Re: SQL connection dropped
leopold wrote:
> I am facing a problem with SQL module that drops connections after some
> period of time and I have to bounce FreeRadius process in order to establish
> db connection again.
> When I am doing netstat I see open connections to DB and then after some
> time sockets are closed and all radius requests are rejected.
> I am using the latest Freeradius 2.0.5 with DB2 backend.

  I don't know of many people using the DB2 backend. I would suggest
running it in debugging mode to see why the connections are dropping.

  It's either the DB2 client library, or some other networking thing.
FreeRADIUS does *not* drop the connections itself.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 2.0.5 on Solaris with openssl 0.9.8h [SEC=UNCLASSIFIED]
Rafiqul Ahsan wrote:
> Thank you for your responses, and I appreciate your time. I have a
> few Sun machines, T2000, V210 - all of them have Solaris 10 with
> /usr/sfw/ dirs...

  I would suggest asking Sun for help with this issue. It's a problem
specific to Solaris, and in the end, has very little to do with FreeRADIUS.

> 3. ./configure --prefix=/usr/local --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib
>
> See the below WARNING :

  You've just managed to ignore most of the output of configure, and
everything related to how it finds OpenSSL. I have no idea why you think
this is useful.

  Alan DeKok.
Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
William Hegardt wrote:
> EAP-TLS authentication fails with the "fatal unknown ca" message.

  The server cert may need to be marked with "CA:true"

> If I hack the Makefile like Sergio mentioned last month to sign the
> client certificate with the CA key, then authentication succeeds.

  That can work, too.

> I'd really like to understand what's wrong. Could wpa_supplicant be
> somehow incompatible with the bootstrap certificate chain?

  It's OpenSSL on both ends. wpa_supplicant && FreeRADIUS are just
wrappers to get the SSL data back and forth.

  Alan DeKok.
Re: compiling freeradius with oracle support
Alexandre Chapellon wrote:
> Ok, the module compiles great, and it creates rlm_sql_oracle-2.0.5.so
> (and its symlink). I copy those two files in /usr/lib/freeradius
> but when launching freeradius -X I get:
> ...
> freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sql_oracle.so:
> undefined symbol: OCIEnvCreate

  And we now see the reason why the "configure" script didn't work.

> Of course I installed the Oracle instantclient. I also added
> /opt/oracle/instantclient_11_1 in ld.so.conf and ran ldconfig afterwards.

  Is the library in that directory, or in /opt/oracle/instantclient_11_1/lib ?

  In any case, use the *same* library path here that you used in the
Makefile, as the "-L" argument. It should then work.

> I have to say that no oracle instance is installed on the server (only
> the client libs shipped in the basic.zip file, provided by oracle) and
> so the instance freeradius is trying to connect to doesn't exist yet
> but I doubt this should be a problem for starting freeradius.

  That's fine. The error above is much earlier in the startup process
than the "connect to Oracle" phase.

  Alan DeKok.
Re: compiling freeradius with oracle support
Ok, the module compiles great, and it creates rlm_sql_oracle-2.0.5.so (and its symlink). I copy those two files in /usr/lib/freeradius but when launching freeradius -X I get:

rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_oracle #0
freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sql_oracle.so: undefined symbol: OCIEnvCreate

Of course I installed the Oracle instantclient. I also added /opt/oracle/instantclient_11_1 in ld.so.conf and ran ldconfig afterwards.
I tried to export ORACLE_HOME (to /opt/oracle and to /op/oracle/instantclient_11_1) as an environment variable prior to starting freeradius... but still with no success.

I have to say that no oracle instance is installed on the server (only the client libs shipped in the basic.zip file, provided by oracle) and so the instance freeradius is trying to connect to doesn't exist yet, but I doubt this should be a problem for starting freeradius.

If anyone can help, welcome.

Alan DeKok wrote:
> Alexandre Chapellon wrote:
>> It says headers (oci.h) are not found, but this file really is in the
>> specified include path.
>
> The configure logs should say why it wasn't built, but even that isn't
> really worth looking at.
>
>> Does anyone have a clue what I could do?
>
> $ vi src/modules/rlm_sql/drivers/rlm_sql_oracle/Makefile
>
> Set TARGET = rlm_sql_oracle, and edit the CFLAGS && LDFLAGS lines to
> have the appropriate values:
> -I/opt/oracle/instantclient_11_1/sdk/include, and -L
> /opt/oracle/instantclient_11_1/ -loracle (?)
>
> After that, cd to the directory, and type "make".
>
> Alan DeKok.
Re: I've started to put the book online
It's good news for everyone who loves FreeRadius :)

> Date: Tue, 19 Aug 2008 09:23:06 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: I've started to put the book online
> To: FreeRadius users mailing list
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> http://deployingradius.com/book/
>
> Only parts of the first chapter are online. It covers the basic
> concepts behind RADIUS, and should hopefully address a number of common
> misunderstandings about how it all works.
>
> Keep checking the site. More will be coming later.
>
> Alan DeKok.
Re: I've started to put the book online
Alexandre Chapellon wrote:
> ok then I know what to do today to stop feeling stupid on this list :p
>
> Alan DeKok wrote:
>> http://deployingradius.com/book/
>>
>> Only parts of the first chapter are online. It covers the basic
>> concepts behind RADIUS, and should hopefully address a number of common
>> misunderstandings about how it all works.
>>
>> Keep checking the site. More will be coming later.
>>
>> Alan DeKok.

me too :) at least the links which are there at this moment (concepts) will be very useful for beginners. concepts rule.
Re: NAS-Post in Netgear Accounting-Packet
> Tue Aug 19 18:11:30 2008 : Auth: Login OK: [test2 /] (from client AP-Halle1 port 1 cli 001302BE)
> Tue Aug 19 18:12:30 2008 : Error: rlm_radutmp: Logout for NAS AP-Halle1 port 0, but no Login record
> ..
> It shows that the user is still connected...
> Does anyone know how this is possible?

Login was on port 1. Logout on 0. Acct-Unique-Session-Id is different so
session was never closed. Fix NAS to send proper information. Or get one
that does.

Ivan Kalik
Kalik Informatika ISP
Re: I've started to put the book online
ok then I know what to do today to stop feeling stupid on this list :p

Alan DeKok wrote:
> http://deployingradius.com/book/
>
> Only parts of the first chapter are online. It covers the basic
> concepts behind RADIUS, and should hopefully address a number of common
> misunderstandings about how it all works.
>
> Keep checking the site. More will be coming later.
>
> Alan DeKok.
Re: NAS-Post in Netgear Accounting-Packet
In the "Start" packets and "Interim-Update" packets it seems to be right. But ALL the "Stop" packets have 0 as NAS-Port. So, you agree that this is a bug of the Access-Point?

Thank you for your reply.

Wolfgang Burger


Hello,

I've got three WG102 Access Points from Netgear. I'm using the latest firmware Version 4.0.27 because it should have "Fixed the issue that 802.1x Authentication does not work with machine authentication". But I can confirm that the accounting is still NOT working every time.

Looking into my logfiles I can see that in the cases which worked fine, every time the same port is used. Here are two examples; the first one worked fine, the Session-Id is always the same:

Wed Aug 13 20:05:14 2008
	Service-Type = Framed-User
	Acct-Status-Type = Start
	User-Name = "test1"
	Framed-MTU = 1488
	Acct-Session-Id = " 1"
	Acct-Authentic = RADIUS
	Acct-Delay-Time = 0
	Called-Station-Id = "00184DC8:Network"
	Calling-Station-Id = "001A73XX"
	NAS-Identifier = "APBuero"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	NAS-IP-Address = 192.168.XX.XX
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
	Acct-Unique-Session-Id = "866e0c5655a05a0b"
	Timestamp = 1218650714
	Request-Authenticator = Verified

Wed Aug 13 20:10:13 2008
	Service-Type = Framed-User
	Acct-Status-Type = Interim-Update
	User-Name = "test1"
	Framed-MTU = 1488
	Acct-Session-Id = " 1"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 299
	Acct-Delay-Time = 0
	Called-Station-Id = "00184DC8:Network"
	Calling-Station-Id = "001A73XX"
	NAS-Identifier = "APBuero"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	NAS-IP-Address = 192.168.XX.XX
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
	Acct-Unique-Session-Id = "866e0c5655a05a0b"
	Timestamp = 1218651013
	Request-Authenticator = Verified

Wed Aug 13 20:34:33 2008
	Service-Type = Framed-User
	Acct-Status-Type = Stop
	User-Name = "test1"
	Framed-MTU = 1488
	Acct-Session-Id = " 1"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 1758
	Acct-Terminate-Cause = User-Request
	Acct-Delay-Time = 0
	Called-Station-Id = "00184DC8:Network"
	Calling-Station-Id = "001A73XX"
	NAS-Identifier = "APBuero"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	NAS-IP-Address = 192.168.XX.XX
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
	Acct-Unique-Session-Id = "866e0c5655a05a0b"
	Timestamp = 1218652473
	Request-Authenticator = Verified

But this second one from today fails with the error:

Tue Aug 19 18:11:30 2008 : Auth: Login OK: [test2 /] (from client AP-Halle1 port 1 cli 001302BE)
Tue Aug 19 18:12:30 2008 : Error: rlm_radutmp: Logout for NAS AP-Halle1 port 0, but no Login record

When looking into the detail log I can also see that the Session-Id and the port changed, and I don't know why:

Tue Aug 19 18:11:30 2008
	Service-Type = Framed-User
	Acct-Status-Type = Start
	User-Name = "test2"
	Framed-MTU = 1488
	Acct-Session-Id = " 6"
	Acct-Authentic = RADIUS
	Acct-Delay-Time = 0
	Called-Station-Id = ":Network"
	Calling-Station-Id = "001302BE"
	NAS-Identifier = "AP-Halle1"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	NAS-IP-Address = 192.168.xx.xx
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
	Acct-Unique-Session-Id = "11f6ee9422434136"
	Timestamp = 1219162290
	Request-Authenticator = Verified

Tue Aug 19 18:12:30 2008
	Service-Type = Framed-User
	Acct-Status-Type = Stop
	User-Name = "test2"
	Framed-MTU = 1488
	Acct-Session-Id = " 6"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 60
	Acct-Terminate-Cause = User-Request
	Acct-Delay-Time = 0
	Called-Station-Id = ":Network"
	Calling-Station-Id = "001302BE"
	NAS-Identifier = "AP-Halle1"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	NAS-IP-Address = 192.168.xx.xx
	NAS-Port = 0
	NAS-Port-Id = "STA port # 0"
	Acct-Unique-Session-Id = "9c44efbf7672967b"
	Timestamp = 1219162350
	Request-Authenticator = Verified

---

Obviously the netgear access point uses port 1 on start but port 0 on stop. Also the user is definitely NOT connected anymore but radwho shows the following:
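The mismatch Ivan points out (Start on port 1, Stop on port 0, so rlm_radutmp never finds the login record and the user stays "online") is easy to spot mechanically from the detail file. The following checker is an added example, not FreeRADIUS code or anything from this thread; it pairs Start and Stop records on the (NAS-Identifier, NAS-Port) key that rlm_radutmp uses and cross-checks by Acct-Session-Id, so a Stop that arrives on the wrong port is reported together with the port its Start really used. The detail-file excerpt is constructed from the two test2 packets quoted above (irrelevant attributes dropped).

```python
"""Pair RADIUS accounting Start/Stop records by NAS and NAS-Port, the way
rlm_radutmp keys them, and flag Stops whose port does not match the Start.
Added example, not FreeRADIUS code; DETAIL is constructed from the post."""

import re

# Constructed detail-file excerpt: the two test2 packets from the post.
DETAIL = """\
Tue Aug 19 18:11:30 2008
	Acct-Status-Type = Start
	User-Name = "test2"
	Acct-Session-Id = " 6"
	NAS-Identifier = "AP-Halle1"
	NAS-Port = 1
	Acct-Unique-Session-Id = "11f6ee9422434136"

Tue Aug 19 18:12:30 2008
	Acct-Status-Type = Stop
	User-Name = "test2"
	Acct-Session-Id = " 6"
	Acct-Session-Time = 60
	NAS-Identifier = "AP-Halle1"
	NAS-Port = 0
	Acct-Unique-Session-Id = "9c44efbf7672967b"
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Split a FreeRADIUS detail file into one dict per packet.  A record
    opens with an unindented timestamp line; its attributes are indented.
    Surrounding double quotes on string values are stripped."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # timestamp line opens a record
            current = {"_timestamp": line.strip()}
            records.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[key] = value
    return records


def check_sessions(records):
    """Return a list of problem strings.  Starts are remembered under the
    (NAS, NAS-Port) key; a Stop with no open Start on that port is reported
    (with the port the same Acct-Session-Id started on, if any), and any
    Start still open at the end is reported as never closed."""
    open_by_port = {}        # (nas, port) -> Start record
    open_by_session = {}     # (nas, Acct-Session-Id) -> Start record
    problems = []
    for rec in records:
        nas = rec.get("NAS-Identifier", "?")
        port = rec.get("NAS-Port", "?")
        sid = rec.get("Acct-Session-Id", "?")
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_by_port[(nas, port)] = rec
            open_by_session[(nas, sid)] = rec
        elif status == "Stop":
            start = open_by_port.pop((nas, port), None)
            if start is None:
                msg = f"Logout for NAS {nas} port {port}, but no Login record"
                by_sid = open_by_session.get((nas, sid))
                if by_sid is not None:
                    msg += (f" (Start for Acct-Session-Id {sid!r} was on port "
                            f"{by_sid['NAS-Port']})")
                problems.append(msg)
            else:
                open_by_session.pop((nas, sid), None)
    for (nas, port), rec in open_by_port.items():
        problems.append(f"Session {rec.get('Acct-Session-Id')!r} on NAS {nas} "
                        f"port {port} never closed")
    return problems


if __name__ == "__main__":
    for problem in check_sessions(parse_detail(DETAIL)):
        print(problem)
```

Run against the constructed excerpt it reports both symptoms seen in the thread: the Stop on port 0 with no matching login, and the port 1 session that is never closed (which is exactly why radwho still lists the user).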
Re: Question regarding rlm_perl and Access-Challenge
Yes, that worked a charm. Thanks for the help Alan!

--
Harry

On Tue, Aug 19, 2008 at 6:03 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Harry J Walsh wrote:
>> Thanks for the swift reply Dekok. I tried what you suggested and it
>> doesn't work.
>
> Sorry... looking at the code again, the Response-Packet-Type should go
> into the control/check items.
> ...
>
>> $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";
>
> Change that to RAD_CHECK
> ...
>> The last line here is confusing me. Looking at the code that spits
>> out this error, it seems to only happen when there is no
>> Response-Packet-Type in a request_post_handler.
>>
>>         switch (request->packet->code) {
>>         case PW_AUTHENTICATION_REQUEST:
>>                 gettimeofday(&request->next_when, NULL);
>>
>>                 if (request->reply->code == 0) {
>>                         /*
>>                          * Check if the lack of response is intentional.
>>                          */
>>                         vp = pairfind(request->config_items,
>
> "config_items" is the control/check list.
>
> Alan DeKok.

--
Harry J Walsh
Re: Question regarding rlm_perl and Access-Challenge
Harry J Walsh wrote:
> Thanks for the swift reply Dekok. I tried what you suggested and it
> doesn't work.

  Sorry... looking at the code again, the Response-Packet-Type should go
into the control/check items.
...

> $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";

  Change that to RAD_CHECK
...
> The last line here is confusing me. Looking at the code that spits
> out this error, it seems to only happen when there is no
> Response-Packet-Type in a request_post_handler.
>
>         switch (request->packet->code) {
>         case PW_AUTHENTICATION_REQUEST:
>                 gettimeofday(&request->next_when, NULL);
>
>                 if (request->reply->code == 0) {
>                         /*
>                          * Check if the lack of response is intentional.
>                          */
>                         vp = pairfind(request->config_items,

  "config_items" is the control/check list.

  Alan DeKok.
Re: Auth-Type := Accept - CHAP problems
Thomas Buchberger wrote:
> we're playing with the freeradius features and are getting confused in
> the way it behaves:

  :) It's simple... just read 1000's of lines of debugging output, and
hordes of miscellaneous unrelated unorganized documentation files.

> We have several different Users in user-files which works fine.
> Now we want that the radius always answers with OK and no more "Login
> incorrect" - but with other Options than a correct user.
>
> We appended in the config:
> DEFAULT	Auth-Type := Accept
...
> users: Matched entry DEFAULT at line 2

  Is that entry at line 2 of the "users" file? If not, the server is
matching an earlier entry, and not the one with Accept.

  Alan DeKok.
Re: convert steel-belt radius .dct to freeradius dictionary
S Adrian wrote:
> I got a file that looks like this (utstarcom.dct) which would need to be
> translated to freeradius .. anyone can help?

http://github.com/alandekok/freeradius-server/tree/master/share/dictionary.utstarcom

  :)

  There's also a simple (i.e. dumb) script that does some of the
conversion for anyone with many .dct files.

  Alan DeKok.
Re: web based certificate management
Tomoki Taniguchi wrote:
> is there a good web based certificate management system that users of
> freeradius recommend?
> i need something that will apply the needed xpextensions and generate the
> necessary .p12 and .der certificates for a windows xp client.
> i am looking into editing the ebox-ca to generate the additional
> certificates, but would prefer not to have to go through the trouble if
> possible.

FWIW, Red Hat has open sourced the certificate management system it acquired when it purchased a number of assets from Netscape (the Netscape LDAP server has already been open sourced by Red Hat, known under the name Directory Server). The certificate server which Red Hat open sourced is essentially the same one used by the DoD (Department of Defence) and many other high end enterprise clients. The open source version is known as DogTag. More information can be found here:

http://pki.fedoraproject.org/wiki/PKI_Main_Page

The effort required to make Certificate Server available as open source was formidable; however, Red Hat has a strong commitment to open source and I'm proud of the initiative by my colleagues who made this sophisticated PKI technology available to everyone.

--
John Dennis <[EMAIL PROTECTED]>
Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
I hate to resurrect this long thread from July 22-28, but I have the same problem and never saw a resolution.

I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4 (latest to date). I'm using the bootstrap script to generate example certificates. I also created a client certificate using make client.pem. I configured wpa_supplicant with ca.pem, client.pem and client.key.

EAP-TLS authentication fails with the "fatal unknown ca" message.

If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds.

In last month's thread, Alan DeKok posted:

> You need to follow the documentation in eap.conf.
>
> #  If CA_file (below) is not used, then the
> #  certificate_file below MUST include not
> #  only the server certificate, but ALSO all
> #  of the CA certificates used to sign the
> #  server certificate.
> certificate_file = ${certdir}/server.pem
>
> Have you done that?

In my case, CA_file does indeed refer to ca.pem as created by the bootstrap script. So I'm assuming that I don't need to touch the server.pem file as created.

I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain?

Thanks
Problems with EAP and LDAP replyItems (2.0.2)
Hi Guys,

Since freeradius2 has some major improvements I try to upgrade from 1.1.4. Unfortunately there are a few problems I encounter: for some weird reason the server isn't sending my LDAP replyItems back to the NAS along with the Access-Accept packet.

In short I want to authenticate using EAP/PEAP against the server, which itself checks against our LDAP Server. Additionally the server should also send back a specific replyItem stored in our LDAP.

The configuration looks like:

authorize {
	preprocess
	eap {
		ok = return
	}
	ldap1
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

In ldap.attrmap the following is configured:

replyItem	Airespace-Interface-Name	radiusCallingStationId

so the LDAP attribute radiusCallingStationId should be transformed to an attribute called "Airespace-Interface-Name" and sent back to the NAS.

As you can see in the following debug-output, at the beginning the server sends the attribute back as supposed, but for some weird reason in the Access-Accept packet the attribute isn't sent along. What's wrong here?

Thanks in advance!

debug-output:

rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, length=182
	User-Name = "testuser"
	Calling-Station-Id = "00-0E-35-AE-DB-DF"
	Called-Station-Id = "00-1A-30-2E-C9-60:wlan-test"
	NAS-Port = 29
	NAS-IP-Address = 10.110.101.4
	NAS-Identifier = "WiSM-2"
	Airespace-Wlan-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "995"
	EAP-Message = 0x0202000d0173737065726c3232
	Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
	expand: (|(uid=%u)(uid=%U)) -> (|(uid=testuser)(uid=_))
	expand: dc=mydomain,dc=ac,dc=at -> dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter (|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Airespace-Interface-Name = "599"
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
rad_check_password:  Found Auth-Type EAP
!!!                                                                       !!!
!!!	Replacing User-Password in config items with Cleartext-Password.     !!!
!!!                                                                       !!!
!!!	Please update your configuration so that the "known good"            !!!
!!!	clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                       !!!
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
	Airespace-Interface-Name = "599"
	EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
	Message-Authenticator = 0x
	State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, length=193
	User-Name = "testuser"
	Calling-Station-Id = "00-0E-35-AE-DB-DF"
	Called-Station-Id = "00-1A-30-2E-C9-60:wlan-test"
	NAS-Port = 29
	NAS-IP-Address = 10.110.101.4
	NAS-Identifier = "WiSM-2"
	Airespace-Wlan-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "995"
	EAP-Message = 0x020300060319
	State = 0x33b5046233b6000c0bb076d000b26f5e
	Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type respo
Re: final question about client certs using eap-tls (was: cert bootstrap bug?)
Sergio wrote:

Hi, like so many others.

At this time I have got one eap module which authenticates users under a PKI. My client certs are issued by the root ca (ca.pem) and everything works. I can manage the crl, because it is public, and authenticate any user against any server.

So my question is, what's the final goal of signing certificates with the server's? The only difference (I think) is about the crl managing, because in my case, the authority should provide the crl to the server administrators. I don't see any more difference.

Thanks

Any more goal?
Auth-Type := Accept - CHAP problems
Hi @ll,

we're playing with the freeradius features and are getting confused in the way it behaves:

We have several different Users in user-files which works fine. Now we want that the radius always answers with OK and no more "Login incorrect" - but with other Options than a correct user.

We appended in the config:

DEFAULT	Auth-Type := Accept
	... various Options ...

This works with PAP/CHAP, when the user is not listed in a users file. It also works with PAP when the user is in a list, but not with CHAP!

Is there a way to realize this?

Debug says:

rad_recv: Access-Request packet from host XXX:XX, id=114, length=263
	User-Name = "XXX"
	Acct-Session-Id = "XXX"
	CHAP-Password = XXX
	CHAP-Challenge = XXX
	Service-Type = Framed-User
	Framed-Protocol = PPP
	ERX-Pppoe-Description = "XXX"
	Calling-Station-Id = "XXX"
	NAS-Port-Type = Ethernet
	NAS-Port = XXX
	NAS-Port-Id = "XXX"
	NAS-IP-Address = XXX
	NAS-Identifier = "XXX"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module "preprocess" returns ok for request 10
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 10
    rlm_realm: No '@' in User-Name = "XXX", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 10
    users: Matched entry DEFAULT at line 2
  modcall[authorize]: module "files" returns ok for request 10
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 10
modcall: leaving group authorize (returns ok) for request 10
  Found Autz-Type autz_DSL_B
  Processing the authorize section of radiusd.conf
modcall: entering group autz_DSL_B for request 10
    users: Matched entry XXX at line 335992
  modcall[authorize]: module "autzfile_DSL_B" returns ok for request 10
modcall: leaving group autz_DSL_B (returns ok) for request 10
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 10
  rlm_chap: login attempt by "XXX" with CHAP password
  rlm_chap: Using clear text password "XXX" for user XXX authentication.
  rlm_chap: Password check failed
  modcall[authenticate]: module "chap" returns reject for request 10
modcall: leaving group CHAP (returns reject) for request 10
auth: Failed to validate the user.

--
Thomas Buchberger
Re: convert steel-belt radius .dct to freeradius dictionary
> Here it is attached to this message.

Thanks .. but still .. those thingies .. c .. cr .. 7064 .. what are they ?
Re: convert steel-belt radius .dct to freeradius dictionary
> That one's pretty easy; have a peek at the other FreeRADIUS-formatted
> vendor dictionaries that come with the package and spy the nuances in
> the differences.

Ok, but what about that radius.dct .. should it affect what I enter in the new freeradius dictionary file ?

>> # utstarcom.dct - Radius dictionary for UTStarcom BBS1000
>> @radius.dct
>> # UTStarcom specific parameters
>> #
>> MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

Specific .. what the heck are these?! I'm sure they mean something ..

>> ATTRIBUTE Utstarcom-VLAN-ID Utstarcom-VSA(140, integer)
>> r

that r and cr at the end should also mean something ..
Re: convert steel-belt radius .dct to freeradius dictionary
That one's pretty easy; have a peek at the other FreeRADIUS-formatted vendor dictionaries that come with the package and spy the nuances in the differences.

On Tue, August 19, 2008 10:33 am, S Adrian wrote:
> Hi everybody,
>
> I got a file that looks like this (utstarcom.dct) which would need to be
> translated to freeradius .. anyone can help?
>
> >>start of file<<
> # utstarcom.dct - Radius dictionary for UTStarcom BBS1000
> @radius.dct
>
> #
> # UTStarcom specific parameters
> #
> MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]
>
> ATTRIBUTE Utstarcom-VLAN-ID              Utstarcom-VSA(140, integer)  r
> ATTRIBUTE Utstarcom-CommittedBandwidth   Utstarcom-VSA(142, integer)  r
> ATTRIBUTE Utstarcom-MaxBandwidth         Utstarcom-VSA(143, integer)  r
> ATTRIBUTE Utstarcom-Priority             Utstarcom-VSA(145, integer)  r
> ATTRIBUTE Utstarcom-Error-Reason         Utstarcom-VSA(147, integer)  r
> ATTRIBUTE Utstarcom-PrimaryDNS           Utstarcom-VSA(152, integer)  r
> ATTRIBUTE Utstarcom-SecondaryDNS         Utstarcom-VSA(153, integer)  r
> ATTRIBUTE Utstarcom-MaxBurstSize         Utstarcom-VSA(161, integer)  r
> ATTRIBUTE Utstarcom-MaxDelay             Utstarcom-VSA(162, integer)  r
> ATTRIBUTE Utstarcom-MaxJitter            Utstarcom-VSA(163, integer)  r
> ATTRIBUTE Utstarcom-DeviceId             Utstarcom-VSA(165, string)   cr
> ATTRIBUTE Utstarcom-Module-Id            Utstarcom-VSA(166, integer)  cr
> ATTRIBUTE Utstarcom-Port-No              Utstarcom-VSA(167, integer)  cr
> ATTRIBUTE Utstarcom-Logical-Port-No      Utstarcom-VSA(168, integer)  r
> ATTRIBUTE Utstarcom-UNI-MAX-MAC          Utstarcom-VSA(169, integer)  r
> ATTRIBUTE Utstarcom-Default-Gateway      Utstarcom-VSA(170, integer)  r
>
> ATTRIBUTE Utstarcom-CLI-Access-Level     Utstarcom-VSA(171, integer)  r
> ATTRIBUTE Utstarcom-Act-Input-Octets     Utstarcom-VSA(180, string)   r
> ATTRIBUTE Utstarcom-Act-Output-Octets    Utstarcom-VSA(181, string)   r
> ATTRIBUTE Utstarcom-Act-Input-Frames     Utstarcom-VSA(182, string)   r
> ATTRIBUTE Utstarcom-Act-Output-Frames    Utstarcom-VSA(183, string)   r
>
> ATTRIBUTE Utstarcom-Onu-MC-Filter-Enable Utstarcom-VSA(184, integer)  r
> ATTRIBUTE Utstarcom-UNI-Auto-Negotiation Utstarcom-VSA(185, integer)  r
> ATTRIBUTE Utstarcom-UNI-Speed            Utstarcom-VSA(186, integer)  r
> ATTRIBUTE Utstarcom-UNI-Duplex           Utstarcom-VSA(187, integer)  r
> ATTRIBUTE Utstarcom-ONU-Admin_status     Utstarcom-VSA(188, integer)  r
> ATTRIBUTE Utstarcom-ONU-FW-SC-Upgrade    Utstarcom-VSA(189, integer)  r
> >>EOF<<

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
convert steel-belt radius .dct to freeradius dictionary
Hi everybody,

I got a file that looks like this (utstarcom.dct) which would need to be translated to freeradius .. anyone can help?

>>start of file<<
# utstarcom.dct - Radius dictionary for UTStarcom BBS1000
@radius.dct

#
# UTStarcom specific parameters
#
MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

ATTRIBUTE Utstarcom-VLAN-ID              Utstarcom-VSA(140, integer)  r
ATTRIBUTE Utstarcom-CommittedBandwidth   Utstarcom-VSA(142, integer)  r
ATTRIBUTE Utstarcom-MaxBandwidth         Utstarcom-VSA(143, integer)  r
ATTRIBUTE Utstarcom-Priority             Utstarcom-VSA(145, integer)  r
ATTRIBUTE Utstarcom-Error-Reason         Utstarcom-VSA(147, integer)  r
ATTRIBUTE Utstarcom-PrimaryDNS           Utstarcom-VSA(152, integer)  r
ATTRIBUTE Utstarcom-SecondaryDNS         Utstarcom-VSA(153, integer)  r
ATTRIBUTE Utstarcom-MaxBurstSize         Utstarcom-VSA(161, integer)  r
ATTRIBUTE Utstarcom-MaxDelay             Utstarcom-VSA(162, integer)  r
ATTRIBUTE Utstarcom-MaxJitter            Utstarcom-VSA(163, integer)  r
ATTRIBUTE Utstarcom-DeviceId             Utstarcom-VSA(165, string)   cr
ATTRIBUTE Utstarcom-Module-Id            Utstarcom-VSA(166, integer)  cr
ATTRIBUTE Utstarcom-Port-No              Utstarcom-VSA(167, integer)  cr
ATTRIBUTE Utstarcom-Logical-Port-No      Utstarcom-VSA(168, integer)  r
ATTRIBUTE Utstarcom-UNI-MAX-MAC          Utstarcom-VSA(169, integer)  r
ATTRIBUTE Utstarcom-Default-Gateway      Utstarcom-VSA(170, integer)  r

ATTRIBUTE Utstarcom-CLI-Access-Level     Utstarcom-VSA(171, integer)  r
ATTRIBUTE Utstarcom-Act-Input-Octets     Utstarcom-VSA(180, string)   r
ATTRIBUTE Utstarcom-Act-Output-Octets    Utstarcom-VSA(181, string)   r
ATTRIBUTE Utstarcom-Act-Input-Frames     Utstarcom-VSA(182, string)   r
ATTRIBUTE Utstarcom-Act-Output-Frames    Utstarcom-VSA(183, string)   r

ATTRIBUTE Utstarcom-Onu-MC-Filter-Enable Utstarcom-VSA(184, integer)  r
ATTRIBUTE Utstarcom-UNI-Auto-Negotiation Utstarcom-VSA(185, integer)  r
ATTRIBUTE Utstarcom-UNI-Speed            Utstarcom-VSA(186, integer)  r
ATTRIBUTE Utstarcom-UNI-Duplex           Utstarcom-VSA(187, integer)  r
ATTRIBUTE Utstarcom-ONU-Admin_status     Utstarcom-VSA(188, integer)  r
ATTRIBUTE Utstarcom-ONU-FW-SC-Upgrade    Utstarcom-VSA(189, integer)  r
>>EOF<<
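To make the .dct pieces S Adrian asks about concrete (the 7064 in the MACRO is the vendor id, the "r"/"cr" suffixes are Steel-Belted reply/check flags that FreeRADIUS does not need), here is a small converter as an added example. It is not Alan's script, not FreeRADIUS code, and not attached to this thread; it handles only the MACRO/ATTRIBUTE subset that utstarcom.dct uses, the vendor name passed in is an assumption (FreeRADIUS needs one for VENDOR/BEGIN-VENDOR), and the .dct-to-FreeRADIUS type map beyond integer/string/ipaddr is an assumption too. The input is a constructed excerpt of the file quoted above, including a flag wrapped onto its own line as it appears in the mail.

```python
"""Convert the MACRO/ATTRIBUTE subset of a Steel-Belted Radius .dct vendor
dictionary into FreeRADIUS dictionary syntax.  Added example, not the script
Alan mentions and not FreeRADIUS code.  The vendor name and the TYPE_MAP
entries other than integer/string/ipaddr are assumptions of this example."""

import re

# Constructed input: the head of the utstarcom.dct quoted in the thread,
# with one "cr" flag wrapped onto the following line as in the mail.
DCT_TEXT = """\
# utstarcom.dct - Radius dictionary for UTStarcom BBS1000
@radius.dct

#
# UTStarcom specific parameters
#
MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

ATTRIBUTE Utstarcom-VLAN-ID Utstarcom-VSA(140, integer) r
ATTRIBUTE Utstarcom-DeviceId Utstarcom-VSA(165, string)
cr
ATTRIBUTE Utstarcom-PrimaryDNS Utstarcom-VSA(152, integer) r
"""

MACRO_RE = re.compile(r'^MACRO\s+([\w-]+)\(.*?\)\s+26\s+\[vid=(\d+)')
ATTR_RE = re.compile(
    r'^ATTRIBUTE\s+([\w-]+)\s*([\w-]+)\((\d+),\s*(\w+)\)\s*([cr]*)\s*$')
FLAG_RE = re.compile(r'^[cr]{1,2}$')          # a wrapped "r" / "cr" line

# .dct type name -> FreeRADIUS type.  Only the first three are from the
# thread; the rest are an assumption and may need adjusting per vendor file.
TYPE_MAP = {"integer": "integer", "string": "string", "ipaddr": "ipaddr",
            "hexadecimal": "octets", "time": "date"}


def parse_dct(text):
    """Return (vendor_id, [(name, number, dct_type, flags), ...]).
    vid= comes from the VSA MACRO line; a flag on a line of its own is
    attached to the preceding ATTRIBUTE."""
    vendor_id, attrs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")):   # comments, @includes
            continue
        m = MACRO_RE.match(line)
        if m:
            vendor_id = int(m.group(2))
            continue
        m = ATTR_RE.match(line)
        if m:
            name, _macro, num, typ, flags = m.groups()
            attrs.append([name, int(num), typ, flags])
            continue
        if FLAG_RE.match(line) and attrs and not attrs[-1][3]:
            attrs[-1][3] = line
            continue
        raise ValueError(f"unrecognised .dct line: {raw!r}")
    if vendor_id is None:
        raise ValueError("no VSA MACRO with vid= found")
    return vendor_id, [tuple(a) for a in attrs]


def to_freeradius(vendor_name, vendor_id, attrs):
    """Emit FreeRADIUS dictionary text.  The r/cr flags are dropped: in
    FreeRADIUS any attribute may appear as a check or reply item."""
    out = [f"VENDOR\t\t{vendor_name}\t\t\t{vendor_id}", "",
           f"BEGIN-VENDOR\t{vendor_name}", ""]
    for name, num, typ, _flags in attrs:
        fr_type = TYPE_MAP.get(typ.lower())
        if fr_type is None:
            raise ValueError(f"no FreeRADIUS type for .dct type {typ!r} ({name})")
        out.append(f"ATTRIBUTE\t{name}\t{num}\t{fr_type}")
    out += ["", f"END-VENDOR\t{vendor_name}"]
    return "\n".join(out) + "\n"


def convert(text, vendor_name):
    """Parse .dct text and return the equivalent FreeRADIUS dictionary."""
    vendor_id, attrs = parse_dct(text)
    return to_freeradius(vendor_name, vendor_id, attrs)


if __name__ == "__main__":
    print(convert(DCT_TEXT, "UTStarcom"))
```

The converter refuses lines it does not understand rather than guessing, which is the safer failure mode for a dictionary: a silently mis-numbered attribute would make the server decode or encode the wrong VSA. Whatever the script produces should still be compared against the stock dictionary.utstarcom Alan links to before it is dropped into the dictionary directory.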
Re: Crash on x64?
Alex Balashov wrote:
> Alan DeKok wrote:
>> John Dennis wrote:
>>> Actually, on Fedora & RHEL you don't need to rebuild with debugging
>>> symbols on. All packages built for Fedora & RHEL always have matching
>>> debuginfo packages which can optionally be installed, which once
>>> installed will give you line number information in the debugger.
>>
>> Nice. That should help.
>>
>> Alan DeKok.
>
> Whatever the problem was, it definitely went away on 32-bit Debian.
> Same version of Postgres, libpq, FreeRADIUS, etc. About the only thing
> that could possibly be different is the precise glibc2 revision.

FWIW, I recently investigated a similar memory corruption problem with freeradius reported by glibc on RHEL 5. I was not able to reproduce it on a current RHEL 5.2 system. The fact I couldn't reproduce it does not in and of itself mean anything, the memory corruption could require a specific series of events to trigger it, but I do believe glibc had been updated between the original report and my efforts at reproducing it. This might corroborate your observation (or might not :-)

--
John Dennis <[EMAIL PROTECTED]>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Realms and proxying
Hi,

> Is this position dependent? Does it have to appear before the liv.ac.uk
> realm to prevent "[EMAIL PROTECTED]" being caught by the first realm?

No, unless you use a regex in the realm stanza, the matches are *literal* realms. i.e. realm liv.ac.uk does not match foo.bar.liv.ac.uk.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
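The answer above is the whole point: with `format = suffix` the realm is whatever follows the last "@", and a literal realm name is compared whole, so liv.ac.uk and csc.liv.ac.uk are two distinct keys and their order in proxy.conf does not matter. Only a regex realm is tried in order. The script below is an added model of that lookup, written for this thread; it is not rlm_realm code. Its assumptions are labelled: a "~" prefix marks a regex realm, literal names are compared case-insensitively and are tried before any regex, and a realm named DEFAULT is the fallback.

```perl
#!/usr/bin/perl
# realm_lookup.pl - model of how a suffix realm is picked, to show that
# literal realms match whole and that stanza order only matters for regex
# realms. Added example for the thread; not FreeRADIUS code. Assumed: "~"
# prefix = regex realm, case-insensitive literal compare, literal before
# regex, DEFAULT as fallback.
use strict;
use warnings;

# Literal names live in a hash (order-free); regex realms are a list that
# is checked in the order they were added.
sub new_table { return { literal => {}, regex => [] } }

sub add_realm {
    my ($t, $name, %cfg) = @_;
    if ($name =~ /^~(.*)$/) {
        push @{ $t->{regex} }, [qr/$1/i, \%cfg];
    } else {
        $t->{literal}{ lc $name } = \%cfg;
    }
    return $t;
}

# Returns (realm, config) or (undef, undef) when the name has no realm;
# config is undef when no stanza (and no DEFAULT) matches.
sub lookup_realm {
    my ($t, $username) = @_;
    my $at = rindex($username, '@');          # format = suffix: LAST delimiter
    return (undef, undef) if $at < 0;
    my $realm = substr($username, $at + 1);
    return ($realm, $t->{literal}{ lc $realm }) if exists $t->{literal}{ lc $realm };
    for my $r (@{ $t->{regex} }) {
        return ($realm, $r->[1]) if $realm =~ $r->[0];
    }
    return ($realm, $t->{literal}{default});
}

# Constructed sample: the two stanzas from the question, in either order.
sub liv_table {
    my ($csc_first) = @_;
    my @stanzas = (
        ['liv.ac.uk',     auth => 'LOCAL', acct => 'LOCAL'],
        ['csc.liv.ac.uk', auth => 'server.csc.liv.ac.uk:1812',
                          acct => 'server.csc.liv.ac.uk:1813'],
    );
    @stanzas = reverse @stanzas if $csc_first;
    my $t = new_table();
    add_realm($t, @$_) for @stanzas;
    return $t;
}

unless (caller) {
    # Same answers whichever stanza comes first: literal lookup is a hash hit.
    for my $order (0, 1) {
        my $t = liv_table($order);
        for my $user ('barry@liv.ac.uk', 'bob@csc.liv.ac.uk', 'x@foo.bar.liv.ac.uk') {
            my ($realm, $cfg) = lookup_realm($t, $user);
            printf "order %d %-22s -> %s\n", $order, $user,
                $cfg ? "$realm auth=$cfg->{auth}" : "no realm stanza (reject/NULL realm)";
        }
    }
    # Sub-domains are only caught by a regex realm, and that is the one case
    # where stanza order (among the regex realms) decides the winner.
    my $t = add_realm(liv_table(0), '~\.liv\.ac\.uk$', auth => 'LOCAL', acct => 'LOCAL');
    my ($realm, $cfg) = lookup_realm($t, 'x@foo.bar.liv.ac.uk');
    print "with regex realm: $realm auth=$cfg->{auth}\n";
}
```

Running it with plain perl prints the same three results for both stanza orders, with foo.bar.liv.ac.uk unmatched until the regex realm is added. That last line is also the thing to be careful about: a regex such as `\.liv\.ac\.uk$` would catch csc.liv.ac.uk as well if the literal csc.liv.ac.uk stanza were ever removed, so keep the literal stanza for anything you proxy to a different server and anchor regex realms tightly.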
Realms and proxying
I currently have a realm defined:

realm liv.ac.uk {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

I now have one of my departments, which for various complex reasons, has been allowed to have its own user accounts. They have the subdomain name "csc.liv.ac.uk". I want to proxy RADIUS to their server. If I add:

realm csc.liv.ac.uk {
        type     = radius
        authhost = server.csc.liv.ac.uk:1812
        accthost = server.csc.liv.ac.uk:1813
}

Is this position dependent? Does it have to appear before the liv.ac.uk realm to prevent "[EMAIL PROTECTED]" being caught by the first realm?

I have:

realm suffix {
        format    = suffix
        delimiter = "@"
}

in radius.conf.

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question regarding rlm_perl and Access-Challenge
Thanks for the swift reply DeKok. I tried what you suggested and it doesn't work. Looking at dictionary.freeradius.internal and double checking the values in the pair everything looks okay. I'm going to play about with this a bit, but in the mean time here's some more details and I would greatly appreciate it if you would scan over them to see if there is anything obvious I am missing.

Here's my authenticate sub.

# Function to handle authenticate
sub authenticate {
        # For debugging purposes only
        &log_request_attributes;

        if (($RAD_REQUEST{'User-Name'} =~ /^test/) && ($RAD_REQUEST{'User-Password'} =~ /^pass/)) {
                $RAD_REPLY{'State'} = "challenge";
                $RAD_REPLY{'Reply-Message'} = "Challenge: ";
                $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";
                &log_request_attributes;
                return RLM_MODULE_HANDLED;
        } else {
                # Reject user and tell him why
                $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
                return RLM_MODULE_REJECT;
        }
}

And here's the debug output:

perl_pool: item 0x827b1a0 asigned new request. Handled so far: 1
found interpetator at address 0x827b1a0
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REPLY: Reply-Message = Challenge:
rlm_perl: RAD_REPLY: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair NAS-IP-Address = 10.250.0.170
rlm_perl: Added pair NAS-Port = 6
rlm_perl: Added pair Reply-Message = Challenge:
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x827b1a0
++[perl] returns handled
There was no response configured: rejecting request 0
==

The last line here is confusing me. Looking at the code that spits out this error, it seems to only happen when there is no Response-Packet-Type in a request_post_handler.

        switch (request->packet->code) {
        case PW_AUTHENTICATION_REQUEST:
                gettimeofday(&request->next_when, NULL);

                if (request->reply->code == 0) {
                        /*
                         *      Check if the lack of response is intentional.
                         */
                        vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE);
                        if (!vp) {
                                DEBUG2("There was no response configured: rejecting request %d", request->number);
                                request->reply->code = PW_AUTHENTICATION_REJECT;
                        } else if (vp->vp_integer == 256) {
                                DEBUG2("Not responding to request %d", request->number);
                        } else {
                                request->reply->code = vp->vp_integer;
                        }
                }

On Tue, Aug 19, 2008 at 1:09 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Harry J Walsh wrote:
>> I want to develop some test cases for a radius client I am developing
>> and I would like to be able to use rlm_perl to simulate various
>> scenarios. The one I am having major problems with is
>> Access-Challenge. I really like rlm_perl and the flexibility it
>> provides and I would like to be able to specify the reply type. I've
>> looked through documentation and the rlm_perl code for any hints on
>> how to do this and at this stage I'm thinking I'll have to create a
>> new interface to allow my perl script to specify the correct reply
>> type to rlm_perl.
>
> Configure the reply with "Response-Packet-Type = Access-Challenge",
> and make sure that the authenticate section returns "handled". That
> should do it.
>
> And yes, this isn't documented.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Harry J Walsh

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
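The C excerpt in the message above explains the debug line: request_post_handler() looks for Response-Packet-Type with pairfind() on request->config_items, which is the check/control list, not the reply list. rlm_perl exposes the control list as %RAD_CHECK and the reply list as %RAD_REPLY, so a Response-Packet-Type set in %RAD_REPLY is just another reply attribute and the post-handler never sees it. The script below is an added example written for this thread (not the poster's code and not shipped with FreeRADIUS) showing the attribute placed in %RAD_CHECK, plus the second round that accepts the answer. It assumes FreeRADIUS 2.x rlm_perl with the usual wiring (authorize sets Auth-Type = Perl, authenticate calls perl) and a NAS that echoes State back as RFC 2865 requires; the challenge and answer values are a constructed test fixture.

```perl
#!/usr/bin/perl
# challenge.pl - rlm_perl authenticate hook that returns an Access-Challenge
# on the first round and accepts the answer on the second.
# Added example for the thread; not code from the original post or FreeRADIUS.
#
# Response-Packet-Type must go in %RAD_CHECK (request->config_items), because
# that is where request_post_handler() looks for it; %RAD_REPLY is the wrong list.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # filled in by rlm_perl

# Return codes, same values as the rlm_perl example.pl shipped with 2.x.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_HANDLED => 3;

# Constructed test fixture. A real deployment would use a random per-session
# challenge kept server-side (see the note on the interpreter pool below).
my $CHALLENGE = 'constructed-challenge-42';
my $ANSWER    = 'pass-42';

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'}     || '';
    my $pw   = $RAD_REQUEST{'User-Password'} || '';
    return RLM_MODULE_REJECT unless $user =~ /^test/;

    if (!defined $RAD_REQUEST{'State'}) {
        # Round 1: no State yet, so send the challenge. The packet type goes
        # in the control list; State and the prompt go in the reply.
        $RAD_CHECK{'Response-Packet-Type'} = 'Access-Challenge';
        $RAD_REPLY{'State'}         = $CHALLENGE;
        $RAD_REPLY{'Reply-Message'} = "Challenge: $CHALLENGE";
        return RLM_MODULE_HANDLED;   # reply already built; post-handler sets the code
    }

    # Round 2: the NAS echoed State and the password field carries the answer.
    if ($RAD_REQUEST{'State'} eq $CHALLENGE && $pw eq $ANSWER) {
        $RAD_REPLY{'Reply-Message'} = 'Challenge answered';
        return RLM_MODULE_OK;        # Access-Accept
    }
    $RAD_REPLY{'Reply-Message'} = 'Bad challenge response';
    return RLM_MODULE_REJECT;        # Access-Reject
}

# Stand-alone driver: simulate the rounds the way radiusd would call us.
unless (caller) {
    my %names = (0 => 'REJECT', 2 => 'OK', 3 => 'HANDLED');
    for my $req ({ 'User-Name' => 'test', 'User-Password' => 'pass' },
                 { 'User-Name' => 'test', 'User-Password' => $ANSWER, 'State' => $CHALLENGE },
                 { 'User-Name' => 'test', 'User-Password' => 'wrong',  'State' => $CHALLENGE }) {
        %RAD_REQUEST = %$req; %RAD_REPLY = (); %RAD_CHECK = ();
        my $rc = authenticate();
        printf "%-8s check=%-16s reply=%s\n", $names{$rc},
            $RAD_CHECK{'Response-Packet-Type'} || '-', $RAD_REPLY{'Reply-Message'};
    }
}
```

Run with plain perl it prints HANDLED/OK/REJECT for the three simulated rounds; under radiusd the first round now logs Response-Packet-Type as a check item and the post-handler turns the reply into an Access-Challenge instead of "There was no response configured". Two caveats for anything beyond test cases. First, the debug output above shows `perl_pool total/active/spare [32/0/32]`: each interpreter in the pool has its own globals, so a challenge stored in a Perl variable during round 1 may not exist in the interpreter that handles round 2; keep per-session state outside the interpreter or make it derivable from State with a server-side key. Second, State is opaque to the NAS but is chosen by the server and echoed by the client, so it must be unpredictable and must never by itself be taken as proof that round 1 happened.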
Re: Question regarding rlm_perl and Access-Challenge
Harry J Walsh wrote:
> I want to develop some test cases for a radius client I am developing
> and I would like to be able to use rlm_perl to simulate various
> scenarios. The one I am having major problems with is
> Access-Challenge. I really like rlm_perl and the flexibility it
> provides and I would like to be able to specify the reply type. I've
> looked through documentation and the rlm_perl code for any hints on
> how to do this and at this stage I'm thinking I'll have to create a
> new interface to allow my perl script to specify the correct reply
> type to rlm_perl.

Configure the reply with "Response-Packet-Type = Access-Challenge", and make sure that the authenticate section returns "handled". That should do it.

And yes, this isn't documented.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question regarding rlm_perl and Access-Challenge
Hi, I want to develop some test cases for a radius client I am developing and I would like to be able to use rlm_perl to simulate various scenarios. The one I am having major problems with is Access-Challenge. I really like rlm_perl and the flexibility it provides and I would like to be able to specify the reply type. I've looked through documentation and the rlm_perl code for any hints on how to do this and at this stage I'm thinking I'll have to create a new interface to allow my perl script to specify the correct reply type to rlm_perl. Do any of you know of an existing way to do this? -- Harry J Walsh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: I've started to put the book online
Just great! Thanks, I'll be sure to read it.

2008/8/19 Alan DeKok <[EMAIL PROTECTED]>
> http://deployingradius.com/book/
>
> Only parts of the first chapter are online. It covers the basic
> concepts behind RADIUS, and should hopefully address a number of common
> misunderstandings about how it all works.
>
> Keep checking the site. More will be coming later.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've started to put the book online
http://deployingradius.com/book/ Only parts of the first chapter are online. It covers the basic concepts behind RADIUS, and should hopefully address a number of common misunderstandings about how it all works. Keep checking the site. More will be coming later. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html