Re: Nas Type
On 7/30/07, Roberto Greiner [EMAIL PROTECTED] wrote:
> YvesDM wrote:
> > Hi Robert,
> > As for m0n0wall (and I guess pfsense too), you can also use the "disable concurrent logins" option in the CP setup. This way there will never be simultaneous use from the same NAS.
> > Kind Regards,
> > Yves
>
> Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
> Anyway, thank you very much,
> Roberto

Yes indeed, and that way they will never share their credentials again :-)
Anyway, if you plan to use simultaneous use on your radius and have the "re-authenticate every minute" option in monowall enabled, you will need to allow at least 3 (or 2, don't quite remember) sessions or re-authentication will fail and the user gets logged out after 1 minute.
Kind regards,
Yves
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re[2]: Adding a NAS via SQL
I have one question on this: you supposed that the RADIUS and database services are on the same machine. What happens if these services are on several machines or there are replicated servers?

My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:

    CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
        # run killall as radiususer, the only target user the sudoers rule below allows
        system("/usr/bin/sudo -u radiususer /usr/bin/killall -HUP radiusd");
        return;
    $rr_rad$ LANGUAGE plperlu;

    DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
    CREATE TRIGGER need_to_restart_radiusd
        AFTER INSERT OR UPDATE OR DELETE ON nas_table
        FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();

/etc/sudoers:

    postgresqluser ALL=(radiususer) NOPASSWD: /usr/bin/killall -HUP radiusd

This way, you will restart freeradius only when needed. You said that your backend is mysql; you will probably be able to come up with the mysql version, but your main issue is not that. SIGHUP must work.
Re: FreeRADIUS as proxy to Windows IAS
On Mon, 2007-07-30 at 21:23 +0100, Clive Gould wrote:
> Hi
> I'd be grateful to hear from anyone out there who has got Freeradius (on a Linux box) running as a proxy server successfully validating usernames and passwords against a Windows IAS server using the MSChapv2 protocol. I have the Freeradius server up and running on CentOS 4.5, but can't get it to validate against the IAS server successfully.

Please run radiusd -X and show us the debug output of a failing attempt.
Re:
On Tue 31 Jul 2007, Kennie Lionheart wrote:
> Hi,
> I have a question about Freeradius' log. My customer has used Remote Access VPN with Freeradius and a Cisco VPN 3000, and 2 months ago they added a Cisco ASA to their system in order to expand their VPN system. Now their users can use both the VPN 3000 and the ASA. The VPN 3000's IP address is xx.xxx.xxx.9 and the ASA's IP address is xxx.xxx.xxx.10. Both are global addresses.
> When their users use VPN through the VPN 3000, the authentication log can be seen in /var/log/radius/radacct/xxx.xxx.xxx.9; however, when their users use VPN through the ASA, no log can be seen in /var/log/radius/radacct/. I think xxx.xxx.xxx.10 should be seen there for the newly added ASA. Of course their users can connect to servers since they are authenticated and authorized, but no logs are made on the radius server.
> Does anyone have any idea about this? Any solutions? Any more configurations?

Yep. Configure the ASA to send RADIUS accounting. FreeRADIUS only logs what it receives...
--
Peter Nixon
http://peternixon.net/
Re: Re[2]: Adding a NAS via SQL
Then pipe the sudo command through ssh...

-Peter

On Tue 31 Jul 2007, Santiago Balaguer García wrote:
> I have one question on this: you supposed that the RADIUS and database services are on the same machine. What happens if these services are on several machines or there are replicated servers?
>
> My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:
>
>     CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
>         # run killall as radiususer, the only target user the sudoers rule below allows
>         system("/usr/bin/sudo -u radiususer /usr/bin/killall -HUP radiusd");
>         return;
>     $rr_rad$ LANGUAGE plperlu;
>
>     DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
>     CREATE TRIGGER need_to_restart_radiusd
>         AFTER INSERT OR UPDATE OR DELETE ON nas_table
>         FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();
>
> /etc/sudoers:
>
>     postgresqluser ALL=(radiususer) NOPASSWD: /usr/bin/killall -HUP radiusd
>
> This way, you will restart freeradius only when needed. You said that your backend is mysql; you will probably be able to come up with the mysql version, but your main issue is not that. SIGHUP must work.

--
Peter Nixon
http://peternixon.net/
Re: Freeradius as a proxy to Windows IAS
Hi

Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly. My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change its shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server. As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes, in the hope that this would work.

I have been able to successfully validate login to Dspace against the FreeRADIUS server when authentication is carried out against the unix account files /etc/passwd and /etc/shadow on the local machine. However, I have been unsuccessful in validating DSpace login against the IAS server with Freeradius acting as a proxy.

We also use the Moodle VLE running on the same Linux box as DSpace and Freeradius, which has been using a PHP module to successfully validate against the IAS server using the mschapv2 protocol for several years. As part of debugging I decided to try pointing Moodle at the Freeradius proxy instead of directly at IAS. I append the log trace resulting from this below.

Dspace, Moodle and Freeradius are on 10.200.0.14
Windows IAS is on 10.200.0.2

It suggests to me that the shared secrets are wrong, but I've double checked them and they are identical. Any suggestions very gratefully received :-)

Thanks very much
Clive

[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -sfxxyz -l stdout radlog
[EMAIL PROTECTED] raddb]# cat radlog
Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: bind_address = 10.200.0.14 IP address [10.200.0.14] main: user = radiusd main: group = radiusd main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded preprocess preprocess: huntgroups = /etc/raddb/huntgroups preprocess: hints = /etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} Module: Instantiated mschap (mschap) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null =
EAP-TLS
Hi,

I have a setup where my client is trying to perform authentication to a server by using EAP-TLS. The server is a pass-through server, which forwards the packet to the free radius. The free radius, instead of sending the server certificates, bails out on seeing the client Hello and the TLS handshake aborts. I am not able to figure out the exact cause. Any help will be appreciated.

Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. 
Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = tls eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /root/temp/freeradius-1.1.6/raddb/certs/cert- srv.pem tls: certificate_file = /root/temp/freeradius-1.1.6/raddb/certs/cert- srv.pem tls: CA_file = /root/temp/freeradius-1.1.6/raddb/certs/demoCA/cacert.pem tls: private_key_password = whatever tls: dh_file = /root/temp/freeradius-1.1.6/raddb/certs/dh tls: random_file = /root/temp/freeradius-1.1.6/raddb/certs/random tls: fragment_size = 
1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = (null) tls: cipher_list = DEFAULT tls: check_cert_issuer = (null) rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm
Re: Freeradius as a proxy to Windows IAS
On Tue 31 Jul 2007, Clive Gould wrote:
> Hi
> Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly. My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change its shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server.

Well, I would suggest you solve this problem first.

> As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes in the hope that this would work.

FreeRADIUS is not magic... Fix the IAS server and the FreeRADIUS bit should just work..
--
Peter Nixon
http://peternixon.net/
Re: Freeradius as a proxy to Windows IAS (Peter Nixon)
Hi Peter

Thanks for the prompt reply. The Windows IAS server is working fine and I have been successfully authenticating against it using Moodle/PHP on the Linux server for several years. I've put the Freeradius server in between Moodle and IAS purely to test out my proxying configuration, and then authentication fails despite the shared secrets being identical.

This is the response from the IAS server (10.200.0.2) as received by the Freeradius acting as a proxy:

    Waking up in 6 seconds...
    rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=236
    Received Access-Accept packet from 10.200.0.2:1812 with invalid signature (err=2)! (Shared secret is incorrect.)
    Server rejecting request 0.

Are there any characters (e.g. \) which must not be used in a shared secret with a Freeradius server?

Best wishes
Clive

> On Tue 31 Jul 2007, Clive Gould wrote:
> > Hi
> > Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly. My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change its shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server.
>
> Well, I would suggest you solve this problem first.
>
> > As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes in the hope that this would work.
>
> FreeRADIUS is not magic... Fix the IAS server and the FreeRADIUS bit should just work..
> --
Re: Freeradius as a proxy to Windows IAS - Solved!
Hi everyone

Please ignore my postings about problems with IAS authentication. I have just read this in the FAQ: "FreeRADIUS is limited to 16 characters for the shared secret." The shared secret on our IAS server is 25 characters long :-(

Thanks anyway
Clive
Re: Adding a NAS via SQL
Hi Santiago,

Tuesday, July 31, 2007, 11:21:36 AM, you wrote:
> I have one question on this: you supposed that the RADIUS and database services are on the same machine. What happens if these services are on several machines or there are replicated servers?

Most probably you will have the radius and the database on separate machines. If you have replication, or if you have many updates (a farm of dyndns radius clients), or if you don't want to HUP the server too often, you will have to create a simple program to just NOTIFY another application responsible for HUPing the freeradius.

Example from a fantasy world:

== database trigger
    CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
        use IO::Socket;
        my ($sock, $SERVER_IP, $SERVER_PORT);
        $SERVER_IP   = '1.2.3.4';
        $SERVER_PORT = 1818;
        # fire-and-forget UDP datagram to the notifier on the freeradius machine
        $sock = IO::Socket::INET->new(Proto    => 'udp',
                                      PeerPort => $SERVER_PORT,
                                      PeerAddr => $SERVER_IP);
        $sock->send("please restart");
        return;
    $rr_rad$ LANGUAGE plperlu;
===

This trigger will send a UDP packet to 1.2.3.4:1818 with the text "please restart". On the 1.2.3.4 end, we'll have a little gipsy opening the door every min_restart_interval seconds to check for stickies.. He's very sensitive and we must be polite to him.

== freeradius machine =
    #!/usr/bin/perl
    use IO::Socket;
    my ($server, $request, $server_port, $min_restart_interval, $need_to_restart, $msg_max_length, $message);
    $min_restart_interval = 300;    # seconds
    $server_port          = 1818;
    $need_to_restart      = 0;
    $msg_max_length       = 1024;
    $server = IO::Socket::INET->new(LocalPort => $server_port, Proto => 'udp')
        or die "Couldn't bind udp server on port $server_port : $@";
    # every min_restart_interval seconds, HUP radiusd once if anybody asked for it
    $SIG{ALRM} = sub {
        if ($need_to_restart == 1) {
            system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
            $need_to_restart = 0;
        }
        alarm $min_restart_interval;
    };
    alarm $min_restart_interval;
    while (1) {
        $request = $server->recv($message, $msg_max_length);
        $need_to_restart = 1 if ($message =~ /please/);
    }
===

In the real world, you also have many other ways, like using ssh, RPC - rsh... If you are paranoid about opening a port, I guess you can also make freeradius shoot itself in the leg by using rlm_exec and %{Client-IP-Address}.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

> My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:
>
>     CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
>         system("/usr/bin/sudo -u radiususer /usr/bin/killall -HUP radiusd");
>         return;
>     $rr_rad$ LANGUAGE plperlu;
>
>     DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
>     CREATE TRIGGER need_to_restart_radiusd
>         AFTER INSERT OR UPDATE OR DELETE ON nas_table
>         FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();
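As an added example (not part of Claudiu's post, and not a FreeRADIUS tool), here is a Python version of the listener on the freeradius machine that keeps his debounce of at most one HUP per min_restart_interval and adds what a practitioner would want before opening a UDP port: a source-address allowlist, and a HUP delivered through the radiusd pidfile instead of sudo+killall. The port, allowed address and pidfile path are assumed placeholders.

```python
import os
import signal
import socket
import time

# Hypothetical settings (not from the post): adjust to your environment.
LISTEN_PORT = 1818
ALLOWED_SOURCES = {"1.2.3.5"}             # database host(s) allowed to ask for a HUP
MIN_RESTART_INTERVAL = 300                # seconds, same value as the Perl listener
PIDFILE = "/var/run/radiusd/radiusd.pid"  # assumed location of the radiusd pidfile


class RestartController:
    """Collapses any number of 'please restart' requests into at most one HUP
    per min_interval, and ignores datagrams from hosts not on the allowlist."""

    def __init__(self, allowed_sources, min_interval):
        self.allowed_sources = set(allowed_sources)
        self.min_interval = min_interval
        self.pending = False
        self.last_restart = float("-inf")  # no restart yet, so the first one is due at once
        self.ignored = 0

    def note_request(self, message: bytes, source_ip: str) -> bool:
        """Accept a request only from an allowed source carrying the agreed keyword."""
        if source_ip not in self.allowed_sources or b"please" not in message:
            self.ignored += 1
            return False
        self.pending = True
        return True

    def due(self, now: float) -> bool:
        """True when a restart is pending and the debounce interval has elapsed."""
        return self.pending and (now - self.last_restart) >= self.min_interval

    def fire(self, now: float, hup) -> None:
        """Deliver the HUP through the supplied callable and clear the pending flag."""
        hup()
        self.pending = False
        self.last_restart = now


def hup_radiusd(pidfile: str = PIDFILE) -> None:
    """Signal radiusd directly via its pidfile; the listener must run with a uid
    that may signal radiusd, which removes the need for a sudo+killall rule."""
    with open(pidfile) as fh:
        os.kill(int(fh.read().strip()), signal.SIGHUP)


def serve(controller: RestartController, port: int = LISTEN_PORT, hup=hup_radiusd) -> None:
    """Blocking UDP loop; the one-second timeout lets a debounced restart fire
    even when no further datagram arrives. Not exercised by the test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    while True:
        try:
            data, (ip, _port) = sock.recvfrom(1024)
            controller.note_request(data, ip)
        except socket.timeout:
            pass
        if controller.due(time.monotonic()):
            controller.fire(time.monotonic(), hup)


if __name__ == "__main__":
    serve(RestartController(ALLOWED_SOURCES, MIN_RESTART_INTERVAL))
```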
Re: Nas Type
YvesDM wrote:
> On 7/30/07, *Roberto Greiner* [EMAIL PROTECTED] wrote:
> > YvesDM wrote:
> > > Hi Robert,
> > > As for m0n0wall (and I guess pfsense too), you can also use the "disable concurrent logins" option in the CP setup. This way there will never be simultaneous use from the same NAS.
> > > Kind Regards,
> > > Yves
> >
> > Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
> > Anyway, thank you very much,
> > Roberto
>
> Yes indeed, and that way they will never share their credentials again :-)
> Anyway, if you plan to use simultaneous use on your radius and have the "re-authenticate every minute" option in monowall enabled, you will need to allow at least 3 (or 2, don't quite remember) sessions or re-authentication will fail and the user gets logged out after 1 minute.
> Kind regards,
> Yves

Yes, I saw that option, but my monowall server has a peak usage of over 200 simultaneous users. Enabling that would put some strain on freeradius (don't need to say, I know it would take it easily), but mostly on monowall. With 200 users we already had to make some modifications to make it stay stable. That strain would probably kill it. :-(

Thanks anyway,
Roberto
--
Marcos Roberto Greiner
Optimists think we are living in the best of all worlds
Pessimists are afraid that this is true
Murphy
Re: Freeradius as a proxy to Windows IAS - Solved!
Clive Gould wrote:
> I have just read this in the FAQ: FreeRADIUS is limited to 16 characters for the shared secret. The shared secret on our IAS server is 25 characters long :-(

The limit in 1.1.7 is 32 characters, not 16. And if you use radclient, there is no limit to the secret length.

1) Use radclient on the machine running FreeRADIUS to test IAS with the 25-character shared secret. If that works,
2) Type the secret into FreeRADIUS.

Alan DeKok.
Re: CalledStationID
Jeffrey Sewell wrote:
> Looks like that was designed to do exactly what I'm thinking. I haven't been following the threads on version 2's status, how is it coming? Anything I can do to help?

There are one or two patches that I think should go into CVS. After that, we can release 2.0.0-pre2. Maybe this week, maybe next week.

Alan DeKok.
Re: Freeradius as a proxy to Windows IAS - Solved!
Hi,

> The limit in 1.1.7 is 32 characters, not 16. And if you use radclient, there is no limit to the secret length.
>
> 1) Use radclient on the machine running FreeRADIUS to test IAS with the 25-character shared secret. If that works,
> 2) Type the secret into FreeRADIUS.

hmm, it's interesting that the key length is an issue - I guess we _could_ have a much larger number with no real issue... but would that actually gain anything security wise? I also note that MANY NAS devices have much smaller maximum shared secrets (memory is precious I guess..), e.g. only 16 characters in length!

alan
Re: Freeradius as a proxy to Windows IAS - Solved!
[EMAIL PROTECTED] wrote:
> hmm, it's interesting that the key length is an issue - I guess we _could_ have a much larger number with no real issue... but would that actually gain anything security wise? I also note that MANY NAS devices have much smaller maximum shared secrets (memory is precious I guess..), e.g. only 16 characters in length!

Yup. MD5 has been pretty much broken. Many RADIUS secrets can be cracked in a few minutes. Shared secrets should be as long as you can make them, and include upper/lowercase letters, numbers, etc. That gives (26+26+10)^16, or about 2^95 possibilities.

Alan DeKok.
Radius Client
Hi!

I'm trying to authenticate a Linux client but I'm having some problems. I'm running the server in debugging mode, and when I send a request from the Linux client, the server rejects it saying "invalid password". The password it shows is something like /245/eer/m43 and so on, so I thought the problem could be the secret word. However, I've checked it, both in the server's clients.conf file and in the client's servers file, and it's ok.

I've also tried with radstatus and the message I get is "Packet does not contain required Message-Authenticator attribute".

I would appreciate it a lot if somebody could help me.

regards,
Sofia
Radius proxy: Assertionfailed problem
Hi!

I seem to be getting errors such as

    Tue Jul 31 11:50:23 2007 : Error: Assertion failed in request_list.c, line 1012

in my Radius logs from time to time, especially during high load. This assertion failure leads to the Radius server getting stuck, which in turn results in my clients getting stuck... My Radius server functions solely as a proxy to another server.

Any suggestions would be greatly appreciated.

Cheers,
--Janne Peltonen
--
Janne Peltonen [EMAIL PROTECTED]
Re: Freeradius as a proxy to Windows IAS - not solved after all :-(
Hi everyone

Thanks for all the help and advice so far :-) I have installed freeradius 1.1.7 and get the appended message when I try to use it as a proxy between a Linux/Moodle/PHP radius client and a Windows IAS server. The shared secrets are definitely the same. The Linux/Moodle/PHP radius client authenticates directly with the Windows IAS server without any problems, but it will not authenticate with the freeradius proxy in between! I need a working freeradius proxy. Help...

Clive

    Sending Access-Request of id 0 to 10.200.0.2 port 1812
        NAS-Identifier = vle.bromley.ac.uk
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 127.0.0.1
        User-Name = [EMAIL PROTECTED]
        MS-CHAP2-Response = removed from message
        MS-CHAP-Challenge = removed from message
        NAS-IP-Address = 10.200.0.14
        Proxy-State = 0x3832
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=235
    Received Access-Accept packet from client 10.200.0.2 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
    Dropping packet without response.
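The "invalid signature (err=2)" line in Clive's traces, the missing Message-Authenticator that radstatus complained about in Sofia's post, and Alan DeKok's (26+26+10)^16 ≈ 2^95 figure all come down to how a RADIUS packet is bound to the shared secret. The following is an added example, not FreeRADIUS code and not from any poster: it implements the RFC 2865 Response Authenticator check a proxy runs on a reply, and the RFC 2869 Message-Authenticator HMAC-MD5 for a request, on constructed packets. The secrets and attribute values are made up.

```python
import hashlib
import hmac
import math
import os
import struct

ACCESS_ACCEPT, STATUS_SERVER, MESSAGE_AUTHENTICATOR = 2, 12, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (type, total length, value)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Header (code, id, length, 16-byte authenticator) followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, request_auth, attributes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret) -> bytes:
    """What the home server (IAS in the thread) sends back, bound to *its* secret."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return build_packet(code, ident, auth, attributes)


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the proxy runs on a reply: recompute with its own secret and compare.
    A mismatch is what FreeRADIUS reports as 'invalid signature (err=2)'."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def iter_attributes(attributes: bytes):
    """Yield (offset, type, value) for each TLV; reject truncated or zero-length ones."""
    off = 0
    while off + 2 <= len(attributes):
        atype, alen = attributes[off], attributes[off + 1]
        if alen < 2 or off + alen > len(attributes):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, attributes[off + 2:off + alen]
        off += alen


def sign_message_authenticator(code, ident, request_auth, attributes, secret) -> bytes:
    """RFC 2869 s.5.14 for a request: append Message-Authenticator as 16 zero bytes,
    HMAC-MD5 the whole packet under the secret, then fill the value in."""
    packet = build_packet(code, ident, request_auth, attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """False when the attribute is missing (radstatus's complaint) or does not verify."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attributes = packet[4:20], packet[20:length]
    for off, atype, value in iter_attributes(attributes):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = attributes[:off + 2] + bytes(16) + attributes[off + 18:]
            expected = hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def secret_bits(charset_size: int, length: int) -> float:
    """Size of the secret's search space in bits; 62 symbols x 16 chars is about 95 bits."""
    return length * math.log2(charset_size)


def demo(home_secret=b"secret-on-IAS-side", proxy_secret=b"secret-in-proxy.conf"):
    """Constructed exchange: an Access-Accept built by a home server with one secret
    verifies there, but fails at a proxy configured with a different secret."""
    request_auth = os.urandom(16)
    reply = build_reply(ACCESS_ACCEPT, 0, request_auth, attr(1, b"clive") + attr(18, b"ok"), home_secret)
    return verify_reply(reply, request_auth, home_secret), verify_reply(reply, request_auth, proxy_secret)
```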
Re: Freeradius as a proxy to Windows IAS - not solved after all :-(
Hi,

> Windows IAS server. The shared secrets are definitely the same.

I would beg to say they aren't. Have you double checked the shared secrets for both ends of the link, i.e.

linux VLE --1-- FR proxy --2-- IAS

You need to check the client and server shared secrets for both 1 and 2, so the VLE client/server relationship with FR and the FR relationship with IAS.

alan
Re: Adding a NAS via SQL
Thanks for that Claudiu - I'll have to see what I can do :) Handling the sighup would be a big deal. I am adding my NAS via a PHP script so I can easily ask it to give the server a kick once I've added a NAS. It may be that I can live with an hourly cron job - will have to see. In theory there could be a lot of NAS devices being added...

Paul.

On 7/31/07, Claudiu Filip [EMAIL PROTECTED] wrote:

Hi Santiago,

Tuesday, July 31, 2007, 11:21:36 AM, you wrote:

> I have one question to this, you supposed that RADIUS and database services are in the same machine, what happens if these services are in several or there are replicate servers?

Most probably you will have the radius and the database on separate machines. If you have replication, or if you have many updates (a farm of dyndns radius clients), or if you don't want to HUP the server too often, you will have to create a simple program to just NOTIFY another application responsible for HUPing the freeradius. Example from a fantasy world:

== database trigger ==
CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
    use IO::Socket;
    my ($sock, $SERVER_IP, $SERVER_PORT);
    $SERVER_IP   = '1.2.3.4';
    $SERVER_PORT = 1818;
    # one UDP datagram to the notifier on the freeradius machine
    $sock = IO::Socket::INET->new(Proto    => 'udp',
                                  PeerPort => $SERVER_PORT,
                                  PeerAddr => $SERVER_IP)
        or die "cannot create udp socket: $@";
    $sock->send("please restart");
    return;
$rr_rad$ LANGUAGE plperlu;
===

This trigger will send a UDP packet to 1.2.3.4:1818 with the text "please restart". On the 1.2.3.4 end, we'll have a little gipsy opening the door every min_restart_interval seconds to check for stickies.. He's very sensitive and we must be polite to him.

== freeradius machine ==
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my ($server, $request, $server_port, $min_restart_interval,
    $need_to_restart, $msg_max_length, $message);
$min_restart_interval = 300;   # seconds
$server_port          = 1818;
$need_to_restart      = 0;
$msg_max_length       = 1024;

$server = IO::Socket::INET->new(LocalPort => $server_port, Proto => 'udp')
    or die "Couldn't bind udp server on port $server_port : $@";

# Every $min_restart_interval seconds, HUP radiusd once if any
# notification arrived in the meantime, then re-arm the timer.
$SIG{ALRM} = sub {
    if ($need_to_restart == 1) {
        system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
        $need_to_restart = 0;
    }
    alarm $min_restart_interval;
};
alarm $min_restart_interval;

while (1) {
    $message = '';   # recv may return early on the alarm; don't reuse the old text
    $request = $server->recv($message, $msg_max_length);
    $need_to_restart = 1 if ($message =~ /please/);
}
===

In the real world, you also have many other ways, like using ssh, RPC, rsh... If you are paranoid about opening a port, I guess you can also make freeradius shoot itself in the leg by using rlm_exec and %{Client-IP-Address}.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T: +40344880100
F: +40344880113

> My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:
>
> CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
>     system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
>     return;
> $rr_rad$ LANGUAGE plperlu;
>
> DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
> CREATE TRIGGER need_to_restart_radiusd AFTER INSERT OR UPDATE OR DELETE ON nas_table
>     FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();
RE: Freeradius as a proxy to Windows IAS - not solved after all :-(
Clive Gould said:

> I have installed freeradius 1.1.7 and get the appended message when I try to use it as a proxy between a Linux/Moodle/PHP radius client and a Windows IAS server. The shared secrets are definitely the same.
> [snip]
> Received Access-Accept packet from client 10.200.0.2 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.

Have you actually retyped the secret in FR (or better yet, copy and paste from your Moodle config) and restarted the service? Sometimes our eyes can deceive us, and even on close inspection, we can see what we expect to see, not what is actually there.

Have you tried running a 'radclient' test by hand from the FR box to IAS, copying and pasting the secret onto the command line from your FR config?

BTW, in an earlier email you said:

> I do not have physical access to the IAS server and cannot change its shared secret

How are you actually checking the secret on IAS? I haven't run IAS for a looong time ... does it have a way of verifying a shared secret for a client? For instance, in Funk's SBRNT there is a 'verify' button, that lets you type (or paste) the secret in a modal dialog and it'll tell you if you have it right or not.

Last idea ... do you have spaces in the secret? I'm not sure how FR would handle that, i.e. might it require quotes around the secret in clients.conf?

-- hugh
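The two checks behind the log lines quoted in this thread, "invalid signature (err=2)! (Shared secret is incorrect.)" and "Packet does not contain required Message-Authenticator attribute", as an added Python example that is not from any of these posts or from FreeRADIUS; the shared secret, packets and attribute values are constructed.

```python
# Added example, not from the list posts: the two checks behind the log lines quoted here.
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type; all packets/secrets below are constructed

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code | Identifier | Length | 16-byte Authenticator | attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Proxy-side check behind 'invalid signature (Shared secret is incorrect.)'."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def find_attr(packet: bytes, wanted: int):
    """Offset of the first attribute of that type, or None (a length < 2 is malformed)."""
    pos = 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        if packet[pos] == wanted:
            return pos
        pos += packet[pos + 1]
    return None

def add_message_authenticator(request: bytes, secret: bytes) -> bytes:
    """Append the attribute radstatus was missing: HMAC-MD5 over the request, value zeroed."""
    body = request[4:] + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    zeroed = request[:2] + struct.pack("!H", 4 + len(body)) + body
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()

def verify_message_authenticator(request: bytes, secret: bytes) -> bool:
    pos = find_attr(request, MESSAGE_AUTHENTICATOR)
    if pos is None or request[pos + 1] != 18:
        return False
    zeroed = request[:pos + 2] + bytes(16) + request[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), request[pos + 2:pos + 18])
```

A wrong secret on either leg of the proxy fails verify_response exactly as in Clive's log, and a Status-Server without the attribute fails find_attr exactly as in Sofia's radstatus output.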
Re: Radius proxy: Assertion failed problem
Hi,

We suffer from exactly the same issue (fr1.1.6). The only workaround I found is to use a script that checks if freeradius is alive and if not - starts it again. Obviously it still causes some disruptions but it's better than freeradius dying completely.

kind regards
Pshem

On 01/08/07, Janne Peltonen [EMAIL PROTECTED] wrote:

> Hi! I seem to be getting errors such as
> Tue Jul 31 11:50:23 2007 : Error: Assertion failed in request_list.c, line 1012
> in my Radius logs from time to time, especially during high load. This assertion failure leads to the Radius server getting stuck, which in turn results in my clients getting stuck... My Radius server functions solely as a proxy to another server. Any suggestions would be greatly appreciated.
Re: Radius proxy: Assertion failed problem
Janne Peltonen wrote:

> I seem to be getting errors such as
> Tue Jul 31 11:50:23 2007 : Error: Assertion failed in request_list.c, line 1012

Which version? 1.1.7 doesn't have an assertion on that line, and it has a LOT of fixes over earlier versions.

Alan DeKok.