Re: Authentication type (ldap, users, etc) per client or user?
falz wrote:
> This would technically get things working, but poses a security issue. I want to have clients associated with backends. The above example appears that it will simply give priority of one authentication source over the other, which isn't what I'm trying to do.
>
> > You can use Autz-Type to get what you want, but it's more complicated.
>
> I'll look into 2.0 if this is the only way to get this functionality.

It's not the only way, but it's *much* easier in 2.0. You just put an entry in the client configuration saying virtual_server = foo, and all requests get processed through foo.

> No, I did not remove the files section. It is called, and loaded per my output in the previous email.

It's not listed in the debug output you posted. So it's not being called.

> Looking through the docs, it appears that Autz-Type gives indications of what I am trying to do: http://www.freeradius.org/radiusd/doc/Autz-Type

Yes. It may require running two copies of the files module, which is more complicated.

> I will experiment with it and some syntax, and chime back in when I get things working for future reference for other users (and for me, if I neglect to document it myself :)

In 2.0:

    client a {
        ipaddr = 1.2.3.4
        ...
        virtual_server = foo
    }

    client b {
        ipaddr = 5.6.7.8
        ...
        virtual_server = bar
    }

    server foo {
        authorize {
            users
            ...
        }
        ...
    }

    server bar {
        authorize {
            ldap
            ...
        }
        ...
    }

It's more typing to set up, but it's significantly easier to understand and to maintain. It means that there are fewer possibilities for something to go wrong, too.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius Load-Balancing concept
Hi,

load-balancing between the radius servers is not necessarily needed. I think the servers we're going to buy will be capable of managing all dialin accounts. So the radius servers will be in fail-over mode. If the first one is up, all requests will be handled by it. If it fails, the second one will take over.

But will I get any trouble if both servers write their accounting data into the same database? Do I need to set up radrelay? Is the second radius server able to take over if radrelay isn't running?

Regards
Sebastian

On Thu, January 3, 2008 22:54, liran tal wrote:
> Hey Duane,
>
> On Jan 3, 2008 4:31 PM, Duane Cox [EMAIL PROTECTED] wrote:
> > I'm doing this with no problem. I have 2 freeradius servers both writing/reading the same dbms
>
> In a case where the entire transaction goes through one server it's ok, but if it gets split up through the two of them, then I'm not sure what will be the outcome.
>
> Regards,
> Liran.
RE: Radius Load-Balancing concept
People,

I have several radius servers which have the same databases configured. As you said, the radius service has a fail-over when they connect to the DB and the first one fails. However, the main problem that I see in your configuration is the concurrency of database access. If you have at least two DB servers, both DBs have to have the same data. So you have to solve the access concurrency first.

> Date: Fri, 4 Jan 2008 10:20:44 +0100
> Subject: Re: Radius Load-Balancing concept
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
>
> Hi,
>
> load-balancing between the radius servers is not necessarily needed. I think the servers we're going to buy will be capable of managing all dialin accounts. So the radius servers will be in fail-over mode. If the first one is up, all requests will be handled by it. If it fails, the second one will take over.
>
> But will I get any trouble if both servers write their accounting data into the same database? Do I need to set up radrelay? Is the second radius server able to take over if radrelay isn't running?
>
> Regards
> Sebastian
>
> [...]
Re: Radius Load-Balancing concept
> But will I get any trouble if both servers write their accounting data into the same database?

No.

> Do I need to setup radrelay? Is the second radius server able to take over if radrelay isn't running?

Yes, it will take over as NAS starts sending packets to it. No need for radrelay.

Ivan Kalik
Kalik Informatika ISP
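The "no trouble" answer above holds because accounting rows are keyed by the session, not by the server that wrote them. The following is an added example (not code from this thread or from FreeRADIUS) showing the two cases that actually occur during fail-over: the NAS retransmits a Start to the second server after the first one stopped answering, and a session's Interim/Stop packets land on a different server than its Start. Assumptions: a cut-down radacct-style table, a session key derived from the same attribute list rlm_acct_unique uses by default, and sqlite3 so it runs offline; the packets are constructed.

```python
"""Two RADIUS servers, one accounting database: idempotent writes.

Added example for this thread; not code from the list posts or from
FreeRADIUS. Assumptions: a cut-down radacct-style table, and a session
key derived the way rlm_acct_unique's default key list does it
(User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port). sqlite3 keeps it runnable offline; the statements port to
MySQL/PostgreSQL unchanged apart from INSERT OR IGNORE.
"""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctuniqueid     TEXT PRIMARY KEY,   -- one row per session, whichever server writes it
    acctsessionid    TEXT NOT NULL,
    username         TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    acctstarttime    INTEGER,
    acctstoptime     INTEGER,
    acctsessiontime  INTEGER,
    acctinputoctets  INTEGER NOT NULL DEFAULT 0,
    acctoutputoctets INTEGER NOT NULL DEFAULT 0,
    handled_by       TEXT                -- server that last changed the row (demo only)
)
"""

UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
              "Client-IP-Address", "NAS-Port")


def acct_unique_id(pkt):
    """Session key that is identical no matter which server sees the packet."""
    key = ",".join(str(pkt.get(attr, "")) for attr in UNIQUE_KEY)
    return hashlib.md5(key.encode()).hexdigest()


def handle_accounting(conn, pkt, server):
    """Apply one Accounting-Request. Every statement is safe to replay:
    a duplicate Start does not reset the start time, a duplicate Stop
    does not reopen or re-close the session."""
    uid = acct_unique_id(pkt)
    status = pkt["Acct-Status-Type"]
    ts = pkt["Event-Timestamp"]
    # Make sure the row exists whichever packet arrives first (a Stop may beat a lost Start).
    conn.execute(
        "INSERT OR IGNORE INTO radacct (acctuniqueid, acctsessionid, username, nasipaddress)"
        " VALUES (?, ?, ?, ?)",
        (uid, pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"]))
    if status == "Start":
        conn.execute(
            "UPDATE radacct SET acctstarttime = ?, handled_by = ?"
            " WHERE acctuniqueid = ? AND acctstarttime IS NULL", (ts, server, uid))
    elif status == "Interim-Update":
        conn.execute(
            "UPDATE radacct SET acctinputoctets = ?, acctoutputoctets = ?, handled_by = ?"
            " WHERE acctuniqueid = ? AND acctstoptime IS NULL",
            (pkt["Acct-Input-Octets"], pkt["Acct-Output-Octets"], server, uid))
    elif status == "Stop":
        conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?, acctinputoctets = ?,"
            " acctoutputoctets = ?, handled_by = ?"
            " WHERE acctuniqueid = ? AND acctstoptime IS NULL",
            (ts, pkt["Acct-Session-Time"], pkt["Acct-Input-Octets"],
             pkt["Acct-Output-Octets"], server, uid))
    else:
        raise ValueError("unsupported Acct-Status-Type %r" % status)
    conn.commit()
    return uid


# Constructed sample session (not captured traffic).
SESSION = {"User-Name": "bob", "Acct-Session-Id": "0000A1B2", "NAS-IP-Address": "10.0.0.5",
           "Client-IP-Address": "10.0.0.5", "NAS-Port": 7}


def packet(status, ts, **attrs):
    return {**SESSION, "Acct-Status-Type": status, "Event-Timestamp": ts, **attrs}


def demo():
    """Replay a split session and return (row count, the row) for inspection."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    # Start reaches radius-a; the NAS gets no reply and retransmits it to radius-b.
    handle_accounting(conn, packet("Start", 1000), "radius-a")
    handle_accounting(conn, packet("Start", 1000), "radius-b")
    # radius-a is now down: interim and stop go to radius-b.
    handle_accounting(conn, packet("Interim-Update", 1600, **{
        "Acct-Input-Octets": 5000, "Acct-Output-Octets": 70000}), "radius-b")
    stop = packet("Stop", 2200, **{"Acct-Session-Time": 1200,
                                  "Acct-Input-Octets": 9000, "Acct-Output-Octets": 120000})
    handle_accounting(conn, stop, "radius-b")
    # radius-a comes back and receives a late duplicate of the Stop: must be a no-op.
    handle_accounting(conn, stop, "radius-a")
    count = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    row = dict(conn.execute("SELECT * FROM radacct").fetchone())
    return count, row


if __name__ == "__main__":
    n, r = demo()
    print(n, "row(s):", r)
```

The design point is that each UPDATE carries a guard (acctstarttime IS NULL, acctstoptime IS NULL) so the database, not the server, decides whether a packet has already been applied; that is what makes it safe for two servers to write to the same tables without radrelay.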
Re: Configuring LDAP for query ONLY...
Hi Alan,

I am trying to do an ldap query lookup in the authorize section and after successful authorization (if the ldap entry exists on the search query) reply with Access-Accept, if not reject. I do not want to do authentication in LDAP as we are not storing the userPassword attribute in the ldap schema. So in a way I am trying to do:

    if (ldap search success) {
        Access-Accept
    } else {
        Access-Reject
    }

Please check the thread below for what Phil told me to do...

Hi Phil,

Here are the detailed configs and logs. Please let me know.

Thanks and Regards.

    modules {
        ldap {
            server = ldap://x:1389;
            identity = uid=appuser,ou=appadm,o=entitlement
            password = **
            basedn = ou=roles,o=entitlement
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            filter = ((uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))
            start_tls = no
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            set_auth_type = no
        }
    }

    authorize {
        ..
        ldap
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        .
    }

In the users file:

    #DEFAULT Auth-Type := Local
    #    Session-Timeout = 7200,
    #    Fall-Through = Yes
    #DEFAULT Auth-Type := System
    #    Session-Timeout = 7200,
    #    Fall-Through = Yes

Here is the detailed log.

    rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
        User-Name = test1
        User-Password = 1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = test1, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for test1
    radius_xlat: '((uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
    radius_xlat: 'ou=roles,o=entitlement'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap://:1389, authentication 0
    rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://xxx:1389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=roles,o=entitlement, with filter ((uid=test1)(entitlements=WIFILOC1)(attribute1=1))
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user test1 authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 2 to 216.2.193.1 port 55729
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 2 with timestamp 4761660e
    Nothing to do. Sleeping until we see a request.

--- Phil Mayers p.mayers at imperial.ac.uk wrote:

> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module ldap returns ok for request 0
> > rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> That's the problem. Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item. Slightly confusing, there are two ways to do this:
>
> 1. ldap.attrmap
> 2. password_attribute / password_header config items of ldap module
>
> What are those setup to do? A full -X debug would help at this point.

Assuming you are using a recent version of FreeRadius, you can do one of the following:

    modules {
        ldap {
            ...
            set_auth_type = no
        }
    }

    authorize {
        preprocess
        ldap
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
    }

--- Alan DeKok [EMAIL PROTECTED] wrote:

> Eric Martell wrote:
> > Hi Alan,
> >
> > Can you please help me out with the LDAP query? I am still stuck with the issue.
>
> What problem is left to solve? i.e. I read and answer a *lot* of
latest CVS 2.0 beta hang problem
hi,

a 2.0 beta (latest CVS head) install server locked up on us today in its early test deployment.

case scenario: a request was proxied off to another RADIUS server. no response came back. server totally fails to respond to anything else. the only entry in the 'radiusd -X' is the last 2 lines

    Fri Jan 4 13:40:23 2008 : Error: Rejecting request 12643 due to lack of any response from home server 10.1.2.3 port 1812
    Fri Jan 4 13:40:23 2008 : Error: WARNING: Unresponsive child (id 0) for request 12643, in module server-core component server-core

that's all. no further debug I'm afraid.

alan
Re: mschapv2 problem
hi,

ummm, let's get this right - you are using FreeRADIUS 1.1.0? I'm sorry - cannot give any support until you are using 1.1.7 (which has many old and obsolete bugs and issues removed)

alan
Re: Cisco command authorization
Stefan Winter wrote:
> Hi all,
>
> there are inquiries every once in a while here about how to enable command authorization for Cisco devices in a Cisco-AVPair. The usual answer is: find out if the NAS has an attribute for it.
>
> [...]
>
> My next-best approach to circumvent this would be to define an intermediate privilege level that only has the permission to do the commands in question, and only assign the users in question to that lower priv-level. Scales poorly, but enough for us. Maybe that approach serves some others as well.
>
> Stefan Winter

Could you add this to the wiki?

http://wiki.freeradius.org/Cisco

I myself don't use any Cisco kit, but the situation is much the same with HP Procurve Switches. On all but the most expensive switches TACACS+ is the only way to define command lists; on all the others you're either a manager or an operator. HP claim to support a few VSAs for setting command lists and priv levels, but on most of their switches they don't actually work!

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: Configuring LDAP for query ONLY...
Hi Ivan,

Actually in the implementation we are going to treat the zipcode on the website as a password field. We are asking people to enter username and zipcode, which is stored in the LDAP schema. In radius, I am going to receive username (User-Name) and zipcode (User-Password). In the ldap module do the query

    filter = ((uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))

and depending on the resultset, give access or reject.

Please let me know if this is clear, and if there is any other better way to handle this in radius.

Thanks and Regards.
Eric.

--- [EMAIL PROTECTED] wrote:

> OK, so password is not in LDAP. Where is it then? Are you trying to accept users without passwords? Consider using a perl script to implement that logic and forget about the LDAP module in Freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 4/1/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Hi Alan,
> >
> > I am trying to do an ldap query lookup in the authorize section and after successful authorization (if the ldap entry exists on the search query) reply with Access-Accept, if not reject. I do not want to do authentication in LDAP as we are not storing the userPassword attribute in the ldap schema. So in a way I am trying to do:
> >
> >     if (ldap search success) {
> >         Access-Accept
> >     } else {
> >         Access-Reject
> >     }
> >
> > Please check the thread below for what Phil told me to do...
> >
> > [...]
Cisco command authorization
Hi all,

there are inquiries every once in a while here about how to enable command authorization for Cisco devices in a Cisco-AVPair. The usual answer is: find out if the NAS has an attribute for it.

Now I'm myself trying to get rid of a haunting daemon, the tac_plus daemon, and so I investigated. Cisco claims that there is a complete mapping scheme to translate TACACS+ expressions into Cisco-AVPair Vendor-Specific. This works for example with the priv-lvl attribute:

    cisco-avpair = shell:priv-lvl=15

There is a web page for Cisco IOS at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fe2d8.html detailing which TACACS+ commands exist, and it suggests that

    cisco-avpair = shell:cmd=show

would do the trick to authorize the show command. EXCEPT that there is a tiny note for the commands cmd and cmd-arg saying that they cannot be used for encapsulation in the Vendor-Specific space. These two are the ONLY ones.

Since it's just about parsing the string content of cisco-avpair at the router side, there is absolutely no technical reason why these two wouldn't go through. The only explanation then is that this is a deliberate step by Cisco to make sure that TACACS+ is superior to RADIUS by arbitrarily cutting down functionality. Probably the code in IOS is larger with an exception handling to make sure that it doesn't work.

I must say: I'm pissed. But I hope I could at least clarify this topic.

My next-best approach to circumvent this would be to define an intermediate privilege level that only has the permission to do the commands in question, and only assign the users in question to that lower priv-level. Scales poorly, but enough for us. Maybe that approach serves some others as well.

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: Configuring LDAP for query ONLY...
OK, so password is not in LDAP. Where is it then? Are you trying to accept users without passwords? Consider using a perl script to implement that logic and forget about the LDAP module in Freeradius.

Ivan Kalik
Kalik Informatika ISP

Dana 4/1/2008, Eric Martell [EMAIL PROTECTED] wrote:
> Hi Alan,
>
> I am trying to do an ldap query lookup in the authorize section and after successful authorization (if the ldap entry exists on the search query) reply with Access-Accept, if not reject. I do not want to do authentication in LDAP as we are not storing the userPassword attribute in the ldap schema. So in a way I am trying to do:
>
>     if (ldap search success) {
>         Access-Accept
>     } else {
>         Access-Reject
>     }
>
> Please check the thread below for what Phil told me to do...
>
> [...]
Re: mschapv2 problem
Hi,

> [/udir/delivery_a0028/wacsim_trunk/scripts/services/freeradius-1.1.0//etc/raddb/users]:1 WARNING! Check item EAP-Sim-Rand1 found in reply item list for user 123242010015. This attribute MUST go on the first line with the other check items

..and many more - this is an obvious issue - please follow what the server says!

your users file is incorrect, you must ensure all the check items are on the first line - currently you end your first line with no comma - and have a trailing comma on the last entries. please change this to

    user type:=XXX blah:=this oh_and:=that, EAP-SIM1 = thisnthat, EAP-blah-blah = morejunk

alan
Freeradius and eDirectory
Hi,

I'm setting up Freeradius 1.1.4 on a SUSE 10 server for our wireless users with XP SP2 using PEAP. Because we use eDirectory I strip the computer name from the username; not every user uses the Novell client. The user gets authorized but I can't get the authentication to work. For some reason the first character of the user's password is changed to an a; if the first character is an a then it is changed to something else. ???

I installed the 885453 and 917021 patches for Windows XP SP2 and changed the supplicant mode to 3; didn't help. This problem does not occur with users using the Novell client SP4.

I included a few lines from the debug; the password should be mypassw instead of aypassw.

Robert

    rlm_ldap: bind as cn=User1,ou=Techs,o=ORG/aypassw to rep01.mydomain.ca:389
    ...
    res_errno: 49, res_error: NDS error: failed authentication (-669), res_matched:
Re: Virtual Hosts conflicting
On Jan 3, 2008 3:31 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Nicholas Hall wrote:
> > *My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.
>
> All you need to do is to configure two listen sections. This can be done in 1.1.7. You don't need two virtual servers.

The problem is that my PAP users are in a different location in LDAP. This is why I created two more instances of the LDAP module pointing to a different basedn.

> > *My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL Accounting.
>
> Please don't use -pre2. I'll be removing it from the web site soon, as we plan on releasing 2.0.0 within a *very* short while. i.e. grab a copy of the source from CVS, and use that.

I'm actually running a CVS snapshot from a while back. It seems to be working fine -- my plan was to continue running it until 2.0.0 is released.

> > *Problem*: I'm running a virtual host for each AUTH port. Each works fine when placed in sites-enabled individually but my CHAP virtualhost fails when both are enabled. The vhost listening on 1812 appears to be referencing an LDAP module that is not listed in its server{ ... } block. You will see ou=Dialup in the debugging output below of a CHAP request to 1812 that is only contained in the legacy PAP vhost. Any ideas are appreciated!!
>
> Please read the *entire* debug log. It's not just doing an LDAP query at random. It's doing an LDAP query because you're using the LDAP-Group attribute in line 16 of the users file. If you don't want a virtual server to do LDAP lookups, don't configure it to use the LDAP-Group attribute.

Thanks. Things are working after removing the LDAP-Group attribute. I'm not 100% sure why but for now I'm not going to worry about it!

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271
Re: Configuring LDAP for query ONLY...
On Jan 4, 2008 9:54 AM, Eric Martell [EMAIL PROTECTED] wrote:
> Hi Ivan,
>
> Actually in the implementation we are going to treat the zipcode on the website as a password field. We are asking people to enter username and zipcode, which is stored in the LDAP schema. In radius, I am going to receive username (User-Name) and zipcode (User-Password). In the ldap module do the query
>
>     filter = ((uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))
>
> and depending on the resultset, give access or reject.
>
> Please let me know if this is clear, and if there is any other better way to handle this in radius.

Couldn't you just map zipcode to the password attribute in ldap.attrmap:

    checkItem    Cleartext-Password    zipcode

You could then exclude the zipcode condition from your ldap filter as FreeRADIUS should do the work.

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271
Re: latest CVS 2.0 beta hang problem
Hi,

> > a 2.0 beta (latest CVS head) install server locked up on us today in its early test deployment
>
> Ugh.
>
> > case scenario: a request was proxied off to another RADIUS server. no response came back. server totally fails to respond to anything else. the only entry in the 'radiusd -X' is the last 2 lines
>
> I'll go look at that tomorrow. If I can reproduce it, it should be easy to fix.

*correction* that's the last 2 output lines from radiusd.log. I don't have a radiusd -X output - I will see if I can trigger this behaviour with eg radtest or an EAP session on another test server. The issue doesn't occur with 2.0.0-pre2.

PS by default in latest CVS, the server logs a lot less to radiusd.log (eg auth OK, auth fail etc - I have logging set to yes in the config but still no output). What's the required config change to get the 'old behaviour' back?

alan
Re: latest CVS 2.0 beta hang problem
[EMAIL PROTECTED] wrote:
> a 2.0 beta (latest CVS head) install server locked up on us today in its early test deployment

Ugh.

> case scenario: a request was proxied off to another RADIUS server. no response came back. server totally fails to respond to anything else. the only entry in the 'radiusd -X' is the last 2 lines

I'll go look at that tomorrow. If I can reproduce it, it should be easy to fix.

Alan DeKok.
Re: Freeradius and eDirectory
Generic Generic wrote:
> I'm setting up Freeradius 1.1.4 on a SUSE 10 server for our wireless users with XP SP2 using PEAP. Because we use eDirectory I strip the computer name from the username; not every user uses the Novell client. The user gets authorized but I can't get the authentication to work. For some reason the first character of the user's password is changed to an a; if the first character is an a then it is changed to something else. ???

The default configuration of FreeRADIUS doesn't re-write passwords this way. In fact, it doesn't re-write passwords at all.

Either you changed something on your local system to re-write the passwords like this, OR this is actually how the passwords are being received by FreeRADIUS.

If this is how the passwords are being received by FreeRADIUS, then it is NOT a FreeRADIUS problem. Go fix the client, or use a client that works.

Alan DeKok.
Re: Configuring LDAP for query ONLY...
Eric Martell wrote:
> I am trying to do ldap query lookup in the authorize section and after successful authorization (if ldap entry exists on search query) reply with Access-Accept if not reject.

So... you're not authenticating anyone?

> I do not want to do authentication in LDAP as we are not storing userPassword attribute in ldap schema.

How will users be authenticated?

> So in a way trying to do..
>
>     if (ldap search success) {
>         Access-Accept
>     } else {
>         Access-Reject
>     }

Try this:

    authorize {
        ...
        ldap {
            notfound = reject
        }
        files
    }

And have the users file:

    DEFAULT Auth-Type := Accept

Of course, in 2.0, you can use unlang to write a rule that looks pretty much like your pseudo-code above.

Alan DeKok.
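Whichever of the suggestions in this thread is used (the filter with zipcode in it plus Auth-Type := Accept, or a perl script doing the lookup by hand), the one thing the design cannot afford is a User-Password value reaching the filter unescaped: a value of "*" turns (zipcode=...) into a present-filter and the search returns an entry for any known uid. The following is an added example, not code from the thread or from FreeRADIUS, showing RFC 4515 escaping against a toy in-memory filter evaluator. The uid/entitlements/zipcode attributes and the WIFILOC1 entitlement come from the thread; the directory entries are constructed, and the evaluator supports only the (&), (|), (!) and (attr=value) subset needed to show the effect. rlm_ldap escapes the values it expands into its filter itself; a perl or unlang policy that builds the filter by hand must do the same.

```python
"""Query-only authorisation with an LDAP filter built from User-Name and
User-Password, as discussed in this thread.

Added example, not code from the list posts or from FreeRADIUS. The
uid/entitlements/zipcode attributes and WIFILOC1 come from the thread;
the directory content is constructed and the filter evaluator is a toy
(only (&), (|), (!) and (attr=value) with '*' wildcards).
"""


def ldap_escape(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username, zipcode, escape=True):
    """The thread's lookup: uid, required entitlement, and zipcode used as the password."""
    esc = ldap_escape if escape else (lambda s: s)
    return "(&(uid=%s)(entitlements=WIFILOC1)(zipcode=%s))" % (esc(username), esc(zipcode))


# --- toy filter evaluator --------------------------------------------------

def _parse(s, i):
    """Parse the filter starting at s[i] == '('; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, items), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated ! at %d" % i)
        return ("!", [node]), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)          # an escaped value never contains a raw ')'
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _match_value(pattern, value):
    """Match an assertion value (with \\xx escapes and '*' wildcards) against one attribute value."""
    parts, cur, i = [], [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            cur.append(chr(int(pattern[i + 1:i + 3], 16)))   # \2a -> '*', matched literally
            i += 3
        elif c == "*":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    parts.append("".join(cur))
    if len(parts) == 1:                                      # no wildcard: exact match
        return value == parts[0]
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        pos = value.find(mid, pos)
        if pos < 0:
            return False
        pos += len(mid)
    return pos <= len(value) - len(parts[-1])


def _eval(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_eval(n, entry) for n in node[1])
    if kind == "|":
        return any(_eval(n, entry) for n in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def search(directory, flt):
    """Return the DNs in `directory` whose entry matches `flt`."""
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data after filter: %r" % flt[end:])
    return [dn for dn, entry in directory.items() if _eval(node, entry)]


# Constructed directory content, shaped like the thread's ou=roles,o=entitlement.
DIRECTORY = {
    "uid=test1,ou=roles,o=entitlement": {"uid": ["test1"], "entitlements": ["WIFILOC1"], "zipcode": ["90210"]},
    "uid=test2,ou=roles,o=entitlement": {"uid": ["test2"], "entitlements": ["OTHER"], "zipcode": ["10001"]},
}


def query_only_auth(username, password, escape=True):
    """The thread's policy: Access-Accept iff the search returns an entry."""
    return bool(search(DIRECTORY, build_filter(username, password, escape)))


if __name__ == "__main__":
    print("good zipcode:  ", query_only_auth("test1", "90210"))             # True
    print("wrong zipcode: ", query_only_auth("test1", "11111"))             # False
    print("'*' unescaped: ", query_only_auth("test1", "*", escape=False))   # True: wildcard bypass
    print("'*' escaped:   ", query_only_auth("test1", "*"))                 # False
```

The escaped form sends (zipcode=\2a), which only matches a literal asterisk; the unescaped form sends (zipcode=*), which matches any entry that has a zipcode at all. The same escaping has to cover User-Name, since it is interpolated into the filter too. Separately from injection, a five-digit zipcode is a very small password space, so whatever does the lookup should also rate-limit failed attempts per uid.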
RE: Freeradius and eDirectory
Somewhere, can't remember where, the password gets changed like that to force an authentication failure in eDirectory. If there are enough tries it will trigger eDirectory's intruder detection lockout - if it's enabled.

Are you sure the user is authorized? Since you didn't send a debug log I'm assuming that you did not have one. The only way you can see if the user is authorized by freeradius is through the debug log. Any other reference to authorized - as in the wireless connect dialogue from Windows - is not what freeradius is talking about.

We saw this behavior when the userid in eDirectory did not have the proper radius attributes set. It has to have them and eDirectory has to return them in order for the user to be authorized. Then freeradius binds to eDirectory with the userid and password for authentication.

Mearl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Alan DeKok
Sent: Friday, January 04, 2008 11:35 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius and eDirectory
Re: Nübie
Javier Basisty wrote:

> ... Is there something missing?

The debug log from radiusd -X, as suggested in the FAQ, README, INSTALL, Wiki, and daily on this list.

Alan DeKok.
Re: latest CVS 2.0 beta hang problem
[EMAIL PROTECTED] wrote:

> *correction* that's the last 2 output lines from radiusd.log. i don't have a radiusd -X output - i will see if i can trigger this behaviour with eg radtest or an EAP session on another test server. the issue doesn't occur with 2.0.0-pre2

A lot has changed since -pre2.

> PS by default in latest CVS, the server logs a lot less to radiusd.log (eg auth OK, auth fail etc - i have logging set to yes in the config but still no output). what's the required config change to get the 'old behaviour' back?

Hmm... it *should* be configurable in radiusd.conf. See the log section in radiusd.conf. Some configuration items have moved, because it was dumb to have log_foo, log_bar, log_baz, etc.

Alan DeKok.
2.0.0pre2
> Please don't use -pre2. I'll be removing it from the web site soon, as we plan on releasing 2.0.0 within a *very* short while. i.e. grab a copy of the source from CVS, and use that.

AH, now you tell me :) Just installed 2.0.0pre2.

Are the HUP issues fixed? Just noticed it wasn't working, but didn't try CVS.
Re: latest CVS 2.0 beta hang problem
hi,

okay - got it to do the same with a straight radtest. here is the radiusd -X - several attempts that get proxied away... and never answered. remote site marked as zombie but then any valid requests just don't get serviced.

Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Proxy-State = 0x3930
Proxying request 0 to home server 10.1.2.3 port 1812
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 23.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 20.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 17.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 14.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 11.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 8.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address = 10.1.2.2
	NAS-Port = 1812
	Huntgroup-Name = testuser1
	Realm = test1
	Realm = test1
	Proxy-State = 0x3930
Waking up in 5.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=90, length=66
Sending duplicate proxied request to home server 10.1.2.3 port 1812 - ID: 14
Sending Access-Request of id 14 to 10.1.2.3 port 1812
	User-Name = [EMAIL PROTECTED]
	User-Password = testing123
	NAS-IP-Address =
Re: 2.0.0pre2
Hi,

> Are the HUP issues fixed? Just noticed it wasn't working, but didn't try CVS.

the latest CVS handles HUP a lot better - various modules are now HUP friendly.

why are you HUP'ing? what will HUP achieve that a service restart won't? how are you testing the config is sane before restarting the daemon with new information/config?

alan
Re: (was latest CVS 2.0) - logging issue
Hi,

> A lot has changed since -pre2.
>
> Hmm... it *should* be configurable in radiusd.conf. See the log section in radiusd.conf. Some configuration items have moved, because it was dumb to have log_foo, log_bar, log_baz, etc.

ha! a lot HAS been changing. damn. you are right. how did i miss that fundamental change to the log {} section. ??? crazy.

anyway, i have now moved all the pre-2 log stuff (log_auth, log_file etc etc) into the correct single log {} stanza and removed the legacy log_ prefix which each entry had. it's all working fine now.

there was another post by someone else on this list a while back about latest CVS being more quiet than the old. perhaps this needs to be highlighted a little better - perhaps have something in the startup parser that can detect these old legacy configs and spew out a warning? in 'the old days' the log_ entries could lie anywhere in radiusd.conf - really should only be in log {} and no entries should start with log_ .. ah! but they do. we have a small oddity:

    log_destination = files

surely this should also be cleared into the log {} stanza? eg

    log {
        destination = files
    }

sorry for the false alert and thanks for the pointer/tip to getting this little issue sorted.

alan
Re: (was latest CVS 2.0) - logging issue
[EMAIL PROTECTED] wrote:

> ha! a lot HAS been changing. damn. you are right. how did i miss that fundamental change to the log {} section. ???

It got changed fairly recently.

> there was another post by someone else on this list a while back about latest CVS being more quiet than the old. perhaps this needs to be highlighted a little better - perhaps have something in the startup parser that can detect these old legacy configs and spew out a warning?

I just updated the code so that the parsing of entries is re-arranged a bit. It means that old configurations with log_foo will still use *those* definitions. So other people with the same kind of config won't suddenly see the logs get quieter.

> we have a small oddity
>
>     log_destination = files
>
> surely this should also be cleared into the log {} stanza? eg

Likely, yes.

>     log {
>         destination = files
>     }
>
> sorry for the false alert and thanks for the pointer/tip to getting this little issue sorted.

It's a usability issue that was easy to fix.

Alan DeKok.
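To make the move described in the two messages above concrete, here is the old flat layout beside the log {} stanza, as an added example rather than anything posted in the thread. The old-style keys are the ones visible in the 1.1.7 debug output elsewhere on this page; the key names inside log {} follow the 2.0 radiusd.conf as I recall it and are an assumption to check against the copy in your CVS checkout. One setting worth leaving alone on a production server: auth_badpass and auth_goodpass write the submitted password into radius.log, so keep them at no unless you are actively debugging and will clear the log afterwards.

```text
# Added example (not from the thread). Old pre-2.0 style: flat log_* entries
# that could sit anywhere in radiusd.conf.
log_file = ${logdir}/radius.log
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_destination = files

# 2.0 (CVS) style: the same settings collected in one stanza with the log_
# prefix dropped. Key names assumed from the 2.0 radiusd.conf layout.
log {
	destination = files
	file = ${logdir}/radius.log
	stripped_names = no
	auth = yes            # one line per Access-Accept / Access-Reject
	auth_badpass = no     # "yes" writes the rejected password into the log
	auth_goodpass = no    # "yes" writes the accepted password into the log
}
```

With auth = yes the accept/reject lines the poster was missing come back; the two password options stay off so the log remains safe to ship to a central collector.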
2nd instance of freeradius 1.1.7 fails to run
I'm trying to run 2 separate instances of freeradius for testing another .sql authorization database. I've created a second .conf file location - /etc/raddb2 - and similarly created locations for the run and log files (/var/log/radiusd2, /var/run/radiusd2) and edited the 2nd radiusd.conf file appropriately, so I thought - binding it to an IP not used by my other instance of the freeradius server and specifying port 1820 in my second radiusd.conf file. But when I try to run in debug mode, I get this:

[EMAIL PROTECTED] run]# /usr/sbin/radiusd2 -d /etc/raddb2 -XX
Fri Jan 4 18:38:47 2008 : Info: Starting - reading configuration files ...
Fri Jan 4 18:38:47 2008 : Debug: reread_config: reading radiusd.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/proxy.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/clients.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/snmp.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/eap.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/sql.conf
Fri Jan 4 18:38:47 2008 : Debug: Config: including file: /etc/raddb2/sqlcounter.conf
Fri Jan 4 18:38:47 2008 : Debug: main: prefix = /usr
Fri Jan 4 18:38:47 2008 : Debug: main: localstatedir = /var
Fri Jan 4 18:38:47 2008 : Debug: main: logdir = /var/log/radius2
Fri Jan 4 18:38:47 2008 : Debug: main: libdir = /usr/lib
Fri Jan 4 18:38:47 2008 : Debug: main: radacctdir = /var/log/radius2/radacct
Fri Jan 4 18:38:47 2008 : Debug: main: hostname_lookups = no
Fri Jan 4 18:38:47 2008 : Debug: main: snmp = no
Fri Jan 4 18:38:47 2008 : Debug: main: max_request_time = 30
Fri Jan 4 18:38:47 2008 : Debug: main: cleanup_delay = 5
Fri Jan 4 18:38:47 2008 : Debug: main: max_requests = 1024
Fri Jan 4 18:38:47 2008 : Debug: main: delete_blocked_requests = 0
Fri Jan 4 18:38:47 2008 : Debug: main: port = 1820
Fri Jan 4 18:38:47 2008 : Debug: main: allow_core_dumps = no
Fri Jan 4 18:38:47 2008 : Debug: main: log_stripped_names = no
Fri Jan 4 18:38:47 2008 : Debug: main: log_file = /var/log/radius2/radius.log
Fri Jan 4 18:38:47 2008 : Debug: main: log_auth = no
Fri Jan 4 18:38:47 2008 : Debug: main: log_auth_badpass = no
Fri Jan 4 18:38:47 2008 : Debug: main: log_auth_goodpass = no
Fri Jan 4 18:38:47 2008 : Debug: main: pidfile = /var/run/radiusd2/radiusd2.pid
Fri Jan 4 18:38:47 2008 : Debug: main: bind_address = 6X.XX.XXX.XXX IP address [69.59.117.122]
Fri Jan 4 18:38:47 2008 : Debug: main: user = (null)
Fri Jan 4 18:38:47 2008 : Debug: main: group = (null)
Fri Jan 4 18:38:47 2008 : Debug: main: usercollide = no
Fri Jan 4 18:38:47 2008 : Debug: main: lower_user = no
Fri Jan 4 18:38:47 2008 : Debug: main: lower_pass = no
Fri Jan 4 18:38:47 2008 : Debug: main: nospace_user = no
Fri Jan 4 18:38:47 2008 : Debug: main: nospace_pass = no
Fri Jan 4 18:38:47 2008 : Debug: main: checkrad = /usr/sbin/checkrad
Fri Jan 4 18:38:47 2008 : Debug: main: proxy_requests = yes
Fri Jan 4 18:38:47 2008 : Debug: proxy: retry_delay = 5
Fri Jan 4 18:38:47 2008 : Debug: proxy: retry_count = 3
Fri Jan 4 18:38:47 2008 : Debug: proxy: synchronous = no
Fri Jan 4 18:38:47 2008 : Debug: proxy: default_fallback = yes
Fri Jan 4 18:38:47 2008 : Debug: proxy: dead_time = 120
Fri Jan 4 18:38:47 2008 : Debug: proxy: post_proxy_authorize = no
Fri Jan 4 18:38:47 2008 : Debug: proxy: wake_all_if_all_dead = no
Fri Jan 4 18:38:47 2008 : Debug: security: max_attributes = 200
Fri Jan 4 18:38:47 2008 : Debug: security: reject_delay = 1
Fri Jan 4 18:38:47 2008 : Debug: security: status_server = no
Fri Jan 4 18:38:47 2008 : Debug: main: debug_level = 0
Fri Jan 4 18:38:47 2008 : Debug: read_config_files: reading dictionary
Fri Jan 4 18:38:47 2008 : Debug: read_config_files: reading naslist
Fri Jan 4 18:38:47 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Jan 4 18:38:47 2008 : Debug: read_config_files: reading clients
Fri Jan 4 18:38:47 2008 : Debug: read_config_files: reading realms
Fri Jan 4 18:38:47 2008 : Error: There appears to be another RADIUS server running on the authentication port 1820

netstat -tunelup shows only this for radiusd:

udp 0 0 69.59.138.117:1812 0.0.0.0:* 0 22764540 16572/radiusd
udp 0 0 69.59.138.117:1813 0.0.0.0:* 0 22764541 16572/radiusd

--
Jack Murgia
General Manager
HubbaDubba Internet Services
http://www.hubbadubba.com
Re: latest CVS 2.0 beta hang problem
[EMAIL PROTECTED] wrote:

> okay - got it to do the same with a straight radtest. here is the radiusd -X - several attempts that get proxied away... and never answered. remote site marked as zombie but then any valid requests just don't get serviced.

OK. There are a few issues:

> Rejecting request 0 due to lack of any response from home server 10.1.2.3 port 1812
> WARNING: Unresponsive child (id 0) for request 0, in module server-core component server-core
> Found Post-Proxy-Type

That's just a dumb message, as it's not running in threaded mode, AND the request isn't being processed in a child thread! I've committed a fix which prints that message only if there is really a child thread that's unresponsive.

> Going to the next request
> WARNING: Marking home server 10.1.2.3 port 1812 as zombie (it looks like it is dead).
> Waking up in 0.2 seconds.
> Child is finally responsive for request 0
>
> after this, it's a kill -9 job too on the server process. not just kill/killall or server restart via 'service' init.d tool.

I think what's happening is that the request is being free'd in a place where it doesn't expect it to be free'd. I've re-arranged the code to note, and catch this race condition. It works in my tests, but my tests didn't see this race condition in the first place...

Alan DeKok.
Re: 2.0.0pre2
Duane Cox wrote:

> Just installed 2.0.0pre2. Are the HUP issues fixed? Just noticed it wasn't working, but didn't try CVS.

HUP doesn't work in -pre2. HUP works in CVS. It doesn't *do* much, but it doesn't do anything *bad*.

Alan DeKok.