Re: Issue with radius accounting

2013-05-25 Thread Arvind Bahuguni
Hi Alan,
I suspect some RADIUS setting on my server, because FreeRADIUS on the
other server is responding and authentication and accounting are successful.
On May 24, 2013 7:56 PM, freeradius-users-requ...@lists.freeradius.org
wrote:

 Message: 1
 Date: Fri, 24 May 2013 12:44:02 +0200
 From: Pieter Hulshoff phuls...@xs4all.nl
 To: freeradius-users@lists.freeradius.org
 Subject: AES-GCM
 Message-ID: 2687107.xyZuJZ1fbJ@spaceballsml
 Content-Type: text/plain; charset=us-ascii

 Hello all,

 Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
 documentation, the wiki or the mailinglist archives, but perhaps I'm looking
 in the wrong place?

 Kind regards,

 Pieter Hulshoff



 --

 Message: 2
 Date: Fri, 24 May 2013 12:21:47 +0100
 From: Phil Mayers p.may...@imperial.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: AES-GCM
 Message-ID: 519f4d4b.4080...@imperial.ac.uk
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed

 On 24/05/13 11:44, Pieter Hulshoff wrote:
  Hello all,
 
  Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
  documentation, the wiki or the mailinglist archives, but perhaps I'm looking
  in the wrong place?

 Typically this is down to the TLS libraries; it's not usually the case that
 the application needs to do anything.

 That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
 itself in this level of detail - that's an aspect of the TLS library
 (OpenSSL) we use, and whatever the EAP-TLS client is using.

 Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
 or TTLS) never actually sends any data over the TLS session;
 essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
 never sends any TLS records of type=23 (application data). So, the
 negotiated cipher is not used for very much.

 PEAP and TTLS have inner EAP exchanges, that are protected with the
 TLS session, and sent as TLS type=23 records.

 Slightly OT, there seems to be some degree of uncertainty about GCM in
 general, and whether it's a sensible cipher mode - for example, see
 http://www.imperialviolet.org/2013/01/13/rwc03.html


 --

 Message: 3
 Date: Fri, 24 May 2013 13:47:36 +0200
 From: Pieter Hulshoff phuls...@xs4all.nl
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: Re: AES-GCM
 Message-ID: 2024766.p6x3QSbeB1@spaceballsml
 Content-Type: text/plain; charset=us-ascii

 On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:
  On 24/05/13 11:44, Pieter Hulshoff wrote:
   Hello all,
  
   Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
   documentation, the wiki or the mailinglist archives, but perhaps I'm
   looking in the wrong place?
 
  Typically this is down the TLS libraries; it's not usually the case that
  the application needs to do anything.

 It seems I have a lot to learn yet about what is and is not a part of
 FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the
 mailinglist.

  That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
  1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
  itself in this level of detail - that's an aspect of the TLS library
  (OpenSSL) we use, and whatever the EAP-TLS client is using.

 I guess that if we want to use AEAD cyphers we'll need to find another TLS
 library or adapt/contribute to OpenSSL?

  Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
  or TTLS) never actually sends any data over the TLS session;
  essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
  never sends any TLS records of type=23 (application data). So, the
  negotiated cipher is not used for very much.

 The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher
 though,
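To make the record-layer point in Phil Mayers's quoted reply concrete (EAP-TLS is the handshake alone, so it produces no type 23 records; PEAP and TTLS carry their inner EAP exchange inside type 23 records; and RFC 5288 ties the AES-GCM suites to TLS 1.2), here is a small parser added as an example that is not from the list or from FreeRADIUS. It walks the record headers of a TLS byte stream, counts records by content type, and checks a record version against the TLS 1.2 requirement; the two streams are constructed with placeholder bodies, since only the headers matter for this point.

```python
import struct
from collections import Counter
from typing import Iterator, Tuple

# TLS record-layer content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_1_2 = (3, 3)   # record-layer version bytes of TLS 1.2


def tls_records(stream: bytes) -> Iterator[Tuple[int, Tuple[int, int], bytes]]:
    """Yield (content_type, (major, minor), payload) for every record in a
    concatenated TLS record stream; the header is type:1, version:2, length:2."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        yield ctype, (major, minor), body
        off += 5 + length


def record_type_counts(stream: bytes) -> Counter:
    """How many records of each content type the stream carries."""
    return Counter(CONTENT_TYPES[t] for t, _, _ in tls_records(stream))


def carries_application_data(stream: bytes) -> bool:
    """True if any type 23 record is present, i.e. the negotiated cipher
    protects more than the Finished messages of the handshake."""
    return any(t == 23 for t, _, _ in tls_records(stream))


def aead_permitted(version: Tuple[int, int]) -> bool:
    """RFC 5288 section 4: the AES-GCM suites are only for TLS 1.2 or later."""
    return version >= TLS_1_2


def record(ctype: int, body: bytes, version: Tuple[int, int] = (3, 1)) -> bytes:
    """Frame a payload as one TLS record (TLS 1.0 version bytes by default)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed streams with placeholder bodies: an EAP-TLS-style exchange is
# handshake records plus ChangeCipherSpec; PEAP adds application-data records.
EAP_TLS_STREAM = (record(22, b"ClientHello") + record(22, b"ServerHello..ServerHelloDone")
                  + record(22, b"ClientKeyExchange") + record(20, b"\x01")
                  + record(22, b"<encrypted Finished>"))
PEAP_STREAM = EAP_TLS_STREAM + record(23, b"<inner EAP exchange>") + record(23, b"<inner EAP-Success>")

if __name__ == "__main__":
    print("EAP-TLS:", dict(record_type_counts(EAP_TLS_STREAM)), carries_application_data(EAP_TLS_STREAM))
    print("PEAP:   ", dict(record_type_counts(PEAP_STREAM)), carries_application_data(PEAP_STREAM))
```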

Re: Issue with radius accounting

2013-05-25 Thread Alan DeKok
On 2013-05-25, at 12:39 PM, Arvind Bahuguni arvind...@gmail.com wrote:

 Hi Alan,
 I am suspecting some radius setting on my server because free radius on other 
 server is responding and authentication and accounting is successful
 
  For one, you need to edit your posts. It's ridiculous to reply to a digest 
message, and include hundreds of lines of irrelevant text.

  And if you know so much more than me about RADIUS, you shouldn't be asking 
questions on this list.

  If you're going to ask questions and then argue with the answers, you will be 
unsubscribed from the list and banned permanently. 

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
I'm trying to restrict a guest user from a single NAS-IP-Address via users
and I can't get it to work.

Doesn't work:

test    NAS-IP-Address == 127.0.0.1
        Auth-Type := Accept

test    NAS-IP-Address == 127.0.1.1
        Auth-Type := Accept

Works, but it isn't restricted by NAS:

test   Auth-Type := Accept

I've also tried Calling-Station-ID == 127.0.1.1 to no avail.


Also, how would I do this for a group of NAS IP addresses?  Is it possible to
assign them to a group in clients.conf that can be later checked against in
users?  Where is the documentation of what can be tested against in the
users file?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user from particular NAS-IP-Address

2013-05-25 Thread Alan DeKok
Pete Ashdown wrote:
 I'm trying to restrict a guest user from a single NAS-IP-Address via users
 and I can't get it to work.
 
 Doesn't work:
 
 test  NAS-IP-Address == 127.0.0.1
   Auth-Type := Accept

  That's wrong.  Why?  See the debug output.  It *tells* you what's
wrong, and how to fix it.  See man users.  It *documents* the format
of the users file.  See the sample raddb/users file.  Look for
Auth-Type.  There are *examples* of how to do this.

 Also, how would I do this for a group of NAS IP addresses?  Is it possible to
 assign them to a group in clients.conf that can be later checked against in
 users?

  See raddb/huntgroups.  You can group NASes, and check the group
membership later.

  Where is the documentation of what can be tested against in the
 users file?

  What does that mean?  man users describes how the users file
works.  After that, if you get something wrong, the debug output will
tell you.

  You *did* run the server in debugging mode, as suggested in the FAQ,
README, man page, and daily on this list?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
I am having trouble starting freeradius at boot on CentOS 6.4. It starts, but
it does not connect to my database; however, if I run it manually from the
command line it works fine. I think there is a permission issue somewhere. See
the log below:

When I run the following command as root it works:

# radiusd

Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Driver rlm_sql_unixodbc (module 
rlm_sql_unixodbc) loaded and linked
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect to 
radius@EBHorizon:5000/Horizon
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #0
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Connected new DB handle, #0
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #1
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Connected new DB handle, #1
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #2
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #2
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #3
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #3
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #4
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #4
Sat May 25 10:26:21 2013 : Info: Loaded virtual server default
Sat May 25 10:26:21 2013 : Info: Loaded virtual server inner-tunnel
Sat May 25 10:26:21 2013 : Info:  ... adding new socket proxy address * port 
35688
Sat May 25 10:26:21 2013 : Info: Ready to process requests.

When I run the command below, it does not connect:
# service radiusd start


Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Driver rlm_sql_unixodbc (module 
rlm_sql_unixodbc) loaded and linked
Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Attempting to connect to 
radius@EBHorizon:5000/Horizon
Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #0
Sat May 25 10:29:05 2013 : Error: rlm_sql_unixodbc: SQL down 08S01 
[unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is 
unavailable or does not exist
Sat May 25 10:29:05 2013 : Error: rlm_sql_unixodbc: Connection failed
Sat May 25 10:29:05 2013 : Error: rlm_sql (sql): Failed to connect DB handle #0
Sat May 25 10:29:05 2013 : Info: Loaded virtual server default
Sat May 25 10:29:05 2013 : Info: Loaded virtual server inner-tunnel
Sat May 25 10:29:05 2013 : Info:  ... adding new socket proxy address * port 
59524
Sat May 25 10:29:05 2013 : Info: Ready to process requests.

Any help would be greatly appreciated.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Alan DeKok
Bill Grant wrote:
 I am having trouble starting freeradius at boot on CentOS 6.4. It starts, but 
 it does not connect to my database; however, if I run it manually from the 
 command line it works fine. I think there is a permission issue somewhere. See 
 the log below:
 
 When I run the following command as root it works:

  It's probably some SELinux rule.  The normal Linux APIs allow *any*
process to make outbound connections.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
You are right. I temporarily disabled SELinux with echo 0 > /selinux/enforce
and it worked. Now I just need to figure out exactly what it is blocking.
Thanks for the help!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth-Type = Reject not being obeyed

2013-05-25 Thread Matthew Melbourne
I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':='
operator to reject a CHAP authentication.

Unfortunately, it's not always easy to place a live production system in
debug mode, hence the initial "is this something stupid" question :)

(And apologies for the lack of a subject line in the original post).

Cheers,
Matt 

-Original Message-
Date: Fri, 24 May 2013 17:31:29 +0100
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: Auth-Type = Reject not being obeyed
Message-ID: 519f95e1.6010...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 24/05/13 17:19, Alan Buxey wrote:

 The only difference I can see is that the first example uses a 
 plain-text password, and the RADIUS on the LNS is using CHAP?

 The backend database has = in the 'op' field (and not :=), so the 
 returned attribute is Auth-Type = Reject and not Auth-Type := 
 Reject, but it is correctly rejected using radtest/radclient, and I 
 believe the = operand to be correct.

You might have this:

authorize {
   ...
   chap
   sql
   ...
}

...and Auth-Type is already set by chap, hence '=' doesn't overwrite it.

Anyway, you're not correct that '=' is the right operator; ':=' means
force, i.e. set this attribute to this value, always, and that's what you
want to do here, right? '=' means set if unset.

As has also been pointed out - show radiusd -X for a problem auth (and set
a subject line...)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
I was able to fix it by doing the following.

I installed setroubleshoot

yum install setroubleshoot

Then I ran the following command

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

mylogfile.txt showed:

found 3 alerts in /var/log/audit/audit.log


SELinux is preventing /usr/sbin/radiusd from create access on the semaphore .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that radiusd should be allowed create access on the  sem by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from search access on the directory 
/home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that radiusd should be allowed search access on the home 
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from name_connect access on the 
tcp_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that radiusd should be allowed name_connect access on the  
tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


I ran the commands listed above:

grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp


That fixed the problem, thanks again.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
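Piping every audit line that mentions radiusd into audit2allow, as the sealert output above suggests, loads a module that grants all of those denials at once. The following is an added example, not part of the thread or of FreeRADIUS: it parses AVC records from audit.log, groups the distinct denials for one command name by source type, target type, object class and permission, and renders the allow rules a module would contain, so each can be judged on its own before anything is loaded (a daemon needing search on /home, for instance, is worth a look at which file it was reaching for). The audit lines are constructed to mirror the three denials in the sealert output; pids, timestamps and target contexts in them are illustrative.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed audit records: three denials for radiusd shaped like the ones in
# the sealert output (create on a semaphore, search on /home, name_connect on a
# tcp_socket), one non-AVC record, and one denial belonging to another daemon.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369488545.101:201): avc:  denied  { create } for  pid=2201 comm="radiusd" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:system_r:radiusd_t:s0 tclass=sem
type=AVC msg=audit(1369488545.102:202): avc:  denied  { search } for  pid=2201 comm="radiusd" name="home" dev=dm-0 ino=131 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1369488545.110:203): avc:  denied  { name_connect } for  pid=2201 comm="radiusd" dest=5000 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1369488545.110:203): arch=c000003e syscall=42 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1369488545.120:204): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, object class, permissions)
Denial = Tuple[str, str, str, Tuple[str, ...]]


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def _type_of(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]


def denials_for(log: str, comm: str) -> List[Denial]:
    """Distinct denials attributed to one command name, in log order."""
    seen: Dict[Denial, None] = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm:
            key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"], tuple(rec["perms"]))
            seen.setdefault(key, None)
    return list(seen)


def suggested_rules(log: str, comm: str) -> List[str]:
    """The allow rules a generated module would contain, one per denial, so each
    can be reviewed (and dropped or replaced by a narrower fix) individually."""
    rules = []
    for src, tgt, tclass, perms in denials_for(log, comm):
        tgt = "self" if tgt == src else tgt
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm};")
    return rules


if __name__ == "__main__":
    for rule in suggested_rules(SAMPLE_AUDIT_LOG, "radiusd"):
        print(rule)
```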


Re: user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
On Sat, May 25, 2013 at 06:23:44PM -0400, Alan DeKok wrote:

   You *did* run the server in debugging mode, as suggested in the FAQ,
 README, man page, and daily on this list?

Yes I did, over a period of about 3 hours of trial and error before banging my
head against:

[...]
[files] users: Matched entry test at line 86
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
user
Failed to authenticate the user.
[...]

I also searched via Google site:lists.freeradius.org because Mailman's archive
sucketh and found similar recriminations to RTFM and run radiusd -X.  I
didn't see a freeradius-newbs list, so I assumed freeradius-users was
welcoming like other users mailing lists.  I'll unsubscribe now and go back to
the trial and error.  Sorry to have wasted your time.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
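The entries in Pete Ashdown's post and the ':=' versus '=' question in the "Auth-Type = Reject not being obeyed" thread above both come down to two rules of the users file: check items, Auth-Type among them, go on an entry's first line and reply items on the indented lines that follow, and ':=' always sets an attribute while '=' only sets it when it is not already present. The following model is an added example, not FreeRADIUS code and a deliberate simplification of rlm_files (three operators, one entry, no Fall-Through): it parses an entry, applies those rules, and shows that an entry whose Auth-Type sits on a reply line leaves the control list with no Auth-Type, which is the condition behind the "No authenticate method (Auth-Type) found" line in the debug output, and that an Auth-Type already set by chap is left alone by '=' but replaced by ':='.

```python
import re
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str, str]   # (attribute, operator, value)
Attrs = Dict[str, str]

# Check items that have no effect on a reply line (partial list, for the model).
CHECK_ONLY = {"Auth-Type", "Fall-Through", "Simultaneous-Use"}


def parse_pairs(text: str) -> List[Pair]:
    """Split 'Attr op value, Attr op value' into (attr, op, value) triples."""
    pairs: List[Pair] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r'([\w-]+)\s*(:=|==|=)\s*"?([^"]*)"?', item)
        if not m:
            raise ValueError(f"cannot parse pair: {item!r}")
        pairs.append((m.group(1), m.group(2), m.group(3)))
    return pairs


def parse_entry(text: str) -> Tuple[str, List[Pair], List[Pair]]:
    """First line: user name then check items; indented lines: reply items."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = lines[0].split(None, 1)
    name, check = head[0], parse_pairs(head[1] if len(head) > 1 else "")
    reply: List[Pair] = []
    for ln in lines[1:]:
        if not ln[0].isspace():
            raise ValueError("reply items must be indented under the entry")
        reply.extend(parse_pairs(ln))
    return name, check, reply


def misplaced_check_items(reply: List[Pair]) -> List[str]:
    """Check items found on a reply line: the mistake rlm_files warns about."""
    return [attr for attr, _, _ in reply if attr in CHECK_ONLY]


def merge(attrs: Attrs, pairs: List[Pair]) -> Attrs:
    """':=' always sets, '=' sets only if absent, '==' compares and sets nothing."""
    out = dict(attrs)
    for attr, op, value in pairs:
        if op == ":=":
            out[attr] = value
        elif op == "=":
            out.setdefault(attr, value)
    return out


def authorize(control: Attrs, entry: str, request: Attrs) -> Tuple[Attrs, Attrs]:
    """Match one users entry against a request; return (control, reply) lists."""
    name, check, reply = parse_entry(entry)
    if request.get("User-Name") != name:
        return control, {}
    if any(op == "==" and request.get(a) != v for a, op, v in check):
        return control, {}
    return merge(control, check), merge({}, reply)


# Constructed entries: the first mirrors the post above, the second moves
# Auth-Type onto the check line where the users file expects it.
BROKEN_ENTRY = "test\tNAS-IP-Address == 127.0.0.1\n\tAuth-Type := Accept\n"
FIXED_ENTRY = "test\tNAS-IP-Address == 127.0.0.1, Auth-Type := Accept\n"
REQUEST = {"User-Name": "test", "NAS-IP-Address": "127.0.0.1"}


def auth_type_after_files(entry: str, control: Optional[Attrs] = None) -> Optional[str]:
    """Auth-Type in the control list after the entry is applied; None means the
    server has no authenticate method and rejects the request."""
    ctrl, _ = authorize(dict(control or {}), entry, REQUEST)
    return ctrl.get("Auth-Type")
```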


Re: Issue with radius accounting

2013-05-25 Thread Arvind Bahuguni
I am not interested in any argument; I wanted to check what may be the
problem with my RADIUS server, as accounting is successful with FreeRADIUS
on the other server.
On May 26, 2013 6:51 AM, freeradius-users-requ...@lists.freeradius.org
wrote:
