we do atomic switch-overs, * to ensure that the pointers are always valid. */ - oldcs = mainconfig.config; + //oldcs = mainconfig.config; mainconfig.config = cs; - cf_section_free(&oldcs); + //cf_section_free(&oldcs); snprintf(buffer, sizeof(buffer), "%.200s/%.50s", radius_dir, mainconfig.radiusd_conf); 
@@ -942,7 +942,7 @@ * Clean up the configuration data * structures. */ - cf_section_free(&mainconfig.config); +// cf_section_free(&mainconfig.config); free(mainconfig.radiusd_conf); realms_free(); listen_free(&mainconfig.listen); Of course it leads to memory leakage! With default configuration it will eat around 60k of memory per thread on each reload. With my configuration(rlm_sql, 65 NASes in database, some additional modules loaded) it eats something like 600k per thread/reload. Advantages: - HUP does not cause seqmentation fault. - /etc/init.d/freeradius reload is working(uses HUP) - reload using snmp is working(radiusAuthServConfigReset.0 = 2) Disadvantages: - serious memory leakage - you should definitely schedule freeradius restart(daily?, off-peak) in crontab in order to "free" unused memory - when using rlm_sql(as in my case) with this patch then please note that there will be unused open DB connections left after each reHUP ==> to get rid of these connections consider changing your DB configuration(eg. set "wait_timeout = 600" under [mysqld] section of my.cnf for mysql server; this causes to close unused connections older than 10 minutes) Hope this helps someone. PS: I hope freeing unused memory will be revisited and thus this workaround won't be needed anymore. Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
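Review bot: the first hunk (mainconfig.c around line 804) leaves `oldcs` declared but never assigned or used once both `oldcs = mainconfig.config;` and `cf_section_free(&oldcs);` are commented out, so expect an unused-variable warning, and the old configuration tree is simply abandoned on every reload, which is the 60k to 600k per thread per reload leak the cover note admits. The surrounding comment (`* Note that where possible, we do atomic switch-overs, * to ensure that the pointers are always valid.`) suggests why freeing right at the switch-over is unsafe: something may still be reading the old tree, which also fits the reported crash on the first request after a HUP. The fix that matches that comment is to keep `oldcs` and release it later, once no request can still reference it, rather than dropping the free. If the workaround is kept as is, replace the two `//` lines with a `/* ... */` comment in the file's own style stating that the free is deliberately deferred.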
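Review bot: the second hunk (around line 942) disables `cf_section_free(&mainconfig.config)` in what the visible context shows as the final teardown (`* Clean up the configuration data structures.`, followed by `free(mainconfig.radiusd_conf)`, `realms_free()` and `listen_free()`), not the reload path, so it does nothing for the HUP crash and only suppresses the one free that would run at exit; if that free crashes too, it points at the same stale-pointer problem and should be reported rather than silenced. Suggest dropping this hunk from the workaround, or documenting in the cover note why it is needed; the `+// cf_section_free(&mainconfig.config);` with the comment marker at column zero also breaks the indentation of the block it sits in.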
log on device directly in "privileged mode"
Finally I successfully managed to log into the cisco switch (thanks to your help) using freeradius.
Now I want that the radius users can directly enter into enable mode of the cisco device. I set this in the users file

test Auth-Type := Local, User-Password == "test"
        Cisco-AVPair = "shell:priv-lvl=15"

but it doesn't work, the user "test" logs into the cisco as unprivileged.

Is there something missing in the config?
Re: add realm to user based on NAS-IP
Alan DeKok wrote:
> Alexander Papenburg wrote:
>> Okay I tested both ways:
>>
>> 1st with suffix disabled in authorize section of radiusd.conf and:
>> DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"
>>         User-Name = "[EMAIL PROTECTED]"
>
> In the "users" file? That sets the User-Name used in the reply, not
> the one being sent to the home server.
>
>> 2nd with suffix enabled and:
>> DEFAULT NAS-IP-Address == 10.0.0.1
>>         User-Name = "[EMAIL PROTECTED]"
>> DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"

Ah yes, still the top entry should have worked, username would have to be rewritten in hints file.

Or with attr_rewrite.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: freeradius and cisco hidden share
John Baker <[EMAIL PROTECTED]> writes:
> I'm certain I was using the right command. The number 7 in the line tells
> the router that a hidden key will follow.
>
> coltrane(config)#radius-server key ?
>   0     Specifies an UNENCRYPTED key will follow
>   7     Specifies HIDDEN key will follow
>   LINE  The UNENCRYPTED (cleartext) shared key
>
> Now at this point I actually got it to work. It turned out that in
> trying to copy the extremely long number from the old config there was
> an error.
>
> But I still don't know exactly what it is doing so I'm hoping somebody
> can explain because I may want to change the key at some point.
>
> On the router end the key is configured with radius-server key 7
> "54-character-key"
>
> On the radius server in clients.conf this client's secret =
> "totally-different-26-character-key"
>
> Initially I thought that one side or the other would be like /etc/shadow
> passwords or the garbled string you see looking at a enable secret
> password in the cisco conf. That would account for them appearing
> totally different. But just copying the old configuration straight works
> so I guess not.

The Cisco type 7 "encryption" is just a local obfuscation of the password to avoid accidental reading-over-the-shoulder. It is "decrypted" by the router before it is used, so in fact both ends have access to the same clear text password.

Please read http://www.cisco.com/warp/public/701/64.html if you think this provides any security of any sort.

Bjørn
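Bjørn's point that type 7 is reversible obfuscation can be shown directly. The Python below is an added example, not code from the thread or from Cisco: it implements the type 7 encoding in both directions, which also accounts for the two lengths John saw, since a 54-character `key 7` string is two seed digits plus 26 hex pairs, i.e. the same 26-character secret that sits in clients.conf. The fixed XOR constant is the well-known IOS value; the hostname, config snippet and secrets are constructed, and `radius_secrets_in_config` is an audit helper introduced here (not an IOS or FreeRADIUS tool) for confirming that a router's stored key matches the clients.conf secret. The practical consequence for a defender is that any copy of the running-config must be handled as if it contained the shared secret in the clear, and the secret rotated on both ends if a config leaks.

```python
"""Cisco IOS "type 7" key obfuscation as a round trip.

Added example, not code from the thread or from Cisco. TYPE7_KEY is the well-known
IOS constant; the encoded strings and config snippet below are constructed.
"""
import re
from typing import List

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext: two decimal seed digits, then one hex pair per
    character, each character XORed with the key byte at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is two seed digits plus hex pairs")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("seed must lie in 00..15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Inverse of type7_decode; IOS chooses the seed itself, here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must lie in 00..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, enc.hex().upper())


def type7_secret_length(encoded: str) -> int:
    """Cleartext length implied by an encoded string: (len - 2) / 2.
    A 54-character key 7 string therefore holds a 26-character shared secret."""
    return (len(encoded) - 2) // 2


RADIUS_KEY_RE = re.compile(r"^\s*radius-server key 7 (\S+)\s*$", re.MULTILINE)


def radius_secrets_in_config(config: str) -> List[str]:
    """Audit helper (hypothetical, not an IOS feature): list the RADIUS shared
    secrets recoverable from a running-config that uses 'radius-server key 7',
    so they can be compared with clients.conf and rotated if the config leaked."""
    return [type7_decode(m) for m in RADIUS_KEY_RE.findall(config)]


# Constructed sample config; hostname and addresses are placeholders, not from the thread.
SAMPLE_CONFIG = """!
hostname constructed-router
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key 7 %s
!
""" % type7_encode("cisco", 2)

if __name__ == "__main__":
    for secret in radius_secrets_in_config(SAMPLE_CONFIG):
        print("recoverable shared secret of length", len(secret))
```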
Re: add realm to user based on NAS-IP
Alexander Papenburg wrote:
> Okay I tested both ways:
>
> 1st with suffix disabled in authorize section of radiusd.conf and:
> DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = "realm"
>         User-Name = "[EMAIL PROTECTED]"

In the "users" file? That sets the User-Name used in the reply, not the one being sent to the home server.

> 2nd with suffix enabled and:
> DEFAULT NAS-IP-Address == 10.0.0.1
>         User-Name = "[EMAIL PROTECTED]"
>
> In both cases the request didn't reach the home server.

Didn't reach, or wasn't sent? Debugging mode will tell you if the server was trying to send the request.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: returning VSA from exec-prog-wait
> After running the server in debugging mode as suggested I did see everything
> that I expected FreeRadius to be doing

Including sending the attribute back to the NAS?

> and that is why I originally wrote
> the inquiry. This unfortunately was not triggering the NAS to respond as
> recognizing the variable.

You may be confusing two separate issues:

1) Get the server to respond to the NAS with the attribute you want
2) Get the NAS to understand the attribute, and use it.

If you have (1) working, but (2) doesn't, the answer is to read the NAS documentation to see what attribute it expects... which aren't the ones you're sending.

> The expected line from exec-prog-wait ended up
> being echo 'vsa106 vsa106=string' that was needed in the script being called
> from exec-prog-wait.

I find that more than a little surprising. The server doesn't parse attributes in that format from exec-program-wait.

> Unfortunately, I must have missed this in the examples
> and FAQ's.

I think there's something else going on.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
rlm_sql_unixodbc: Connection failed
hi,

I try to use MSSQL as database for my Freeradius server, but the connection fails. I have unixodbc successfully installed. So by typing radiusd -X I see this:

rlm_sql_unixodbc: Connection failed

so no user can connect! Help or tips please!

Abdelghani ELMALHI
Devesestr. 1
45897 Gelsenkirchen
Deutschland
Tel. 00 49 176 65 84 38 50
RE: returning VSA from exec-prog-wait
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-bounces+m-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, April 11, 2007 12:20 AM
> To: FreeRadius users mailing list
> Subject: Re: returning VSA from exec-prog-wait
>
> Murray Hooper wrote:
> > Can I return VSA(106) from a script called from exec-prog-wait? I am
> trying
> > to "echo H323-redirect-number=" but the NAS does not see this as
> VSA 106
>
> If you run the server in debugging mode, as suggested in the FAQ,
> README, and INSTALL, you will see the results of exec-program-wait, and
> what the server is doing with it.
>
> I never understand why people look at the NAS to see what the server
> is doing.
>
> Alan DeKok.
> --

After running the server in debugging mode as suggested I did see everything that I expected FreeRadius to be doing and that is why I originally wrote the inquiry. This unfortunately was not triggering the NAS to respond as recognizing the variable. The expected line from exec-prog-wait ended up being echo 'vsa106 vsa106=string' that was needed in the script being called from exec-prog-wait. Unfortunately, I must have missed this in the examples and FAQ's.

Again thanks for the help

murray
Re: RadiusExpert Wiki
Hello Peter,

On Wednesday 11 April 2007 19:12, Peter Nixon wrote:
> On Tue 10 Apr 2007, Mike McCauley wrote:
> > Hi all,
> >
> > Open System Consultants (OSC) has established a free resource for the
> > RADIUS user community to collect and share information about configuring
> > and implementing RADIUS protocol devices and software.
> >
> > RadiusExpert:Community Portal at
> > http://www.open.com.au/wiki/index.php/Main_Page will become the
> > repository for all the information that often resides only in the heads
> > of system administrators who manage and maintain the security access and
> > authentication requirements of their networks.
> >
> > We welcome contributions about such topics as configuring various RADIUS
> > devices, load balancing with RADIUS servers and wireless authentication
> > tips from our very active user community.
> >
> > If you can contribute any information on any RADIUS topic to the benefit
> > of the entire community, please feel free.
> >
> > This is not a trawl for customers by OSC, but a genuine attempt to assist
> > everyone in the RADIUS community. The wiki is vendor-neutral and covers
> > all free and commercial RADIUS servers and compatible devices.
> > This message was posted with the assent of Alan DeKok
>
> Hi Mike
>
> Welcome to the FreeRADIUS community. Many of us here have bought, sold,
> used, and continue to use Radiator and we appreciate OSC's contribution to
> the RADIUS world. We also recognise the lack of comprehensive documentation
> about RADIUS, which is one of the reasons we started the FreeRADIUS Wiki
> mid last year at:
> http://wiki.freeradius.org/
>
> I have taken a quick look at:
> http://www.open.com.au/wiki/index.php/RadiusExpert:Community_Portal
>
> It is pretty sparse at present and doesn't mention FreeRADIUS Server or
> Client at all (Before posting to our list, it would be nice if you would
> consider listing us as a member of the RADIUS community on the wiki you are
> asking us to contribute to :-)

Fair enough. Done.

Anyone is welcome to add any topic they think is helpful. We especially think there is not enough documentation on the various RADIUS compatible devices like Wireless Access Points, how to configure them and their oddities

> I also wanted to confirm one thing before contributing. You list at the
> bottom of your wiki that "Content is available under GNU Free Documentation
> License 1.2.". As this is the default theme and footer for mediawiki, could
> you please confirm that this is actually the license you intended the wiki
> content to be under? (This would allow us to share content if we were to
> license under the same license..)

That is indeed the license we intend.

Cheers.

> Best Regards

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Re: add realm to user based on NAS-IP
Arran Cudbard-Bell schrieb:
> rlm_realm instances do much the same job as the Proxy-To-Realm reply
> item, just they also handle splitting the username into its component
> parts.
> Usually you would use one or the other, but not both.

Okay I tested both ways:

1st with suffix disabled in authorize section of radiusd.conf and:
DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = "realm"
        User-Name = "[EMAIL PROTECTED]"

2nd with suffix enabled and:
DEFAULT NAS-IP-Address == 10.0.0.1
        User-Name = "[EMAIL PROTECTED]"

In both cases the request didn't reach the home server.

> Erm I thought your original question was, "how do I proxy a user to a
> realm based on the NAS-IP-Address and how do I rewrite that username
> with that realm name"
>
> If thats the case ... why are you using [EMAIL PROTECTED] as your test user???

I logged on with "[EMAIL PROTECTED]" to prove the proxy function of the proxy server. For the other tests my login was only "abc"...
Re: Radius to Diameter Gateway
Ashraf Al-Basti wrote: > Dear, > Is there any way to make Freeradius to work as Radius/Diameter gateway? No. > If not is there any recommended software that can do that? OpenDiameter is probably your only choice. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RadiusExpert Wiki
On Tue 10 Apr 2007, Mike McCauley wrote:
> Hi all,
>
> Open System Consultants (OSC) has established a free resource for the
> RADIUS user community to collect and share information about configuring
> and implementing RADIUS protocol devices and software.
>
> RadiusExpert:Community Portal at
> http://www.open.com.au/wiki/index.php/Main_Page will become the repository
> for all the information that often resides only in the heads of system
> administrators who manage and maintain the security access and
> authentication requirements of their networks.
>
> We welcome contributions about such topics as configuring various RADIUS
> devices, load balancing with RADIUS servers and wireless authentication
> tips from our very active user community.
>
> If you can contribute any information on any RADIUS topic to the benefit
> of the entire community, please feel free.
>
> This is not a trawl for customers by OSC, but a genuine attempt to assist
> everyone in the RADIUS community. The wiki is vendor-neutral and covers
> all free and commercial RADIUS servers and compatible devices.
> This message was posted with the assent of Alan DeKok

Hi Mike

Welcome to the FreeRADIUS community. Many of us here have bought, sold, used, and continue to use Radiator and we appreciate OSC's contribution to the RADIUS world. We also recognise the lack of comprehensive documentation about RADIUS, which is one of the reasons we started the FreeRADIUS Wiki mid last year at:
http://wiki.freeradius.org/

I have taken a quick look at:
http://www.open.com.au/wiki/index.php/RadiusExpert:Community_Portal

It is pretty sparse at present and doesn't mention FreeRADIUS Server or Client at all (Before posting to our list, it would be nice if you would consider listing us as a member of the RADIUS community on the wiki you are asking us to contribute to :-)

I also wanted to confirm one thing before contributing. You list at the bottom of your wiki that "Content is available under GNU Free Documentation License 1.2.". As this is the default theme and footer for mediawiki, could you please confirm that this is actually the license you intended the wiki content to be under? (This would allow us to share content if we were to license under the same license..)

Best Regards
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Yep works for me too, reaches end of list of possible servers and starts
> rejecting all users assigned to that realm. :)

Thanks.

>>> Also little one with access-reject when home server fails to respond.
>>> Not sent through access reject filter, though that's probably because it
>>> never passes through post-auth.
>>>
>> That will be fixed on another commit.

It turns out the easiest way to fix that was to remove the multiple places that called "Post-Auth-Type Reject", and move it to one central location. Simpler, less code, does exactly the same thing as before, and adds the call to "Post-Auth-Type Reject" when the home servers fail to respond.

We should probably have a "Post-Proxy-Type = Fail", that gets called when a home server fails to respond to a request.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Version 2.0 is a lot closer to reality...
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> Assertion failed in event.c, line 669
>>
> ...
>
>> Happens after all the home servers have been marked as dead, and you
>> have an incoming request... though could be when it's firing off a ping
>> check event.
>> Either way it's repeatable, and *only* happens when all home servers are
>> dead.
>>
>
> OK. I've gone over the code again, and fixed up a few corner cases of
> the state machine. That test case now works for me.
>
Yep works for me too, reaches end of list of possible servers and starts rejecting all users assigned to that realm. :)

>> Also little one with access-reject when home server fails to respond.
>> Not sent through access reject filter, though that's probably because it
>> never passes through post-auth.
>>
>
> That will be fixed on another commit.
>
Cool, Thanks. I'll let you know if I find any more weirdness.

Thanks,
Arran
Re: (Solved) Re: MAC authorisation (but not authentication) via LDAP
we are trying to add mac authentication to our wireless aps

radius request comes in like so.

rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95
        Service-Type = Framed-User
        NAS-Port-Id = "wlan1"
        User-Name = "00:0B:6B:56:1D:48"
        User-Password = ""
        NAS-Identifier = "ballyvaughan_ap_1"
        NAS-IP-Address = 10.250.100.3

the mac address is in a field in the ldap so I created a second ldap.attrib.map and a new ldap autz-type. the problem is that the user-password that is sent is blank so I added this to the users file. like so.

DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
        Fall-Through = 0

great now the user will authorise and authenticate from files. but what I had hoped would happen was if they fail authorisation they would not continue, I can see this is not the default procedure. how can I make this work this way.

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    users: Matched entry DEFAULT at line 4
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type ldapMAC
Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat: 'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
radiustest:/etc/freeradius/config-clients# rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldapmac1" returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0

but when the authentication starts this still happens, below was an idea someone had in respect to this issue or a similar one but I have no idea how to deploy this. look forward to your replies.

auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
  modcall[session]: module "sql2" returns noop for request 0
modcall: leaving group redundant (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038

On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
> Martin Whinnery wrote:
> > Markus Krause wrote:
> >
> >> Zitat von Martin Whinnery <[EMAIL PROTECTED]>:
> >>
> >>> Hi.
> >>>
> >>> Probly just me not understanding...
> >>>
> >>> What I want is for our switches to only allow access to MAC addresses in
> >>> our LDAP database.
> >>>
> >>> I don't want to store passwords on our LDAP host entries.
> >>>
> >>> I'm set up to check LDAP during authorisation, and it correctly returns
> >>> authorised / not authorised depending on whether the appropriate
> >>> attribute contains the right value.
> >>>
> >>> The trouble comes with authentication - either I set Auth-Type :=
> >>> Accept, in which case any failed authorisation is overridden, or I allow
> >>> authentication to carry on against LDAP ( or System, or whatever ), in
> >>> which case it fails always and access is denied, even for authorised MACs.
> >>>
> >>> Is there a way to make the Authorisation part final and authoritative?
> >>>
> >>> As I say, probly just being stoopid.
> >>>
> >>> Mart
> >>>
> >> don't know if it is a good solution, but i just do this by setting the
> >> following in radiusd.conf:
> >>
> >> authenticate {
> >>     ...
> >>     Auth-Type LdapMAC {
> >>         ok
> >>     }
> >>     ...
> >> }
> >>
> >> the Auth-Type is set in users file depending on huntgroups:
> >>
> >> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> >>
> >> i assume there are better/smarter solutions as one can read "don't
> >> set Auth-Type" on many places but it works here ;-)
> >>
> >> regards
> >>     markus
> >>
> > Thanks Ma
Radius to Diameter Gateway
Dear, Is there any way to make Freeradius to work as Radius/Diameter gateway? If not is there any recommended software that can do that? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html